[Tools-discuss] fwd: (harmless?) Incident on IETF.ORG (fwd)

Paul Wouters <paul@nohats.ca> Fri, 16 July 2021 13:57 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: tools-discuss@ietfa.amsl.com
Delivered-To: tools-discuss@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id A438E3A3814 for <tools-discuss@ietfa.amsl.com>; Fri, 16 Jul 2021 06:57:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id sU5hi77iCvH6 for <tools-discuss@ietfa.amsl.com>; Fri, 16 Jul 2021 06:57:01 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D01563A3815 for <tools-discuss@ietf.org>; Fri, 16 Jul 2021 06:57:00 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4GRCTd1QYqz3CL for <tools-discuss@ietf.org>; Fri, 16 Jul 2021 15:56:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1626443813; bh=ZYMjFYR+KktMXNy42JLFzGC3hsUMeLnUSoMrtWPIxSw=; h=Date:From:To:Subject; b=NFiPGw4uasd014vGgPC1SZCdss+COpLBGPthXPMnh4OnBiRAQFOwHvkp54rXFZvJ8 AdSl5WW09owZ6mdDQOBQkq49aRdLiV7BgiY5tzg0HZL+y1avoDw1W9mQ1nK9F4wGjm 5W2bGuaa3J7/nRfCBp5qfYykQTrJqgRJI9WIKu88=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id EQnFyoDSYqjI for <tools-discuss@ietf.org>; Fri, 16 Jul 2021 15:56:52 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <tools-discuss@ietf.org>; Fri, 16 Jul 2021 15:56:51 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id AD233CA111; Fri, 16 Jul 2021 09:56:50 -0400 (EDT)
Received: from localhost (localhost []) by bofh.nohats.ca (Postfix) with ESMTP id A9A3FCA110 for <tools-discuss@ietf.org>; Fri, 16 Jul 2021 09:56:50 -0400 (EDT)
Date: Fri, 16 Jul 2021 09:56:50 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: tools-discuss@ietf.org
Message-ID: <261bdc5b-ff6d-2f9e-b997-7c1f933fbd87@nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; CHARSET=utf-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/tools-discuss/jXBlak7ULE72jaEO2gFTYeEEByw>
Subject: [Tools-discuss] fwd: (harmless?) Incident on IETF.ORG (fwd)
X-BeenThere: tools-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Tools Discussion <tools-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tools-discuss>, <mailto:tools-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tools-discuss/>
List-Post: <mailto:tools-discuss@ietf.org>
List-Help: <mailto:tools-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tools-discuss>, <mailto:tools-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jul 2021 13:57:06 -0000

Just forwarding this message. Not sure why they reached out to me
personally. Removed personal details from sender to not publish
those to the archive - I can relay a message back if desired.

[omited large included screenshots]

---------- Forwarded message ----------
Date: Fri, 16 Jul 2021 04:54:54
From: Support 
To: Paul Wouters <paul@nohats.ca>
Subject: (harmless?) Incident on IETF.ORG

Dear Mr. Wouters,

as an involved in the ietf security, i think i should inform you about this.

Instead of the normal tools.ietf.org website with the rfcs, i got content of the
homepage of Hendrik Levkowetz.

I know hes  involved in the ietf and i assume his homepage is hosted on the same
server. This leads me to the assumption,
that the IETF Webservice had a breakdown, something your webmaster should know

Time: ~10:45 CEST

I can't reproduce it at the moment, so the browser history has to prove my words

Mit freundlichem Gruß