[Systems] Fwd: Re: [Sonic #7314311] [ABUSE] E-mail spam alert (23739548 from 192.184.220.214) re Good Day
Chihurumnaya Ibiam
ibiamchihurumnaya at gmail.com
Mon Nov 20 18:39:28 EST 2023
I've set up authentication properly on weblate using cyrus, and mail
delivery worked, although it might take a while before other mail servers
accept emails from weblate, as we're not in the clear due to the incident
reported by Alex above.
--
Ibiam Chihurumnaya
ibiamchihurumnaya at gmail.com
On Tue, Oct 31, 2023 at 4:34 AM James Cameron <quozl at laptop.org> wrote:
> If it is only weblate that needs port 465, please organise to bind the
> port to listen on the localhost address, that way weblate will be able to
> connect, but outsiders will not.
>
> On Mon, Oct 30, 2023 at 01:41:14PM +0100, Chihurumnaya Ibiam wrote:
> > I've closed all the ports except port 465, as weblate connects using
> > that. Email delivery at the moment doesn't work as expected; like you
> > said, this is seen in the logs, so it might take a while:
> >
> > to=<ibiamchihurumnaya at gmail.com>, relay=gmail-smtp-in.l.google.com
> > [2607:f8b0:4023:c0d::1a]:25, delay=0.99, delays=0.03/0/0.43/0.53,
> > dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com
> > [2607:f8b0:4023:c0d::1a] said: 550-5.7.1 [2001:5a8:601:f::214 19] Our
> > system has detected that this 550-5.7.1 message is likely suspicious due
> > to the very low reputation of the 550-5.7.1 sending domain. To best
> > protect our users from spam, the message has 550-5.7.1 been blocked.
> > Please visit 550 5.7.1 https://support.google.com/mail/answer/188131 for
> > more information. k190-20020a6384c7000000b005b96af23fe6si2917767pgd.284
> > - gsmtp (in reply to end of DATA command))
> >
> > I was using dovecot - which is what's using imap - for authentication
> > with postfix, but it seems we don't need that, so I've uninstalled it.
> >
> > --
> > Ibiam Chihurumnaya
> > ibiamchihurumnaya at gmail.com
> >
> > On Mon, Oct 30, 2023 at 7:10 AM Bernie Innocenti <bernie at codewiz.org> wrote:
> > > Postfix is still listening on port 25 (smtp), 465 (smtps) and 587
> > > (submission). Does Weblate need to receive email? If not, please turn
> > > these off in Postfix's master.cf.
> > >
> > > Ports 143 (imap) and 993 (imaps) are also open. Is this part of
> > > Weblate? If not, can we uninstall the IMAP service?
> > >
> > > % sudo nmap weblate.sugarlabs.org
> > > Not shown: 989 closed tcp ports (reset)
> > > PORT    STATE    SERVICE
> > > 22/tcp  open     ssh
> > > 25/tcp  open     smtp
> > > 135/tcp filtered msrpc
> > > 139/tcp filtered netbios-ssn
> > > 143/tcp open     imap
> > > 443/tcp open     https
> > > 445/tcp filtered microsoft-ds
> > > 465/tcp open     smtps
> > > 587/tcp open     submission
> > > 593/tcp filtered http-rpc-epmap
> > > 993/tcp open     imaps
> > >
> > > On 2023/10/28 10:48, Chihurumnaya Ibiam wrote:
> > > > Changed the password and restarted the containers and nginx.
> > > >
> > > > --
> > > > Ibiam Chihurumnaya
> > > > ibiamchihurumnaya at gmail.com
> > > >
> > > > On Sat, Oct 28, 2023 at 6:35 PM Chihurumnaya Ibiam
> > > > <ibiamchihurumnaya at gmail.com> wrote:
> > > > > Nope, there's no root password.
> > > > >
> > > > > Although weblate itself has a trivial password, I'll change it and
> > > > > update the docker environment file.
> > > > >
> > > > > --
> > > > > Ibiam Chihurumnaya
> > > > > ibiamchihurumnaya at gmail.com
> > > > >
> > > > > On Sat, Oct 28, 2023 at 6:06 PM Bernie Innocenti <bernie at codewiz.org> wrote:
> > > > > > Then it's possible that they guessed the root password.
> > > > > >
> > > > > > Was it something trivial or predictable, like "weblate" or
> > > > > > "sugarlabs"?
> > > > > >
> > > > > > On October 28, 2023 4:49:26 PM UTC, Alex Perez <aperez at alexperez.com> wrote:
> > > > > > > It is definitely listening on a public port, but it is not an
> > > > > > > open relay:
> > > > > > >
> > > > > > > Bernie Innocenti wrote on 10/28/23 9:34 AM:
> > > > > > > > Ibiam, is the SMTP server on weblate listening on a public
> > > > > > > > port?
> > > > > > > >
> > > > > > > > On October 28, 2023 3:22:31 PM UTC, Alex Perez <aperez at alexperez.com> wrote:
> > > > > > > > > FYI. The e-mail being sent from weblate appears to be
> > > > > > > > > incorrectly configured. I don't have time to deal with this
> > > > > > > > > in a timely manner, but perhaps someone else does. The
> > > > > > > > > recipient, johnl at iecc.com, reported they received a
> > > > > > > > > message from our weblate host, which they reported as spam.
> > > > > > > > >
> > > > > > > > > -------- Forwarded Message --------
> > > > > > > > > Subject: Re: [Sonic #7314311] [ABUSE] E-mail spam alert (23739548 from 192.184.220.214) re Good Day
> > > > > > > > > Date: Fri, 27 Oct 2023 16:43:16 -0700
> > > > > > > > > From: Sonic Abuse <abuse at sonic.net>
> > > > > > > > > To: aperez at alexperez.com
> > > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > > Recently a message was sent from your mailbox "root at weblate.sugarlabs.org"
> > > > > > > > > and one of the recipients has reported it as spam. I have included the
> > > > > > > > > original headers below.
> > > > > > > > > If you sent this email, and you believe it was marked as spam incorrectly,
> > > > > > > > > you may want to contact the recipient.
> > > > > > > > > However, if you did not send this email, it is likely that your mailbox
> > > > > > > > > was compromised and needs to be secured.
> > > > > > > > > If you have any questions, you can respond to this email or contact our
> > > > > > > > > customer support department.
> > > > > > > > >
> > > > > > > > > --1698095665.7060_boundary
> > > > > > > > > Content-Type: message/feedback-report
> > > > > > > > >
> > > > > > > > > Feedback-Type: abuse
> > > > > > > > > User-Agent: mspam/1.3
> > > > > > > > > Version: 1
> > > > > > > > > Source-IP: 192.184.220.214
> > > > > > > > > Original-Rcpt-To: johnl at iecc.com
> > > > > > > > > Received-Date: 23 Oct 2023 05:57:47 -0000
> > > > > > > > >
> > > > > > > > > --1698095665.7060_boundary
> > > > > > > > > Content-Type: message/rfc822
> > > > > > > > > Content-Disposition: inline; filename="23739548.eml"
> > > > > > > > >
> > > > > > > > > Return-Path: <root at weblate.sugarlabs.org>
> > > > > > > > > X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on gal.iecc.com
> > > > > > > > > X-Spam-Flag: YES
> > > > > > > > > X-Spam-Level: ****************
> > > > > > > > > X-Spam-Status: Yes, score=16.6 required=4.4 tests=ADVANCE_FEE_3_NEW_FRM_MNY,
> > > > > > > > >  BAYES_50,DEAR_BENEFICIARY,FILL_THIS_FORM,FILL_THIS_FORM_LONG,
> > > > > > > > >  FORM_FRAUD_5,FREEMAIL_FORGED_REPLYTO,HK_SCAM,HTML_MESSAGE,
> > > > > > > > >  LOTS_OF_MONEY,MIME_HTML_ONLY,MIXED_HREF_CASE,MONEY_ATM_CARD,
> > > > > > > > >  MONEY_FRAUD_5,MONEY_FREEMAIL_REPTO,SPF_HELO_PASS,SPF_PASS
> > > > > > > > >  autolearn=spam autolearn_force=no version=4.0.0
> > > > > > > > > X-Spam-Report:
> > > > > > > > >  * -0.0 SPF_PASS SPF: sender matches SPF record
> > > > > > > > >  * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
> > > > > > > > >  *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
> > > > > > > > >  *      [score: 0.4611]
> > > > > > > > >  *  1.6 DEAR_BENEFICIARY BODY: Dear Beneficiary:
> > > > > > > > >  *  0.0 HTML_MESSAGE BODY: HTML included in message
> > > > > > > > >  *  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> > > > > > > > >  *  2.0 MIXED_HREF_CASE Has href in mixed case
> > > > > > > > >  *  1.1 HK_SCAM No description available.
> > > > > > > > >  *  0.0 LOTS_OF_MONEY Huge... sums of money
> > > > > > > > >  *  2.1 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
> > > > > > > > >  *  0.0 FILL_THIS_FORM Fill in a form with personal information
> > > > > > > > >  *  2.0 FILL_THIS_FORM_LONG Fill in a form with personal information
> > > > > > > > >  *  2.5 MONEY_FREEMAIL_REPTO Lots of money from someone using free email?
> > > > > > > > >  *  1.0 MONEY_ATM_CARD Lots of money on an ATM card
> > > > > > > > >  *  2.1 MONEY_FRAUD_5 Lots of money and many fraud phrases
> > > > > > > > >  *  1.0 ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money
> > > > > > > > >  *  0.4 FORM_FRAUD_5 Fill a form and many fraud phrases
> > > > > > > > > Delivered-To: johnl at iecc.com
> > > > > > > > > Received: (qmail 24861 invoked from network); 23 Oct 2023 05:57:47 -0000
> > > > > > > > > Authentication-Results: iecc.com; spf=pass spf.mailfrom=root at weblate.sugarlabs.org
> > > > > > > > >  spf.helo=weblate.sugarlabs.org smtp.remote-ip="192.184.220.214";
> > > > > > > > >  dmarc=pass header.from=weblate.sugarlabs.org polrec.p=quarantine polrec.pct=5
> > > > > > > > > Received: from weblate.sugarlabs.org (weblate.sugarlabs.org [192.184.220.214])
> > > > > > > > >  by mail1.iecc.com ([64.57.183.56])
> > > > > > > > >  with ESMTPS via TCP (port 51298/25) id 720822916
> > > > > > > > >  tls TLS1_3_ECDHE_RSA_AES_256_GCM_AEAD; 23 Oct 2023 05:57:47 -0000
> > > > > > > > > Received: from weblate.sugarlabs.org (60-251-35-90.hinet-ip.hinet.net [60.251.35.90])
> > > > > > > > >  (Authenticated sender: root)
> > > > > > > > >  by weblate.sugarlabs.org (Postfix) with ESMTPSA id 879DA68732
> > > > > > > > >  for <johnl at iecc.com>; Sun, 22 Oct 2023 22:50:32 -0700 (PDT)
> > > > > > > > > Reply-To: olivera4good at gmail.com
> > > > > > > > > From: Info <root at weblate.sugarlabs.org>
> > > > > > > > > To: johnl at iecc.com
> > > > > > > > > Subject: Good Day
> > > > > > > > > Date: 23 Oct 2023 13:50:34 +0800
> > > > > > > > > Message-ID: <20231023135034.F8EDC8E49D7FE2C7 at weblate.sugarlabs.org>
> > > > > > > > > MIME-Version: 1.0
> > > > > > > > > Content-Type: text/html; charset="iso-8859-1"
> > > > > > > > > Content-Transfer-Encoding: quoted-printable
> > > > > > > > > X-DCC-iecc-Metrics: gal.iecc.com 1107; Body=1 Fuz1=1 Fuz2=1
> > > > > > > > > X-Tag: tagged by spamassassin
> > > > > > > > >
> > > > > > > > > Logan P.
> > > > > > > > > support at sonic.net
> > > > > > > > > Sonic.net Support
> > > > > > > > > 1.855.394.0100 (Tech Support)
> > > > > > > > > 1.707.547.2199 (FAX)
> > > > > > > > > http://sonic.com/support
> > > > > > > > >
> > > > > > > > > Sonic LLC
> > > > > > > > > 2260 Apollo Way
> > > > > > > > > Santa Rosa, CA 95407
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Sent with K-9 Mail.
> > > > > > >
> > > > > > > --
> > > > > > > Sent with K-9 Mail.
> > > > > > > _______________________________________________
> > > > > > > Systems mailing list
> > > > > > > Systems at lists.sugarlabs.org
> > > > > > > http://lists.sugarlabs.org/listinfo/systems
> > >
> > > --
> > >  _ // Bernie Innocenti
> > >  \X/  https://codewiz.org/
>
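A defender-side check for the pattern in the forwarded headers, as an added example that is not code from the thread, from Weblate or from Postfix: it parses the Received chain, flags authenticated (ESMTPSA) submissions whose client address lies outside an assumed loopback allow-list (the localhost-only setup James proposes), and reports a Reply-To domain that differs from From. The sample headers are reconstructed from the abuse report above with the archive's " at " obfuscation turned back into "@".

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the relevant headers from the forwarded abuse report,
# unfolded, with the archive's " at " obfuscation turned back into "@".
SAMPLE = """\
Received: from weblate.sugarlabs.org (weblate.sugarlabs.org [192.184.220.214]) by mail1.iecc.com ([64.57.183.56]) with ESMTPS via TCP (port 51298/25) id 720822916; 23 Oct 2023 05:57:47 -0000
Received: from weblate.sugarlabs.org (60-251-35-90.hinet-ip.hinet.net [60.251.35.90]) (Authenticated sender: root) by weblate.sugarlabs.org (Postfix) with ESMTPSA id 879DA68732 for <johnl@iecc.com>; Sun, 22 Oct 2023 22:50:32 -0700 (PDT)
Reply-To: olivera4good@gmail.com
From: Info <root@weblate.sugarlabs.org>
To: johnl@iecc.com
Subject: Good Day

(body omitted)
"""

# Assumption: Weblate is the only legitimate submitter and reaches Postfix
# over the loopback address, as proposed in the thread.
ALLOWED_SUBMITTERS = ("127.0.0.0/8", "::1/128")

# Postfix records "(client-name [ip]) (Authenticated sender: user)" on a hop
# only when the client logged in with SASL, so the phrase marks submissions.
AUTH_HOP_RE = re.compile(
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s*\(Authenticated sender: (?P<user>[^)]+)\)")

def find_authenticated_submissions(raw):
    """(user, client_ip) for every Received hop that records a SASL login."""
    msg = message_from_string(raw)
    hits = []
    for hop in msg.get_all("Received", []):
        m = AUTH_HOP_RE.search(" ".join(hop.split()))  # undo header folding
        if m:
            hits.append((m.group("user"), m.group("ip")))
    return hits

def suspicious_submitters(raw, allowed=ALLOWED_SUBMITTERS):
    """Authenticated submissions whose client lies outside the allowed nets."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    return [(user, ip) for user, ip in find_authenticated_submissions(raw)
            if not any(ipaddress.ip_address(ip) in net for net in nets)]

def reply_to_domain_mismatch(raw):
    """True when Reply-To uses a different domain than From, the pattern
    SpamAssassin scored above as FREEMAIL_FORGED_REPLYTO."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    return bool(reply) and reply != sender
```

Run over a mail log's outbound messages, the first function gives the list of SASL logins to compare against the accounts that should exist; the second turns the hinet.net hop in this report into an alert.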