If you start flagging accounts that send email to sync-master.org you'll
consistently catch them before they send spam. That attacker waits a few
days at least before using an account. I have a whole list of recipients
that these attackers send their "test" emails to and, as a result, we
have virtually zero successful compromised spam events. I'll share them
privately if anyone wants, but I don't publish them because I'm getting
the impression that spammers are parsing our github with AI now.
On 2025-12-09 05:11, Alessandro Vesely via mailop wrote:
It is worth checking logins, definitely. That's how I discovered a
breach and prompted the user to change her password ASAP. What is
strange is the way the intruders behaved.
First came 50.171.64.170, on the 7th around noon UTC. It had made 590
login attempts to this server since March 2024, using both existing and
non-existent accounts. This time, it succeeded; it seems possible,
given that the password was trivial.
Second came 98.181.46.43, on the 8th around 11 a.m. UTC. No previous
violations at mine.
Then came 129.80.228.231, ten minutes after the second. Only 91
violations at mine since April 2025.
All three IPs are 100% abusive according to AbuseIPDB, which is how I
spotted them.
The user changed her password a couple of hours after the third breach.
It looks like the second and the third hackers acquired the password
from the first. The strange thing is that no one sent tons of spam
exploiting the breach. All they did was send a single message each,
the first to [email protected], the second and third to
[email protected].
Is this non-exploitative password trading?
Best
Ale
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
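The detection the first reply describes (flag an account as soon as it sends to a known "test" recipient such as sync-master.org, before the spam run begins), written out as an added example rather than code from the thread; the log line format, the account names, the recipient local parts and the second watchlist domain are constructed assumptions, and only sync-master.org comes from the thread.

```python
import re
from collections import defaultdict

# Recipient domains that compromised accounts are observed to "test" against
# before spamming. sync-master.org is named in the thread; the second entry
# is a constructed placeholder, not a real indicator.
TEST_RECIPIENT_DOMAINS = {"sync-master.org", "example-canary.invalid"}

# Simplified, constructed outbound-mail log format (hypothetical, not a real
# MTA's syntax): "<timestamp> sasl_user=<account> to=<recipient> status=<s>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sasl_user=(?P<user>\S+) to=<(?P<rcpt>[^>]+)> status=(?P<status>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rcpt_domain"] = rec["rcpt"].rpartition("@")[2].lower()
    return rec


def flag_test_senders(lines, watchlist=TEST_RECIPIENT_DOMAINS):
    """Return {account: [(timestamp, recipient), ...]} for every authenticated
    account that delivered mail to a watchlisted domain. The first hit is the
    signal: the thread reports attackers waiting days before sending spam."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rcpt_domain"] in watchlist:
            hits[rec["user"]].append((rec["ts"], rec["rcpt"]))
    return dict(hits)


# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
2025-12-07T12:03:11Z sasl_user=alice to=<probe@sync-master.org> status=sent
2025-12-07T12:05:40Z sasl_user=bob to=<friend@example.com> status=sent
2025-12-08T11:02:19Z sasl_user=alice to=<friend@example.com> status=sent
this line is malformed on purpose
""".splitlines()

if __name__ == "__main__":
    for user, events in flag_test_senders(SAMPLE_LOG).items():
        print(f"FLAG {user}: {events}")
```

In production the watchlist would be loaded from a private file rather than committed to a public repository, which is the concern the reply raises about attackers reading the list.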