[Systems] Fwd: Re: [Sonic #7314311] [ABUSE] E-mail spam alert (23739548 from 192.184.220.214) re Good Day

Chihurumnaya Ibiam ibiamchihurumnaya at gmail.com
Mon Oct 30 08:41:14 EDT 2023


I've closed all the ports except port 465, as weblate connects using that.
Email delivery at the moment doesn't work as expected; as you said, this is
seen in the logs, so it might take a while:

to=<ibiamchihurumnaya at gmail.com>,
relay=gmail-smtp-in.l.google.com[2607:f8b0:4023:c0d::1a]:25,
delay=0.99, delays=0.03/0/0.43/0.53, dsn=5.7.1, status=bounced (host
gmail-smtp-in.l.google.com[2607:f8b0:4023:c0d::1a] said: 550-5.7.1
[2001:5a8:601:f::214      19] Our system has detected that this 550-5.7.1
message is likely suspicious due to the very low reputation of the
550-5.7.1 sending domain. To best protect our users from spam, the message
has 550-5.7.1 been blocked. Please visit 550 5.7.1
https://support.google.com/mail/answer/188131 for more information.
k190-20020a6384c7000000b005b96af23fe6si2917767pgd.284 - gsmtp (in reply to
end of DATA command))

I was using dovecot - which is what was using imap - for authentication with
postfix, but it seems we don't need that, so I've uninstalled it.

-- 

Ibiam Chihurumnaya
ibiamchihurumnaya at gmail.com




On Mon, Oct 30, 2023 at 7:10 AM Bernie Innocenti <bernie at codewiz.org> wrote:

> Postfix is still listening on port 25 (smtp), 465 (smtps) and 587
> (submission). Does Weblate need to receive email? If not, please turn
> these off in Postfix's master.cf.
>
> Ports 143 (imap) and 993 (imaps) are also open. Is this part of Weblate?
> If not, can we uninstall the IMAP service?
>
>
> % sudo nmap weblate.sugarlabs.org
> Not shown: 989 closed tcp ports (reset)
> PORT    STATE    SERVICE
> 22/tcp  open     ssh
> 25/tcp  open     smtp
> 135/tcp filtered msrpc
> 139/tcp filtered netbios-ssn
> 143/tcp open     imap
> 443/tcp open     https
> 445/tcp filtered microsoft-ds
> 465/tcp open     smtps
> 587/tcp open     submission
> 593/tcp filtered http-rpc-epmap
> 993/tcp open     imaps
>
>
> On 2023/10/28 10:48, Chihurumnaya Ibiam wrote:
> > Changed the password and restarted the containers and nginx.
> >
> > --
> >
> > Ibiam Chihurumnaya
> > ibiamchihurumnaya at gmail.com
> >
> >
> >
> >
> > On Sat, Oct 28, 2023 at 6:35 PM Chihurumnaya Ibiam
> > <ibiamchihurumnaya at gmail.com> wrote:
> >
> >     Nope, there's no root password.
> >
> >     Although weblate itself has a trivial password, I'll change it and
> >     update the docker environment file.
> >
> >     --
> >
> >     Ibiam Chihurumnaya
> >     ibiamchihurumnaya at gmail.com
> >
> >
> >
> >
> >     On Sat, Oct 28, 2023 at 6:06 PM Bernie Innocenti <bernie at codewiz.org>
> >     wrote:
> >
> >         Then it's possible that they guessed the root password.
> >
> >         Was it something trivial or predictable, like "weblate" or
> >         "sugarlabs"?
> >
> >
> >         On October 28, 2023 4:49:26 PM UTC, Alex Perez
> >         <aperez at alexperez.com> wrote:
> >
> >             It is definitely listening on a public port, but it is not
> >             an open relay:
> >
> >
> >
> >             Bernie Innocenti wrote on 10/28/23 9:34 AM:
> >>             Ibiam, is the SMTP server on weblate listening on a public
> >>             port?
> >>
> >>
> >>             On October 28, 2023 3:22:31 PM UTC, Alex Perez
> >>             <aperez at alexperez.com> wrote:
> >>
> >>                 FYI. The e-mail being sent from weblate appears to be
> >>                 incorrectly configured. I don't have time to deal with
> >>                 this in a timely manner, but perhaps someone else
> >>                 does. The recipient, johnl at iecc.com, reported they
> >>                 received a message from our weblate host, which they
> >>                 reported as spam.
> >>
> >>
> >>                 -------- Forwarded Message --------
> >>                 Subject:     Re: [Sonic #7314311] [ABUSE] E-mail spam
> >>                 alert (23739548 from 192.184.220.214) re Good Day
> >>                 Date:        Fri, 27 Oct 2023 16:43:16 -0700
> >>                 From:        Sonic Abuse <abuse at sonic.net>
> >>                 <mailto:abuse at sonic.net>
> >>                 To:  aperez at alexperez.com <mailto:aperez at alexperez.com>
> >>
> >>
> >>
> >>                 Hello,
> >>                 Recently a message was sent from your mailbox
> >>                 "root at weblate.sugarlabs.org" and one of the recipients
> >>                 has reported it as spam. I have included the original
> >>                 headers below.
> >>                 If you sent this email, and you believe it was marked
> >>                 as spam incorrectly, you may want to contact the recipient.
> >>                 However if you did not send this email, it is likely
> >>                 that your mailbox was compromised and needs to be secured.
> >>                 If you have any questions, you can respond to this
> >>                 email or contact our customer support department.
> >>
> >>                 --1698095665.7060_boundary
> >>                 Content-Type: message/feedback-report
> >>
> >>                 Feedback-Type: abuse
> >>                 User-Agent: mspam/1.3
> >>                 Version: 1
> >>                 Source-IP: 192.184.220.214
> >>                 Original-Rcpt-To: johnl at iecc.com
> >>                 Received-Date: 23 Oct 2023 05:57:47 -0000
> >>
> >>                 --1698095665.7060_boundary
> >>                 Content-Type: message/rfc822
> >>                 Content-Disposition: inline; filename="23739548.eml"
> >>
> >>                 Return-Path: <root at weblate.sugarlabs.org>
> >>                 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on gal.iecc.com
> >>                 X-Spam-Flag: YES
> >>                 X-Spam-Level: ****************
> >>                 X-Spam-Status: Yes, score=16.6 required=4.4 tests=ADVANCE_FEE_3_NEW_FRM_MNY,
> >>                      BAYES_50,DEAR_BENEFICIARY,FILL_THIS_FORM,FILL_THIS_FORM_LONG,
> >>                      FORM_FRAUD_5,FREEMAIL_FORGED_REPLYTO,HK_SCAM,HTML_MESSAGE,
> >>                      LOTS_OF_MONEY,MIME_HTML_ONLY,MIXED_HREF_CASE,MONEY_ATM_CARD,
> >>                      MONEY_FRAUD_5,MONEY_FREEMAIL_REPTO,SPF_HELO_PASS,SPF_PASS
> >>                      autolearn=spam autolearn_force=no version=4.0.0
> >>                 X-Spam-Report:
> >>                      * -0.0 SPF_PASS SPF: sender matches SPF record
> >>                      * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
> >>                      *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
> >>                      *      [score: 0.4611]
> >>                      *  1.6 DEAR_BENEFICIARY BODY: Dear Beneficiary:
> >>                      *  0.0 HTML_MESSAGE BODY: HTML included in message
> >>                      *  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> >>                      *  2.0 MIXED_HREF_CASE Has href in mixed case
> >>                      *  1.1 HK_SCAM No description available.
> >>                      *  0.0 LOTS_OF_MONEY Huge... sums of money
> >>                      *  2.1 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
> >>                      *  0.0 FILL_THIS_FORM Fill in a form with personal information
> >>                      *  2.0 FILL_THIS_FORM_LONG Fill in a form with personal information
> >>                      *  2.5 MONEY_FREEMAIL_REPTO Lots of money from someone using free email?
> >>                      *  1.0 MONEY_ATM_CARD Lots of money on an ATM card
> >>                      *  2.1 MONEY_FRAUD_5 Lots of money and many fraud phrases
> >>                      *  1.0 ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money
> >>                      *  0.4 FORM_FRAUD_5 Fill a form and many fraud phrases
> >>                 Delivered-To: johnl at iecc.com
> >>                 Received: (qmail 24861 invoked from network); 23 Oct 2023 05:57:47 -0000
> >>                 Authentication-Results: iecc.com; spf=pass spf.mailfrom=root at weblate.sugarlabs.org
> >>                      spf.helo=weblate.sugarlabs.org smtp.remote-ip="192.184.220.214";
> >>                      dmarc=pass header.from=weblate.sugarlabs.org polrec.p=quarantine polrec.pct=5
> >>                 Received: from weblate.sugarlabs.org (weblate.sugarlabs.org [192.184.220.214])
> >>                    by mail1.iecc.com ([64.57.183.56])
> >>                    with ESMTPS via TCP (port 51298/25) id 720822916
> >>                    tls TLS1_3_ECDHE_RSA_AES_256_GCM_AEAD; 23 Oct 2023 05:57:47 -0000
> >>                 Received: from weblate.sugarlabs.org (60-251-35-90.hinet-ip.hinet.net [60.251.35.90])
> >>                      (Authenticated sender: root)
> >>                      by weblate.sugarlabs.org (Postfix) with ESMTPSA id 879DA68732
> >>                      for <johnl at iecc.com>; Sun, 22 Oct 2023 22:50:32 -0700 (PDT)
> >>                 Reply-To: olivera4good at gmail.com
> >>                 From: Info <root at weblate.sugarlabs.org>
> >>                 To: johnl at iecc.com
> >>                 Subject: Good Day
> >>                 Date: 23 Oct 2023 13:50:34 +0800
> >>                 Message-ID: <20231023135034.F8EDC8E49D7FE2C7 at weblate.sugarlabs.org>
> >>                 MIME-Version: 1.0
> >>                 Content-Type: text/html;
> >>                      charset="iso-8859-1"
> >>                 Content-Transfer-Encoding: quoted-printable
> >>                 X-DCC-iecc-Metrics: gal.iecc.com 1107; Body=1 Fuz1=1 Fuz2=1
> >>                 X-Tag: tagged by spamassassin
> >>
> >>                 Logan P.
> >>                 Sonic.net Support
> >>                 support at sonic.net
> >>                 1.855.394.0100 (Tech Support)
> >>                 1.707.547.2199 (FAX)
> >>                 http://sonic.com/support
> >>
> >>                 Sonic LLC
> >>                 2260 Apollo Way
> >>                 Santa Rosa, CA 95407
> >>
> >>             --
> >>             Sent with K-9 Mail.
> >
> >         --
> >         Sent with K-9 Mail.
> >         _______________________________________________
> >         Systems mailing list
> >         Systems at lists.sugarlabs.org
> >         http://lists.sugarlabs.org/listinfo/systems
> >
> >
>
> --
> _ // Bernie Innocenti
> \X/  https://codewiz.org/
>
>
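The Received chain quoted in the abuse report above is what gives the incident away: Postfix on weblate.sugarlabs.org recorded "(Authenticated sender: root)" for a submission arriving from 60.251.35.90 (a hinet.net address), not from the host's own containers, and the Reply-To points at a freemail address while From claims to be the host. The Python script below is an added example, not part of this thread or of the Sugar Labs systems tooling. It unfolds the headers of a reported message, flags every authenticated hop whose client address lies outside the networks from which our own services are expected to submit mail, and checks the Reply-To/From domain mismatch. The sample message is constructed from the header lines quoted above (addresses written with "@", body omitted); the trusted-network list (the host's own address plus loopback) is an assumption made for this example.

```python
import ipaddress
import re

# Constructed sample: the header lines quoted in the abuse report on this page,
# with addresses written in their normal form and the message body omitted.
SAMPLE_MESSAGE = """\
Return-Path: <root@weblate.sugarlabs.org>
Received: from weblate.sugarlabs.org (weblate.sugarlabs.org [192.184.220.214])
    by mail1.iecc.com ([64.57.183.56])
    with ESMTPS via TCP (port 51298/25) id 720822916
    tls TLS1_3_ECDHE_RSA_AES_256_GCM_AEAD; 23 Oct 2023 05:57:47 -0000
Received: from weblate.sugarlabs.org (60-251-35-90.hinet-ip.hinet.net [60.251.35.90])
    (Authenticated sender: root)
    by weblate.sugarlabs.org (Postfix) with ESMTPSA id 879DA68732
    for <johnl@iecc.com>; Sun, 22 Oct 2023 22:50:32 -0700 (PDT)
Reply-To: olivera4good@gmail.com
From: Info <root@weblate.sugarlabs.org>
To: johnl@iecc.com
Subject: Good Day
Message-ID: <20231023135034.F8EDC8E49D7FE2C7@weblate.sugarlabs.org>

(body omitted)
"""

# Assumption for this example: the Weblate containers on the host itself are the
# only legitimate SMTP AUTH clients, so any other source address is suspect.
TRUSTED_SUBMISSION_NETWORKS = ("192.184.220.214/32", "127.0.0.0/8", "::1/128")

# "from <helo> (<rdns> [<ip>]) [(Authenticated sender: <user>)] by <host> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"(?:\s+\(Authenticated sender:\s+(?P<auth>[^)]+)\))?"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_headers(raw_message):
    """Return (name, value) pairs from the header block, with folding undone."""
    header_block = raw_message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_block)
    pairs = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def parse_received(value):
    """Extract client host/IP, optional SASL user and receiving host from a hop."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {"helo": m["helo"], "client_rdns": m["rdns"], "client_ip": m["ip"],
            "auth_user": m["auth"], "by": m["by"]}  # auth_user is None without a login


def find_foreign_authenticated_hops(raw_message, trusted=TRUSTED_SUBMISSION_NETWORKS):
    """Hops where valid credentials were used from outside the trusted networks.

    A hit is the signature of an account being abused to relay mail: the server
    accepted a login (here as root) from an address it should never have seen.
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = []
    for name, value in parse_headers(raw_message):
        if name.lower() != "received":
            continue
        hop = parse_received(value)
        if hop is None or hop["auth_user"] is None:
            continue
        ip = ipaddress.ip_address(hop["client_ip"])
        if not any(ip in net for net in nets):  # an IPv4 address is never in an IPv6 net
            hits.append(hop)
    return hits


def reply_to_mismatch(raw_message):
    """True when Reply-To points at a different domain than From, the pattern
    behind SpamAssassin's FREEMAIL_FORGED_REPLYTO rule in the report above."""
    headers = dict(parse_headers(raw_message))

    def domain(addr):
        m = re.search(r"@([\w.-]+)", addr)
        return m[1].lower() if m else None

    sender, reply = domain(headers.get("From", "")), domain(headers.get("Reply-To", ""))
    return reply is not None and reply != sender


if __name__ == "__main__":
    for hop in find_foreign_authenticated_hops(SAMPLE_MESSAGE):
        print(f"login as {hop['auth_user']!r} from {hop['client_ip']} "
              f"({hop['client_rdns']}) accepted by {hop['by']}")
    print("Reply-To domain differs from From:", reply_to_mismatch(SAMPLE_MESSAGE))
```

A hit from this check is the point at which to treat the account as compromised rather than the mail as merely misconfigured: the thread's own response (changing the password and removing listeners the service does not need) follows directly from it. The same parse_received() can be run over any other message a feedback loop hands back, since it keys only on the Received syntax Postfix writes.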