Have the OSGeo mail servers been compromised?

Have the OSGeo mail servers been compromised?

geowolf
Hi,
I just received three mails from apparently legit mail addresses, Frank W., Jeff and Arnulf,
all reporting an Amazon security issue and asking me to connect to some decently
well made fake Amazon site to verify my credentials. The title is "Important Notice To All Amazon Customers"
and they were all sent to the board list.

I don't think the people involved have all been compromised at the same time, it seems
more likely that OSGeo mail servers were hacked, or something similar...

The interesting bit is that since I know those people, the messages did not get into the
spam folder. Don't trust those mails!

--

Regards,

Andrea Aime


Re: Have the OSGeo mail servers been compromised?

Jorge Sanz (OSGeo)
I'm receiving some mailman rejection notices from announce and
belgium, but many others were accepted (even though they ended up in my spam
folder).

For example, there is a message sent on my behalf to the Argentina
list: https://lists.osgeo.org/pipermail/argentina/2017-July/002322.html

Looks like it's related to the aliases system that we use, like mine
"[hidden email]"

Attaching screenshot and adding in CC the SAC list.

On 31 July 2017 at 19:31, Andrea Aime <[hidden email]> wrote:

> Hi,
> I just received three mails from apparently legit mail addresses, Frank W.,
> Jeff and Arnulf, all reporting an Amazon security issue and asking me to
> connect to some decently well made fake Amazon site to verify my credentials.
> The title is "Important Notice To All Amazon Customers" and they were all
> sent to the board list.
>
> I don't think the people involved have all been compromised at the same
> time, it seems more likely that OSGeo mail servers were hacked, or something
> similar...
>
> The interesting bit is that since I know those people, the messages did not
> get into the spam folder. Don't trust those mails!

--
Jorge Sanz
http://www.osgeo.org
http://wiki.osgeo.org/wiki/Jorge_Sanz


Re: Have the OSGeo mail servers been compromised?

jmckenna
Administrator
I noticed a similar message on the OSGeo-Africa list, supposedly sent by
Gavin (not an @osgeo.org account):
https://lists.osgeo.org/pipermail/africa/2017-July/003143.html

-jeff


On 2017-07-31 2:44 PM, Jorge Sanz wrote:

> I'm receiving some mailman rejection notices from announce and
> belgium, but many others were accepted (even though they ended up in my spam
> folder).
>
> For example, there is a message sent on my behalf to the Argentina
> list: https://lists.osgeo.org/pipermail/argentina/2017-July/002322.html
>
> Looks like it's related to the aliases system that we use, like mine
> "[hidden email]"
>
> Attaching screenshot and adding in CC the SAC list.

Re: Have the OSGeo mail servers been compromised?

Markus Neteler

Please analyse the mail headers to really understand from which mail server these messages were sent.

Markus (on mobile only at time)


On Jul 31, 2017 8:03 PM, "Jeff McKenna" <[hidden email]> wrote:
> I noticed a similar message on the OSGeo-Africa list, supposedly sent by Gavin (not an @osgeo.org account): https://lists.osgeo.org/pipermail/africa/2017-July/003143.html
>
> -jeff



Re: Have the OSGeo mail servers been compromised?

Markus Neteler
On Mon, Jul 31, 2017 at 8:06 PM, Markus Neteler <[hidden email]> wrote:
> Please analyse the mail headers to really understand from which mail server
> these messages were sent.

I had a quick glance at the *original* message header (most email
clients can show that) and these messages seem to come from
"elsewhere".

I guess we are hit by this:

[Mailman-Users] What is the best way to avoid fake senders?
https://mail.python.org/pipermail/mailman-users/2010-April/069212.html

Markus

Re: Have the OSGeo mail servers been compromised?

jmckenna
Administrator
On 2017-08-01 3:11 AM, Markus Neteler wrote:
> On Mon, Jul 31, 2017 at 8:06 PM, Markus Neteler <[hidden email]> wrote:
>> Please analyse the mail headers to really understand from which mail server
>> these messages were sent.
>
> I had a quick glance at the *original* message header (most email
> clients can show that) and these messages seem to come from
> "elsewhere".

I also looked at the headers of several of these messages and they
seemed to originate from an external server: se2portals12.asp.gmi.lcl
(elsewhere indeed), I tried to look deeper at that server but could not
find any more info to report.  They're good!

-jeff
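
The header check requested and reported in the messages above, as an added example that is not part of the original thread: it walks the `Received` chain from the newest hop down and reports the last hop stamped by a server you trust, since older hops can be forged by the sender. The sample message, host names, addresses and the trusted-receiver set are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, not a message from this thread. Hosts and addresses are
# placeholders; the bottom Received line is one the sender could have forged.
RAW = """\
Received: from lists.project.example (lists.project.example [192.0.2.10])
\tby mx.recipient.example with ESMTP id A1; Mon, 31 Jul 2017 19:31:02 +0200
Received: from appserver12.internal.lcl (unknown [203.0.113.77])
\tby lists.project.example with SMTP id B2; Mon, 31 Jul 2017 19:30:58 +0200
Received: from mail.member-org.example (mail.member-org.example [198.51.100.5])
\tby smtp.member-org.example with ESMTP id C3; Mon, 31 Jul 2017 19:30:40 +0200
From: Trusted Member <member@member-org.example>
To: board@lists.project.example
Subject: Important Notice To All Amazon Customers

(body omitted)
"""

# "from <helo> (<rdns> [<ip>]) ... by <receiver>" as written by common MTAs.
HOP_RE = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([^\]]+)\]\).*?\bby\s+(\S+)", re.S)

def parse_hops(msg):
    """Parse Received headers, newest first (each MTA prepends its own)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return hops

def analyse_origin(raw, trusted_receivers):
    """Report where the message entered infrastructure we trust."""
    msg = email.message_from_string(raw)
    hops = parse_hops(msg)
    handoff, used = None, 0
    for hop in hops:
        # Hops below the first untrusted 'by' host may be forged: stop there.
        if hop["by"].lower() not in trusted_receivers:
            break
        handoff, used = hop, used + 1
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rdns = (handoff["rdns"] or "").lower() if handoff else ""
    # Weak alignment check: does the connecting host belong to the From domain?
    aligned = bool(from_domain) and (
        rdns == from_domain or rdns.endswith("." + from_domain))
    return {"from_domain": from_domain,
            "entered_via": handoff and (handoff["helo"], handoff["ip"]),
            "aligned": aligned,
            "unverified_hops": len(hops) - used}
```

Calling `analyse_origin(RAW, {"mx.recipient.example", "lists.project.example"})` reports the host that handed the message to the list server and ignores the bottom hop, which no trusted server recorded.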


Re: Have the OSGeo mail servers been compromised?

jody.garnett
geonode-devel has been unsubscribing gmail users due to bounces.

--
Jody Garnett

On 1 August 2017 at 06:04, Jeff McKenna <[hidden email]> wrote:
> On 2017-08-01 3:11 AM, Markus Neteler wrote:
>> On Mon, Jul 31, 2017 at 8:06 PM, Markus Neteler <[hidden email]> wrote:
>>> Please analyse the mail headers to really understand from which mail server
>>> these messages were sent.
>>
>> I had a quick glance at the *original* message header (most email
>> clients can show that) and these messages seem to come from
>> "elsewhere".
>
> I also looked at the headers of several of these messages and they seemed to originate from an external server: se2portals12.asp.gmi.lcl (elsewhere indeed), I tried to look deeper at that server but could not find any more info to report.  They're good!
>
> -jeff


