Opened 6 months ago

Closed 6 months ago

Last modified 6 months ago

#16249 closed Bug/Something is broken (fixed)

MayFirst's 'Chinese Progressive Association' is using the legitgov site to spam thousands of people

Reported by: Lori Price
Owned by: JaimeV
Priority: High
Component: Tech
Keywords: Spam
Cc: lori@…, southwell.gov@…, Jamie McClelland
Sensitive: no

Description

Dear MayFirst Team,

Today I noticed in Roundcube webmail thousands and thousands of bounced emails. They were all comments on one particular CLG News summary, sent via the "send this article to a friend" feature. I investigated and learned that one particular website is using the CLG "send this article to a friend" feature to trigger thousands of emails from june.legitgov.org with an invitation to a Chinese conference - in Chinese.

I have since added a math captcha to the feature to hopefully stop this abuse. But what's interesting is that I traced the IP - 162.247.75.105 - from one of the bounced emails, and the website sullying legitgov.org's name is https://cpasf.org, 'Chinese Progressive Association.' This group is making it appear as if legitgov.org is sending these emails. If this group wants to send thousands and thousands of invitations to the "'14th Five-Year Plan' Economic Personnel Growth Plan of Guochuang Think Tank (I translated it)," why don't they use their own resources instead of adding the invitation in Chinese as a comment to a CLG article?

Here is the email with mail header:

Delivery has failed to these recipients or groups:

charles@promobilia.com
The email address you entered couldn't be found. Please check the recipient's email address and try to resend the message. If the problem continues, please contact your email admin.

Diagnostic information for administrators:

Generating server: SRCEX4.SRC.local

charles@promobilia.com
Remote Server returned '550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup'

Original message headers:

Received: from SRCEXCAS02.SRC.local (10.0.0.229) by SRCEX4.SRC.local
 (10.0.0.234) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 21 Jan
 2021 19:55:25 -0500
Received: from ss.dsmhosting.net (204.92.16.133) by SRCEXCAS02.SRC.local
 (10.0.0.229) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2 via Frontend
 Transport; Thu, 21 Jan 2021 19:55:25 -0500
X-ASG-Debug-ID: 1611276923-0fada7318a2305c0001-aRRsTG
Received: from june.mayfirst.org (www.cpasf.org [162.247.75.105]) by ss.dsmhosting.net with ESMTP id vDCclufr8AuGvHpX (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <charles@promobilia.com>; Thu, 21 Jan 2021 19:55:23 -0500 (EST)
X-Barracuda-Envelope-From: legitgov@june.mayfirst.org
X-Barracuda-Effective-Source-IP: www.cpasf.org[162.247.75.105]
X-Barracuda-Apparent-Source-IP: 162.247.75.105
Received: from june.mayfirst.org (localhost [127.0.0.1])
	by june.mayfirst.org (Postfix) with ESMTP id 962D06ADA6
	for <charles@promobilia.com>; Thu, 21 Jan 2021 19:55:22 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on june.mayfirst.org
X-Spam-Level: **
X-Spam-Status: No, score=2.3 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	HTML_MESSAGE,MIME_HTML_ONLY,NO_RELAYS,TO_NO_BRKTS_HTML_ONLY,
	URIBL_BLOCKED autolearn=disabled version=3.4.2
X-Spam-Language: en
X-Envelope-From: <legitgov@june.mayfirst.org>
Received: by june.mayfirst.org (Postfix, from userid 4119)
	id 63BC06ADB2; Thu, 21 Jan 2021 19:55:22 -0500 (EST)
To: <charles@promobilia.com>
Subject: angongbai has forwarded a page to you from CLG News
MIME-Version: 1.0
X-ASG-Orig-Subj: angongbai has forwarded a page to you from CLG News
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8Bit
X-Mailer: Drupal
Sender: <lori@legitgov.org>
From: angongbai <lori@legitgov.org>
Reply-To: angongbai <tlaoshi@wcomcast.net>
Message-ID: <20210122005522.63BC06ADB2@june.mayfirst.org>
Date: Thu, 21 Jan 2021 19:55:22 -0500
X-Virus-Scanned: ClamAV using ClamSMTP
X-Barracuda-Connect: www.cpasf.org[162.247.75.105]
X-Barracuda-Start-Time: 1611276923
X-Barracuda-Encrypted: ECDHE-RSA-AES256-GCM-SHA384
X-Barracuda-URL: https://ss.dsmhosting.net:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at dsmhosting.net
X-Barracuda-Scan-Msg-Size: 2704
X-Barracuda-BRTS-Status: 1
X-Barracuda-Bayes: INNOCENT GLOBAL 0.5572 1.0000 0.7500
X-Barracuda-Spam-Score: 0.75
X-Barracuda-Spam-Status: No, SCORE=0.75 using global scores of TAG_LEVEL=2.5 QUARANTINE_LEVEL=3.0 KILL_LEVEL=5.0 tests=HTML_MESSAGE, MIME_HTML_ONLY
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.87417
	Rule breakdown below
	 pts rule name              description
	---- ---------------------- --------------------------------------------------
	0.00 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
	0.00 HTML_MESSAGE           BODY: HTML included in message
Return-Path: legitgov@june.mayfirst.org
Reporting-MTA: dns;SRCEX4.SRC.local
Received-From-MTA: dns;ss.dsmhosting.net
Arrival-Date: Fri, 22 Jan 2021 00:55:25 +0000

Original-Recipient: rfc822;charles@promobilia.com
Final-Recipient: rfc822;charles@promobilia.com
Action: failed
Status: 5.1.10
Diagnostic-Code: smtp;550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup

Subject: angongbai has forwarded a page to you from CLG News
From: angongbai
Sender: lori@legitgov.org
To: charles@promobilia.com
Date: 2021-01-21 19:55
CLG News

angongbai thought you would like to see this page from the CLG News web site.
Message from Sender

We sincerely invite you to join Guochuang Think Tank's "14th Five-Year Plan" Economic Personnel Growth Plan, studying alongside relevant staff of the central ministries and commissions, so that you can understand central economic policy, keep pace with the national development strategy, integrate into regional economic development, join roundtable dialogues with local leaders, work on the difficult problems met in running a business, and connect with government and business resources. Returning from a hundred battles to study again, safeguarding your enterprise's century-long success. Two-year program, tuition 699,000 yuan! Contact Teacher Li: 13717999787 (same number on WeChat) 2021-01-22 00:55:36

US: Missile transfers could lead to war

by legitgov

US: Missile transfers could lead to war 21 Apr 2010 The Obama administration's top diplomat for the Middle East says the United States has warned Syria numerous times in recent weeks that transferring ballistic missiles to Lebanon's Hezbollah militia could lead to war in the region. Assistant Secretary of State for Near East Affairs Jeffrey Feltman said Wednesday giving such weapons to Hezbollah would be "an incendiary, provocative action." He would not confirm reports that Syria has sent Scud missiles to Hezbollah, but he said the administration viewed the matter with the gravest concern.

Click here to read more on our site

Thank you,

Lori Price

Change History (9)

comment:1 Changed 6 months ago by Lori Price

Update: They seemingly can circumvent the math captcha, as they've sent another one since I've posted this ticket. Why is one MayFirst website allowed to troll and abuse another member of MayFirst?

Lori

comment:2 Changed 6 months ago by Lori Price

Actually, the last two bounces were from emails sent Sunday, so they weren't sent after I added the captcha.

Lori

comment:3 Changed 6 months ago by JaimeV

Cc: Jamie McClelland added

Hi Lori, I think there must be a misunderstanding but please give me some time to further investigate.

comment:4 Changed 6 months ago by Jamie McClelland

The IP address 162.247.75.105 maps to june.mayfirst.org - which is the server hosting legitgov.net, which is responsible for sending the email. CPASF has nothing to do with it.

CPASF does have an errant DNS pointer record assigned to the IP - so the IP address points to the CPASF domain (I just disabled that errant record), but again, that's not a sign that CPASF sent the message or has anything to do with it.

The IP address identifies the source of the email, and the source is the legitgov.net site which is hosted on that IP address.
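To show the point made in this comment, here is an added example (not part of the ticket or of any May First tooling) that walks the Received: chain from the bounce quoted above, drops the hops stamped inside the private network, and reports the first hop with a routable source IP together with the two names attached to it. The HELO name (june.mayfirst.org) and the PTR name (www.cpasf.org) are both just labels; the IP is what identifies the sending host.

```python
import ipaddress
import re

# Received: chain copied from the bounce quoted in the ticket, other headers dropped.
BOUNCE_HEADERS = """\
Received: from SRCEXCAS02.SRC.local (10.0.0.229) by SRCEX4.SRC.local
 (10.0.0.234) with Microsoft SMTP Server; Thu, 21 Jan 2021 19:55:25 -0500
Received: from ss.dsmhosting.net (204.92.16.133) by SRCEXCAS02.SRC.local
 (10.0.0.229) with Microsoft SMTP Server; Thu, 21 Jan 2021 19:55:25 -0500
Received: from june.mayfirst.org (www.cpasf.org [162.247.75.105]) by ss.dsmhosting.net with ESMTP id vDCclufr8AuGvHpX for <charles@promobilia.com>; Thu, 21 Jan 2021 19:55:23 -0500 (EST)
Received: from june.mayfirst.org (localhost [127.0.0.1])
    by june.mayfirst.org (Postfix) with ESMTP id 962D06ADA6
    for <charles@promobilia.com>; Thu, 21 Jan 2021 19:55:22 -0500 (EST)
Received: by june.mayfirst.org (Postfix, from userid 4119)
    id 63BC06ADB2; Thu, 21 Jan 2021 19:55:22 -0500 (EST)
"""

# from <HELO name> (<optional PTR name> [<ip>]) ... by <relay that stamped the hop>
HOP_RE = re.compile(r"from (\S+) \((?:(\S+) )?\[?(\d+\.\d+\.\d+\.\d+)\]?\).*? by (\S+)")

def unfold(raw):
    """Join RFC 5322 continuation lines back onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_hops(raw):
    """Hops top to bottom (newest first); a Received: without a 'from x (ip)'
    clause, such as the local Postfix submission, is skipped."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.search(line) if line.startswith("Received:") else None
        if m:
            helo, ptr, ip, relay = m.groups()
            hops.append({"helo": helo, "ptr": ptr, "ip": ip, "by": relay})
    return hops

def external_origin(hops):
    """Earliest hop with a routable source IP: the host that handed the mail to
    the first relay. The HELO name is whatever the sender claimed and the PTR
    name is whatever reverse DNS returned for the IP at the time, so the IP,
    as stamped by a relay you trust, is the evidence of origin."""
    for hop in reversed(hops):
        if ipaddress.ip_address(hop["ip"]).is_global:
            return hop
```

For this bounce the result is the hop stamped by ss.dsmhosting.net: IP 162.247.75.105, HELO june.mayfirst.org, PTR www.cpasf.org, which is exactly the reverse-DNS mix-up the comment describes.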

comment:5 Changed 6 months ago by JaimeV

Owner: set to JaimeV
Status: new → assigned

Thanks Jamie. Lori, does that clear things up for you?

comment:6 Changed 6 months ago by JaimeV

Resolution: fixed
Status: assigned → feedback

comment:7 in reply to: 5 Changed 6 months ago by Lori Price

Resolution: fixed
Status: feedback → assigned

Replying to JaimeV:

Thanks Jamie. Lori, does that clear things up for you?

Hi Jamie and Jaime.

Understood. But do we know who sent the hundreds (or thousands) of invitations to that conference, using CLG's feature?

Thank you,
Lori

comment:8 Changed 6 months ago by Jamie McClelland

Resolution: fixed
Status: assigned → closed

You'd have to check your log file - and look for what IP address is accessing the page that is sending those comments. But I don't think that will help - you will probably get a bunch of different IPs that were used to send the spam, but it won't tell you who is actually behind it.
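The log check this comment suggests, as an added example that is not part of the ticket: parse the web server's access log, keep only submissions to the send-to-a-friend form, and rank source IPs by how many they sent. The log lines are constructed (documentation IP ranges, made-up times and user agents), and the "/forward/" path is an assumption about where the Drupal form posts; adjust it to the real form URL.

```python
import re
from collections import Counter

# Constructed Apache combined-log lines; IPs, times and user agents are made up,
# and the "/forward/<nid>" path is assumed to be where the Drupal form posts.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jan/2021:19:55:20 -0500] "POST /forward/12345 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jan/2021:19:55:22 -0500] "POST /forward/12345 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jan/2021:19:55:23 -0500] "POST /forward/12345 HTTP/1.1" 302 0 "-" "python-requests/2.25"
203.0.113.5 - - [21/Jan/2021:19:55:25 -0500] "POST /forward/12345 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Jan/2021:19:56:01 -0500] "GET /node/12345 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Jan/2021:19:56:30 -0500] "POST /forward/12345 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def forward_posts(log_text, path_prefix="/forward/"):
    """Yield (ip, timestamp, user_agent) for every POST to the forward form."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        ip, ts, method, path, status, ua = m.groups()
        if method == "POST" and path.startswith(path_prefix):
            yield ip, ts, ua

def rank_senders(log_text, path_prefix="/forward/"):
    """[(ip, submissions), ...] with the busiest source first."""
    counts = Counter(ip for ip, _, _ in forward_posts(log_text, path_prefix))
    return counts.most_common()

def suspicious(log_text, threshold=3, path_prefix="/forward/"):
    """Source IPs at or above the threshold: candidates for rate limiting or a
    block. As the comment notes, this names the addresses used, not the person
    behind them, and a spam run usually shows up as many such addresses."""
    return [ip for ip, n in rank_senders(log_text, path_prefix) if n >= threshold]
```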

comment:9 Changed 6 months ago by Lori Price

Thank you, Jamie and Jaime!

Lori
