stashed / stash

🛅 Backup your Kubernetes Stateful Applications
https://stash.run

Spam received on UNIQUE stash license registration e-mail address #1507

Closed sgielen closed 1 year ago

sgielen commented 1 year ago

Dear AppsCode,

I always give every company I work with a different e-mail address. Then, when I receive anything other than the intended information on that e-mail address, I know who leaked it.

It disappoints me to say that I have received spam from hola@reservandonos.com, for https://slidetours.com/, which seems to be a phishing website, on an e-mail address I am 100% absolutely sure I only ever gave to AppsCode.

In case this was accidental or the cause of an incident, this notification allows you to take a look at how this happened and fix any data leaks. If it was intentional, this also serves as a warning to other users that AppsCode may not be a reliable company.

For your information, the e-mail is included below, with some parts redacted.

Return-Path: <sp_203766.21[redacted, tracking id]@bounces.em.secureserver.net>
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47])
     by sloti51n04 (Cyrus 3.9.0-alpha0-206-g57c8fdedf8-fm-20230227.001-g57c8fded) with LMTPA;
     Wed, 08 Mar 2023 23:50:14 -0500
X-Cyrus-Session-Id: sloti51n04-1678337414-3357534-2-2146109867198175468
X-Sieve: CMU Sieve 3.0
X-Spam-known-sender: no ("Email failed DMARC policy for domain")
X-Spam-sender-reputation: 500 (none)
X-Spam-score: 4.2
X-Spam-hits: DCC_CHECK 1.1, HEADER_FROM_DIFFERENT_DOMAINS 0.25,
  HTML_IMAGE_ONLY_12 1.629, HTML_IMAGE_RATIO_02 0.001, HTML_MESSAGE 0.001,
  HTML_SHORT_LINK_IMG_1 0.139, ME_HAS_VSSU 0.001,
  ME_SENDERREP_NEUTRAL 0.001, RCVD_IN_DNSWL_NONE -0.0001,
  RCVD_IN_MSPIKE_H2 -0.001, SPF_HELO_PASS -0.001, SPF_PASS -0.001,
  URIBL_GREY 1.084, LANGUAGES en, BAYES_USED none, SA_VERSION 3.4.6
X-Spam-source: IP='198.71.244.90', Host='m327.em.secureserver.net', Country='US',
  FromHeader='com', MailFrom='net'
X-Spam-charsets: plain='UTF-8', html='UTF-8'
X-Resolved-to: [redacted, my e-mail address]
X-Delivered-to: [redacted, appscode-unique e-mail address]
X-Mail-from: sp_203766.21[redacted, tracking id]@bounces.em.secureserver.net
Received: from mx6 ([10.202.2.205])
  by compute6.internal (LMTPProxy); Wed, 08 Mar 2023 23:50:14 -0500
Received: from mx6.messagingengine.com (localhost [127.0.0.1])
    by mailmx.nyi.internal (Postfix) with ESMTP id E73225C00DD
    for <[redacted, appscode-unique e-mail address]>; Wed,  8 Mar 2023 23:50:13 -0500 (EST)
Received: from mx6.messagingengine.com (localhost [127.0.0.1])
    by mx6.messagingengine.com (Authentication Milter) with ESMTP
    id 6B1E9E194C7;
    Wed, 8 Mar 2023 23:50:13 -0500
ARC-Authentication-Results: i=1; mx6.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=pass smtp.helo=m327.em.secureserver.net
    policy.ptr=m327.em.secureserver.net;
    bimi=skipped (DMARC did not pass);
    arc=none (no signatures found);
    dkim=pass (1024-bit rsa key sha256) header.d=em.secureserver.net
    header.i=@em.secureserver.net header.b=dXfxc4NV header.a=rsa-sha256
    header.s=aug05em x-bits=1024;
    dmarc=fail policy.published-domain-policy=none
    policy.applied-disposition=none policy.evaluated-disposition=none
    policy.arc-aware-result=fail
    (p=none,d=none,d.eval=none,arc_aware_result=fail) policy.policy-from=p
    header.from=reservandonos.com;
    iprev=pass smtp.remote-ip=198.71.244.90 (m327.em.secureserver.net);
    spf=pass
    smtp.mailfrom=
    sp_203766.21[redacted, tracking id]@bounces.em.secureserver.net
    smtp.helo=m327.em.secureserver.net
X-ME-Authentication-Results: mx6.messagingengine.com;
    x-aligned-from=fail;
    x-return-mx=pass header.domain=reservandonos.com policy.is_org=yes
      (MX Records found: reservandonos-com.mail.protection.outlook.com,mail.reservandonos.com,us-west-2.amazonses.com);
    x-return-mx=pass smtp.domain=bounces.em.secureserver.net
      policy.org_domain=secureserver.net policy.is_org=no
      (MX Records found: incoming.gem.godaddy.com);
    x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384
      smtp.bits=256/256;
    x-vs=clean score=0 state=0
Authentication-Results: mx6.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=pass smtp.helo=m327.em.secureserver.net
      policy.ptr=m327.em.secureserver.net
Authentication-Results: mx6.messagingengine.com;
    bimi=skipped (DMARC did not pass)
Authentication-Results: mx6.messagingengine.com;
    arc=none (no signatures found)
Authentication-Results: mx6.messagingengine.com;
    dkim=pass (1024-bit rsa key sha256) header.d=em.secureserver.net
      header.i=@em.secureserver.net header.b=dXfxc4NV header.a=rsa-sha256
      header.s=aug05em x-bits=1024;
    dmarc=fail policy.published-domain-policy=none
      policy.applied-disposition=none policy.evaluated-disposition=none
      policy.arc-aware-result=fail
      (p=none,d=none,d.eval=none,arc_aware_result=fail) policy.policy-from=p
      header.from=reservandonos.com;
    iprev=pass smtp.remote-ip=198.71.244.90 (m327.em.secureserver.net);
    spf=pass
      smtp.mailfrom=
      sp_203766.21[redacted, tracking id]@bounces.em.secureserver.net
      smtp.helo=m327.em.secureserver.net
X-ME-VSScore: 0
X-ME-VSCategory: clean
X-ME-CSA: none
Received-SPF: pass
    (bounces.em.secureserver.net: Sender is authorized to use 'sp_203766.21[redacted, tracking id]@bounces.em.secureserver.net' in 'mfrom' identity (mechanism 'include:spf.gem.godaddy.com' matched))
    receiver=mx6.messagingengine.com;
    identity=mailfrom;
    envelope-from="sp_203766.21[redacted, tracking id]@bounces.em.secureserver.net";
    helo=m327.em.secureserver.net;
    client-ip=198.71.244.90
Received: from m327.em.secureserver.net (m327.em.secureserver.net [198.71.244.90])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
     key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by mx6.messagingengine.com (Postfix) with ESMTPS
    for <[redacted, appscode-unique e-mail address]>; Wed,  8 Mar 2023 23:50:13 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=aug05em; d=em.secureserver.net;
 h=Date:From:To:Message-ID:Subject:Mime-Version:Content-Type:
 Content-Transfer-Encoding:List-Unsubscribe;
 bh=iOD/Pn2xDhji269SUmnCQhdIkWwPixDcnC51pMMGRr0=;
 b=dXfxc4NVa2tZNiM1OR+MOI24ASrIOOUnlPxYJDYtQMBWTpCZO8K6x3PTg2psAkkihswwWd/oD0qA
   SuagGjFH6MiTY1LJf0jrKuTQ8vC5pz4IDrXhXUY6FKqjhi+B27cq2gmGz/9oWV7dQYrRVIXYVGgp
   9wmNglM9+Ocyi+mILEI=
Received: by m327.em.secureserver.net id h15io832vekj for <[redacted, appscode-unique e-mail address]>; Wed, 8 Mar 2023 21:50:12 -0700 (envelope-from <sp_203766.21[redacted, tracking id]@bounces.em.secureserver.net>)
Date: Wed, 08 Mar 2023 21:50:12 -0700
From: Action Required <hola@reservandonos.com>
To: [redacted, appscode-unique e-mail address]
Message-ID: <UJd.203766.52818.214326.1678337412.3753836.R0y@a2plmmsworker02.prod.iad2.gdg.mail>
Subject: Request updated - [ ticket number: 235569 ]
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--==_mimepart_64096584558ae_108bf03c25116b2"
Content-Transfer-Encoding: 7bit
X-Personalized-By: Temple
X-Mimiaid: 214326-172247665-14331496147-d292ee338bf1bd02b517587b5a9930f030910835
X-Member-ID: 14331496147
Feedback-ID: u4503546:m172247665:madmimi
Precedence: bulk
X-Sable-ID: sp_203766.21[redacted, tracking id]
X-Report-Abuse: You can also report abuse here:
 https://sable.madmimi.com/abuse/new?id=203766.21[redacted, tracking id]
X-Virtual-MTA: m327
List-Unsubscribe: <mailto:sp_203766.21[redacted, tracking id]@unsubscribes.em.secureserver.net?subject=Unsubscribe
 203766.21[redacted, tracking id]>

----==_mimepart_64096584558ae_108bf03c25116b2
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

**Action Required:**

( https://slidetours.com/inf )

All rights reserved

Unsubscribe instantly from these emails by clicking here ( https://go.madmimi.com/opt_out?pact=214[redacted, tracking id] ).

Preferences ( https://go.madmimi.com/subscription/edit?pact=2143[redacted, tracking id] ).

----==_mimepart_64096584558ae_108bf03c25116b2
Content-Type: text/html;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"><html><head></head><body>
<p dir="auto" style="text-align: center;"><strong>Action Required:</strong></p>
<p dir="auto" style="text-align: center;"><a href="https://slidetours.com/inf"><img src="https://slidetours.com/photo_2023.jpg" alt="" width="540" height="703"></a></p>
<p dir="auto" style="text-align: center;">All rights reserved</p>
<p dir="auto">Unsubscribe instantly from these emails by <a title="One click unsubscribe" href="https://go.madmimi.com/opt_out?pact=21[redacted, tracking id]">clicking here</a>.</p>
<p dir="auto"><a href="https://go.madmimi.com/subscription/edit?pact=21[redacted, tracking id]">Preferences</a>.</p>
</body></html>
----==_mimepart_64096584558ae_108bf03c25116b2--
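
The per-vendor address check described in the report above can be automated. This is an added example, not part of the original issue or of any AppsCode code; the alias, the registry and the vendor's sending domain are assumptions, and the sample message is constructed from the quoted headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed registry: unique alias -> (vendor, domains that vendor sends from).
# The alias and "appscode.com" are placeholders chosen for this example.
ALIASES = {
    "appscode-7f3a@example.org": ("AppsCode", {"appscode.com"}),
}

# Constructed sample, modelled on the headers quoted in the report;
# the alias stands in for the redacted address.
SAMPLE = """\
X-Delivered-to: appscode-7f3a@example.org
Authentication-Results: mx6.messagingengine.com;
    dkim=pass (1024-bit rsa key sha256) header.d=em.secureserver.net;
    dmarc=fail policy.published-domain-policy=none
      header.from=reservandonos.com;
    spf=pass smtp.helo=m327.em.secureserver.net
From: Action Required <hola@reservandonos.com>
Subject: Request updated - [ ticket number: 235569 ]

body
"""

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def under(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def check_alias_leak(raw):
    msg = message_from_string(raw)
    rcpt = parseaddr(msg.get("X-Delivered-to") or msg.get("To", ""))[1].lower()
    if rcpt not in ALIASES:
        return None  # not one of the tracked per-vendor aliases
    vendor, allowed = ALIASES[rcpt]
    from_dom = domain_of(msg.get("From", ""))
    results = " ".join(" ".join(msg.get_all("Authentication-Results", [])).split())
    m = re.search(r"\bdmarc=(\w+)", results)
    dmarc = m.group(1) if m else "none"
    # From is forgeable, so it only counts as the vendor when DMARC passed.
    genuine = under(from_dom, allowed) and dmarc == "pass"
    return {"alias_issued_to": vendor, "from_domain": from_dom,
            "dkim_domains": sorted(set(re.findall(r"\bheader\.d=([\w.-]+)", results))),
            "dmarc": dmarc, "leak_suspected": not genuine}
```

On a real mailbox, evaluate only the `Authentication-Results` header added by your own receiving server, since a sender can insert a forged one further down.
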

tamalsaha commented 1 year ago

@sgielen, we store the emails used for downloading licenses in a self-hosted listmonk.app instance. Our listmonk instance was accessed and vandalized in an unauthorized manner a few months ago. We changed our listmonk password and rotated email credentials as soon as we found out. My guess is that your unique email was stolen at that time and used to send spam.

Is there anything more we can do here to help you?

sgielen commented 1 year ago

Thank you for the quick and honest reply & explanation @tamalsaha. Such things can happen; I'm glad to hear it was an unfortunate incident that you already knew about and had rotated credentials for. That raises confidence. Closing this issue then.