Inkscape Website: Attack and Spam

Dear developers,
I've just now been alerted to some activity on our webserver py1. Email bounces from users started arriving to me (the webmaster) and I quickly tried to gather information about what kind of event we had. One of the bounces contained headers showing the emails were coming from our server.
I have thus shut down postfix on py1 as a precaution; the website will be unable to send email for the time being.
I've been digging through the logs to find out what kind of issue we have:
* A service ticket has been created for OSUOSL to investigate
* None of the email addresses appear in our user accounts list, so our database is unlikely to have been compromised.
* There's been an sshd attack against the server today from 3:12am to 18:23pm but no actual signs of a break in.
* Email appear at 18:53, unknown quantity (more than 40), logs do not report quantity at this time. So it might be something pretending to be py1 to osuosl's smtp server.
I'll reply here when I know more, although I probably won't hear back from osuosl until tomorrow.
Best regards, Martin Owens

Hey Martin,
Pardon me if in looking at the headers you checked for this, but is it possible that someone is just spoofing the inkscape.org email address in a spam campaign? (That would be exposed by confirming that the IP address is in fact our managed server.)
As far as I can tell we don't have a DKIM, DMARC or SPF record configured on the domain. That would make a spoof at least a more likely explanation for the bounced emails than a server breach, not to say that is in fact what the cause is.
Ryan
On 07/15/2018 01:36 PM, doctormo@...400... wrote:
Dear developers,
I've just now been alerted to some activity on our webserver py1. Email bounces from users started arriving to me (the webmaster) and I quickly tried to gather information about what kind of event we had. One of the bounces contained headers showing the emails were coming from our server.
I have thus shut down postfix on py1 as a precaution; the website will be unable to send email for the time being.
I've been digging through the logs to find out what kind of issue we have:
- A service ticket has been created for OSUOSL to investigate
- None of the email addresses appear in our user accounts list, so our database is unlikely to have been compromised.
- There's been an sshd attack against the server today from 3:12am to 18:23pm but no actual signs of a break in.
- Email appear at 18:53, unknown quantity (more than 40), logs do not report quantity at this time. So it might be something pretending to be py1 to osuosl's smtp server.
I'll reply here when I know more, although I probably won't hear back from osuosl until tomorrow.
Best regards, Martin Owens
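The check Ryan describes (is the connecting IP really the managed server?) can be run over the Received headers returned with a bounce. The sketch below is an added example, not code from this thread or from the Inkscape project; every hostname and IP address in it is a constructed placeholder, and it assumes the topmost Received header was written by the recipient's own mail server.

```python
import re
from email import message_from_string

# Constructed placeholders (documentation address ranges), not real hosts.
SERVER_HELO, SERVER_IP = "py1.example.org", "192.0.2.10"
RELAY_HOST, RELAY_IP = "relay.example.net", "198.51.100.5"

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\([^\[\]()]*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
                    r".*?\bby\s+(?P<by>[^\s;]+)", re.S)

def hops(raw):
    """Parse Received headers, newest first, into helo/ip/by dicts."""
    msg = message_from_string(raw)
    found = (HOP_RE.search(v) for v in msg.get_all("Received", []))
    return [m.groupdict() for m in found if m]

def origin_verdict(raw):
    """Classify the sender using only a relay hop vouched for by the hop above it."""
    prev_ip = None
    for hop in hops(raw):
        # Headers below the first unverified hop can be forged by the sender.
        if hop["by"].lower() == RELAY_HOST and prev_ip == RELAY_IP:
            if hop["ip"] == SERVER_IP:
                return "sent-by-server"        # the server really submitted it
            if hop["helo"].lower() == SERVER_HELO:
                return "helo-impersonation"    # another host claimed its name
            return "other-client"
        prev_ip = hop["ip"]
    return "relay-not-in-path"                 # only the address was spoofed

def build(*received):
    """Assemble a constructed sample message from Received values."""
    head = "".join(f"Received: {r}\n" for r in received)
    return head + "From: webmaster@example.org\nSubject: sample\n\nbody\n"

def relay_hop(helo, ip):
    return (f"from {helo} (unknown [{ip}])\n\tby relay.example.net (Postfix);"
            " Sun, 15 Jul 2018 18:53:02 +0000")

VIA_RELAY = ("from relay.example.net (relay.example.net [198.51.100.5])\n"
             "\tby mx.example.com; Sun, 15 Jul 2018 18:53:05 +0000")
DIRECT = ("from mail.example.invalid (unknown [203.0.113.77])\n"
          "\tby mx.example.com; Sun, 15 Jul 2018 18:53:05 +0000")
SAMPLES = {  # constructed messages, one per hypothesis raised in the thread
    "genuine": build(VIA_RELAY, relay_hop(SERVER_HELO, SERVER_IP)),
    "impersonated": build(VIA_RELAY, relay_hop(SERVER_HELO, "203.0.113.77")),
    "forged-header": build(DIRECT, relay_hop(SERVER_HELO, SERVER_IP)),
    "address-only": build(DIRECT),
}
VERDICTS = {name: origin_verdict(raw) for name, raw in SAMPLES.items()}
```

A "relay-not-in-path" verdict is the case that published SPF, DKIM and DMARC records let receiving servers reject on their own.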

Hi Ryan,
I can send along the email I have and see what you think. It could be that the server is fine and it's a spoof in the smtp transport to another osuosl server. But it looks like it routed through osuosl.
Best Regards, Martin Owens
On Mon, 2018-07-16 at 13:42 -0600, Ryan Gorley via Inkscape-devel wrote:
Pardon me if in looking at the headers you checked for this, but is it possible that someone is just spoofing the inkscape.org email address in a spam campaign? (That would be exposed by confirming that the IP address is in fact our managed server.)
As far as I can tell we don't have a DKIM, DMARC or SPF record configured on the domain. That would make a spoof at least a more likely explanation for the bounced emails than a server breach, not to say that is in fact what the cause is.

Yeah, forward it over. I'll at least look and see if anything looks off to me.
Ryan Gorley Founder + Creative Director
https://dijt.co 1.801.999.1530 ×101 1.801.898.7926
On 07/16/2018 02:13 PM, doctormo@...400... wrote:
Hi Ryan,
I can send along the email I have and see what you think. It could be that the server is fine and it's a spoof in the smtp transport to another osuosl server. But it looks like it routed through osuosl.
Best Regards, Martin Owens
On Mon, 2018-07-16 at 13:42 -0600, Ryan Gorley via Inkscape-devel wrote:
Pardon me if in looking at the headers you checked for this, but is it possible that someone is just spoofing the inkscape.org email address in a spam campaign? (That would be exposed by confirming that the IP address is in fact our managed server.)
As far as I can tell we don't have a DKIM, DMARC or SPF record configured on the domain. That would make a spoof at least a more likely explanation for the bounced emails than a server breach, not to say that is in fact what the cause is.