
Dear Andrzej,

Thank you for your email. We have also noticed this and we recently sent an announcement to the membership:
https://www.ripe.net/ripe/mail/archives/ncc-announce/2022-March/001563.html

Members can always alert us to potential security incidents at <security@ripe.net>.

Kind regards

Antony Gollan
Communications Team Manager
RIPE NCC

****
As I was afraid, Russian agents are trying to distribute malware using data from this mailing list (links to onedrive.com to download something).
In the last days I've received at least two spoofed e-mails pretending to be from this mailing list, quoting my older posts on this mailing list - thus it has to be an attempt from someone who has access to this mailing list.
The offending IPs are:
62.3.58.13
and
193.233.207.195
(originating mail IPs, both geolocated in the Russian Federation)
I say again: both spoofed e-mails were quoting my older mails on this mailing list and attempting to pretend to be responses to my inquiries (one "personal information" and one "you can pay here for your LIR membership"). Thus the perpetrator has to be a LIR, not just a user of those operators.
What are the RIPE rules regarding LIRs trying to send other LIRs malware?
--
Regards
Andrzej Ława
tel. 500 206 268
DAWIS IT Sp. z o.o., 05-800 Pruszków, ul. Staszica 1
NIP 5342409456 / REGON 141663620 / KRS 0000319237