
#1 2019-02-16 11:03:30

ula8000
Member
Registered: 2017-12-27
Posts: 11

noreply@archlinux32.org sending Spam ?

Some months ago I changed my email from gmail to posteo here in the forum.

Today I got this in my google inbox:

from:	Arch Linux 32 Forums Mailer <noreply@archlinux32.org>
reply-to:	Walterreedy <antoninadurova421@gmail.com>
to:	xxxxxxxxxxxx@gmail.com (Yes, this is you.) Learn more
date:	Feb 16, 2019, 6:08 AM
subject:	A premiere has been leaked online
signed-by:	archlinux32.org
security:	 Standard encryption (TLS) Learn more

Walterreedy from Arch Linux 32 Forums has sent you a message. You can reply to Walterreedy by replying to this email.

The message reads as follows:
-----------------------------------------------------------------------

Now available to watch, free and without registration

[url=https://www.youtube.com/watch?v=gfiQtRgKQrk&t=11s]Watch season 4 of Policeman from Rublyovka[/url]

-----------------------------------------------------------------------

--
Arch Linux 32 Forums Mailer

Was my email change not properly saved in the forum ?
My Profile shows the new address...
Or is this a backscatter ?

Anyone else got Spam ?


#2 2019-02-16 11:36:56

andreas_baumann
Administrator
From: Zurich, Switzerland
Registered: 2017-08-10
Posts: 833
Website

Re: noreply@archlinux32.org sending Spam ?

Yes, I also got two spam emails like this..


#3 2019-02-16 11:58:13

ula8000
Member
Registered: 2017-12-27
Posts: 11

Re: noreply@archlinux32.org sending Spam ?

The interesting question here is why I get the spam to my old gmail account, while the forum has my new posteo address.
The old gmail account was only known to archlinux32.org, by the way!
The notification for this thread goes correctly to my new address...

In my profile this is set:
Hide your email address and disallow form email.


#4 2019-02-16 12:07:12

andreas_baumann
Administrator
From: Zurich, Switzerland
Registered: 2017-08-10
Posts: 833
Website

Re: noreply@archlinux32.org sending Spam ?

Yeah. I also think someone read the database with emails from the BB forum..


#5 2019-02-16 20:53:27

levi
Moderator
From: Yorkshire, UK
Registered: 2018-06-16
Posts: 1,197

Re: noreply@archlinux32.org sending Spam ?

I wonder about gmail adding the 'yes this is you' helper to your to field.  That suggests to me they didn't have your exact email address, but gmail guessed they meant you.  Can you check to see if the email address they used is exactly your address?

I've not had any spam like that yet here.  Maybe the database was leaked before I registered?


Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.


#6 2019-02-17 09:57:59

ula8000
Member
Registered: 2017-12-27
Posts: 11

Re: noreply@archlinux32.org sending Spam ?

Hi levi,
I anonymized my first post of course, there was exactly my email address, and exactly that one I used only for archlinux32.org.

Me:
Registered: 2017-12-27
email changed from gmail to posteo: 2018-09-18

I have the complete email header, if one would like to have a look...
For me it looks like a back-scatter from srv1.tyzoid.com, but that doesn't explain why they know the correct email address.


#7 2019-02-17 18:00:01

levi
Moderator
From: Yorkshire, UK
Registered: 2018-06-16
Posts: 1,197

Re: noreply@archlinux32.org sending Spam ?

Can you post the initial Received: lines?  You shouldn't need to post any received lines from after it gets inside google's domain, but there may be some previous lines that indicate its actual mail path (although it's always possible to prepend some fake ones, they should be true after a point).  Decoding received lines is a bit of a black art I find, but gmail, when I used to use it at least, seemed to add headers like this:

Received-SPF: pass (google.com: best guess record for domain of #mailsrv# designates #ip# as permitted sender) client-ip=;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of #mailsrv# designates #ip# as permitted sender) smtp.mailfrom=#mailsrv#

If they're still adding those headers (my last email to check is from 2018 before google blocked my client), at least one of them should be true and might tell you the actual server used, or at least google's best guess.


Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.


#8 2019-02-18 11:31:25

andreas_baumann
Administrator
From: Zurich, Switzerland
Registered: 2017-08-10
Posts: 833
Website

Re: noreply@archlinux32.org sending Spam ?

@tyzoid: can you check, but it seems that the emails are sent from your server running the BBS:

Return-Path: <www-data@srv1.tyzoid.com>
Received: from smtp.andreasbaumann.cc ([unix socket])
	 by euroweb (Cyrus 2.5.10) with LMTPA;
	 Mon, 18 Feb 2019 11:23:44 +0100
X-Sieve: CMU Sieve 2.4
Received: from mail.tyzoid.com (mail.tyzoid.com [23.92.211.62])
	by smtp.andreasbaumann.cc (Postfix) with ESMTP id 51234CD9FB
	for <mail@andreasbaumann.cc>; Mon, 18 Feb 2019 11:23:42 +0100 (CET)
Received: from srv1.tyzoid.com (unknown [10.10.1.8])
	by mail.tyzoid.com (Postfix) with ESMTPS id 36E46243DB
	for <mail@andreasbaumann.cc>; Mon, 18 Feb 2019 10:23:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=archlinux32.org;
	s=mail; t=1550485401;
	bh=Ha1S6//vdNX+QctMeQI1k4hsZobqI3BS3GIsKp/U5HY=;
	h=To:Subject:From:Date:Reply-To:From;
	b=rReY9YRgLCB8haS+IjE5xt5075RzGl/sABDlGOuG+moDDbt8Bcj4R8zZRzv8yZ4++
	 6vl084Tu086/iImWOeay2v+0xdNGbrlztt1fTBoAmXeQPJqm+6Qe8mtQaVs9BwJ7S5
	 ASOBJdHkCwxEV42CB+Uz5nKJbIDhau/CXvOAdUAw=
Received: by srv1.tyzoid.com (Postfix, from userid 33)
	id 14FDB3375D; Mon, 18 Feb 2019 10:23:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=archlinux32.org;
	s=mail; t=1550485401;
	bh=PH0F3DZyff+JvrpiIJ/+gBXwpvGfj+sHClF8nC+GUc8=;
	h=To:Subject:From:Date:Reply-To:From;
	b=l1mGzsSo8p8K6HzWD+UL3qg6YuDcQroIv3JCbVgQARh20ZNa6xkZq0OjLzHqC8gkk
	 9YcoAn3WrgoAx5C1/TXc41cVyMaY1AAaiBybPTy9KRa4VooBOFdfTLDMHp3vDkwJzE
	 CXUFa2oTjHyFVLrSbFmVNRA0dKMKvMuAn3SD7pWM=
To: mail@andreasbaumann.cc
Subject: Weightloss
X-PHP-Originating-Script: 1000:email.php
From: "Arch Linux 32 Forums Mailer" <noreply@archlinux32.org>
Date: Mon, 18 Feb 2019 10:23:21 +0000
MIME-Version: 1.0
Content-transfer-encoding: 8bit
Content-type: text/plain; charset=utf-8
X-Mailer: FluxBB Mailer
Reply-To: "Josephchich" <zabenko65903@myblogmail.xyz>
Message-Id: <20190218102321.14FDB3375D@srv1.tyzoid.com>

Josephchich from Arch Linux 32 Forums has sent you a message. You can reply to Josephchich by replying to this email.

The message reads as follows:
-----------------------------------------------------------------------

[url=https://5b7053wx8g902z6de2srdp1mc6.hop.clickbank.net/?tid=XRM55]The Flat Belly Fix[/url] 
This is the only 21-day rapid [url=https://5b7053wx8g902z6de2srdp1mc6.hop.clickbank.net/?tid=XRM55]weight loss system[/url] that allows you to easily lose an average of 1 lb a day for 21 days without feeling hungry or deprived. The unique and brand new techniques used in this System are proven SAFE. And they do not cause the rebound weight gain common to all the other rapid weight loss systems that are not backed by the latest science. The Flat Belly Fix System takes advantage of a recent scientific discovery that proves the effective weight loss power of an ancient spice. Combined with other cutting edge ingredients in the patent pending Flat Belly Fix Tea™ — that you can make right in your own kitchen in minutes — this System is the quickest, easiest and most enjoyable way to quickly get the body you desire and deserve.

-----------------------------------------------------------------------

--
Arch Linux 32 Forums Mailer

Or the receive path via srv1.tyzoid.com, mail.tyzoid.com is 100% faked, but I doubt that.


#9 2019-02-18 18:11:49

levi
Moderator
From: Yorkshire, UK
Registered: 2018-06-16
Posts: 1,197

Re: noreply@archlinux32.org sending Spam ?

Received: from mail.tyzoid.com (mail.tyzoid.com [23.92.211.62])
	by smtp.andreasbaumann.cc (Postfix) with ESMTP id 51234CD9FB
	for <mail@andreasbaumann.cc>; Mon, 18 Feb 2019 11:23:42 +0100 (CET)

This line at least claims to have been written by smtp.andreasbaumann.cc, which I assume is under your indirect control at least.  That suggests it really was on a server called mail.tyzoid.com at the step before, so he's gone to a lot of effort faking it if that is all bogus.


Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.
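
The reasoning in posts #7 and #9 (Received: lines are only trustworthy down to the last one written by a server you control, and that line records the real peer) can be checked mechanically. This is an added example, not part of the thread: the sample message is constructed with placeholder hostnames and addresses, and `split_chain` and `handoff_ip` are hypothetical helper names.

```python
import email
import re

# Constructed sample with the same hop layout as the headers quoted in this
# thread; every hostname, address and queue id below is a placeholder.
SAMPLE = """\
Received: from smtp.mx.example ([unix socket])
\t by store.mx.example (Cyrus) with LMTPA; Mon, 18 Feb 2019 11:23:44 +0100
Received: from mail.forum.example (mail.forum.example [203.0.113.62])
\tby smtp.mx.example (Postfix) with ESMTP id AAAA
\tfor <user@mx.example>; Mon, 18 Feb 2019 11:23:42 +0100 (CET)
Received: from web.forum.example (unknown [10.10.1.8])
\tby mail.forum.example (Postfix) with ESMTPS id BBBB;
\tMon, 18 Feb 2019 10:23:21 +0000 (UTC)
Received: by web.forum.example (Postfix, from userid 33)
\tid CCCC; Mon, 18 Feb 2019 10:23:21 +0000 (UTC)
From: "Forum Mailer" <noreply@forum.example>
Subject: constructed sample

body
"""

HOP = re.compile(r"(?:from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\)\s+)?by\s+(?P<by>\S+)")
IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def split_chain(raw, trusted):
    """Return (verified, unverified) hops, newest first.

    A hop is verified only while every line above it was written by a
    host in `trusted`; the first foreign "by" host ends the verified run.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    for i, hop in enumerate(hops):
        if hop["by"].lower() not in trusted:
            return hops[:i], hops[i:]
    return hops, []

def handoff_ip(raw, trusted):
    """IP recorded by our own MTA for the peer that handed us the mail."""
    verified, _ = split_chain(raw, trusted)
    m = IP.search(verified[-1]["peer"] or "") if verified else None
    return m.group(1) if m else None
```

Everything in the unverified list was written by the sending side and is a claim, not evidence; the handoff IP is the value to compare against the sending domain's published mail servers.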


#10 2019-02-18 21:47:49

levi
Moderator
From: Yorkshire, UK
Registered: 2018-06-16
Posts: 1,197

Re: noreply@archlinux32.org sending Spam ?

Okay, I've seen the full email of ula8000 now.  It suggests google actually received the mail from an ipv6 address indicating a cloud computer run by centrilogic, rather than tyzoid's server, which is different to andreas's mail above.

Andreas' mail looks to me all like a genuine mailing from the boards, the only odd thing is I can't find a user called Josephchich.  I'm not sure if I can see banned users in the user list though.


Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.

