It’s one of the more recent tactics being used by the “lovely” scumbags.
It’s happening against multiple public mailing lists both RIPE and LINX ones so far .. probably others

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Rob Evans <rhe@nosc.ja.net>
Date: Thursday, 14 April 2022 at 09:19
To: Hans-Martin Mosner <hmm@heeg.de>
Cc: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] Someone on this list has been hacked

Hi Hans-Martin,
> looks like someone on this list had their PC and/or mailbox hacked, I got a "reply" to one of my mails trying to make me open some link (probably malware). This stuff is pretty common, but it feels a bit weird that it happened through someone who's active in anti-abuse and presumably not a noob :-)
I received a similar message on Monday supposedly ‘in reply to’ a message I sent to the list nearly two years ago. It may not be a list subscriber’s mailbox that has been hacked, it may just be using a public archive of the list. Whilst the “real name” in the From: field was indeed the person I was replying to at the time (Suresh), the sender’s email address did not match the name. In my case the spam message originated from:
Received: from beatingart.com ([62.113.107.99])
The sending IP address matches the SPF record for beatingart.com and from a quick check doesn’t seem to be on the major block lists, so it could well be a user in that domain has been compromised via phishing or some other means…

I must admit I had just deleted the message at the time, but perhaps worth following up with <abuse@ionos.com>, assuming your message matches the details of mine.

Cheers,
Rob
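
The mismatch described in the message above (a thread participant's real name in From:, an unrelated sender address, and a passing SPF check) can be tested for mechanically. The following is an added example, not part of the original thread; the archive mapping, the sample messages, the example.* addresses and the function names are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for a public list archive:
# Message-ID -> {participant display name (lowercase): address seen on the list}
ARCHIVE = {
    "<orig-2020@list.example>": {
        "alice example": "alice@example.org",
        "bob example": "bob@example.net",
    },
}

def sample(from_addr, spf_domain):
    """Build a constructed test message (not taken from the thread)."""
    return (
        f'From: "Alice Example" <{from_addr}>\n'
        "To: bob@example.net\n"
        "Subject: Re: [list] old topic\n"
        "In-Reply-To: <orig-2020@list.example>\n"
        f"Authentication-Results: mx.example.net; spf=pass smtp.mailfrom={spf_domain}\n"
        "\n"
        "Please see the link.\n"
    )

HIJACK = sample("billing@unrelated.example", "unrelated.example")
GENUINE = sample("alice@example.org", "example.org")

def check_reply(raw, archive=ARCHIVE):
    """Return findings for a reply that reuses a thread participant's name."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    refs = f'{msg.get("In-Reply-To", "")} {msg.get("References", "")}'.split()
    findings = []
    for ref in refs:
        known = archive.get(ref, {}).get(name.strip().lower())
        if known and known.lower() != addr.lower():
            findings.append(f"{name!r} posted to {ref} as {known}, not {addr}")
    # Assumes Authentication-Results was added by our own receiving MTA.
    spf = msg.get("Authentication-Results", "").lower()
    if findings and "spf=pass" in spf:
        findings.append("spf=pass only authenticates the sending domain, not the name")
    return findings

if __name__ == "__main__":
    for label, raw in (("hijack", HIJACK), ("genuine", GENUINE)):
        print(label, check_reply(raw))
```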