@dewey
Last active August 14, 2018 03:52
Gitlab Vulnerability Spam

Update: Seems to be real https://news.ycombinator.com/item?id=11587416

Original Message:

I received this message on Wednesday, April 27, 2016 at 7:35 PM. I couldn't find anything about it on Gitlab's blog or Twitter, so I asked for clarification here: https://twitter.com/tehwey/status/725612585886842880

Did anyone else get one of these, maybe to an address that's used exclusively on Gitlab? There also seems to be a huge spam issue going on in their issue tracker right now:

https://gitlab.com/gitlab-org/gitlab-ce/issues?page=5&scope=all&sort=id_desc&state=opened

We have discovered a critical security issue in all GitLab CE and EE versions from 8.2 to 8.7.

On Monday May 2, 2016 at 4:59pm PDT (23:59 GMT), we will publish new GitLab patch releases for all affected versions. We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible after the release. Please forward this alert to the appropriate person at your organization and have them subscribe to Security Notices

The following versions are affected:

- 8.7.0
- 8.6.0 through 8.6.7
- 8.5.0 through 8.5.11
- 8.4.0 through 8.4.9
- 8.3.0 through 8.3.8
- 8.2.0 through 8.2.4
You (mail@notmyhostna.me) were sent this security alert because our records indicate you may use GitLab CE or EE. If we are mistaken, we apologize and kindly ask you to opt out of security alerts.

Raw:

Return-Path: <194-VVC-221.0.2265.0.0.1792.7.3306229@potomac1050.mktomail.com>
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
	 by sloti29t02 (Cyrus 3.0.0-beta2-git-fastmail-13357) with LMTPA;
	 Wed, 27 Apr 2016 13:35:52 -0400
X-Sieve: CMU Sieve 2.4
X-Spam-score: 0.0
X-Spam-hits: BAYES_00 -1.9, HTML_IMAGE_ONLY_20 1.546, HTML_MESSAGE 0.001,
  RCVD_IN_DNSWL_NONE -0.0001, RP_MATCHES_RCVD -0.001, SPF_HELO_PASS -0.001,
  SPF_PASS -0.001, LANGUAGES en, BAYES_USED user, SA_VERSION 3.3.2
X-Spam-source: IP='199.15.213.51', Host='potomac1051.mktomail.com', Country='US',
  FromHeader='com', MailFrom='com'
X-Spam-charsets: plain='UTF-8', html='UTF-8'
X-Resolved-to: exampleuser@fastmail.fm
X-Delivered-to: mail@example.com
X-Mail-from: 194-VVC-221.0.2265.0.0.1792.7.3306229@potomac1050.mktomail.com
Received: from mx4 ([10.202.2.203])
  by compute5.internal (LMTPProxy); Wed, 27 Apr 2016 13:35:52 -0400
Received: from mx4.messagingengine.com (localhost [127.0.0.1])
	by mx4.nyi.internal (Postfix) with ESMTP id 405E65C0FC4
	for <mail@example.com>; Wed, 27 Apr 2016 13:35:52 -0400 (EDT)
Received: from mx4.nyi.internal (localhost [127.0.0.1])
    by mx4.messagingengine.com (Authentication Milter) with ESMTP
    id ABD1458C1AA.0C2925C0F62;
    Wed, 27 Apr 2016 13:35:52 -0400
Authentication-Results: mx4.messagingengine.com;
    dkim=pass (1024-bit rsa key) header.d=gitlab.com header.i=@gitlab.com header.b=Beiwd8Dv;
    dmarc=pass header.from=gitlab.com;
    spf=pass smtp.mailfrom=194-VVC-221.0.2265.0.0.1792.7.3306229@potomac1050.mktomail.com smtp.helo=potomac1051.mktomail.com
Received-SPF: pass (potomac1050.mktomail.com: Sender is authorized to use '194-VVC-221.0.2265.0.0.1792.7.3306229@potomac1050.mktomail.com' in 'mfrom' identity (mechanism 'include:mktomail.com' matched)) receiver=mx4.messagingengine.com; identity=mailfrom; envelope-from="194-VVC-221.0.2265.0.0.1792.7.3306229@potomac1050.mktomail.com"; helo=potomac1051.mktomail.com; client-ip=199.15.213.51
Received: from potomac1051.mktomail.com (potomac1051.mktomail.com [199.15.213.51])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mx4.messagingengine.com (Postfix) with ESMTPS id 0C2925C0F62
	for <mail@example.com>; Wed, 27 Apr 2016 13:35:52 -0400 (EDT)
X-MSFBL: bWFpbEBub3RteWhvc3RuYS5tZUBkdnAtMTk5LTE1LTIxMy01MUBiZy1hYi0wMUAx
	OTQtVlZDLTIyMTo2OTk6MjI2NTo1Mjk3OjA6MTc5Mjo3OjMzMDYyMjk=
Received: from [10.1.8.1] ([10.1.8.1:57051] helo=abmas02.marketo.org)
	by abmta02.marketo.org (envelope-from <securityalerts@gitlab.com>)
	(ecelerity 3.6.8.47404 r(Core:3.6.8.0)) with ESMTP
	id F7/C3-08010-678F0275; Wed, 27 Apr 2016 12:35:50 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1461778550;
	s=m1; d=gitlab.com; i=@gitlab.com;
	h=Date:From:To:Subject:MIME-Version:Content-Type;
	bh=Np8xqxQbPLnTKLkuAYU5No3SmoX4mz0hynuSVKTc4r8=;
	b=Beiwd8DvHOCrsq1PsbwtkOrxWGSd8wdOm4VPE8jaklQeAq2iisj7EyDEz0frCod4
	8tB2hkhY1zLN5G7UszdhAMJhxoKXdDR0M/JXeql46D6TrxxcIv7KssXq9N8WG8caUhd
	BfmgFUhEfMpRxzURZxY+BkgqBzDyny+gpEtMqkcM=
Date: Wed, 27 Apr 2016 12:35:50 -0500 (CDT)
From: GitLab Security <securityalerts@gitlab.com>
Reply-To: securityalerts@gitlab.com
To: mail@example.com
Message-ID: <1755089477.1819760797.1461778550878.JavaMail.root@abmas02.marketo.org>
Subject: Major Security Update Coming Monday
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_1819760796_447439993.1461778550878"
X-Binding: bg-ab-01
X-MarketoID: 194-VVC-221:699:2265:5297:0:1792:7:3306229
X-MktArchive: false
X-Mailfrom: 194-VVC-221.0.2265.0.0.1792.7.3306229@potomac1050.mktomail.com
X-MSYS-API: {"options":{"open_tracking":false,"click_tracking":false}}
X-MktMailDKIM: true

------=_Part_1819760796_447439993.1461778550878
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

We have discovered a critical security issue in all GitLab CE and EE versions from 8.2 to 8.7.

On Monday May 2, 2016 at 4:59pm PDT (23:59 GMT), we will publish new GitLab patch releases for all affected versions. We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible after the release. Please forward this alert to the appropriate person at your organization and have them subscribe to Security Notices <http://email.gitlab.com/ZVwdh00cO0000S06N00BCVA>

The following versions are affected:

- 8.7.0
- 8.6.0 through 8.6.7 
- 8.5.0 through 8.5.11 
- 8.4.0 through 8.4.9 
- 8.3.0 through 8.3.8 
- 8.2.0 through 8.2.4 

You (mail@example.com) were sent this security alert because our records indicate you may use GitLab CE or EE. If we are mistaken, we apologize and kindly ask you to opt out of security alerts <http://email.gitlab.com/a0000B00SV0600dCOVwAdhO>.

------=_Part_1819760796_447439993.1461778550878
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title></title>
</head>

<body ><div ><div class="mktEditable" id="edit_text_1" ><p style="font-family: helvetica, sans-serif; font-size: 14px;">We have discovered a critical security issue in all GitLab CE and EE versions from 8.2 to 8.7.<br /><br />On Monday May 2, 2016 at 4:59pm PDT (23:59 GMT), we will publish new GitLab patch releases for all affected versions. We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible after the release. <strong>Please forward this alert to the appropriate person at your organization and have them subscribe to <a href=
"http://email.gitlab.com/ZVwdh00cO0000S06N00BCVA" target="_blank"
>Security Notices</a></strong><br /><br />The following versions are affected:</p>
<ul style="font-family: helvetica, sans-serif; font-size: 14px;">
<li>8.7.0<br /></li>
<li>8.6.0 through 8.6.7&nbsp;<br /></li>
<li>8.5.0 through 8.5.11&nbsp;<br /></li>
<li>8.4.0 through 8.4.9&nbsp;<br /></li>
<li>8.3.0 through 8.3.8&nbsp;<br /></li>
<li>8.2.0 through 8.2.4&nbsp;</li>
</ul>
<p style="font-family: helvetica, sans-serif; font-size: 14px;">You (mail@example.com) were&nbsp;sent this security alert because our records indicate you may use GitLab CE or EE. If we are mistaken, we apologize and kindly ask you to <a href=
"http://email.gitlab.com/a0000B00SV0600dCOVwAdhO" target="_blank"
>opt out of security alerts</a>.</p></div>
</div>

<img src="http://email.gitlab.com/trk?t=1&mid=MTk0LVZWQy0yMjE6Njk5OjIyNjU6NTI5NzowOjE3OTI6NzozMzA2MjI5Om1haWxAbm90bXlob3N0bmEubWU%3D" width="1" height="1" style="display:none !important;" alt="" />
</body>
</html>
------=_Part_1819760796_447439993.1461778550878--
@alphaCTzo7G

I recently also received a similar email, not from Gitlab but seemingly from Lenovo. I was initially fooled, thinking that it was directly from Lenovo, but if you check the header carefully, you will notice that it's actually probably coming from abas2.marketo.org, which is posing as Gitlab. If you search online, Marketo is a legit company. My guess is that Gitlab has hired Marketo for marketing purposes, so that's why they can use the Gitlab email address in the From field?

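The raw headers above already settle the question raised in the comment. Marketo's MTA (abmta02.marketo.org, delivering from potomac1051.mktomail.com) relayed the message and the envelope sender is a mktomail.com bounce address, but the DKIM-Signature carries d=gitlab.com with selector s=m1 and the recipient's MX recorded dkim=pass. A pass under d=gitlab.com is only possible if the gitlab.com DNS zone publishes the public key matching that signature, so GitLab delegated signing to its email service provider; nobody spoofed the From domain. DMARC checks exactly this: the From domain must align with the DKIM d= domain (or the SPF domain), and here it aligns. The following is an added example (my code, not part of the gist or the comments) that runs that triage offline over the headers: it parses Authentication-Results and DKIM-Signature, checks DKIM/From alignment, flags the third-party envelope domain as an ESP relay, and decodes the opaque X-MSFBL tag, which turns out to hold the recipient address and the same IDs as X-MarketoID. RAW_MESSAGE is a constructed excerpt copied from the raw message above; TRUSTED_AUTHSERV is an assumption (the recipient's own MX from the Received chain), the relaxed alignment check approximates DMARC's organizational-domain rule with a suffix match rather than a public-suffix list, and the signature is parsed but not cryptographically verified (a DKIM library such as dkimpy with DNS access does that part).

```python
import base64
import email
import re
from email.utils import parseaddr

# Header excerpt copied from the raw message above, used as constructed offline
# sample input (body dropped, DKIM b= value truncated: the signature is parsed,
# not cryptographically verified here).
RAW_MESSAGE = (
    "Authentication-Results: mx4.messagingengine.com;\n"
    "    dkim=pass (1024-bit rsa key) header.d=gitlab.com header.i=@gitlab.com header.b=Beiwd8Dv;\n"
    "    dmarc=pass header.from=gitlab.com;\n"
    "    spf=pass smtp.mailfrom=194-VVC-221.0.2265.0.0.1792.7.3306229@potomac1050.mktomail.com"
    " smtp.helo=potomac1051.mktomail.com\n"
    "X-MSFBL: bWFpbEBub3RteWhvc3RuYS5tZUBkdnAtMTk5LTE1LTIxMy01MUBiZy1hYi0wMUAx\n"
    "\tOTQtVlZDLTIyMTo2OTk6MjI2NTo1Mjk3OjA6MTc5Mjo3OjMzMDYyMjk=\n"
    "DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1461778550;\n"
    "\ts=m1; d=gitlab.com; i=@gitlab.com;\n"
    "\th=Date:From:To:Subject:MIME-Version:Content-Type;\n"
    "\tbh=Np8xqxQbPLnTKLkuAYU5No3SmoX4mz0hynuSVKTc4r8=;\n"
    "\tb=Beiwd8DvHOCrsq1PsbwtkOrxWGSd8wdOm4VPE8jaklQeAq2iisj7EyDEz0frCod4\n"
    "From: GitLab Security <securityalerts@gitlab.com>\n"
    "Subject: Major Security Update Coming Monday\n"
    "\n"
    "(body omitted)\n"
)

# Assumption: the recipient's own inbound MX, taken from the Received chain above.
# Authentication-Results only means something when this host added it; a sender
# can forge the header, so a copy with any other authserv-id must be ignored.
TRUSTED_AUTHSERV = "mx4.messagingengine.com"


def parse_authentication_results(value):
    """Split an RFC 7601 Authentication-Results header into its authserv-id and a
    {method: {"result": ..., "<ptype.property>": ...}} map."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop comments such as "(1024-bit rsa key)"
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0] if parts[0] else ""
    results = {}
    for stanza in parts[1:]:
        if not stanza:
            continue
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return authserv_id, results


def parse_dkim_signature(value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 section 3.2)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            tag, val = item.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", val)  # folding whitespace carries no meaning
    return tags


def domain_of(address):
    """Domain part of an e-mail address, lower-cased ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def dkim_aligned(msg, strict=False):
    """DMARC identifier alignment: does the DKIM d= domain cover the RFC5322.From
    domain? Relaxed mode is approximated by a suffix match (no public-suffix list)."""
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    d = parse_dkim_signature(msg.get("DKIM-Signature", "")).get("d", "").lower()
    if not d:
        return False
    return from_domain == d or (not strict and from_domain.endswith("." + d))


def decode_msfbl(value):
    """Decode the X-MSFBL feedback-loop tag: base64 folded over two lines, which is
    why the raw header looks opaque. It carries the recipient address and the IDs."""
    return base64.b64decode(re.sub(r"\s+", "", value)).decode("ascii")


def triage(raw):
    """Summarise who really sent a message and whether the brand in From: is
    backed by that brand's own DKIM key."""
    msg = email.message_from_string(raw)
    authserv_id, auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    envelope_domain = domain_of(auth.get("spf", {}).get("smtp.mailfrom", ""))
    return {
        "authserv_id": authserv_id,
        "authserv_trusted": authserv_id == TRUSTED_AUTHSERV,
        "from_domain": from_domain,
        "dkim_d": parse_dkim_signature(msg.get("DKIM-Signature", "")).get("d"),
        "dkim_pass": auth.get("dkim", {}).get("result") == "pass",
        "dmarc_pass": auth.get("dmarc", {}).get("result") == "pass",
        "dkim_aligned": dkim_aligned(msg),
        "envelope_from_domain": envelope_domain,
        # Third-party envelope domain plus an aligned, passing DKIM signature is the
        # footprint of a delegated ESP, not of a spoofer.
        "sent_via_esp": envelope_domain != from_domain,
        "msfbl": decode_msfbl(msg["X-MSFBL"]) if msg["X-MSFBL"] else None,
    }


if __name__ == "__main__":
    for key, val in triage(RAW_MESSAGE).items():
        print(f"{key:22} {val}")
```

Run it as a script and the findings come out as a table; feed it a message whose DKIM d= is the ESP's own domain (marketo.org, mktomail.com) instead of the brand's and `dkim_aligned` turns False, which is the case DMARC would reject and the case a genuine phish through a marketing platform would produce. The `authserv_trusted` check matters as much as the pass/fail flags: without it, an attacker can prepend their own `Authentication-Results: ...; dkim=pass` line and the parser will happily believe it.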