Hi,

Jeroen Massar wrote on Tue, Jun 22, 2021 at 08:58:00AM +0200:
> That is a very odd ordering of headers:
> 
> > Received: from [136.35.59.161] (port=45371 helo=in3days.org) by
> >  cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls
> >  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93) (envelope-from
> >  <in3d...@in3days.org>) id 1lvNEU-00069P-CD for s.d...@protonmail.ch; Mon,
> >  21 Jun 2021 17:57:10 +0100
> > Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com
> >  [95.172.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> >  (256/256 bits)) (No client certificate requested) by
> >  mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW for
> >  <s.d...@protonmail.ch>; Mon, 21 Jun 2021 18:11:47 +0000 (UTC)
> 
> Those normally go the other way around (top one is the newest).

Unfortunately, some broken wannabe mail servers reorder them. The most
prominent example is that groupware server named Microsoft Exchange
which claims to also be a mail server (but fails in many aspects).

> Nevertheless... there are two options for this kind of spam:
> 
>  - something subscribe(s|d) to the list and just spams directly
>  - something parses the mailman archives and spams directly

I suspect a third option and that one is what Serge wrote initially:

Someone who was already subscribed to the list for a while caught an
Emotet-like malware earlier this year on a client device which reads
this list's mail. That malware scraped the infected computer's mail
archive and forwarded/exfiltrated it to the malware operators. And now
that malware gang replies to these mails to persons in the mail
headers with faked real names from other persons also listed in these
headers.

And since this is about a mail from a mailing list, none of the IPs or
e-mail addresses in the headers of the mail forwarded by Serge need to
be related to the actually infected host or its owner. (With
non-mailing-list mails it's much easier to figure out the infected
host as it's usually a host of either the sender or one of its
recipients — unless BCC was used of course.)

> Nothing list-admins or members could do anything about.

Sure.

But Serge is nevertheless completely right when he writes:

> > > > It seems there is a SWINOG member who should clean his
> > > > computer.

Exactly: Someone subscribed to this list runs a computer which got
infected with an Emotet-like malware which scrapes local mail
archives, usually those of Microsoft Outlook.

                Regards, Axel
-- 
/~\  Plain Text Ribbon Campaign                   | Axel Beckert
\ /  Say No to HTML in E-Mail and News            | a...@deuxchevaux.org  (Mail)
 X   See http://arc.pasp.de/                      | a...@noone.org (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | http://abe.noone.org/ (Web)


_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
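A check for the header-order anomaly Jeroen points out (Received headers are prepended by each MTA, so the top one should be the newest), written here as an added example and not code from this thread; the two hops, host names, ids and addresses are constructed with documentation ranges and example domains:

```python
import email
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample hops (not from the original mail): HOP_A is the older
# submission hop, HOP_B the newer delivery hop at the receiving MX.
HOP_A = ("Received: from [192.0.2.10] (helo=mail.example.org) by\n"
         " relay.example.net with esmtpsa (Exim 4.93) id 1aaaaa-000000-AA;\n"
         " Mon, 21 Jun 2021 17:57:10 +0100\n")
HOP_B = ("Received: from relay.example.net (relay.example.net [198.51.100.5])\n"
         " by mx.example.com (Postfix) with ESMTPS id AAAAAAAAAA;\n"
         " Mon, 21 Jun 2021 18:11:47 +0000 (UTC)\n")
TAIL = "From: sender@example.org\nTo: list@example.com\nSubject: test\n\nbody\n"

REORDERED = HOP_A + HOP_B + TAIL   # oldest hop on top: the odd ordering
NORMAL = HOP_B + HOP_A + TAIL      # newest hop on top: what MTAs produce


def received_timestamps(raw):
    """Return the timestamps of all Received headers, top to bottom."""
    msg = email.message_from_string(raw, policy=policy.default)
    stamps = []
    for hdr in msg.get_all("Received", []):
        # RFC 5321: the date-time follows the last ';' of a Received clause.
        _, _, date_part = str(hdr).rpartition(";")
        stamps.append(parsedate_to_datetime(date_part.strip()))
    return stamps


def received_order_anomalies(raw):
    """Indexes i where Received header i is OLDER than the one below it.

    In a normally relayed mail this list is empty; a non-empty list means
    some hop (or a rewriting gateway) reordered the trace headers.
    """
    stamps = received_timestamps(raw)
    return [i for i in range(len(stamps) - 1) if stamps[i] < stamps[i + 1]]


if __name__ == "__main__":
    print("reordered sample:", received_order_anomalies(REORDERED))  # [0]
    print("normal sample:   ", received_order_anomalies(NORMAL))     # []
```

The timestamps are compared as offset-aware datetimes, so hops logged in different zones (+0100 vs UTC above) are ordered correctly.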