Is the pfSense forum hacked?
Background: I use a custom email address @domain.ca for everything.
Problem: Today I received an email that was to email@example.com. What this likely means, since I have never used that address anywhere else, is that some pfSense forum or other pfSense corporate asset is compromised. There are no Google hits on the email address, so it hasn't been published anywhere. You can all draw your own conclusions, but this is just a be-wary message; a slight caution has been raised.
Posting here in case anyone sees the same thing. Perhaps I am super paranoid, but I often find database compromises for companies in this fashion. Partial headers follow:
Return-Path: <firstname.lastname@example.org>
X-Original-To: pfsense@DOMAIN.CA
Delivered-To: pfsense@DOMAIN.CA
Received: by mailsever.DOMAIN.CA (Postfix, from userid 5001) id 71B469AC75; Tue, 29 Jun 2021 13:10:40 -0700 (PDT)
Authentication-Results: mailsever.DOMAIN.CA; dkim=pass (1024-bit key; unprotected) header.d=zechstreets.com email@example.com header.b="VgtYQVpk"; dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mailsever.DOMAIN.CA
X-Spam-Level: ****
X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,DATE_IN_FUTURE_06_12, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE, SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID,URIBL_ABUSE_SURBL autolearn=no autolearn_force=no version=3.4.2
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=220.127.116.11; helo=mta0.zechstreets.com; firstname.lastname@example.org; receiver=<UNKNOWN>
Received: from mta0.zechstreets.com (unknown [18.104.22.168]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by mailsever.DOMAIN.CA (Postfix) with ESMTPS id 6877799F81 for <pfsense@DOMAIN.CA>; Tue, 29 Jun 2021 13:10:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=zechstreets.com; h=Message-ID:From:To:Subject:Date:MIME-Version:Content-Type; email@example.com; bh=AaQrtjXVeCq0ayCHS51WeqhwKVk=; b=VgtYQVpklOVrI4x7o0uhIMGqn4QqPlMz10xq755+IDCO28gEPUYuVWt3EU7M7DhQMxnAoATa9zOH Y3tLQzXGWJWuMT2gF4BblN40favon4mJQqMmvFUf9po2Z/P6M3ggcfOXSKekq7kHXCBAXTyfOs3h wzlrbu1aSk7s427MH5U=
Message-ID: <A6F1EF9ED0CFFA51C43D4A697B92B7C1@lpr>
From: Ray Ban <firstname.lastname@example.org>
To: pfsense <pfsense@DOMAIN.CA>
Subject: Ray Ban Sunglasses 2021 New Styles - Save up to 80% Off
Date: Tue, 29 Jun 2021 20:10:04 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_001_143f1e62313290e9_=----"

This is a multi-part message in MIME format.

------=_001_143f1e62313290e9_=----
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

ICAgIC REMOVED ENCODE BECAUSE I DONT KNOW WHAT IT DOES ogDQo=
------=_001_143f1e62313290e9_=----
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

PCFET0NUWVB REMOVED ENCODE BECAUSE I DONT KNOW WHAT IT DOES w+DQo=
------=_001_143f1e62313290e9_=------
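The per-site alias trick in the post is only useful if the triage is quick: which alias was hit (and so who was given it), which outside host handed the message to your own server, what SPF and DKIM say, how far off the Date header is from your own Received stamp (the DATE_IN_FUTURE_06_12 hit above), and what the base64 body actually says. The script below is an added example, not code from the thread or from Netgate. It runs on a constructed message modelled on the headers quoted above, keeping the addresses and IPs exactly as they appear on the page (they look redacted) and building its own base64 body because the original body was not posted; the alias-to-site register `ALIAS_OWNERS` is a hypothetical stand-in for whatever list you keep of who got which alias.

```python
"""Triage a message that landed on a per-site alias: which alias leaked, which host
handed it to us, what SPF/DKIM report, how skewed the Date header is, and the body."""
import base64
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Hypothetical alias register (assumed for the example): who was given which alias.
ALIAS_OWNERS = {"pfsense@domain.ca": "pfSense forum signup"}

# Constructed sample modelled on the headers quoted in the thread. Addresses and IPs
# are copied as they appear there; the base64 body is built here, not taken from the post.
PLAIN = "Ray Ban Sunglasses 2021 New Styles - Save up to 80% Off\n"
HTML = "<html><body><p>Ray Ban Sunglasses 2021 New Styles</p></body></html>\n"


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


SAMPLE = f"""Return-Path: <firstname.lastname@example.org>
X-Original-To: pfsense@DOMAIN.CA
Delivered-To: pfsense@DOMAIN.CA
Received: by mailsever.DOMAIN.CA (Postfix, from userid 5001)
\tid 71B469AC75; Tue, 29 Jun 2021 13:10:40 -0700 (PDT)
Authentication-Results: mailsever.DOMAIN.CA;
\tdkim=pass (1024-bit key; unprotected) header.d=zechstreets.com
\theader.b="VgtYQVpk"; dkim-atps=neutral
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=220.127.116.11;
\thelo=mta0.zechstreets.com; receiver=<UNKNOWN>
Received: from mta0.zechstreets.com (unknown [18.104.22.168])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mailsever.DOMAIN.CA (Postfix) with ESMTPS id 6877799F81
\tfor <pfsense@DOMAIN.CA>; Tue, 29 Jun 2021 13:10:38 -0700 (PDT)
From: Ray Ban <firstname.lastname@example.org>
To: pfsense <pfsense@DOMAIN.CA>
Subject: Ray Ban Sunglasses 2021 New Styles - Save up to 80% Off
Date: Tue, 29 Jun 2021 20:10:04 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_001_143f1e62313290e9_=----"

------=_001_143f1e62313290e9_=----
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

{_b64(PLAIN)}
------=_001_143f1e62313290e9_=----
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

{_b64(HTML)}
------=_001_143f1e62313290e9_=------
"""

# "from <helo-name> (<rdns> [<ip>])" as Postfix writes it into a Received header.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\((\S*)\s*\[([0-9A-Fa-f.:]+)\]\)")


def _strip_comment(s):
    """Drop a trailing '(PDT)'-style comment so the date parser only sees the timestamp."""
    return re.sub(r"\s*\([^)]*\)\s*$", "", s.strip())


def triage(raw, alias_owners=ALIAS_OWNERS):
    msg = email.message_from_string(raw, policy=policy.default)
    alias = str(msg["Delivered-To"]).strip().lower()
    report = {"alias": alias, "registered_with": alias_owners.get(alias, "unknown alias")}

    # The first Received header carrying a "from host (rdns [ip])" clause is the hop where
    # the outside world handed the message to our own server. Only the headers our server
    # added are trustworthy; anything the sender prepended below them is attacker-controlled.
    received_at = None
    for hop in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(str(hop))
        if m:
            report.update(handoff_host=m.group(1), handoff_rdns=m.group(2), handoff_ip=m.group(3))
            received_at = parsedate_to_datetime(_strip_comment(str(hop).rsplit(";", 1)[-1]))
            break

    # Authentication-Results / Received-SPF were written by our own server, so they are usable.
    auth = str(msg.get("Authentication-Results", ""))
    m = re.search(r"dkim=(\w+).*?header\.d=([A-Za-z0-9.-]+)", auth, re.S)
    report["dkim_result"], report["dkim_domain"] = (m.group(1), m.group(2)) if m else (None, None)
    m = re.search(r"client-ip=([0-9A-Fa-f.:]+)", str(msg.get("Received-SPF", "")))
    report["spf_client_ip"] = m.group(1) if m else None

    # Sender-claimed Date minus our own Received stamp; hours in the future is a spam tell
    # (SpamAssassin's DATE_IN_FUTURE_* tests fire on exactly this).
    claimed = parsedate_to_datetime(str(msg["Date"]))
    report["date_skew_hours"] = (round((claimed - received_at).total_seconds() / 3600, 2)
                                 if received_at else None)

    # get_content() undoes the base64 Content-Transfer-Encoding and applies the charset.
    report["body"] = next((p.get_content() for p in msg.walk()
                           if p.get_content_type() == "text/plain"), "")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:18} {value!r}")
```

Run it and the report names the alias and the site it was handed to, the handoff host and IP, the SPF client IP, the DKIM result and signing domain, a Date skew of roughly eight hours (which is what triggered DATE_IN_FUTURE_06_12 on the real message), and the decoded plain-text body. Pointing `triage()` at a real message means reading it from disk instead of `SAMPLE`; the rest is unchanged.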
Nothing to do with pfSense or Netgate;
the culprit is https://whois.domaintools.com/22.214.171.124
Gertjan last edited by Gertjan
Ahh, now I understand...
Without the real domain it's impossible to say.
Hi @ipfftw!
I do the same for most sites (with some exceptions)...
I do have a pfsense@MYDOMAIN for this site and it has not been spammed yet, let's hope it stays that way...
What was that email about, was it from a possible Netgate partner?
As for the comment you made about removing part of the email: it was HTML encoded in base64. You can use one of the online base64 decoders to look at it, but it should essentially be the body of the email you received.
As for how they got your email, it does not necessarily mean this site or another Netgate-related site was compromised. It could also be the mail server(s) involved in sending and receiving those emails (are you self-hosting?) or the computer(s) you are writing/receiving those messages on...
Good luck and have a nice day!
No, it was about sunglasses; you can see the subject of the mail. Nothing to do with Netgate.
Well, post back if you get spammed too.
Answer to your question: it's self-hosted Ubuntu with auto-update on. And it's just a catch-all domain, so it's not like I actually wrote "email@example.com" anywhere on the mail server. I mean, sure, it's possible someone hacked my email, but unlikely, as this would be the least of my worries...
And they would spam one of the real users on the host, not a fake alias that is only used for the pfSense forums.
I'm not super worried about it, just wanted to see if anyone else had the same experience. I obviously use a random password on every site, so no problem with that. And I haven't received any login attempts with it, as shown by my daily logwatch...
chpalmer last edited by
@ipfftw Same here. I use an email address for every forum I am on that is specific to them. Nothing spam-related on the pfSense email address as of this date.