It’s one of the more recent tactics being used by the “lovely” scumbags. It’s happening against multiple public mailing lists, both RIPE and LINX ones so far ... probably others.

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/

https://blacknight.blog/

Intl. +353 (0) 59  9183072

Direct Dial: +353 (0)59 9183090

Personal blog: https://michele.blog/

Some thoughts: https://ceo.hosting/

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland  Company No.: 370845

From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Rob Evans <rhe@nosc.ja.net>
Date: Thursday, 14 April 2022 at 09:19
To: Hans-Martin Mosner <hmm@heeg.de>
Cc: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] Someone on this list has been hacked

Hi Hans-Martin,

> looks like someone on this list had their PC and/or mailbox hacked, I got a "reply" to one of my mails trying to make me open some link (probably malware). This stuff is pretty common, but it feels a bit weird that it happened through someone who's active in anti-abuse and presumably not a noob :-)

I received a similar message on Monday supposedly ‘in reply to’ a message I sent to the list nearly two years ago.

It may not be a list subscriber’s mailbox that has been hacked, it may just be using a public archive of the list.  Whilst the “real name” in the From: field was indeed the person I was replying to at the time (Suresh), the sender’s email address did not match the name.

In my case the spam message originated from:
> Received: from beatingart.com ([62.113.107.99])

The sending IP address matches the SPF record for beatingart.com and from a quick check doesn’t seem to be on the major block lists, so it could well be a user in that domain has been compromised via phishing or some other means…

I must admit I had just deleted the message at the time, but perhaps worth following up with <abuse@ionos.com>, assuming your message matches the details of mine.

Cheers,
Rob
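
Added example (not part of the original thread, and not code from RIPE or any list member): a Python check for the pattern Rob describes, a "reply" whose From: display name belongs to an archived poster while the address does not, arriving long after the message it references. The archive index, names, addresses, Message-IDs and the 90-day threshold are constructed assumptions; SPF is not consulted because, as noted above, the sending IP matched the SPF record.

```python
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed archive index: Message-ID -> (poster name, poster address, date).
ARCHIVE = {
    "<orig-001@list.example>": ("Alice Example", "alice@corp.example",
                                "Mon, 11 May 2020 10:00:00 +0000"),
}

# Constructed inbound message imitating the pattern described in the thread.
SUSPECT = """\
From: Alice Example <billing@unrelated.example>
To: bob@uni.example
Subject: Re: [list] old topic
In-Reply-To: <orig-001@list.example>
Date: Mon, 11 Apr 2022 08:30:00 +0000

Please see the document at the link below.
"""

# Same message, but sent from the address the archive knows for that name.
GENUINE = SUSPECT.replace("billing@unrelated.example", "alice@corp.example")


def check_reply(raw, archive=ARCHIVE, stale_days=90):
    """Return reasons the message looks like an archive-sourced fake reply."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    ref = (msg.get("In-Reply-To") or "").strip()
    reasons = []
    if ref not in archive:
        return reasons  # not a reply to anything in the public archive
    # Display name of a known poster paired with an address they never used.
    for known_name, known_addr, _ in archive.values():
        if name.lower() == known_name.lower() and addr.lower() != known_addr.lower():
            reasons.append(f"display name '{name}' reused with address {addr}")
            break
    # A reply that shows up long after the archived message is a second signal.
    sent = parsedate_to_datetime(msg["Date"])
    original = parsedate_to_datetime(archive[ref][2])
    age = (sent - original).days
    if age > stale_days:
        reasons.append(f"reply arrives {age} days after the archived message")
    return reasons


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("genuine", GENUINE)):
        print(label, check_reply(raw))
```

The staleness signal alone also fires for a genuine late reply, so it is best treated as supporting evidence for the name and address mismatch rather than as a verdict by itself.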
