On 14 Apr 2022, at 12:23, Michele Neylon - Blacknight via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:

It’s one of the more recent tactics being used by the “lovely” scumbags. It’s happening against multiple public mailing lists both RIPE and LINX ones so far .. probably others

Also some private mailing lists with tight controls on membership and with no public archives.

It’s presumably either compromised end users or phished IMAP credentials.

Cheers,

Steve

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Rob Evans <rhe@nosc.ja.net>
Date: Thursday, 14 April 2022 at 09:19
To: Hans-Martin Mosner <hmm@heeg.de>
Cc: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] Someone on this list has been hacked
[EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources.

Hi Hans-Martin,

> looks like someone on this list had their PC and/or mailbox hacked, I got a "reply" to one of my mails trying to make me open some link (probably malware). This stuff is pretty common, but it feels a bit weird that it happened through someone who's active in anti-abuse and presumably not a noob :-)

I received a similar message on Monday supposedly ‘in reply to’ a message I sent to the list nearly two years ago.

It may not be a list subscriber’s mailbox that has been hacked, it may just be using a public archive of the list. Whilst the “real name” in the From: field was indeed the person I was replying to at the time (Suresh), the sender’s email address did not match the name.

In my case the spam message originated from:
> Received: from beatingart.com ([62.113.107.99])

The sending IP address matches the SPF record for beatingart.com and from a quick check doesn’t seem to be on the major block lists, so it could well be a user in that domain has been compromised via phishing or some other means…

I must admit I had just deleted the message at the time, but perhaps worth following up with <abuse@ionos.com>, assuming your message matches the details of mine.

Cheers,
Rob

--

To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit:https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
--

To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg