[Systems] Fwd: Re: [Sonic #7314311] [ABUSE] E-mail spam alert (23739548 from 192.184.220.214) re Good Day

James Cameron quozl at laptop.org
Mon Oct 30 23:34:34 EDT 2023


If it is only weblate that needs port 465, please organise to bind the port to listen on the localhost address; that way weblate will be able to connect, but outsiders will not.

On Mon, Oct 30, 2023 at 01:41:14PM +0100, Chihurumnaya Ibiam wrote:
> I've closed all the ports except port 465, as weblate connects using that. Email
> delivery at the moment doesn't work as expected; like you said, this is seen in
> the logs, so it might take a while:
> 
> to=<ibiamchihurumnaya at gmail.com>, relay=gmail-smtp-in.l.google.com
> [2607:f8b0:4023:c0d::1a]:25, delay=0.99, delays=0.03/0/0.43/0.53, dsn=5.7.1,
> status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:4023:c0d::1a]
> said: 550-5.7.1 [2001:5a8:601:f::214      19] Our system has detected that this
> 550-5.7.1 message is likely suspicious due to the very low reputation of the
> 550-5.7.1 sending domain. To best protect our users from spam, the message has
> 550-5.7.1 been blocked. Please visit 550 5.7.1  https://support.google.com/
> mail/answer/188131 for more information.
> k190-20020a6384c7000000b005b96af23fe6si2917767pgd.284 - gsmtp (in reply to end
> of DATA command))
> 
> I was using dovecot - which is what's using imap -  for authentication with
> postfix but it seems we don't need that so I've uninstalled it.
> 
> --
> 
> Ibiam Chihurumnaya
> ibiamchihurumnaya at gmail.com
> 
> On Mon, Oct 30, 2023 at 7:10 AM Bernie Innocenti <bernie at codewiz.org> wrote:
> 
>     Postfix is still listening on port 25 (smtp), 465 (smtps) and 587
>     (submission). Does Weblate need to receive email? If not, please turn
>     these off in Postfix's master.cf.
> 
>     Ports 143 (imap) and 993 (imaps) are also open. Is this part of Weblate?
>     If not, can we uninstall the IMAP service?
> 
>     % sudo nmap weblate.sugarlabs.org
>     Not shown: 989 closed tcp ports (reset)
>     PORT    STATE    SERVICE
>     22/tcp  open     ssh
>     25/tcp  open     smtp
>     135/tcp filtered msrpc
>     139/tcp filtered netbios-ssn
>     143/tcp open     imap
>     443/tcp open     https
>     445/tcp filtered microsoft-ds
>     465/tcp open     smtps
>     587/tcp open     submission
>     593/tcp filtered http-rpc-epmap
>     993/tcp open     imaps
> 
>     On 2023/10/28 10:48, Chihurumnaya Ibiam wrote:
>     > Changed the password and restarted the containers and nginx.
>     >
>     > --
>     >
>     > Ibiam Chihurumnaya
>     > ibiamchihurumnaya at gmail.com
>     >
>     >
>     >
>     >
>     > On Sat, Oct 28, 2023 at 6:35 PM Chihurumnaya Ibiam
>     > <ibiamchihurumnaya at gmail.com> wrote:
>     >
>     >     Nope, there's no root password.
>     >
>     >     Although weblate itself has a trivial password, I'll change it and
>     >     update the docker environment file.
>     >
>     >     --
>     >
>     >     Ibiam Chihurumnaya
>     >     ibiamchihurumnaya at gmail.com
>     >
>     >
>     >
>     >
>     >     On Sat, Oct 28, 2023 at 6:06 PM Bernie Innocenti <bernie at codewiz.org> wrote:
>     >
>     >         Then it's possible that they guessed the root password.
>     >
>     >         Was it something trivial or predictable, like "weblate" or
>     >         "sugarlabs"?
>     >
>     >
>     >         On October 28, 2023 4:49:26 PM UTC, Alex Perez <aperez at alexperez.com> wrote:
>     >
>     >             It is definitely listening on a public port, but it is not
>     >             an open relay:
>     >
>     >
>     >
>     >             Bernie Innocenti wrote on 10/28/23 9:34 AM:
>     >>             Ibiam, is the SMTP server on weblate listening on a public
>     >>             port?
>     >>
>     >>
>     >>             On October 28, 2023 3:22:31 PM UTC, Alex Perez <aperez at alexperez.com> wrote:
>     >>
>     >>                 FYI. The e-mail being sent from weblate appears to be
>     >>                 incorrectly configured. I don't have time to deal with
>     >>                 this in a timely manner, but perhaps someone else
>     >>                 does.  The recipient, johnl at iecc.com, reported they
>     >>                 received a message from our weblate host, which they
>     >>                 reported as spam.
>     >>
>     >>
>     >>                 -------- Forwarded Message --------
>     >>                 Subject:     Re: [Sonic #7314311] [ABUSE] E-mail spam alert (23739548 from 192.184.220.214) re Good Day
>     >>                 Date:        Fri, 27 Oct 2023 16:43:16 -0700
>     >>                 From:        Sonic Abuse <abuse at sonic.net>
>     >>                 To:          aperez at alexperez.com
>     >>
>     >>
>     >>
>     >>                 Hello,
>     >>                 Recently a message was sent from your mailbox "root at weblate.sugarlabs.org" and one of the recipients has reported it as spam. I have included the original headers below.
>     >>                 If you sent this email, and you believe it was marked as spam incorrectly, you may want to contact the recipient.
>     >>                 However if you did not send this email, it is likely that your mailbox was compromised and needs to be secured.
>     >>                 If you have any questions, you can respond to this email or contact our customer support department.
>     >>
>     >>                 --1698095665.7060_boundary
>     >>                 Content-Type: message/feedback-report
>     >>
>     >>                 Feedback-Type: abuse
>     >>                 User-Agent: mspam/1.3
>     >>                 Version: 1
>     >>                 Source-IP: 192.184.220.214
>     >>                 Original-Rcpt-To: johnl at iecc.com
>     >>                 Received-Date: 23 Oct 2023 05:57:47 -0000
>     >>
>     >>                 --1698095665.7060_boundary
>     >>                 Content-Type: message/rfc822
>     >>                 Content-Disposition: inline; filename="23739548.eml"
>     >>
>     >>                 Return-Path: <root at weblate.sugarlabs.org>
>     >>                 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on gal.iecc.com
>     >>                 X-Spam-Flag: YES
>     >>                 X-Spam-Level: ****************
>     >>                 X-Spam-Status: Yes, score=16.6 required=4.4 tests=ADVANCE_FEE_3_NEW_FRM_MNY,
>     >>                     BAYES_50,DEAR_BENEFICIARY,FILL_THIS_FORM,FILL_THIS_FORM_LONG,
>     >>                     FORM_FRAUD_5,FREEMAIL_FORGED_REPLYTO,HK_SCAM,HTML_MESSAGE,
>     >>                     LOTS_OF_MONEY,MIME_HTML_ONLY,MIXED_HREF_CASE,MONEY_ATM_CARD,
>     >>                     MONEY_FRAUD_5,MONEY_FREEMAIL_REPTO,SPF_HELO_PASS,SPF_PASS
>     >>                     autolearn=spam autolearn_force=no version=4.0.0
>     >>                 X-Spam-Report:
>     >>                      * -0.0 SPF_PASS SPF: sender matches SPF record
>     >>                      * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
>     >>                      *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
>     >>                      *      [score: 0.4611]
>     >>                      *  1.6 DEAR_BENEFICIARY BODY: Dear Beneficiary:
>     >>                      *  0.0 HTML_MESSAGE BODY: HTML included in message
>     >>                      *  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>     >>                      *  2.0 MIXED_HREF_CASE Has href in mixed case
>     >>                      *  1.1 HK_SCAM No description available.
>     >>                      *  0.0 LOTS_OF_MONEY Huge... sums of money
>     >>                      *  2.1 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
>     >>                      *  0.0 FILL_THIS_FORM Fill in a form with personal information
>     >>                      *  2.0 FILL_THIS_FORM_LONG Fill in a form with personal information
>     >>                      *  2.5 MONEY_FREEMAIL_REPTO Lots of money from someone using free email?
>     >>                      *  1.0 MONEY_ATM_CARD Lots of money on an ATM card
>     >>                      *  2.1 MONEY_FRAUD_5 Lots of money and many fraud phrases
>     >>                      *  1.0 ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money
>     >>                      *  0.4 FORM_FRAUD_5 Fill a form and many fraud phrases
>     >>                 Delivered-To: johnl at iecc.com
>     >>                 Received: (qmail 24861 invoked from network); 23 Oct 2023 05:57:47 -0000
>     >>                 Authentication-Results: iecc.com; spf=pass spf.mailfrom=root at weblate.sugarlabs.org spf.helo=weblate.sugarlabs.org smtp.remote-ip="192.184.220.214"; dmarc=pass header.from=weblate.sugarlabs.org polrec.p=quarantine polrec.pct=5
>     >>                 Received: from weblate.sugarlabs.org (weblate.sugarlabs.org [192.184.220.214])
>     >>                    by mail1.iecc.com ([64.57.183.56])
>     >>                    with ESMTPS via TCP (port 51298/25) id 720822916
>     >>                    tls TLS1_3_ECDHE_RSA_AES_256_GCM_AEAD; 23 Oct 2023 05:57:47 -0000
>     >>                 Received: from weblate.sugarlabs.org (60-251-35-90.hinet-ip.hinet.net [60.251.35.90])
>     >>                      (Authenticated sender: root)
>     >>                      by weblate.sugarlabs.org (Postfix) with ESMTPSA id 879DA68732
>     >>                      for <johnl at iecc.com>; Sun, 22 Oct 2023 22:50:32 -0700 (PDT)
>     >>                 Reply-To: olivera4good at gmail.com
>     >>                 From: Info <root at weblate.sugarlabs.org>
>     >>                 To: johnl at iecc.com
>     >>                 Subject: Good Day
>     >>                 Date: 23 Oct 2023 13:50:34 +0800
>     >>                 Message-ID: <20231023135034.F8EDC8E49D7FE2C7 at weblate.sugarlabs.org>
>     >>                 MIME-Version: 1.0
>     >>                 Content-Type: text/html;
>     >>                      charset="iso-8859-1"
>     >>                 Content-Transfer-Encoding: quoted-printable
>     >>                 X-DCC-iecc-Metrics: gal.iecc.com 1107; Body=1 Fuz1=1 Fuz2=1
>     >>                 X-Tag: tagged by spamassassin
>     >>
>     >>                 Logan P.
>     >>
>     >>                 support at sonic.net                Sonic LLC
>     >>                 Sonic.net Support                2260 Apollo Way
>     >>                 1.855.394.0100 (Tech Support)    Santa Rosa, CA 95407
>     >>                 1.707.547.2199 (FAX)             http://sonic.com/support
>     >>
>     >>             --
>     >>             Sent with K-9 Mail.
>     >
>     >         --
>     >         Sent with K-9 Mail.
>     >         _______________________________________________
>     >         Systems mailing list
>     >         Systems at lists.sugarlabs.org
>     >         http://lists.sugarlabs.org/listinfo/systems
>     >
>     >
> 
>     --
>     _ // Bernie Innocenti
>     \X/  https://codewiz.org/
> 

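The Received chain in the forwarded report above (an outside hinet address submitting as "Authenticated sender: root" over ESMTPSA) is what separates a stolen password from an open relay. As an added example that is not part of this thread, here is a small Python checker that parses such a chain and flags that pattern, plus the Reply-To/From domain mismatch that SpamAssassin scored; the sample headers are re-typed from the report, and the set of trusted addresses is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in this thread's abuse report, re-typed.
SAMPLE = """\
Return-Path: <root@weblate.sugarlabs.org>
Received: from weblate.sugarlabs.org (weblate.sugarlabs.org [192.184.220.214])
   by mail1.iecc.com ([64.57.183.56])
   with ESMTPS via TCP (port 51298/25) id 720822916; 23 Oct 2023 05:57:47 -0000
Received: from weblate.sugarlabs.org (60-251-35-90.hinet-ip.hinet.net [60.251.35.90])
     (Authenticated sender: root)
     by weblate.sugarlabs.org (Postfix) with ESMTPSA id 879DA68732
     for <johnl@iecc.com>; Sun, 22 Oct 2023 22:50:32 -0700 (PDT)
Reply-To: olivera4good@gmail.com
From: Info <root@weblate.sugarlabs.org>
To: johnl@iecc.com
Subject: Good Day
"""

# One hop: "from HELO (rdns [ip]) [(Authenticated sender: user)] by HOST ..."
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"(?:\s+\(Authenticated sender:\s+(?P<user>[^)]+)\))?"
    r"\s+by\s+(?P<by>\S+)"
)

def parse_hops(raw):
    """Received hops, newest first; 'user' is None for unauthenticated hops."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold the header first
        if m:
            hops.append(m.groupdict())
    return hops

def authenticated_from_outside(hops, trusted_ips):
    """Authenticated submissions from addresses we do not own: the signature of
    a stolen password, not of an open relay (trusted_ips is an assumption)."""
    return [(h["user"], h["ip"], h["by"]) for h in hops
            if h["user"] and h["ip"] not in trusted_ips]

def replyto_domain_mismatch(raw):
    """True when Reply-To's domain differs from From's (SpamAssassin's FREEMAIL_FORGED_REPLYTO)."""
    msg = message_from_string(raw)
    frm = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rto = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    return bool(rto) and rto != frm
```

Run over a real message, a non-empty result from authenticated_from_outside is the cue to rotate the credential named in it, not just to close ports.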


