[swinog] Re: Is AS203790 reading this list? (up-network.ch)
Hi Benoit,

Benoit Panizzon schrieb am Thu, Oct 27, 2022 at 10:45:31AM +0200:
> > Let me guess: You've got an abuse report to your abuse e-mail address
> > about some IP ranges and domains (including up-network.ch) which have
> > no relation to your AS at all?
> >
> > If yes: You're not the only one.
>
> Yes, after the 3rd report, from yet another source we got after I sent
> the email, the joe-job got quite apparent.

Ok, we so far just got one such mail.

> The first report was rather short but could be understood as a report
> about https://dashboard.myrdp.gg/login being a phishing site hosted by
> one of our customers under the IP: 45.158.77.203

Ok, so you actually have a relation to some of the mentioned assets? We don't have any.

> On Tuesday we got 3 more reports from another sender sent to different
> abuse and NOC addresses regarding the same phishing site, not the full
> URL anymore, but a more sensible list of affected IP addresses:
>
> 45.148.119.0/24
> 171.22.147.0/24
> 45.148.116.0/24
> MyRDP.gg
> up-network.ch

That list is actually the same that we got to our abuse address, too.

For reference, here's the relevant part of that weird mail as we received it:

| Date: Tue, 25 Oct 2022 14:59:36 +0200
| From: ab...@cognitive-cloud.com
| To: abuse@[…]
| Subject: Abuse report
| X-Mailer: mail (GNU Mailutils 3.7)
|
| Hello,
|
| We have detected that the AS: "AS203790 - Association UP-NETWORK" is responsible for hosting a phishing campaign targeting French institutions and private banks.
|
| We ask you to stop their service completely, an investigation is in progress
|
| 45.148.119.0/24
| 171.22.147.0/24
| 45.148.116.0/24
| MyRDP.gg
| up-network.ch
|
| You can check all the proof here :
| - https://ipinfo.io/AS203790
|
| =
| 45.148.116.57 macartevitaleameli.fr
| 171.22.147.226 amelicartevitaleverif.com
| 171.22.147.40 assure-cartes.com
| =

[Signature or at least what seems to be a signature stripped]

I assume that most of these mails looked like this one.
> So I guess this is some kind of campaign targeting up-network.

Yes, I interpret this as trying to convince other organisations to block up-network.ch's IP ranges in their AS. Which is kinda weird. First time I see such a request on the abuse address of an unrelated organisation. But it is difficult to say if this is a helpless, but true request or a hostile attack.

Asking to block 3x /24 just because of three phishing sites seems a bit of an overzealous reaction to me, though. This is what blacklists are for.

Regards, Axel

-- 
/~\  Plain Text Ribbon Campaign                   | Axel Beckert
\ /  Say No to HTML in E-Mail and News            | a...@deuxchevaux.org (Mail)
 X   See http://arc.pasp.de/                      | a...@noone.org (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | https://axel.beckert.ch/

___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch
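A first triage step for a report like the one quoted above is to check which of the listed addresses actually fall into your own address space, and whether the "proof" hosts even sit inside the prefixes the report names. This is an added example, not code from the thread or from any of the organisations mentioned; the report text is copied from the quoted mail, while OUR_PREFIXES is a constructed placeholder for the prefixes the receiving AS announces.

```python
"""Abuse-report triage: which reported IPs/prefixes are ours, and are the
'proof' hosts consistent with the prefixes the report lists?"""
import ipaddress
import re

# Sample input constructed from the report quoted in the mail above.
REPORT = """\
45.148.119.0/24
171.22.147.0/24
45.148.116.0/24
MyRDP.gg
up-network.ch

=
45.148.116.57 macartevitaleameli.fr
171.22.147.226 amelicartevitaleverif.com
171.22.147.40 assure-cartes.com
="""

# Hypothetical placeholder: the prefixes the receiving AS really announces.
OUR_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24"]

# Bare IPv4 address, optionally followed by a CIDR prefix length.
NET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\b")


def extract_networks(text):
    """Every IPv4 address or CIDR in the text, in order; hosts become /32."""
    nets = []
    for m in NET_RE.finditer(text):
        try:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
        except ValueError:
            continue  # e.g. an octet > 255: not an address, skip it
    return nets


def ours(text, our_prefixes=OUR_PREFIXES):
    """Split the reported networks into those overlapping our space and the rest."""
    prefixes = [ipaddress.ip_network(p) for p in our_prefixes]
    mine, foreign = [], []
    for net in extract_networks(text):
        (mine if any(net.overlaps(p) for p in prefixes) else foreign).append(str(net))
    return mine, foreign


def hosts_outside_prefixes(text):
    """'Proof' hosts (/32) that lie in none of the prefixes the report itself names."""
    nets = extract_networks(text)
    prefixes = [n for n in nets if n.prefixlen < 32]
    hosts = [n for n in nets if n.prefixlen == 32]
    return [str(h.network_address) for h in hosts
            if not any(h.subnet_of(p) for p in prefixes)]
```

With the placeholder prefixes nothing in the report is ours, which is exactly the situation the thread describes; the second check flags hosts such as the 45.158.77.203 from the first report, which is not covered by any of the three /24s.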
[swinog] Re: Is AS203790 reading this list? (up-network.ch)
Hoi Benoît,

Benoît Panizzon schrieb am Tue, Oct 25, 2022 at 03:53:12PM +0200:
> If so, could you please contact me off-list (attempted your abuse desk
> last week) regarding either a joe-job against your company, or a real
> incident where our customer involved is hiding his IP in our
> network behind cloudflare.

Let me guess: You've got an abuse report to your abuse e-mail address about some IP ranges and domains (including up-network.ch) which have no relation to your AS at all?

If yes: You're not the only one.

Regards, Axel
Re: [swinog] Coop.ch geoblocking?
Hi,

Jeroen Massar schrieb am Tue, Jun 22, 2021 at 08:58:00AM +0200:
> That is a very odd ordering of headers:
>
> > Received: from [136.35.59.161] (port=45371 helo=in3days.org) by
> > cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93) (envelope-from
> > ) id 1lvNEU-00069P-CD for s.d...@protonmail.ch; Mon,
> > 21 Jun 2021 17:57:10 +0100
> > Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com
> > [95.172.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> > (256/256 bits)) (No client certificate requested) by
> > mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW for
> > ; Mon, 21 Jun 2021 18:11:47 + (UTC)
>
> Those normally go the other way around (top one is the newest).

Unfortunately some broken wannabe mail servers reorder them. Most prominent example is that groupware server named Microsoft Exchange which claims to also be a mail server (but fails in many aspects).

> Nevertheless... there are two options for this kind of spam:
>
> - something subscribe(s|d) to the list and just spams directly
> - something parses the mailman archives and spams directly

I suspect a third option and that one is what Serge wrote initially: Someone who was already subscribed to the list for a while caught an Emotet-like malware earlier this year on a client device which reads this list's mail. That malware scraped the infected computer's mail archive and forwarded/exfiltrated it to the malware operators. And now that malware gang replies to these mails to persons in the mail headers with faked real names from other persons also listed in these headers. And since this is about a mail from a mailing list, none of the IPs or e-mail addresses in the headers of the mail forwarded by Serge need to be related to the actually infected host or its owner.

(With non-mailing-list mails it's much easier to figure out the infected host as it's usually a host of either the sender or one of its recipients — unless BCC was used of course.)

> Nothing list-admins or members could do anything about.

Sure. But Serge is nevertheless completely right when he writes:

> > > > It seems there is a SWINOG member who should clean his
> > > > computer.

Exactly: Someone subscribed to this list runs a computer which got infected with an Emotet-like malware which scrapes local mail archives, usually those of Microsoft Outlook.

Regards, Axel
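The "odd ordering" Jeroen points out can be checked mechanically: each Received: header ends with a timestamp after its last ';', and in a sane chain the topmost hop is the newest. The following is an added example, not code from the thread; the sample message is constructed after the headers quoted above (hostnames kept, the elided recipient replaced by a placeholder, and the second header's time zone assumed to be +0000 since it is marked UTC).

```python
"""Flag Received: chains whose timestamps run the wrong way (top should be
newest). Such an inversion means either a reordering MTA or forged headers."""
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the headers quoted in the mail above.
RAW = """\
Received: from [136.35.59.161] (port=45371 helo=in3days.org)
\tby cloudserver2.webbossuk.com with esmtpsa (TLS1.2) (Exim 4.93)
\tid 1lvNEU-00069P-CD for recipient@example.net;
\tMon, 21 Jun 2021 17:57:10 +0100
Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com [95.172.31.250])
\tby mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW;
\tMon, 21 Jun 2021 18:11:47 +0000 (UTC)
From: sender@example.org
Subject: constructed sample

(body omitted)
"""


def received_times(raw):
    """Timestamps of all Received: headers, top to bottom, as aware datetimes."""
    msg = message_from_string(raw)
    times = []
    for hdr in msg.get_all("Received", []):
        # RFC 5321: the date-time is whatever follows the final ';' of the header.
        stamp = " ".join(hdr.rsplit(";", 1)[-1].split())  # unfold whitespace
        times.append(parsedate_to_datetime(stamp))
    return times


def chain_inversions(raw):
    """Indexes i where hop i is *older* than the hop below it (i+1).
    An empty list means the chain is in the normal newest-first order."""
    t = received_times(raw)
    return [i for i in range(len(t) - 1) if t[i] < t[i + 1]]


if __name__ == "__main__":
    for i in chain_inversions(RAW):
        print(f"Received[{i}] predates Received[{i + 1}]: chain is out of order")
```

On the sample this reports the first hop as older than the second (by 1h14m37s once both are normalised to UTC), which is the anomaly discussed in the thread.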
Re: [swinog] Telegram group
Hi,

Ralph Krämer schrieb am Thu, Feb 13, 2020 at 02:46:58AM +0100:
> why telegram and not signal or threema?

Now that's easy to answer:

* Signal refuses connections from forked clients like LibreSignal, i.e. might be "open source", but is not "open".
* Threema is no free software (not even open source) and hence can't be trusted anyway.

But Telegram has issues, too:

* The server-side code is not open source.
* End to end is not default and also cumbersome, because it's device to device, not user to user.

Huge matrix (sic!) comparing features and anti-features of messengers: https://docs.google.com/spreadsheets/d/1-UlA4-tslROBDS9IqHalWVztqZo7uxlCeKPQ-8uoFOU/htmlview

(Yes, someone is comparing — amongst others — privacy features of messengers and hosts it at Google. Via https://mstdn.io/@jomo/10293121889537)

Regards, Axel