<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:-webkit-standard;
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-IE" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">It�s one of the more recent tactics being used by the �lovely� scumbags. It�s happening against multiple public mailing lists both RIPE and LINX ones so far .. probably others<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">--<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Mr Michele Neylon<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Blacknight Solutions<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Hosting, Colocation & Domains<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black"><a href="https://www.blacknight.com/"><span style="color:#0563C1">https://www.blacknight.com/</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black"><a href="https://blacknight.blog/"><span style="color:#0563C1">https://blacknight.blog/</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Intl. +353 (0) 59 9183072<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Direct Dial: +353 (0)59 9183090<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Personal blog: <a href="https://michele.blog/"><span style="color:#0563C1">https://michele.blog/</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Some thoughts: <a href="https://ceo.hosting/"><span style="color:#0563C1">https://ceo.hosting/</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">-------------------------------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Rob Evans <rhe@nosc.ja.net><br>
<b>Date: </b>Thursday, 14 April 2022 at 09:19<br>
<b>To: </b>Hans-Martin Mosner <hmm@heeg.de><br>
<b>Cc: </b>anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net><br>
<b>Subject: </b>Re: [anti-abuse-wg] Someone on this list has been hacked<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">[EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources.<br>
<br>
Hi Hans-Martin,<br>
<br>
> looks like someone on this list had their PC and/or mailbox hacked, I got a "reply" to one of my mails trying to make me open some link (probably malware). This stuff is pretty common, but it feels a bit weird that it happened through someone who's active
in anti-abuse and presumably not a noob :-)<br>
<br>
I received a similar message on Monday supposedly �in reply to� a message I sent to the list nearly two years ago.<br>
<br>
It may not be a list subscriber�s mailbox that has been hacked, it may just be using a public archive of the list. Whilst the �real name� in the From: field was indeed the person I was replying to at the time (Suresh), the sender�s email address did not match
the name.<br>
<br>
In my case the spam message originated from:<br>
> Received: from beatingart.com ([62.113.107.99])<br>
<br>
The sending IP address matches the SPF record for beatingart.com and from a quick check doesn�t seem to be on the major block lists, so it could well be a user in that domain has been compromised via phishing or some other means�<br>
<br>
I must admit I had just deleted the message at the time, but perhaps worth following up with <abuse@ionos.com>, assuming your message matches the details of mine.<br>
<br>
Cheers,<br>
Rob<br>
<br>
--<br>
<br>
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit:
<a href="https://mailman.ripe.net/">https://mailman.ripe.net/</a><o:p></o:p></span></p>
</div>
</div>
</body>
</html>