Netgate Discussion Forum

is pfsense forums hacked?

Off-Topic & Non-Support Discussion
12 Posts 8 Posters 2.8k Views
  • ipfftw
    last edited by Jun 30, 2021, 12:03 AM

    Background: I use a custom email address @domain.ca for everything.

    Problem: Today I received an email that was sent to pfsense@domain.ca. What this likely means, since I have never used that address anywhere else, is that some pfSense forum or other pfSense corporate asset is compromised. There are no Google hits on the email address, so it hasn't been published anywhere. You can all draw your own conclusions, but this is just a be-wary message; a slight caution has been raised.

    Posting here in case anyone sees the same thing. Perhaps I am super paranoid, but I often find database compromises for companies in this fashion. Partial headers follow:

    Return-Path: <pfsense5041@zechstreets.com>
    X-Original-To: pfsense@DOMAIN.CA
    Delivered-To: pfsense@DOMAIN.CA
    Received: by mailsever.DOMAIN.CA (Postfix, from userid 5001)
    	id 71B469AC75; Tue, 29 Jun 2021 13:10:40 -0700 (PDT)
    Authentication-Results: mailsever.DOMAIN.CA;
    	dkim=pass (1024-bit key; unprotected) header.d=zechstreets.com header.i=pfsense5041@zechstreets.com header.b="VgtYQVpk";
    	dkim-atps=neutral
    X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
    	mailsever.DOMAIN.CA
    X-Spam-Level: ****
    X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,DATE_IN_FUTURE_06_12,
    	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE,
    	SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID,URIBL_ABUSE_SURBL
    	autolearn=no autolearn_force=no version=3.4.2
    Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=198.144.145.183; helo=mta0.zechstreets.com; envelope-from=pfsense5041@zechstreets.com; receiver=<UNKNOWN> 
    Received: from mta0.zechstreets.com (unknown [198.144.145.183])
    	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    	(No client certificate requested)
    	by mailsever.DOMAIN.CA (Postfix) with ESMTPS id 6877799F81
    	for <pfsense@DOMAIN.CA>; Tue, 29 Jun 2021 13:10:38 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=zechstreets.com;
     h=Message-ID:From:To:Subject:Date:MIME-Version:Content-Type;
     i=pfsense5041@zechstreets.com;
     bh=AaQrtjXVeCq0ayCHS51WeqhwKVk=;
     b=VgtYQVpklOVrI4x7o0uhIMGqn4QqPlMz10xq755+IDCO28gEPUYuVWt3EU7M7DhQMxnAoATa9zOH
       Y3tLQzXGWJWuMT2gF4BblN40favon4mJQqMmvFUf9po2Z/P6M3ggcfOXSKekq7kHXCBAXTyfOs3h
       wzlrbu1aSk7s427MH5U=
    Message-ID: <A6F1EF9ED0CFFA51C43D4A697B92B7C1@lpr>
    From: Ray Ban <pfsense5041@zechstreets.com>
    To: pfsense <pfsense@DOMAIN.CA>
    Subject: Ray Ban Sunglasses 2021 New Styles - Save up to 80% Off
    Date: Tue, 29 Jun 2021 20:10:04 -0800
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    	boundary="----=_001_143f1e62313290e9_=----"
    
    This is a multi-part message in MIME format.
    
    ------=_001_143f1e62313290e9_=----
    Content-Type: text/plain;
    	charset="utf-8"
    Content-Transfer-Encoding: base64
    
    ICAgIC
    
    REMOVED ENCODE BECAUSE I DONT KNOW WHAT IT DOES 
    
    ogDQo=
    
    ------=_001_143f1e62313290e9_=----
    Content-Type: text/html;
    	charset="utf-8"
    Content-Transfer-Encoding: base64
    
    PCFET0NUWVB 
    
    REMOVED ENCODE BECAUSE I DONT KNOW WHAT IT DOES 
    
    w+DQo=
    
    ------=_001_143f1e62313290e9_=------
    
    • kiokoman @ipfftw
      last edited by Jul 10, 2021, 11:01 AM

      @ipfftw
      Nothing to do with pfSense or Netgate;
      the culprit is https://whois.domaintools.com/198.144.145.183
      zechstreets.com

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      • Gertjan @kiokoman
        posted Jul 12, 2021, 9:21 AM, last edited by Gertjan Jul 12, 2021, 10:24 AM

        @kiokoman said in is pfsense forums hacked?:

        nothing to do with pfsense or netgate,

        I guess @ipfftw was asking: how did "zechstreets.com" obtain my mail address "pfsense@DOMAIN.CA"?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        • kiokoman @Gertjan
          posted Jul 12, 2021, 7:20 PM, last edited by kiokoman Jul 12, 2021, 7:30 PM

          @gertjan
          Ahh, now I understand...
          Without the real domain it's impossible to say.

          • Knight @ipfftw
            posted Jul 12, 2021, 10:50 PM, last edited by Knight Jul 12, 2021, 10:51 PM

            Hi @ipfftw !

            I do the same for most sites (with some exceptions)...

            I do have a pfsense@MYDOMAIN for this site and it has not been spammed yet, let's hope it stays that way...

            What was that email about, was it from a possible Netgate partner?

            As for the comment you made about removing part of the email: it was HTML encoded in base64. You can use one of the online base64 decoders to look at it, but it should essentially be the body of the email you received.

            As for how they got your email, it does not necessarily mean this site or another Netgate-related site was compromised; it could also be the mail server(s) involved in sending and receiving those emails (are you self-hosting?) or the computer(s) you are writing/receiving those messages on...

            Good luck and have a nice day!

            Nick

            • ipfftw @Knight
              last edited by Jul 14, 2021, 12:27 AM

              No, it was about sunglasses; you can see the subject of the mail. Nothing to do with Netgate.

              Well, post back if you get spammed too.

              Answer to your question: it's a self-hosted Ubuntu with autoupdate on. And it's just a catch-all domain, so it's not like I actually wrote "pfsense@domain.ca" anywhere on the mail server. I mean, sure, it's possible someone hacked my email, but unlikely, as this would be the least of my worries...

              And they would spam one of the real users on the host, not a fake alias that is only used for the pfSense forums.
              I'm not super worried about it, just wanted to see if anyone else had the same experience. I obviously use a random password on every site, so no problem with that. And I haven't received any login attempts with it, as shown by my daily logwatch...

              Just strange.

              • chpalmer @ipfftw
                last edited by Jul 14, 2021, 12:53 AM

                @ipfftw Same here. I use an email address for every forum I am on that is specific to them. Nothing spam-related on the pfSense email address as of this date.

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                • GruensFroeschli
                  last edited by Aug 4, 2021, 9:00 PM

                  So I just started receiving spam to my pfsense address as well.
                  I'm in the same boat as ipfftw, where I know that this address is used nowhere except for pfSense-related things.
                  Somewhere something has been leaked.

                  We do what we must, because we can.

                  Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                  • ipfftw @GruensFroeschli
                    last edited by Aug 5, 2021, 1:27 AM

                    @gruensfroeschli
                    Two people could be random chance or something. Still, I would be interested to see sanitized headers if you want to post them, to see if there are any commonalities. Could be some kind of targeted spearphishing campaign. (Because we are just that important... :P )

                    • GruensFroeschli @ipfftw
                      posted Aug 9, 2021, 8:04 AM, last edited by GruensFroeschli Aug 9, 2021, 8:07 AM

                      @ipfftw sure

                      Return-Path: <info123@geoattendance.com>
                      Delivered-To: **********@may.nu
                      Received: from mail.may.nu
                      	by mail.may.nu (Dovecot) with LMTP id r3d1F8ibCmEAdQAA7RFmPA
                      	for <**********@may.nu>; Wed, 04 Aug 2021 15:53:12 +0200
                      Received: from alpha.xprohosting.com (f012.fuchsia.servdiscount-customer.com [217.79.181.12])
                      	by mail.may.nu (Postfix) with ESMTPS id 2909D17C036E
                      	for <**********@may.nu>; Wed,  4 Aug 2021 15:53:08 +0200 (CEST)
                      Authentication-Results: mail.may.nu;
                      	dkim=pass (2048-bit key; unprotected) header.d=geoattendance.com header.i=@geoattendance.com header.b="SLa04DyS";
                      	dkim-atps=neutral
                      Received: from r22710 (unknown [40.77.63.56])
                      	by alpha.xprohosting.com (Postfix) with ESMTPSA id 35CDB34CA593
                      	for <**********@may.nu>; Wed,  4 Aug 2021 15:53:08 +0200 (CEST)
                      DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=geoattendance.com;
                      	s=202009; t=1628085188;
                      	bh=FoCUUax9aL+R62ReUNyY9gsQPsuhHPLNyC8eXoKsv6A=;
                      	h=From:To:Date:Subject:From;
                      	b=SLa04DyS8KOLi8bqYBPLfvk7lqQzewCkc2vR8PsBV1z8F/8kyuZU+0Yo4xoBv7DIo
                      	 z6hupnWk3i615wrSCDxqN2ShuokuVoxkcrTykOBgbk2/63jFfigsOZlgJ/Wv4hLX8D
                      	 t9KWHfYjlLu9rUWRferINJWM4z36GwkbJP7P+ArWQWNQgoQVGj4V4bODK24G5/8+u5
                      	 CI9tgbFmhJhZJ6Due1P29b5Q+Bdoqt2tVU6quD3TqW4vHJkA0/l1slsvWoqUhFunvA
                      	 MYcxOX+pEZMFrlEmVkqHlbfqD300Wmbt8vYCQRCJwk6dqN1Gy6FU1QPQ/1XV7ru20k
                      	 BzlhVy1LoabwA==
                      MIME-Version: 1.0
                      From: "app invoice" <info123@geoattendance.com>
                      To: **********@may.nu
                      Date: 4 Aug 2021 13:53:08 +0000
                      Subject: Premium package activated for **********@may.nu cloud account. Enjoy
                       feaures and services.
                      Content-Type: text/html; charset=utf-8
                      Content-Transfer-Encoding: base64
                      X-Spam-Status: No, score=1.7 required=4.5 tests=DKIM_SIGNED,DKIM_VALID,
                      	DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,
                      	MIME_HTML_ONLY,MISSING_MID,SPF_PASS,URIBL_BLOCKED autolearn=no
                      	autolearn_force=no version=3.4.2
                      X-Spam-Level: *
                      X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.may.nu
                      

                      and

                      Return-Path: <office@d2turboparts.com>
                      Delivered-To: **********@may.nu
                      Received: from mail.may.nu
                      	by mail.may.nu (Dovecot) with LMTP id pt2cBSj7CmHZNAAA7RFmPA
                      	for <**********@may.nu>; Wed, 04 Aug 2021 22:40:08 +0200
                      Received: from vmi314772.contaboserver.net (autoq.ro [213.136.74.59])
                      	by mail.may.nu (Postfix) with ESMTPS id 22FC217C036E
                      	for <**********@may.nu>; Wed,  4 Aug 2021 22:40:06 +0200 (CEST)
                      Authentication-Results: mail.may.nu;
                      	dkim=pass (2048-bit key; unprotected) header.d=d2turboparts.com header.i=@d2turboparts.com header.b="daoofF1+";
                      	dkim-atps=neutral
                      DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
                      	d=d2turboparts.com; s=default; h=Content-Transfer-Encoding:Content-Type:
                      	Subject:Date:To:From:MIME-Version:Sender:Reply-To:Message-ID:Cc:Content-ID:
                      	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
                      	:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
                      	List-Subscribe:List-Post:List-Owner:List-Archive;
                      	bh=FoCUUax9aL+R62ReUNyY9gsQPsuhHPLNyC8eXoKsv6A=; b=daoofF1+w3pvvKfo+ERt1hAdqn
                      	rJ1oLc7KfAggISxUkG/zSwdy9V+PIJB4qCoy2W6BNYBBvfjStjQhsyQWnnhncAH8Ly8BOS3PIV5px
                      	43gJ8funa4hhs35Y7Vs9PbDkrTqzHTbKi+n+SqI2/w7lfekHwDS1em4ixVJIFvyZs75YAw+BpZ7YF
                      	UcEz7kcE9o9jiCMm6b875UBpSTdZvr7mBs4rEOTzlbRR6YujxCDt+RS+FoehthUjAbG8wz4IG1kVn
                      	z+c9dF62yeqXE8s6gcLI7KtBDK7mnwtp0DQEm5Rv4hSvxqbZvmdMT9C3L/c3oqFdlYjNDBLcIn9F7
                      	DQjShqpg==;
                      Received: from [20.74.174.147] (port=51985 helo=r2074)
                      	by vmi314772.contaboserver.net with esmtpsa  (TLS1) tls TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
                      	(Exim 4.94.2)
                      	(envelope-from <office@d2turboparts.com>)
                      	id 1mBL04-0008Eh-QJ
                      	for **********@may.nu; Wed, 04 Aug 2021 20:48:14 +0300
                      MIME-Version: 1.0
                      From: "app info" <office@d2turboparts.com>
                      To: **********@may.nu
                      Date: 4 Aug 2021 17:48:14 +0000
                      Subject: Order for **********@may.nu cloud account placed. Please confirm
                       delivery and purchase.
                      Content-Type: text/html; charset=utf-8
                      Content-Transfer-Encoding: base64
                      X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
                      X-AntiAbuse: Primary Hostname - vmi314772.contaboserver.net
                      X-AntiAbuse: Original Domain - may.nu
                      X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
                      X-AntiAbuse: Sender Address Domain - d2turboparts.com
                      X-Get-Message-Sender-Via: vmi314772.contaboserver.net: authenticated_id: office@d2turboparts.com
                      X-Authenticated-Sender: vmi314772.contaboserver.net: office@d2turboparts.com
                      X-Source: 
                      X-Source-Args: 
                      X-Source-Dir: 
                      X-Spam-Status: No, score=1.7 required=4.5 tests=DKIM_SIGNED,DKIM_VALID,
                      	DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,
                      	MIME_HTML_ONLY,MISSING_MID,SPF_PASS,URIBL_BLOCKED autolearn=no
                      	autolearn_force=no version=3.4.2
                      X-Spam-Level: *
                      X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.may.nu

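Added example (not from this thread, Netgate or pfSense): a small Python triage script for the comparison ipfftw asked for above. It pulls the fields worth lining up across messages sent to a single-purpose alias (envelope domain, earliest Received IP, DKIM result, SpamAssassin tests) and decodes the base64 body locally rather than through a web decoder, as Knight's post mentioned. The header excerpts are trimmed from the two header sets posted in this thread; the message bodies are made up.

```python
import base64
import re
from email import message_from_string
from email.policy import default

# Header excerpts quoted from the thread (trimmed); bodies are made up below.
IPFFTW = """Return-Path: <pfsense5041@zechstreets.com>
Authentication-Results: mailsever.DOMAIN.CA;
\tdkim=pass (1024-bit key; unprotected) header.d=zechstreets.com
Received: from mta0.zechstreets.com (unknown [198.144.145.183])
X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,DATE_IN_FUTURE_06_12,
\tDKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE,
\tSPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID,URIBL_ABUSE_SURBL
\tautolearn=no autolearn_force=no version=3.4.2"""
GRUENS = """Return-Path: <info123@geoattendance.com>
Received: from alpha.xprohosting.com (f012.fuchsia.servdiscount-customer.com [217.79.181.12])
Authentication-Results: mail.may.nu;
\tdkim=pass (2048-bit key; unprotected) header.d=geoattendance.com
Received: from r22710 (unknown [40.77.63.56])
\tby alpha.xprohosting.com (Postfix) with ESMTPSA id 35CDB34CA593
X-Spam-Status: No, score=1.7 required=4.5 tests=DKIM_SIGNED,DKIM_VALID,
\tDKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,
\tMIME_HTML_ONLY,MISSING_MID,SPF_PASS,URIBL_BLOCKED autolearn=no
\tautolearn_force=no version=3.4.2"""

def constructed_message(headers, body_text):
    """Append a made-up body, base64-encoded the way the thread's spam was."""
    body = base64.b64encode(body_text.encode()).decode()
    return f"{headers}\nContent-Transfer-Encoding: base64\n\n{body}\n"

def triage(raw):
    """Pull out the fields worth comparing between messages sent to the alias."""
    msg = message_from_string(raw, policy=default)
    envelope = str(msg.get("Return-Path", "")).strip().strip("<>")
    hops = "\n".join(str(h) for h in msg.get_all("Received", []))
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops)
    auth = str(msg.get("Authentication-Results", ""))
    dkim = re.search(r"dkim=(\w+).*?header\.d=([\w.-]+)", auth, re.S)
    spam = str(msg.get("X-Spam-Status", ""))
    tests = re.search(r"tests=(.*?)\s+autolearn=", spam, re.S)
    body = msg.get_payload(decode=True) or b""  # decoded locally, not via a web tool
    return {
        "envelope_domain": envelope.rsplit("@", 1)[-1].lower(),
        "origin_ip": ips[-1] if ips else None,  # bottom-most Received = earliest hop
        "dkim": f"{dkim.group(1)}:{dkim.group(2)}" if dkim else "none",
        "sa_tests": {t for t in re.split(r"[,\s]+", tests.group(1)) if t} if tests else set(),
        "body": body.decode("utf-8", "replace"),
    }

def commonalities(summaries):
    """SpamAssassin tests every message shares, and the origin fields that differ."""
    shared = set.intersection(*(s["sa_tests"] for s in summaries))
    differ = {k for k in ("envelope_domain", "origin_ip", "dkim")
              if len({s[k] for s in summaries}) > 1}
    return shared, differ
```

On these two samples the origin IP, envelope domain and DKIM domain all differ, and the only shared tests are DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HTML_MESSAGE and SPF_PASS: both senders pass authentication for their own domains, which says nothing about legitimacy and is why both scored under the SpamAssassin threshold.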
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.