[Systems] Fwd: Re: [Sonic #7314311] [ABUSE] E-mail spam alert (23739548 from 192.184.220.214) re Good Day

Bernie Innocenti bernie at codewiz.org
Mon Oct 30 02:10:36 EDT 2023


Postfix is still listening on port 25 (smtp), 465 (smtps) and 587 
(submission). Does Weblate need to receive email? If not, please turn 
these off in Postfix's master.cf.

Ports 143 (imap) and 993 (imaps) are also open. Is this part of Weblate? 
If not, can we uninstall the IMAP service?


% sudo nmap weblate.sugarlabs.org
Not shown: 989 closed tcp ports (reset)
PORT    STATE    SERVICE
22/tcp  open     ssh
25/tcp  open     smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open     imap
443/tcp open     https
445/tcp filtered microsoft-ds
465/tcp open     smtps
587/tcp open     submission
593/tcp filtered http-rpc-epmap
993/tcp open     imaps


On 2023/10/28 10:48, Chihurumnaya Ibiam wrote:
> Changed the password and restarted the containers and nginx.
> 
> -- 
> 
> Ibiam Chihurumnaya
> ibiamchihurumnaya at gmail.com
> 
> 
> 
> 
> On Sat, Oct 28, 2023 at 6:35 PM Chihurumnaya Ibiam
> <ibiamchihurumnaya at gmail.com> wrote:
> 
>     Nope, there's no root password.
> 
>     Although weblate itself has a trivial password, I'll change it and
>     update the docker environment file.
> 
>     -- 
> 
>     Ibiam Chihurumnaya
>     ibiamchihurumnaya at gmail.com
> 
> 
> 
> 
>     On Sat, Oct 28, 2023 at 6:06 PM Bernie Innocenti
>     <bernie at codewiz.org> wrote:
> 
>         Then it's possible that they guessed the root password.
> 
>         Was it something trivial or predictable, like "weblate" or
>         "sugarlabs"?
> 
> 
>         On October 28, 2023 4:49:26 PM UTC, Alex Perez
>         <aperez at alexperez.com> wrote:
> 
>             It is definitely listening on a public port, but it is not
>             an open relay:
> 
> 
> 
>             Bernie Innocenti wrote on 10/28/23 9:34 AM:
>>             Ibiam, is the SMTP server on weblate listening on a public
>>             port?
>>
>>
>>             On October 28, 2023 3:22:31 PM UTC, Alex Perez
>>             <aperez at alexperez.com> wrote:
>>
>>                 FYI. The e-mail being sent from weblate appears to be
>>                 incorrectly configured. I don't have time to deal with
>>                 this in a timely manner, but perhaps someone else
>>                 does.  The recipient, johnl at iecc.com, reported they received a
>>                 message from our weblate host, which they reported as
>>                 spam.
>>
>>
>>                 -------- Forwarded Message --------
>>                 Subject: 	Re: [Sonic #7314311] [ABUSE] E-mail spam
>>                 alert (23739548 from 192.184.220.214) re Good Day
>>                 Date: 	Fri, 27 Oct 2023 16:43:16 -0700
>>                 From: 	Sonic Abuse <abuse at sonic.net>
>>                 To: 	aperez at alexperez.com
>>
>>
>>
>>                 Hello,
>>                 Recently a message was sent from your mailbox "root at weblate.sugarlabs.org" and one of the receipts has reported it as spam. I have included the original headers below.
>>                 If you sent this email, and you believe it was marked as spam incorrectly, you may want to contact the recipient.
>>                 However if you did not send this email, it is likely that your mailbox was compromised and needs to be secured.
>>                 If you have any questions, you can respond to this email or contact our customer support department.
>>
>>                 --1698095665.7060_boundary
>>                 Content-Type: message/feedback-report
>>
>>                 Feedback-Type: abuse
>>                 User-Agent: mspam/1.3
>>                 Version: 1
>>                 Source-IP: 192.184.220.214
>>                 Original-Rcpt-To: johnl at iecc.com
>>                 Received-Date: 23 Oct 2023 05:57:47 -0000
>>
>>                 --1698095665.7060_boundary
>>                 Content-Type: message/rfc822
>>                 Content-Disposition: inline; filename="23739548.eml"
>>
>>                 Return-Path: <root at weblate.sugarlabs.org>
>>                 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on gal.iecc.com
>>                 X-Spam-Flag: YES
>>                 X-Spam-Level: ****************
>>                 X-Spam-Status: Yes, score=16.6 required=4.4 tests=ADVANCE_FEE_3_NEW_FRM_MNY,
>>                 	BAYES_50,DEAR_BENEFICIARY,FILL_THIS_FORM,FILL_THIS_FORM_LONG,
>>                 	FORM_FRAUD_5,FREEMAIL_FORGED_REPLYTO,HK_SCAM,HTML_MESSAGE,
>>                 	LOTS_OF_MONEY,MIME_HTML_ONLY,MIXED_HREF_CASE,MONEY_ATM_CARD,
>>                 	MONEY_FRAUD_5,MONEY_FREEMAIL_REPTO,SPF_HELO_PASS,SPF_PASS
>>                 	autolearn=spam autolearn_force=no version=4.0.0
>>                 X-Spam-Report:
>>                 	* -0.0 SPF_PASS SPF: sender matches SPF record
>>                 	* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
>>                 	*  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
>>                 	*      [score: 0.4611]
>>                 	*  1.6 DEAR_BENEFICIARY BODY: Dear Beneficiary:
>>                 	*  0.0 HTML_MESSAGE BODY: HTML included in message
>>                 	*  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>>                 	*  2.0 MIXED_HREF_CASE Has href in mixed case
>>                 	*  1.1 HK_SCAM No description available.
>>                 	*  0.0 LOTS_OF_MONEY Huge... sums of money
>>                 	*  2.1 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
>>                 	*  0.0 FILL_THIS_FORM Fill in a form with personal information
>>                 	*  2.0 FILL_THIS_FORM_LONG Fill in a form with personal information
>>                 	*  2.5 MONEY_FREEMAIL_REPTO Lots of money from someone using free email?
>>                 	*  1.0 MONEY_ATM_CARD Lots of money on an ATM card
>>                 	*  2.1 MONEY_FRAUD_5 Lots of money and many fraud phrases
>>                 	*  1.0 ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money
>>                 	*  0.4 FORM_FRAUD_5 Fill a form and many fraud phrases
>>                 Delivered-To: johnl at iecc.com
>>                 Received: (qmail 24861 invoked from network); 23 Oct 2023 05:57:47 -0000
>>                 Authentication-Results: iecc.com; spf=pass spf.mailfrom=root at weblate.sugarlabs.org spf.helo=weblate.sugarlabs.org smtp.remote-ip="192.184.220.214"; dmarc=pass header.from=weblate.sugarlabs.org polrec.p=quarantine polrec.pct=5
>>                 Received: from weblate.sugarlabs.org (weblate.sugarlabs.org [192.184.220.214])
>>                    by mail1.iecc.com ([64.57.183.56])
>>                    with ESMTPS via TCP (port 51298/25) id 720822916
>>                    tls TLS1_3_ECDHE_RSA_AES_256_GCM_AEAD; 23 Oct 2023 05:57:47 -0000
>>                 Received: from weblate.sugarlabs.org (60-251-35-90.hinet-ip.hinet.net [60.251.35.90])
>>                 	(Authenticated sender: root)
>>                 	by weblate.sugarlabs.org (Postfix) with ESMTPSA id 879DA68732
>>                 	for <johnl at iecc.com>; Sun, 22 Oct 2023 22:50:32 -0700 (PDT)
>>                 Reply-To: olivera4good at gmail.com
>>                 From: Info <root at weblate.sugarlabs.org>
>>                 To: johnl at iecc.com
>>                 Subject: Good Day
>>                 Date: 23 Oct 2023 13:50:34 +0800
>>                 Message-ID: <20231023135034.F8EDC8E49D7FE2C7 at weblate.sugarlabs.org>
>>                 MIME-Version: 1.0
>>                 Content-Type: text/html;
>>                 	charset="iso-8859-1"
>>                 Content-Transfer-Encoding: quoted-printable
>>                 X-DCC-iecc-Metrics: gal.iecc.com 1107; Body=1 Fuz1=1 Fuz2=1
>>                 X-Tag: tagged by spamassassin
>>
>>                 Logan P.
>>
>>                 support at sonic.net                     Sonic LLC
>>                 Sonic.net Support                     2260 Apollo Way
>>                 1.855.394.0100 (Tech Support)         Santa Rosa, CA 95407
>>                 1.707.547.2199 (FAX)                  http://sonic.com/support
>>
>>             -- 
>>             Sent with K-9 Mail.
> 
>         -- 
>         Sent with K-9 Mail.
>         _______________________________________________
>         Systems mailing list
>         Systems at lists.sugarlabs.org
>         http://lists.sugarlabs.org/listinfo/systems
> 
> 
> _______________________________________________
> Systems mailing list
> Systems at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/systems

-- 
_ // Bernie Innocenti
\X/  https://codewiz.org/
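
The Received header quoted in the thread shows the spam entering Postfix over an authenticated session ("Authenticated sender: root") from 60.251.35.90. As an added example that is not part of the original message, this Python script scans Postfix smtpd log lines for SASL logins by system accounts or from untrusted addresses; the log lines are constructed, and the trusted networks and account list are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in Postfix smtpd log format. The queue ID, client host
# and IP of the first entry come from the Received header quoted in the
# thread; every other value is made up for illustration.
SAMPLE_LOG = """\
Oct 22 22:50:32 weblate postfix/smtpd[2101]: 879DA68732: client=60-251-35-90.hinet-ip.hinet.net[60.251.35.90], sasl_method=LOGIN, sasl_username=root
Oct 22 22:51:02 weblate postfix/smtpd[2101]: 8A1B2C3D4E: client=60-251-35-90.hinet-ip.hinet.net[60.251.35.90], sasl_method=LOGIN, sasl_username=root
Oct 22 23:05:10 weblate postfix/smtpd[2140]: 9F00AA1122: client=localhost[127.0.0.1]
Oct 22 23:07:44 weblate postfix/smtpd[2144]: 9F00AA1133: client=unknown[172.17.0.3], sasl_method=PLAIN, sasl_username=weblate
"""

# Assumptions: authenticated submission is only expected from loopback and
# the Docker bridge range, and system accounts should never log in over SMTP.
TRUSTED_NETS = [ip_network("127.0.0.0/8"), ip_network("172.17.0.0/16")]
SYSTEM_ACCOUNTS = {"root", "postfix", "www-data", "nobody"}

# Matches only lines that record a SASL-authenticated client.
AUTH_RE = re.compile(
    r"postfix/[\w/]+\[\d+\]: (?P<qid>\w+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r".*?sasl_username=(?P<user>[^,\s]+)"
)

def suspicious_auth(log_text):
    """Return {(user, ip): [queue IDs]} for SASL logins worth investigating."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # unauthenticated connection or unrelated log line
        ip = ip_address(m["ip"])
        trusted = any(ip in net for net in TRUSTED_NETS)
        # Flag system accounts from anywhere, and any account from outside.
        if m["user"] in SYSTEM_ACCOUNTS or not trusted:
            hits[(m["user"], m["ip"])].append(m["qid"])
    return dict(hits)

if __name__ == "__main__":
    for (user, ip), qids in suspicious_auth(SAMPLE_LOG).items():
        print(f"{user} authenticated from {ip}: {len(qids)} message(s), queue IDs {qids}")
```

The returned queue IDs can be matched against the remaining log entries for the same ID to list the recipients of each message.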


