Key: ABOUT-152
Type: Bug
Status: Closed
Resolution: Works as designed
Priority: Major
Assignee: sonyabarry
Reporter: Hildeberto Mendonça
Votes: 0
Watchers: 0
Phishing occurrence in the mailing list

Created: 20/Jun/12 12:23 PM   Updated: 21/Aug/12 11:45 PM   Resolved: 21/Aug/12 11:45 PM
Component/s: None
Affects Version/s: None
Fix Version/s: None

Time Tracking:
Not Specified

Tags: mailinglist phishing
Participants: carterc44, Hildeberto Mendonça and sonyabarry


Description

CEJUG's mailing list (discussao@cejug.java.net) is closed for subscribers only, but we were victims of phishing, sent by an unidentified sender. The message is pasted below:

=========================================================================
From: discussao@cejug.java.net <discussao@cejug.java.net>
Date: Wed, Jun 20, 2012 at 6:19 AM
Subject: [CEJUG] NFE - Nota Fiscal
To: discussao@cejug.java.net

Dear Taxpayer,

this message refers to Electronic Service Invoice (Nota Fiscal Eletrônica de Serviços) No. 5078
issued by the service provider:

Legal name: Trade Name
E-mail: discussao@cejug.java.net
CCM : 158796
CNPJ: 00.000.000/0000-00
_______________________________________________________________________
2 attachments - Download all attachments
RPS120514766429000107000000000216433106200001.pdf
6K View Download
RPS120514766429000107000000000216433106200001.xml
7K Download
=========================================================================

How to deal with the problem? Is there anything we can do or you guys can do to avoid it happening again?



Hildeberto Mendonça added a comment - 26/Jul/12 09:05 AM

The problem continues and it is getting worse. We are losing members because of this. I think the solution for this problem is related to the send scheme "restricted to local domain and subscribers". It is just about creating a new schema "restricted to subscribers only", which would block emails from the local domain, that people may use to send spam to the list.


carterc44 added a comment - 27/Jul/12 04:58 PM

Please copy and paste the message source for the phishing email. In Thunderbird you can do this with Ctrl+U or View-->Message Source from the menu.


carterc44 added a comment - 27/Jul/12 11:03 PM

The mailing list from message is being forged. See en.wikipedia.org/wiki/Email_spoofing.

------------------------------ From the archives:
Return-Path: <discussao@cejug.java.net>
Received: from mailin01.kenai.com (mailin01.network.org [192.9.171.171])
by mail01.java.net (Postfix) with ESMTP id 9EDA214014
for <discussao@cejug.java.net>; Wed, 20 Jun 2012 04:19:30 +0000 (GMT)
Received: from localhost (localhost [127.0.0.1])
by mailin01.kenai.com (Postfix) with ESMTP id 9916216944
for <discussao@cejug.java.net>; Wed, 20 Jun 2012 04:19:30 +0000 (GMT)
X-Virus-Scanned: amavisd-new at network.org
Received: from mailin01.kenai.com ([127.0.0.1])
by localhost (mailin01.network.org [127.0.0.1]) (amavisd-new, port 10025)
with ESMTP id WltAnzekhu7s for <discussao@cejug.java.net>;
Wed, 20 Jun 2012 04:19:27 +0000 (GMT)
Received: from hm1481-21.locaweb.com.br (hm1481-21.locaweb.com.br [201.76.49.143])
by mailin01.kenai.com (Postfix) with ESMTP id 3A8B616939
for <discussao@cejug.java.net>; Wed, 20 Jun 2012 04:19:27 +0000 (GMT)
Received: from mcbain0008.email.locaweb.com.br (189.126.112.84) by hm1481-10.locaweb.com.br (PowerMTA(TM) v3.5r13) id hs57ku0nvasr for <discussao@cejug.java.net>; Wed, 20 Jun 2012 01:19:15 -0300 (envelope-from <discussao@cejug.java.net>)
Received: from bart0011.locaweb.com.br (bart0011.email.locaweb.com.br [200.234.210.77])
by mcbain0008.email.locaweb.com.br (Postfix) with ESMTP id E928E23EE5C
for <discussao@cejug.java.net>; Wed, 20 Jun 2012 01:19:14 -0300 (BRT)
X-LocaWeb-COR: locaweb_2009_x-mail
Received: from HP-ENVY (189-106-232-20.user.veloxzone.com.br [189.106.232.20])
(Authenticated sender: pu@pu.com.br)
by bart0011.locaweb.com.br (Postfix) with ESMTPA id B00897C203426
for <discussao@cejug.java.net>; Wed, 20 Jun 2012 01:19:14 -0300 (BRT)
From: "discussao@cejug.java.net" <discussao@cejug.java.net>
To: discussao@cejug.java.net
Content-Type: multipart/alternative; boundary="cp86sQeub3vR0KlXlc3GKV=_vaJpfLw4Ac"
MIME-Version: 1.0
Date: Wed, 20 Jun 2012 01:19:01 -0300
Message-Id: <20120620011900080452A864$4B4BAF7F4A@HPENVY>
X-Virus-Scanned: clamav-milter 0.97.3 at mcbain0008
X-Virus-Status: Clean
X-CMAE-Verdict: spam
X-CMAE-Score: 100
X-CMAE-Analysis: v=2.0 cv=fNaOK+me c=0 sm=1 p=dIyz0z5VZVaCewUXFDIA:9
a=T5vw+xqpBOaaAOXznB3o8g==:17 a=4-Gijvo9mX4A:10 a=tQok-r1sLRwA:10
a=COfzQ7OkAAAA:8 a=J9c1G1phAAAA:8 a=KAIQvzXo5on7lfW82YMA:9
a=wPNLvfGTeEIA:10 a=UfeQh6XFaCQA:10 a=1mf6Ppw5AAAA:8
a=qULWnLwCRv48X46zLgUqdw==:117
Subject: [CEJUG] NFE - Nota Fiscal
-------------------------------------------


Hildeberto Mendonça added a comment - 28/Jul/12 12:38 PM

Delivered-To: me@hildeberto.com
Received: by 10.68.68.38 with SMTP id s6csp414214pbt;
Tue, 24 Jul 2012 14:36:40 -0700 (PDT)
Received: by 10.60.22.165 with SMTP id e5mr30277800oef.60.1343165798869;
Tue, 24 Jul 2012 14:36:38 -0700 (PDT)
Return-Path: <discussao-owner@cejug.java.net>
Received: from mailout01.kenai.com (mailout01.kenai.com. [192.9.171.172])
by mx.google.com with ESMTP id r4si16301006obz.57.2012.07.24.14.36.38;
Tue, 24 Jul 2012 14:36:38 -0700 (PDT)
Received-SPF: neutral (google.com: 192.9.171.172 is neither permitted nor denied by best guess record for domain of discussao-owner@cejug.java.net) client-ip=192.9.171.172;
Authentication-Results: mx.google.com; spf=neutral (google.com: 192.9.171.172 is neither permitted nor denied by best guess record for domain of discussao-owner@cejug.java.net) smtp.mail=discussao-owner@cejug.java.net
Received: from mail01.java.net (jnxmlm02z1.network.org [192.9.171.232])
by mailout01.kenai.com (Postfix) with ESMTP id 334E269C788;
Tue, 24 Jul 2012 21:36:37 +0000 (GMT)
Received: from localhost (localhost [127.0.0.1])
by mail01.java.net (Postfix) with ESMTP id E2A51109BB;
Tue, 24 Jul 2012 21:36:35 +0000 (GMT)
X-Virus-Scanned: amavisd-new at network.org
Received: from mail01.java.net ([127.0.0.1])
by localhost (jnxmlm02z1.network.org [127.0.0.1]) (amavisd-new, port 10025)
with ESMTP id Zd1mT83a4JUp; Tue, 24 Jul 2012 21:36:35 +0000 (GMT)
Received: by mail01.java.net (Postfix, from userid 60005)
id 7054110966; Tue, 24 Jul 2012 21:36:32 +0000 (GMT)
Received: from mailin02.kenai.com (mailin02.network.org [192.9.171.174])
by mail01.java.net (Postfix) with ESMTP id 8382A1092E
for <discussao@cejug.java.net>; Tue, 24 Jul 2012 21:36:27 +0000 (GMT)
Received: from localhost (localhost [127.0.0.1])
by mailin02.kenai.com (Postfix) with ESMTP id 788C72DC5A
for <discussao@cejug.java.net>; Tue, 24 Jul 2012 21:36:27 +0000 (GMT)
X-Virus-Scanned: amavisd-new at network.org
Received: from mailin02.kenai.com ([127.0.0.1])
by localhost (mailin02.network.org [127.0.0.1]) (amavisd-new, port 10025)
with ESMTP id MOsUbRRpEBtK for <discussao@cejug.java.net>;
Tue, 24 Jul 2012 21:36:24 +0000 (GMT)
Received: from hm1831-36.locaweb.com.br (hm1831-36.locaweb.com.br [189.126.112.56])
by mailin02.kenai.com (Postfix) with ESMTP id 69A912DC50
for <discussao@cejug.java.net>; Tue, 24 Jul 2012 21:36:24 +0000 (GMT)
Received: from mcbain0002.email.locaweb.com.br (189.126.112.13) by hm1831-34.locaweb.com.br (PowerMTA(TM) v3.5r15) id h1salg12li8f for <discussao@cejug.java.net>; Tue, 24 Jul 2012 18:36:22 -0300 (envelope-from <discussao@cejug.java.net>)
Received: from bart0026.locaweb.com.br (bart0026.email.locaweb.com.br [200.234.210.24])
by mcbain0002.email.locaweb.com.br (Postfix) with ESMTP id 8E27B80A2E6
for <discussao@cejug.java.net>; Tue, 24 Jul 2012 18:35:25 -0300 (BRT)
X-LocaWeb-COR: locaweb_2009_x-mail
Received: from Cliente-HP (unknown [189.31.20.22])
(Authenticated sender: neto@marceneirjc.com)
by bart0026.locaweb.com.br (Postfix) with ESMTPSA id 723B82DB7
for <discussao@cejug.java.net>; Tue, 24 Jul 2012 18:36:20 -0300 (BRT)
From: discussao@cejug.java.net
To: discussao@cejug.java.net
Content-Type: multipart/alternative;
boundary="----=_NextPart_6A7_06A6_26272697.96864700"
MIME-Version: 1.0
Date: Tue, 24 Jul 2012 18:36:19 -0300
Message-Id: <201207241836185A203A18C2$2485F4C234@CLIENTEHP>
Status: N
X-Antivirus: avast! (VPS 120724-1, 24/07/2012), Outbound message
X-Antivirus-Status: Clean
X-Virus-Scanned: clamav-milter 0.97.2 at mcbain0002
X-Virus-Status: Clean
X-CMAE-Verdict: spam
X-CMAE-Score: 100
X-CMAE-Analysis: v=2.0 cv=dfQ3Kwre c=0 sm=1 p=VXP8YCfM5NXcRXOyNGkA:9
a=dwJZYQf5wdo7ECUhxwFKBw==:17 a=EWHUlan9URkA:10 a=4-Gijvo9mX4A:10
a=WFU3zxOKDXEA:10 a=COfzQ7OkAAAA:8 a=32vWuwgjIx4wFRIVeBnZFQ==:117
Subject: [CEJUG] NF: entregue com sucesso! Terca, 24 de julho de 2012
Reply-To: discussao@cejug.java.net
X-Loop: discussao@cejug.java.net
X-Sequence: 4377
Errors-to: discussao-owner@cejug.java.net
Precedence: list
X-no-archive: yes
List-Id: <discussao.cejug.java.net>
List-Help: <sympa@cejug.java.net?subject=help>
List-Subscribe: <sympa@cejug.java.net?subject=subscribe%20discussao>
List-Unsubscribe: <sympa@cejug.java.net?subject=unsubscribe%20discussao>
List-Post: <discussao@cejug.java.net>
List-Owner: <discussao-request@cejug.java.net>

This is a multi-part message in MIME format

------=_NextPart_6A7_06A6_26272697.96864700
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

A WR Cobran=E7a,
Informa que voc=EA tem at=E9 15/07/2012 para efetuar o pagamento da fatu=
ra referente atraso do m=EAs 06 (junho) 2012, caso pagamento
n=E3o seja efetuado ser=E1 levado a protesto ap=F3s a data mencionada.

Boleto_Referente_Junho.zip

------=_NextPart_6A7_06A6_26272697.96864700
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html><he=
ad>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-88=
59-1">
<META name=3DGenerator content=3D4.61> <title>NF: entregue com sucesso=
! Terca, 24 de julho de 2012</title>
</head>
<body> <DIV><A href=3D"http://www.tominas.com//includes/js/tabs/indexx.=
php" target=3D_blank>NF.Eletronica.zip</A><BR> <P align=3Dleft>Bom dia!<=
BR>Segue em anexo a nota fiscal solicitada via telefone.</p><p align=3Dl=
eft>Aguardo retorno de recebimento</P><BR></DIV></body>
</html>

-----=_NextPart_6A7_06A6_26272697.96864700-


sonyabarry added a comment - 21/Aug/12 11:45 PM

Closing because we don't have a way to fix this issue at this time. We will be replacing the MLM at some time in the near future, and can't spare the engineering resources for something that will be replaced soon. Temporary resolution is to switch list to moderated.
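
The header pattern discussed in the comments above (a From line carrying the list's own address, a different account in the submission hop's "Authenticated sender" note, and an upstream spam verdict) can be checked mechanically before a message is distributed. The following is an added example, not code from java.net or its mailing list manager; the `analyze` function, the finding labels and the sample message (placeholder hosts, IPs and account) are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LIST_ADDR = "discussao@cejug.java.net"  # list address from the report
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)", re.I)

# Constructed sample following the header pattern in the comments above;
# hosts, IPs and the authenticated account are placeholders.
SAMPLE = """\
Return-Path: <discussao@cejug.java.net>
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mailin.example.org (Postfix) with ESMTP id AAAA1
\tfor <discussao@cejug.java.net>; Wed, 20 Jun 2012 04:19:27 +0000 (GMT)
Received: from CLIENT-PC (unknown [198.51.100.7])
\t(Authenticated sender: someone@sender.example)
\tby smtp.example.net (Postfix) with ESMTPA id BBBB2
\tfor <discussao@cejug.java.net>; Wed, 20 Jun 2012 01:19:14 -0300 (BRT)
From: "discussao@cejug.java.net" <discussao@cejug.java.net>
To: discussao@cejug.java.net
X-CMAE-Verdict: spam
Subject: [CEJUG] NFE - Nota Fiscal

(body omitted)
"""

def analyze(raw, list_addr=LIST_ADDR):
    """Return the identities a message claims and the reasons to hold it."""
    msg = message_from_string(raw)
    list_addr = list_addr.lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    # Each hop prepends its Received header, so the last match is the
    # submission hop. It is the sending provider's claim, not verified here.
    auth = None
    for hop in msg.get_all("Received", []):
        found = AUTH_RE.search(hop)
        if found:
            auth = found.group(1).lower()
    findings = []
    if from_addr == list_addr:
        findings.append("from-is-list-address")
    if envelope == list_addr:
        findings.append("envelope-is-list-address")
    if auth and auth != from_addr:
        findings.append("auth-sender-mismatch")
    if msg.get("X-CMAE-Verdict", "").strip().lower() == "spam":
        findings.append("upstream-spam-verdict")
    return {"from": from_addr, "authenticated_sender": auth,
            "findings": findings, "hold": bool(findings)}
```

The check belongs on the inbound copy, before the list rewrites Return-Path to its owner address; Received lines added before the first trusted relay can be written by the sender, so a missing "Authenticated sender" note proves nothing.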