Re: [swinog] Coop.ch geoblocking?

2021-06-22 Discussion threads Axel Beckert
Hi,

Jeroen Massar schrieb am Tue, Jun 22, 2021 at 08:58:00AM +0200:
> That is a very odd ordering of headers:
> 
> > Received: from [136.35.59.161] (port=45371 helo=in3days.org) by
> >  cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls
> >  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93) (envelope-from
> >  ) id 1lvNEU-00069P-CD for s.d...@protonmail.ch; Mon,
> >  21 Jun 2021 17:57:10 +0100
> > Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com
> >  [95.172.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> >  (256/256 bits)) (No client certificate requested) by
> >  mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW for
> >  ; Mon, 21 Jun 2021 18:11:47 + (UTC)
> 
> Those normally go the other way around (top one is the newest).

Unfortunately some broken wannabe mail servers reorder them. The most
prominent example is that groupware server named Microsoft Exchange,
which claims to also be a mail server (but fails in many respects).

> Nevertheless... there are two options for this kind of spam:
> 
>  - something subscribe(s|d) to the list and just spams directly
>  - something parses the mailman archives and spams directly

I suspect a third option and that one is what Serge wrote initially:

Someone who was already subscribed to the list for a while caught
Emotet-like malware earlier this year on a client device which reads
this list's mail. That malware scraped the infected computer's mail
archive and forwarded/exfiltrated it to the malware operators. And now
that malware gang replies to these mails, addressed to persons in the
mail headers, with faked real names of other persons also listed in
these headers.

And since this is about a mail from a mailing list, none of the IPs or
e-mail addresses in the headers of the mail forwarded by Serge need to
be related to the actually infected host or its owner. (With
non-mailing-list mails it's much easier to figure out the infected
host as it's usually a host of either the sender or one of its
recipients — unless BCC was used of course.)

> Nothing list-admins or members could do anything about.

Sure.

But Serge is nevertheless completely right when he writes:

> > > > It seems there is a SWINOG member who should clean his
> > > > computer.

Exactly: someone subscribed to this list runs a computer which got
infected with Emotet-like malware which scrapes local mail archives,
usually those of Microsoft Outlook.

Regards, Axel
-- 
/~\  Plain Text Ribbon Campaign   | Axel Beckert
\ /  Say No to HTML in E-Mail and News| a...@deuxchevaux.org  (Mail)
 X   See http://arc.pasp.de/  | a...@noone.org (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | http://abe.noone.org/ (Web)


___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


Re: [swinog] Coop.ch geoblocking?

2021-06-22 Discussion threads Jeroen Massar
TL;DR: Spam outside of the swinog list by participating in the mailing list...


That is a very odd ordering of headers:

> Received: from [136.35.59.161] (port=45371 helo=in3days.org) by
>  cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls
>  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93) (envelope-from
>  ) id 1lvNEU-00069P-CD for s.d...@protonmail.ch; Mon,
>  21 Jun 2021 17:57:10 +0100
> Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com
>  [95.172.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
>  (256/256 bits)) (No client certificate requested) by
>  mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW for
>  ; Mon, 21 Jun 2021 18:11:47 + (UTC)

Those normally go the other way around (top one is the newest).

Nevertheless... there are two options for this kind of spam:

 - something subscribe(s|d) to the list and just spams directly
 - something parses the mailman archives and spams directly

Nothing list admins or members could do anything about. Closing the archives is 
a silly option, closing subscriptions another silly one; why bother having a 
mailing list in that case.
Noting that


I suggest using a mail host that has proper spam filtering; considering it is 
trivial to identify that the sending host is not properly configured, why 
bother accepting mail from it? Then again, from the order of those headers, 
it does not look like the receiver is properly configured either.

Greets,
 Jeroen

--


> On 20210622, at 08:40, Serge Droz  wrote:
> 
> Sure, here you go:
> 

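Jeroen's observation that the two Received: lines are in the wrong order, turned into a check. This is an added example for this thread, not code from any participant. It parses the trace, tests whether the hops read newest-first and connect (each hop's "from" host being the host the hop below was handled "by"), identifies the submission hop, and compares the Date: header with the first hop. The sample is constructed from the headers quoted above; the +0000 offset is restored from the "(UTC)" annotation, and addresses the archive redacted stay redacted.

```python
"""Check the Received: trace of a message for ordering and continuity.

Added example for this thread; not code written by the list or any poster.
Relaying MTAs prepend Received: headers, so the top one should be the newest
hop, timestamps should decrease reading downward, and each hop's "from"
should name the host that the hop below it was handled "by". The sample is
constructed from the headers quoted in the thread (+0000 restored from the
"(UTC)" annotation; redacted addresses kept redacted).
"""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE = """\
Received: from [136.35.59.161] (port=45371 helo=in3days.org) by
  cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93) (envelope-from
  <redacted>) id 1lvNEU-00069P-CD for s.d...@protonmail.ch; Mon,
  21 Jun 2021 17:57:10 +0100
Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com
  [95.172.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
  (256/256 bits)) (No client certificate requested) by
  mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW for
  <redacted>; Mon, 21 Jun 2021 18:11:47 +0000 (UTC)
Date: Mon, 21 Jun 2021 17:57:11 +0200
Subject: Re: [swinog] Coop.ch geoblocking?

(body omitted)
"""


def parse_hop(value: str) -> dict:
    """Split one Received: value into from/by/with tokens and a UTC timestamp."""
    text = " ".join(value.split())                 # unfold continuation lines
    clause, sep, stamp = text.rpartition(";")      # the date follows the last ';'
    if not sep:
        raise ValueError(f"Received: header without a date clause: {text!r}")
    m_from = re.search(r"\bfrom\s+(\S+)", clause)
    m_by = re.search(r"\bby\s+(\S+)", clause)
    # Look for "with" only after "by": TLS comments like "with cipher ..." precede it.
    m_with = re.search(r"\bwith\s+(\S+)", clause[m_by.end():]) if m_by else None
    when = parsedate_to_datetime(stamp.strip())
    if when.tzinfo is None:                        # zone-less stamps: assume UTC
        when = when.replace(tzinfo=timezone.utc)
    return {
        "from": m_from.group(1).strip("[]") if m_from else "?",
        "by": m_by.group(1) if m_by else "?",
        "with": m_with.group(1) if m_with else "?",
        "time": when.astimezone(timezone.utc),
    }


def chain_is_consistent(hops: list) -> bool:
    """True if hops are newest-first and each hop's 'from' is the host that
    handled the hop below it. HELO names and rDNS can legitimately differ,
    so a False here is a prompt to look, not proof of forgery."""
    for newer, older in zip(hops, hops[1:]):
        if newer["time"] < older["time"] or newer["from"] != older["by"]:
            return False
    return True


def analyse(raw: str) -> dict:
    msg = message_from_string(raw)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    if chain_is_consistent(hops):
        order = "newest-first"
    elif chain_is_consistent(hops[::-1]):
        order = "oldest-first"
    else:
        order = "inconsistent"
    findings = []
    if order != "newest-first":
        findings.append(f"Received: trace is {order}; MTAs prepend, so something rewrote or mangled it")
    submission = min(hops, key=lambda h: h["time"]) if hops else None
    skew = None
    if submission:
        # Exim and Postfix write esmtpa/esmtpsa when the client used SMTP AUTH.
        if submission["with"].lower().endswith("a"):
            findings.append(f"entered at {submission['by']} by authenticated submission "
                            f"({submission['with']}) from {submission['from']}")
        if msg.get("Date"):
            sent = parsedate_to_datetime(msg["Date"])
            if sent.tzinfo is None:
                sent = sent.replace(tzinfo=timezone.utc)
            skew = int((submission["time"] - sent).total_seconds())
            if abs(skew) > 900:
                findings.append(f"Date: header is {abs(skew)} s {'before' if skew > 0 else 'after'} "
                                f"the first hop: sender clock or time zone is off")
    return {"hops": hops, "order": order, "submission": submission,
            "date_skew_seconds": skew, "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE)["findings"]:
        print("-", line)
```

On this sample the trace comes out oldest-first, the submission hop is the authenticated Exim hop from 136.35.59.161, and the Date: header (17:57:11 +0200) sits 3599 seconds before that hop's stamp (17:57:10 +0100): same wall-clock time, different zone, which is what a mis-set time zone on the submitting side looks like.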
Re: [swinog] Coop.ch geoblocking?

2021-06-22 Discussion threads Serge Droz
Sure, here you go:

Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=utf-8
References:
<7A5xjOA_IhApwauOLPwy0scprYxTA4bjrjcS6Ejp5HrXsPGcbyrTV2ABvFGl8gGpkVDyKFXPU2FKFTdfnoqycA==@protonmail.internalid>
X-Pm-Date: Mon, 21 Jun 2021 15:57:11 +
X-Pm-External-Id: <6FC07FDF38760D4D03211162AA001EDFAE9F5412@unknown>
X-Pm-Internal-Id:
7A5xjOA_IhApwauOLPwy0scprYxTA4bjrjcS6Ejp5HrXsPGcbyrTV2ABvFGl8gGpkVDyKFXPU2FKFTdfnoqycA==
To: "Serge Droz" 
Reply-To: "Roger" 
From: "Roger" 
Subject: Re: [swinog] Coop.ch geoblocking?
X-Pm-Transfer-Encryption: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
  (256/256 bits)
Delivered-To: s.d...@protonmail.ch
X-Original-To: s.d...@protonmail.ch
X-Antiabuse: Sender Address Domain - in3days.org
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Original Domain - protonmail.ch
X-Antiabuse: Primary Hostname - cloudserver2.webbossuk.com
X-Antiabuse: This header was added to track abuse, please include it with
  any abuse report
X-Authenticated-Sender: cloudserver2.webbossuk.com: in3d...@in3days.org
Return-Path: 
X-Get-Message-Sender-Via: cloudserver2.webbossuk.com: authenticated_id:
  in3d...@in3days.org
X-Pm-Content-Encryption: on-delivery
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
  d=in3days.org ; s=default;
  h=MIME-Version:Message-ID:Subject:From:To:Date:Content-Type:

Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: 
List-Post:List-Owner:List-Archive;
bh=uAxy3zLHqvfXb2TMYjrhYr5Z2Iu5r3NwESS4F1OCQg8=;
b=pK1dKfuL2dIP2X5U9hf1z+iIGv
e9DBaAUxWcNJsesFiRorFjvKyzPWnZ+20RDKKpGfsaEjcu7xuxyYrZbfICXsM0mzgfCry/DVoe+QU
c2uMZspDly4ulZf0mp4o2Yx66GNBHlh0s0yZOjzrBc9whwJSk01vPFoKc/qthRVzR2Tc4GrsW4MlF
R02FpGbOo3XzfjLoWwRWn52qVGvEaScq2tk8O4YAWm14iMUIGPHMZbmT9UWsODV7TvQDyRjQTb9YA
IaffxFi0eEjohCq5WyMOBJbGq91Me/rI9o8Hhsqv5bnh3W1qI4K5L+nUn2tvRckpY/S9r2+BQORdE
99Vu9hyQ==;
X-Pm-Spam: 0yeiAIic37iBOIJChpR3Y2bi4AiOiuHVZb8miiACL3cpJI6ZC2CIIMQGw2YDZDNmd
RkNDzGUOOgDz4EGN2NiU0sIHzCJIYIS6gsHImIzlNwX3iW0YOAiwiACL2cvNUicmwiAOLACiwVmc
3b0JogIjwi0ILAjgGB1U0XFh9fTETEFUUByT6YEUEIFh8gTE0WFbYh2lTBycEUgYVjcmk3JbX4Gg
w4CMFIQN9ORlF05TINFQgojR2cuVVyZGvGRIZMXg09mbHI1BxpYmg2gcY4WgGB1UFIlJ9yY2uFxZ
IADuIBCMEVM11FX0B1NURU0gE9kQTWgoRNSFpCBTbNmslRWdCZpBBtbizXNZYdWlt4GXCMx4RLIE
fU1SVFkMfRUSVQgUVzTWn2FcZBSogMXYSY2BxpYWECBZSl0Ny9GIEILRNpIHh25ZdVHymBSZmct9
4gXG0XVYa9GygM3JGZt9luYWgG4XM4CxLREIUSf1lHU0EkVTI1ElhN3c2ZgUFzaGgGEIRtEJvBST
icEBBzSyuWdaYRX1sUmcGIv5BudClWNZcN3hslmcVeuxZhIHkGlbX4Gtx4CMEILR1fSUMkFVSQUg
zVWT2cnFBoZSgXMYYQXghVGb3cgQ5lb2hHZIblGkLREIUSg0Igb3gEsRcl2n0FmbXdlJ4tXGxC4M
IRELf1USkVMFRfSUgUYRTVWznF2cSZoBMgYX2SBYYxWpEBCZ0SNl9yIGLERIINHph52ZHdyVBmZS
tm9cX4Gg25WZWZvxUtcGvnJZbBSkh12bWac5AwbigjALUNkWJ9FRlTQ9wgQkjmVUZlW2gQWZmdhl
EgIGsmVcYkXgg4Wa3UhBhhbWgXMdUJEMi4GXHIg0fQ==
X-Pm-Spamscore: 0
X-Pm-Origin: external
X-Pm-Spam-Action: dunno
Message-Id: <6FC07FDF38760D4D03211162AA001EDFAE9F5412@unknown>
Received: from [136.35.59.161] (port=45371 helo=in3days.org) by
  cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93) (envelope-from
  ) id 1lvNEU-00069P-CD for s.d...@protonmail.ch; Mon,
  21 Jun 2021 17:57:10 +0100
Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com
  [95.172.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
  (256/256 bits)) (No client certificate requested) by
  mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW for
  ; Mon, 21 Jun 2021 18:11:47 + (UTC)
Mime-Version: 1.0
Date: Mon, 21 Jun 2021 17:57:11 +0200
Authentication-Results: mailin025.protonmail.ch; dkim=pass (2048-bit key)
  header.d=in3days.org header.i=@in3days.org header.b="pK1dKfuL"
Authentication-Results: mailin025.protonmail.ch; spf=none
  smtp.mailfrom=in3d...@in3days.org
Authentication-Results: mailin025.protonmail.ch; dmarc=none (p=none
  dis=none) header.from=in3days.org
Authentication-Results: mailin025.protonmail.ch; dkim=pass (Good 2048 bit
  rsa-sha256 signature) header.d=in3days.org header.a=rsa-sha256



On 21.06.21 23:42, Jeroen Massar wrote:
> Full headers would be rather useful to determine the real origin of that 
> message...
>
> Greets,
>   Jeroen
>
>
>> On 20210621, at 21:35, Serge Droz  wrote:
>>
>> Hi all
>>
>> It seems there is a SWINOG member who should clean his computer.
>>
>> Happy hunting
>> Serge
>>
>>
>>
>>  Forwarded Message 
>> Subject: Re: [swinog] Coop.ch geoblocking?
>> Date:Mon, 21 Jun 2021 17:57:11 +0200
>> From:Roger 
>> Reply-To:Roger 
>> To:  Serge Droz 
>>
>>
>>
>> Good day!
>>
>> We mail document to you again. You can discover it at the link lower:
>>
>>
>> annanigrodermatologia.it/mac-lesch/s_droz-80.zip
>>
>>
>>
>>
>>
>>> Hi Roger > > I just think that this suppression of unwanted
>>> opinions is wrong. > That is how I
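Axel's description of Emotet-style reply-chain hijacking (a reply into a real thread, a familiar display name on an unrelated mailbox, a link to an archive) and Serge's forwarded message together suggest what a mailbox-side check can look for. The following is an added example for this thread, not code from any participant. It scores one message on five heuristics: display name addressed in the quoted thread, display name unrelated to the sending mailbox, a link to an archive or document on a host no header vouches for, the recipient's name in the lure file name, and DKIM/SPF/DMARC results that authenticate the sending account but say nothing about who typed the mail. The sample is constructed from the forwarded headers and body above (text/plain instead of the original HTML, redacted addresses kept redacted, the quoted German translated); the lure-extension list is this example's own assumption.

```python
"""Score one message for signs of an Emotet-style reply-chain hijack.

Added example for this thread; not code written by the list or any poster.
The sample is constructed from the headers and forwarded body quoted above:
redacted addresses stay redacted, the HTML body is reduced to text/plain and
the quoted German is translated. LURE_EXT is this example's own assumption.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Archive and document types commonly used as malware lures (assumption).
LURE_EXT = {"zip", "rar", "7z", "iso", "doc", "docm", "xls", "xlsm", "js", "vbs", "lnk", "exe"}
# Lures are often scheme-less bare hostnames, so the scheme is optional.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/[^\s<>\"']*)", re.I)

SAMPLE = """\
From: "Roger" <in3d...@in3days.org>
Reply-To: "Roger" <in3d...@in3days.org>
To: "Serge Droz" <s.d...@protonmail.ch>
Subject: Re: [swinog] Coop.ch geoblocking?
References: <7A5xjOA_IhApwauOLPwy0scprYxTA4bjrjcS6Ejp5HrXsPGcbyrTV2ABvFGl8gGpkVDyKFXPU2FKFTdfnoqycA==@protonmail.internalid>
X-Authenticated-Sender: cloudserver2.webbossuk.com: in3d...@in3days.org
Authentication-Results: mailin025.protonmail.ch; dkim=pass (2048-bit key)
  header.d=in3days.org header.i=@in3days.org header.b="pK1dKfuL"
Authentication-Results: mailin025.protonmail.ch; spf=none
  smtp.mailfrom=in3d...@in3days.org
Authentication-Results: mailin025.protonmail.ch; dmarc=none (p=none
  dis=none) header.from=in3days.org
Content-Type: text/plain; charset=utf-8

Good day!

We mail document to you again. You can discover it at the link lower:

annanigrodermatologia.it/mac-lesch/s_droz-80.zip

> Hoi Roger
> I just think that this suppression of unwanted opinions is wrong.
"""


def _domains_in_headers(msg) -> set:
    """Domains the message itself vouches for: sender addresses plus the
    DKIM/DMARC identifiers in Authentication-Results."""
    doms = set()
    for name in ("From", "Reply-To", "X-Authenticated-Sender", "Authentication-Results"):
        for value in msg.get_all(name, []):
            for m in re.finditer(r"(?:@|header\.d=|header\.from=)([\w.-]+)", value):
                doms.add(m.group(1).strip(".").lower())
    return doms


def _auth_results(msg) -> dict:
    """Collapse Authentication-Results into {dkim, spf, dmarc, dkim_domain}."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(dkim|spf|dmarc)=(\w+)", value):
            results.setdefault(m.group(1), m.group(2))
        m = re.search(r"header\.d=([\w.-]+)", value)
        if m:
            results.setdefault("dkim_domain", m.group(1).lower())
    return results


def assess(raw: str) -> dict:
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    to_name, _ = parseaddr(msg.get("To", ""))
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    quoted = "\n".join(line for line in body.splitlines() if line.lstrip().startswith(">"))
    is_reply = bool(msg.get("Subject", "").lower().startswith("re:")
                    and (msg.get("References") or msg.get("In-Reply-To")))
    vouched = _domains_in_headers(msg)
    auth = _auth_results(msg)
    findings = {}
    # 1. The display name belongs to someone addressed in the hijacked thread ...
    if is_reply and from_name and re.search(rf"\b{re.escape(from_name)}\b", quoted, re.I):
        findings["name_in_quoted_thread"] = f"display name {from_name!r} is addressed in the quoted thread"
    # 2. ... but has nothing in common with the mailbox that sent the mail.
    local_part = from_addr.partition("@")[0].lower()
    if from_name and not any(tok.lower() in local_part for tok in from_name.split()):
        findings["name_vs_mailbox"] = f"display name {from_name!r} shares nothing with mailbox {from_addr!r}"
    # 3. A link to an archive/document on a host no header vouches for,
    # 4. with the recipient's name worked into the file name.
    surname = to_name.split()[-1].lower() if to_name else ""
    for host, path in URL_RE.findall(body):
        ext = path.rsplit(".", 1)[-1].lower()
        if ext in LURE_EXT and host.lower() not in vouched:
            findings["lure_link"] = f".{ext} file on {host}, a host unrelated to the sender's domains"
            if surname and surname in path.lower():
                findings["personalised_lure"] = f"lure file name contains the recipient's surname {surname!r}"
    # 5. DKIM/SPF/DMARC authenticate the sending account, not the person behind it.
    from_domain = from_addr.rpartition("@")[2].lower()
    if auth.get("dkim") == "pass" and auth.get("dkim_domain") == from_domain and auth.get("dmarc", "none") == "none":
        findings["auth_is_not_authorship"] = ("DKIM passes for the From: domain and DMARC is absent: "
                                             "the mailbox sent it, whoever controls that mailbox")
    return {"is_reply": is_reply, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for key, text in assess(SAMPLE)["findings"].items():
        print(f"{key:24} {text}")
```

None of the five signals is damning on its own; a genuine correspondent can reply from a new address or send a zip. Their combination on a message that passes DKIM is the point: the authentication results are honest about the account that relayed the mail and silent about the infected machine whose archive was harvested, which is why the headers Serge posted cannot point at the member who needs to clean up.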