[GTALUG] mail oddity [was Re: Debian Linux as-a-router Guide]

BCLUG admin at bclug.ca
Fri Sep 8 13:57:50 EDT 2023


D. Hugh Redelmeier via talk wrote on 2023-09-08 07:04:

> I sent this yesterday.
> To talk at gtalug.org  and jamonation at gmail.com
> I got a bounce message from ubuntu-users-owner at lists.ubuntu.com
> ("Post by non-member to a members-only list")
> 
> How would this get to the ubuntu users list with my address on it?
> 
> | From: Jamon Camisso via talk<talk at gtalug.org>
> | To:talk at gtalug.org
> | Cc: Jamon Camisso<jamonation at gmail.com>
> | Date: Thu, 7 Sep 2023 14:54:30 -0400
> | Subject: Re: [GTALUG] Debian Linux as-a-router Guide

There's something weird going on in the world of mailing lists.


First, it appears Jamon works/worked at Canonical, so there's a 
tangential relation to lists.ubuntu.com.


Two days ago, I got a weird message from someone I barely know via a LUG 
that was "Checking in" and "Is this email still valid for you? There is 
something important I'd like to discuss."

Checking list archives, the From: was valid, but the ReplyTo: had a 
couple extra numbers on the end, then a different domain.


Very odd. Maybe he was hacked? The mailing list itself?


Then, yesterday I awoke to a flood of incoming bounce messages from *MY* 
mail server.

Someone logged into my server as admin at bclug.ca (SASL plain auth), and 
started sending messages full of base64-encoded attachments (spam).


That scared me - how did this happen?!?


I shut down postfix, archived the queue then analyzed it, then deleted 
it. Changed my SASL password (a very lengthy one before & after), and it 
appears to be okay now?



Maybe there's some automated attack going on against small Linux email 
lists / servers?



Also, there was a back-scatter issue a few / several months ago 
targeting a user and/or mailing list in SF.



TL;DR:

I dunno why you got the bounce from Ubuntu lists.




