Closed Bug 922402 Opened 11 years ago Closed 11 years ago

mozilla-antarctica.org IP blacklisted by GMail/Google Apps due to Bulk Mail Detected

Categories

(mozilla.org :: Server Operations: Community IT, task)

task
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bkerensa, Assigned: tanner)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130917154415

Steps to reproduce:

It appears domains with email accounts on mozilla-antarctica.org are seeing some rejection notices from GMAIL/Google Apps.

Actual results:

http://pastebin.mozilla.org/3173808

Expected results:

Bulk Mailing should not occur on this server.
Severity: normal → major
Group: mozilla-reps
Component: Server Operations: Community IT → Community IT Requests
Product: mozilla.org → Mozilla Reps
Version: other → unspecified
I'd almost go as far as saying that it's possible that this is a server breach. According to MX Toolbox it's not an open relay ( http://mxtoolbox.com/SuperTool.aspx?action=smtp%3a216.70.91.72&run=toolpage ), so it could be that an account or the entire server was compromised. mozilla-antarctica isn't the only site hosted on this server, either. I'm not an expert on this or anything, but it might be best to assume that the entire server was compromised until proven otherwise.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Uh oh, this isn't good.

Moving back to server ops > community IT since this is an issue with an existing system. We use this category for reviewing and implementing new services.

I'll do some digging if I can get access to SSH, or find a way to do this in Plesk.
Group: mozilla-reps → community-it
Component: Community IT Requests → Server Operations: Community IT
Product: Mozilla Reps → mozilla.org
Version: unspecified → other
I honestly think it is just someone's email account that was compromised and is being used to spam. A quick review of the logs in Plesk should probably narrow it down.

I wonder, though, does IS do regular Plesk updates? :)
I can't actually find logs in Plesk in the main admin section. I'll try checking inside of the Antarctica control panel under their mail accounts.
Any luck?
It's been three weeks since this was opened, do you have any update on this?
Flags: needinfo?(tom)
Sadly, I don't.

Are we still seeing this issue?
Flags: needinfo?(tom) → needinfo?(bkerensa)
Tad, I do not know of any new reports of bounced email.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(bkerensa)
Resolution: --- → FIXED
So it looks like this is still happening: the Mozilla Governance mailing list just disabled my address because it said too many bounces occurred, and Google's mail servers are used in this mix.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I'm looking into this.
Assignee: nobody → tanner.sumo.bugs
Status: REOPENED → ASSIGNED
Alright, I think I have figured out what's going on. Going to keep anything possibly sensitive out of the bug for now.

Looking at the mail log, there's a ton of emails coming from one Wordpress install, going to two people in specific. I'm not sure what the emails are, but they're being sent to emails belonging to two Mozilla contributors. In the past 14ish hours there's been nearly 300 of these emails sent. Since November 4, there's been about 1600 of these emails (if I'm grep'ing and doing my math right). I'm going to go out on a limb and say that Google considers this bulk mailing.

Right now I have no reason to believe that there's been a breach, because these emails are originating from a WP install and going to the two contributors, nobody else. There's nothing suspicious in the auth log, other than the normal break-in attempts.
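The mail-log check described in the comment above, as an added example that is not part of the bug thread: it correlates constructed Postfix-style `from=` and `to=` lines by queue ID and flags any sender whose delivery count crosses a threshold, with a per-recipient breakdown and bounce count. The log format, hosts, queue IDs and addresses are assumed placeholders; the bug does not say which MTA the Plesk host was running.

```python
import re
from collections import Counter

# Constructed Postfix-style log lines (not from the bug); queue IDs, hosts and
# addresses are placeholders. A real run would read /var/log/maillog or mail.log.
SAMPLE_LOG = """\
Nov 18 03:12:01 mx postfix/qmgr[1201]: 4A1B2C3D: from=<wordpress@site.example>, size=2310, nrcpt=1 (queue active)
Nov 18 03:12:02 mx postfix/smtp[1202]: 4A1B2C3D: to=<editor@example.org>, relay=aspmx.l.google.com[203.0.113.27]:25, delay=0.7, status=sent (250 2.0.0 OK)
Nov 18 03:12:05 mx postfix/qmgr[1201]: 5B2C3D4E: from=<wordpress@site.example>, size=2290, nrcpt=1 (queue active)
Nov 18 03:12:06 mx postfix/smtp[1202]: 5B2C3D4E: to=<editor@example.org>, relay=aspmx.l.google.com[203.0.113.27]:25, delay=0.8, status=bounced (550-5.7.1 Bulk Mail Detected)
Nov 18 03:12:09 mx postfix/qmgr[1201]: 6C3D4E5F: from=<wordpress@site.example>, size=2301, nrcpt=1 (queue active)
Nov 18 03:12:10 mx postfix/smtp[1202]: 6C3D4E5F: to=<admin@example.org>, relay=aspmx.l.google.com[203.0.113.27]:25, delay=0.6, status=sent (250 2.0.0 OK)
Nov 18 04:00:00 mx postfix/qmgr[1201]: 7D4E5F6A: from=<alice@site.example>, size=900, nrcpt=1 (queue active)
Nov 18 04:00:01 mx postfix/smtp[1202]: 7D4E5F6A: to=<bob@example.net>, relay=mail.example.net[198.51.100.5]:25, delay=0.5, status=sent (250 OK)
"""

FROM_RE = re.compile(r": (?P<qid>[0-9A-F]+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r": (?P<qid>[0-9A-F]+): to=<(?P<addr>[^>]*)>.*status=(?P<status>\w+)")

def summarize(log_text):
    """Join from= and to= lines on the queue ID; return per-sender totals,
    per (sender, recipient) totals and per-sender bounce counts."""
    sender_of = {}          # queue ID -> envelope sender
    by_sender = Counter()
    by_pair = Counter()
    bounced = Counter()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            sender_of[m["qid"]] = m["addr"]
            continue
        m = TO_RE.search(line)
        if m and m["qid"] in sender_of:
            sender = sender_of[m["qid"]]
            by_sender[sender] += 1
            by_pair[(sender, m["addr"])] += 1
            if m["status"] == "bounced":
                bounced[sender] += 1
    return by_sender, by_pair, bounced

def flag_bulk_senders(log_text, threshold):
    """Senders with at least `threshold` deliveries, with their recipient breakdown."""
    by_sender, by_pair, bounced = summarize(log_text)
    return {s: {"total": n, "bounced": bounced[s],
                "recipients": {r: c for (ss, r), c in by_pair.items() if ss == s}}
            for s, n in by_sender.items() if n >= threshold}

if __name__ == "__main__":
    for sender, info in flag_bulk_senders(SAMPLE_LOG, threshold=3).items():
        print(sender, info)
```

On a real host the threshold would be set against the normal daily volume, and a single sender concentrating hundreds of messages on one or two recipients is the pattern to look for before assuming a compromise.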
(In reply to Tanner Filip [:Tanner] from comment #11)
> Alright, I think I have figured out what's going on. Going to keep anything
> possibly sensitive out of the bug for now.
> 
> Looking at the mail log, there's a ton of emails coming from one Wordpress
> install, going to two people in specific. I'm not sure what the emails are,
> but they're being sent to emails belonging to two Mozilla contributors. In
> the past 14ish hours there's been nearly 300 of these emails sent. Since
> November 4, there's been about 1600 of these emails (if I'm grep'ing and
> doing my math right). I'm going to go out on a limb and say that Google
> considers this bulk mailing.
> 
> Right now I have no reason to believe that there's been a breach, because
> these emails are originating from a WP install and going to the two
> contributors, nobody else. There's nothing suspicious in the auth log, other
> than the normal break-in attempts.

Excellent. Why don't we find out who the owner of the install is, reach out, and see if they know why this is occurring?
Just reached out to the person it was sending emails to. I'll try to work with them to solve the problem ASAP.
We haven't yet received a response from Mozilla Myanmar. Tom said that the Wordpress panel said that there's over 50k comments on the site pending, a majority of which are spam. Wordpress was sending emails to people for every comment that was posted. He disabled the approval emails, though approval is still required to comment.

I'm not going to resolve this bug until I'm sure it's actually fixed, so I'll keep an eye on the logs to see if it's still happening. Let me know if you see the same error again.
I've been watching the logs pretty carefully for the past 2 days, and unless spammers are taking a weekend off, this looks to be fixed. There have been no more emails sent from Mozilla Myanmar's WordPress, and I haven't seen the error in comment 0 since Tom disabled the approval emails.

Please reopen this if you see the error again.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Resolved for a while, nothing private in here.
Group: community-it