Just so the group is aware, our team is looking into the Zoom traffic. We aren't sure what they are doing with that mail stream, but it doesn't look good.
Both of the accounts reported by Michael have been suspended. Thanks, everyone.

Luke

On Thu, Jul 8, 2021 at 8:48 AM Michael Peddemors via mailop <mailop@mailop.org> wrote:
> On 2021-07-08 8:20 a.m., Carl Byington via mailop wrote:
> > On Thu, 2021-07-08 at 09:31 +0300, Atro Tossavainen via mailop wrote:
> >> That one is Zoom.us itself.
> >
> >> Received: from o5.sg.zoom.us (o5.sg.zoom.us [149.72.199.144])
> >
> >> Received: from o12.ptr3622.sg.zoom.us (o12.ptr3622.sg.zoom.us
> >> [167.89.93.232])
> >
> > Yes, the mail arrives from systems with rdns of *.sg.zoom.us, but my
> > understanding is that the X-Entity-ID points to a sendgrid user. And the
> > headers include stuff like:
> >
> > Received: by filter1889p1las1.sendgrid.net with SMTP id
> > filter1889p1las1-10585-60DE6FD0-E
> > 2021-07-02 01:45:52.506187482 +0000 UTC m=+23969.518969155
> > Received: from MjEwNzk4ODQ (unknown)
> > by geopod-ismtpd-3-2 (SG) with HTTP id W8YVLKQPT6CK1S2NPi9CbA
> >
> > Which looks like the original submission was via a sendgrid web
> > interface. A reply-to address in .vn, and a subject line (google
> > translate from Vietnamese) of "Why real estate can make you rich?".
> >
> > Just more crap that sendgrid is leaking, this time sending their
> > outbound spam via zoom.us servers.
> >
>
> Yeah, it is almost always a compromise, but hard to believe Zoom would
> not have enabled two factor authentication, or similar restrictions on
> who can use their sendgrid servers, keep thinking that there is another
> back door that abusers are using at SendGrid..
>
> Be nice to hear from Zoom (if anyone knows a contact) on what they
> discover, since SendGrid hasn't been too transparent.
>
> --
> "Catch the Magic of Linux..."
> ------------------------------------------------------------------------
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com @linuxmagic
> A Wizard IT Company - For More Info http://www.wizard.ca
> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
> ------------------------------------------------------------------------
> 604-682-0300 Beautiful British Columbia, Canada
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
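As a defender-side illustration of the header reading Carl walks through above (branded rDNS on the front host, a sendgrid.net filter host and an HTTP-submission hop behind it, and a Reply-To domain that differs from the From domain), here is an added example that is not part of the original thread. It parses a constructed message that reuses the hostnames and message ids quoted in the thread; the sender and recipient addresses, the receiving MX, its ESMTPS id and the X-Entity-ID value are made up, and the `ESP_SUFFIXES` list is an assumption an operator would tune to their own environment.

```python
"""Walk a message's Received chain and surface the pattern discussed in
the thread: front-end rDNS under one brand (*.sg.zoom.us) while the hops
behind it show a third-party ESP (sendgrid.net) and a web/HTTP submission,
plus a Reply-To that does not match the From domain."""
import email
import re

# Assumption: hosts under these suffixes identify an email service provider
# relay when they appear anywhere in the Received chain. sendgrid.net is the
# one named in the thread; extend for your own environment.
ESP_SUFFIXES = ("sendgrid.net",)

# Constructed sample, modelled on the headers quoted in the thread. The
# zoom/sendgrid hostnames and SMTP/HTTP ids are the ones quoted there; the
# addresses, receiving MX, ESMTPS id and X-Entity-ID value are made up.
SAMPLE = (
    "Received: from o5.sg.zoom.us (o5.sg.zoom.us [149.72.199.144])\n"
    "\tby mx.example.net with ESMTPS id CONSTRUCTED01\n"
    "\tfor <victim@example.net>; Fri, 02 Jul 2021 01:45:53 +0000\n"
    "Received: by filter1889p1las1.sendgrid.net with SMTP id\n"
    "\tfilter1889p1las1-10585-60DE6FD0-E\n"
    "\t2021-07-02 01:45:52.506187482 +0000 UTC m=+23969.518969155\n"
    "Received: from MjEwNzk4ODQ (unknown)\n"
    "\tby geopod-ismtpd-3-2 (SG) with HTTP id W8YVLKQPT6CK1S2NPi9CbA\n"
    "\tFri, 02 Jul 2021 01:45:52.000 +0000 (UTC)\n"
    "X-Entity-ID: PLACEHOLDER-ENTITY-ID\n"
    "From: Example Sender <no-reply@zoom.us>\n"
    "Reply-To: agent@example.vn\n"
    "To: victim@example.net\n"
    "Subject: Why real estate can make you rich?\n"
    "\n"
    "body\n"
)


def _domain_of(addr_header):
    """Return the bare domain from an address header value, lower-cased."""
    if not addr_header:
        return None
    m = re.search(r"@([A-Za-z0-9.-]+)", addr_header)
    return m.group(1).lower() if m else None


def _hop_hosts(hop):
    """Pull the 'from', 'by' and 'with' tokens out of one Received hop."""
    hop = " ".join(hop.split())  # unfold continuation lines
    frm = re.match(r"from\s+(\S+)", hop)
    by = re.search(r"\bby\s+(\S+)", hop)
    with_ = re.search(r"\bwith\s+(\S+)", hop)
    return (
        frm.group(1).lower() if frm else None,
        by.group(1).lower() if by else None,
        with_.group(1).upper() if with_ else None,
    )


def analyze(raw_message):
    """Return chain facts and a list of flags for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    hops = [_hop_hosts(h) for h in msg.get_all("Received", [])]
    from_domain = _domain_of(msg.get("From"))
    reply_to_domain = _domain_of(msg.get("Reply-To"))

    # Received headers are prepended, so hops[0] is the hop nearest to us
    # and its 'from' host is the rDNS our MX actually saw.
    front_host = hops[0][0] if hops else None
    chain_hosts = [h for hop in hops for h in hop[:2] if h]
    esp_relays = sorted({s for s in ESP_SUFFIXES for h in chain_hosts
                         if h == s or h.endswith("." + s)})
    http_submission = any(proto == "HTTP" for _, _, proto in hops)

    flags = []
    # Branded rDNS in front, but an ESP relay further back in the chain.
    if front_host and esp_relays and not any(
            front_host.endswith(s) for s in esp_relays):
        flags.append("esp-behind-branded-rdns")
    if http_submission:
        flags.append("web-submission")
    if reply_to_domain and from_domain and reply_to_domain != from_domain:
        flags.append("reply-to-mismatch")

    return {
        "front_host": front_host,
        "chain_hosts": chain_hosts,
        "esp_relays": esp_relays,
        "http_submission": http_submission,
        "from_domain": from_domain,
        "reply_to_domain": reply_to_domain,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

None of the three flags is proof of abuse on its own (plenty of legitimate mail is submitted over an ESP's web API), but the combination is the shape Carl describes, and keying a quarantine or a report-to-sender-brand rule on all three together keeps the false-positive rate manageable.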