Hi All,

Apologies for hitting both lists at once. I'm somewhat concerned that cross-posting will cause a massive disturbance in the force. Or the routing table. Or both...

Thanks for the numerous notifications both via E-mail and social media in the past few weeks.

No, I don't have a compromised machine. That would be easy to fix :( I seem to be on a two-weekly cycle of "Hey, let's use this poor sod as the envelope-from address" for these damned messages. However, they are grouped in an interesting way with other known contacts as the From name, and also in the To: line, and I am definitely the common factor.

It appears that a couple of folders of my email (an archive folder, and possibly a 6-month-or-so old inbox) leaked somehow; the current most likely culprit is an older version of the Mail app in Windows 10 that was briefly configured with prt.org mail, but we don't know for certain. What we do know is that it isn't a systemic mail system leak, as it has only affected me, and we'd certainly know about it if other customers had been caught up in it.

If anyone cares, the anatomy of this seems to be:
a) All of these messages have a similar "Fw: New Message" subject line, and are a link to a PHP script, of differing names and differing domains.
b) That PHP script is a one-line redirect to somewhere else (again, this also differs). The one in the mail sent to uknof redirects to contentedmotivation.com
c) One of two things then happens: either you get some spamvertised website, or
d) you get redirected through another one or two sites to a legitimate site - but one presumes some drive-by browser hack has been attempted in the redirection process.

What has staggered me in all of this is that very few mail systems are honouring the SPF records published for the domain. This sort of problem is *the* raison d'etre for SPF, so please, if you don't have it enabled on your domain, turn it on today!

If you know me, and use [email protected], I'll be dropping that address later today as I can't be doing with the >2K overnight bounces that I'm getting weekly (and, of course, all of those helpful MTAs dutifully telling me every 4, 8, 12, 24, 48 hours that my important message has been delayed, but they are diligently still trying. It's 2016, do we really need that as default MTA behaviour now?).

I'll be reverting to <firstname>@prt.org for the time being.

Paul.
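As an added illustration of the SPF check the mail above wishes receiving MTAs would perform (example code added here, not part of the original message and not prt.org's real records): a minimal RFC 7208 check_host() evaluator run against a constructed, in-memory DNS table so it works offline. The domain names, addresses and records (example.org, _spf.mailhost.example, 192.0.2.x, 198.51.100.x, 2001:db8::/32) are all made up for the demonstration. It handles the common mechanisms (ip4, ip6, a, mx, include, all) and the redirect= modifier; macros, CIDR suffixes on a/mx and exp= are left out.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed, offline DNS table.

Demonstrates the check a receiving MTA should run on the envelope-from
(MAIL FROM) domain before accepting mail that claims to come from it.
"""
import ipaddress

# Constructed zone data standing in for real DNS lookups. Assumption:
# these are illustrative records, not the records of any real domain.
FAKE_DNS = {
    ("example.org", "TXT"): ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    ("example.org", "MX"): ["mx1.example.org"],
    ("mx1.example.org", "A"): ["192.0.2.10"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    ("legacy.example", "TXT"): ["v=spf1 redirect=example.org"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in resolver: returns the constructed records for (name, type)."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def get_spf(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def _host_has_ip(host, addr):
    """True if any A/AAAA record of host equals the connecting address."""
    return any(addr == ipaddress.ip_address(a)
               for a in lookup(host, "A") + lookup(host, "AAAA"))


def check_host(ip, domain, depth=0):
    """RFC 7208 check_host(): returns (result, matched_term).

    result is one of pass/fail/softfail/neutral/none/permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; runaway includes are a permerror
        return "permerror", "too many include/redirect levels"
    record = get_spf(domain)
    if record is None:
        return "none", None
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:  # modifier, not a mechanism
            key, _, val = term.partition("=")
            if key.lower() == "redirect":
                redirect = val
            continue  # exp= and unknown modifiers are ignored
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "a":
            matched = _host_has_ip(arg or domain, addr)
        elif name == "mx":
            matched = any(_host_has_ip(mx, addr) for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            sub, _ = check_host(ip, arg, depth + 1)
            matched = sub == "pass"  # include only matches on a pass of the referenced record
        else:
            return "permerror", term  # unknown mechanism (exists:, ptr, macros not supported here)
        if matched:
            return QUALIFIERS[qual], term
    if redirect:  # no mechanism matched: defer to the redirect target's record
        return check_host(ip, redirect, depth + 1)
    return "neutral", None


def spf_for_message(connecting_ip, mail_from):
    """The MTA-side check: evaluate the envelope sender's domain against the peer IP."""
    domain = mail_from.strip("<>").rsplit("@", 1)[-1]
    result, _ = check_host(connecting_ip, domain)
    return result


if __name__ == "__main__":
    # A forged message from an address the domain does not authorise should fail.
    print(spf_for_message("203.0.113.9", "<paul@example.org>"))   # fail
    print(spf_for_message("192.0.2.10", "<paul@example.org>"))    # pass (mx)
```

An MTA that honours a "-all" result here rejects the forged message at SMTP time, which is exactly what stops the backscatter bounces described above from ever being generated.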

