Inkscape Website: Attack and Spam
Dear developers,
I've just now been alerted to some activity on our webserver py1. Email bounces from users started arriving to me (the webmaster) and I quickly tried to gather information about what kind of event we had. One of the bounces contained headers showing the emails were coming from our server.
I have thus shut down postfix on py1 as a precaution, the website will be unable to send email for the time being.
I've been digging through the logs to find out what kind of issue we have:
- A service ticket has been created for OSUOSL to investigate.
- None of the email addresses appear in our user accounts list, so our database is unlikely to have been compromised.
- There's been an sshd attack against the server today from 3:12am to 18:23pm but no actual signs of a break in.
- Emails appear at 18:53, unknown quantity (more than 40), logs do not report quantity at this time. So it might be something pretending to be py1 to osuosl's smtp server.
I'll reply here when I know more, although I probably won't hear back from osuosl until tomorrow.
Best regards, Martin Owens
Hey Martin,
Pardon me if in looking at the headers you checked for this, but is it possible that someone is just spoofing the inkscape.org email address in a spam campaign? (That would be exposed by confirming the IP address is in fact our managed server.)
As far as I can tell we don't have a DKIM, DMARC or SPF record configured on the domain. That would make a spoof at least a more likely explanation for the bounced emails than a server breach, not to say that is in fact what the cause is.
Ryan
On 07/15/2018 01:36 PM, doctormo@...400... wrote:
> Dear developers,
> I've just now been alerted to some activity on our webserver py1. Email bounces from users started arriving to me (the webmaster) and I quickly tried to gather information about what kind of event we had. One of the bounces contained headers showing the emails were coming from our server.
> I have thus shut down postfix on py1 as a precaution, the website will be unable to send email for the time being.
> I've been digging through the logs to find out what kind of issue we have:
> - A service ticket has been created for OSUOSL to investigate.
> - None of the email addresses appear in our user accounts list, so our database is unlikely to have been compromised.
> - There's been an sshd attack against the server today from 3:12am to 18:23pm but no actual signs of a break in.
> - Emails appear at 18:53, unknown quantity (more than 40), logs do not report quantity at this time. So it might be something pretending to be py1 to osuosl's smtp server.
> I'll reply here when I know more, although I probably won't hear back from osuosl until tomorrow.
> Best regards, Martin Owens
> Inkscape-devel mailing list
> Inkscape-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/inkscape-devel
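Ryan's question above (was the bounced mail spoofed, or did our host really send it?) is exactly what the bounce headers can answer once an SPF policy exists. The script below is an added example, not code from the Inkscape project or from anyone in this thread: it reads the Received header written by the recipient's own mail exchanger, extracts the IP address that connected to it, and evaluates that address against a `v=spf1` record. The SPF record, the host names (`py1.inkscape.example`, `mx.example.net`, `mail.example.net`), the IP addresses and the bounce headers are all constructed sample values, and the evaluator handles only `ip4`, `ip6` and `all` mechanisms because `include`, `a` and `mx` would need live DNS. This is the same check a receiving MTA performs when SPF is published, which is why Ryan's point matters: with no SPF or DMARC record, the receiver has no basis to reject a message that merely claims to come from our domain.

```python
"""Added example (not from the Inkscape thread): was a bounced message really
sent by our server, or spoofed? Decide from the Received header added by a
trusted MTA plus an SPF policy. All hosts, IPs and records are constructed."""
import email
import ipaddress
import re

# Constructed SPF policy (assumption, not the real inkscape.org record):
# only 203.0.113.0/24 and 2001:db8::/32 may send mail for the domain.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return ([(network, result), ...], default_result) for a v=spf1 record.
    Only ip4/ip6/all are handled; include/a/mx/redirect would need DNS."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks, default = [], "neutral"  # RFC 7208: nothing matched -> neutral
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            default = QUALIFIERS[qual]
        elif mech in ("ip4", "ip6"):
            networks.append((ipaddress.ip_network(arg, strict=False), QUALIFIERS[qual]))
        # other mechanisms and modifiers are ignored in this offline example
    return networks, default


def spf_result(ip, record):
    """SPF result ('pass', 'fail', 'softfail', 'neutral') for a connecting IP."""
    addr = ipaddress.ip_address(ip)
    networks, default = parse_spf(record)
    for net, result in networks:
        if addr.version == net.version and addr in net:
            return result
    return default


def connecting_ip(raw_message, trusted_receiver):
    """IP that connected to our trusted MTA: taken from the newest Received
    header whose 'by' host is trusted_receiver. Received lines below that one
    arrived with the message and can say anything the sender wants."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        line = " ".join(str(value).split())  # unfold continuation lines
        by = re.search(r"\bby\s+([\w.-]+)", line)
        if not by or not by.group(1).lower().endswith(trusted_receiver.lower()):
            continue
        m = re.search(r"\bfrom\b.*?\[(?:IPv6:)?([0-9a-fA-F.:]+)\]", line)
        if m:
            try:
                return str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # bracketed text was not an address; keep looking
    return None


def classify_bounce(raw_message, trusted_receiver, spf_record):
    """Combine header inspection and SPF into a verdict for the bounce."""
    ip = connecting_ip(raw_message, trusted_receiver)
    if ip is None:
        return {"ip": None, "spf": "none", "verdict": "undetermined"}
    result = spf_result(ip, spf_record)
    verdict = {"pass": "sent from our range", "neutral": "inconclusive"}.get(result, "spoofed")
    return {"ip": ip, "spf": result, "verdict": verdict}


def sample_bounce(connecting):
    """Constructed headers of a bounced message, as the recipient's MX and
    internal relay would record them; the HELO name claims to be py1."""
    return (
        "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
        "\tby mail.example.net with ESMTP id 4x7Q; Sun, 15 Jul 2018 18:53:01 +0000\n"
        f"Received: from py1.inkscape.example (unknown [{connecting}])\n"
        "\tby mx.example.net with ESMTP; Sun, 15 Jul 2018 18:52:59 +0000\n"
        "From: webmaster@inkscape.example\n"
        "To: someone@example.net\n"
        "Subject: constructed sample\n\n"
        "body\n"
    )


if __name__ == "__main__":
    for ip in ("192.0.2.45", "203.0.113.10"):
        print(ip, classify_bounce(sample_bounce(ip), "mx.example.net", SAMPLE_SPF))
```

The `trusted_receiver` argument is the important design choice: only the Received line written by an MTA you trust (in this thread, the header OSUOSL's relay added) tells you who actually connected; everything beneath it, including a HELO name of `py1`, is supplied by the sender. With the constructed record, a connection from `192.0.2.45` evaluates to `fail` (spoof), while `203.0.113.10` evaluates to `pass` and would point back at our own range.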
Hi Ryan,
I can send along the email I have and see what you think. It could be that the server is fine and it's a spoof in the smtp transport to another osuosl server. But it looks like it routed through osuosl.
Best Regards, Martin Owens
On Mon, 2018-07-16 at 13:42 -0600, Ryan Gorley via Inkscape-devel wrote:
> Pardon me if in looking at the headers you checked for this, but is it possible that someone is just spoofing the inkscape.org email address in a spam campaign? (That would be exposed by confirming the IP address is in fact our managed server.)
> As far as I can tell we don't have a DKIM, DMARC or SPF record configured on the domain. That would make a spoof at least a more likely explanation for the bounced emails than a server breach, not to say that is in fact what the cause is.
Yeah, forward it over. I'll at least look and see if anything looks off to me.
Ryan Gorley, Founder + Creative Director
https://dijt.co 1.801.999.1530 ×101 1.801.898.7926
On 07/16/2018 02:13 PM, doctormo@...400... wrote:
> Hi Ryan,
> I can send along the email I have and see what you think. It could be that the server is fine and it's a spoof in the smtp transport to another osuosl server. But it looks like it routed through osuosl.
> Best Regards, Martin Owens
> On Mon, 2018-07-16 at 13:42 -0600, Ryan Gorley via Inkscape-devel wrote:
> > Pardon me if in looking at the headers you checked for this, but is it possible that someone is just spoofing the inkscape.org email address in a spam campaign? (That would be exposed by confirming the IP address is in fact our managed server.)
> > As far as I can tell we don't have a DKIM, DMARC or SPF record configured on the domain. That would make a spoof at least a more likely explanation for the bounced emails than a server breach, not to say that is in fact what the cause is.