Post #1, Jul 12 2006, 09:09 PM
Newbie | Group: Members | Posts: 20 | Joined: 13-September 04 | Member No.: 30955
I use msfn.org@[example].com (with my domain) as the email address for this site. Today I got a spam sent to that address.

I also got one to extensionsmirror.nl@[example].com -- and I think you guys use the same forum software. I haven't checked with Invision Power Board, but that's probably your job since it's software you (bought?) got from them. I'm betting I'm not the only one who got spam. Here's the body of the message:

QUOTE
Hi, dossier
University Diplomas
No required tests, classes, books, or interviews.
Please call: 1-###-###-3737
threonine postposition thud alphonse andiron pennsylvania copyright arpeggio askew follow lahore gibby, habeas istanbul luzon birefringent typhon wingmen firewood gsa dish mead fain bubble .hypochlorite lanka metamorphism framework corrupt sw oodles britten miami lyon! casual nh. crew freak permanent drain protrusion compressible. peal burglary pith cowpunch.
Your Joan
Post #2, Jul 12 2006, 11:04 PM
MSFN Expert | Group: Banned | Posts: 1298 | Joined: 12-March 05 | From: United States | Member No.: 47483 | OS: none
Only know 21 words from that list. Anyone have any idea what's a cowpunch?

Just checked my email I registered with MSFN and I got something similar:

QUOTE
Hi, galenite
University Diplomas
No required tests, classes, books, or interviews.
Please call: 1-206-338-3737
hardboard injustice forbidden philadelphia variac convulse electroencephalography veery mole expressway obsolete vitamin, volunteer avocet setback pasteup careworn deanna agglutinin picket conclusive faint brandt newsboy .adulterous delia incessant axial breccia polloi housebreak lim city sentential! counterpoise bruno. adversary laborious barnyard myocardial spittle prize. max shelter sanchez gasoline.
Your Emile

"Electroencephalography." That's a good word to add to my vocabulary. I'm appalled that MSFN would spam my email!!!

EDIT: Let's start a collection of these!!! Post the spam email you got here!

This post has been edited by Aegis: Jul 12 2006, 11:07 PM
Post #3, Jul 12 2006, 11:09 PM
SEARCH!!! SEARCH!!! | Group: Super Moderator | Posts: 6855 | Joined: 2-September 02 | From: Montreal, Canada | Member No.: 1828 | OS: Windows 7 x64
What was the subject of this e-mail?
I haven't received anything in my MSFN e-mail of this sort.
Post #4, Jul 12 2006, 11:17 PM
MSFN Expert | Group: Banned | Posts: 1298 | Joined: 12-March 05 | From: United States | Member No.: 47483 | OS: none
Here's the header:
X-Gmail-Received: f99b6057a5eb7f8a995342c7c62c3bb5b042c498
Delivered-To: xxx@gmail.com
Received: by 10.48.242.20 with SMTP id p20cs2759nfh; Wed, 12 Jul 2006 18:26:43 -0700 (PDT)
Received: by 10.36.140.3 with SMTP id n3mr359415nzd; Wed, 12 Jul 2006 18:26:43 -0700 (PDT)
Return-Path: <Emile0@backwards.com>
Received: from 113-9.202-68.tampabay.res.rr.com (113-9.202-68.tampabay.res.rr.com [68.202.9.113]) by mx.gmail.com with SMTP id 17si1428871nzo.2006.07.12.18.26.42; Wed, 12 Jul 2006 18:26:43 -0700 (PDT)
Received-SPF: neutral (gmail.com: 68.202.9.113 is neither permitted nor denied by domain of Emile0@backwards.com)
Received: from cluster2.eu.messagelabs.com by DSL212-235-70-yil.bb.netvision.net.il (8.9.3/8.9.3) with SMTP id KY0YWs8nkZtb for <xxx@gmail.com>; Wed, 12 Jul 2006 21:48:21 +0000
Received: from qpqlnzxmjskj (HELO tkiog) ([227.124.218.gmw]) by cluster2.eu.messagelabs.com with Microsoft SMTPSVC(5.0.2195.5329) for <xxx@gmail.com>; Wed, 12 Jul 2006 21:48:21 +0000
From: "Emile Couch" <chrfer102@hereinreality.com>
Reply-to: "Emile Couch" <chrfer102@hereinreality.com>
Message-ID: <0636487043.5934461808@hereinreality.com>
Date: Wed, 12 Jul 2006 21:48:21 +0000
To: xxx <xxx@gmail.com>
Subject: customhouse message from Emile Couch
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Post #5, Jul 13 2006, 01:58 AM
Newbie | Group: Members | Posts: 16 | Joined: 19-September 04 | Member No.: 31471
I can confirm that all of the email addresses have been harvested from MSFN (among others), possibly because of a recent exploit to take full control of a server through IPB 2.1.6.
Post #6, Jul 13 2006, 02:20 AM
Insane Clown | Group: Administrator | Posts: 14931 | Joined: 16-August 01 | From: Esbjerg, DK | Member No.: 1 | OS: Windows 7 x64
Patch was applied immediately after release.
Patched 30/6 2006
Patched 20/6 2006
Patched 23/5 2006
Upgraded to 2.1.6 http://forums.invisionpower.com/index.php?showtopic=220787

I will investigate this.
Post #7, Jul 13 2006, 02:33 AM
Newbie | Group: Members | Posts: 15 | Joined: 22-June 06 | From: Brussels | Member No.: 99543
I've also received such a "mechanic" message. I was wondering where it came from. Now I know.
Post #8, Jul 13 2006, 02:55 AM
Insane Clown | Group: Administrator | Posts: 14931 | Joined: 16-August 01 | From: Esbjerg, DK | Member No.: 1 | OS: Windows 7 x64
OK. When did this start? It's important to know.
Post #9, Jul 13 2006, 03:07 AM
Newbie | Group: Members | Posts: 15 | Joined: 22-June 06 | From: Brussels | Member No.: 99543
I have unfortunately permanently deleted this message. I saw it this morning when I launched Outlook. So it must have been sent between yesterday 6:00 PM and today 8:00 AM.
Post #10, Jul 13 2006, 06:34 AM
MSFN OG Senior | Group: Patrons | Posts: 2976 | Joined: 18-August 01 | From: New Jersey | Member No.: 12 | OS: none
QUOTE
Here's the header:
X-Gmail-Received: f99b6057a5eb7f8a995342c7c62c3bb5b042c498
Delivered-To: xxx@gmail.com
Received: by 10.48.242.20 with SMTP id p20cs2759nfh; Wed, 12 Jul 2006 18:26:43 -0700 (PDT)
Received: by 10.36.140.3 with SMTP id n3mr359415nzd; Wed, 12 Jul 2006 18:26:43 -0700 (PDT)
Return-Path: <Emile0@backwards.com>
Received: from 113-9.202-68.tampabay.res.rr.com (113-9.202-68.tampabay.res.rr.com [68.202.9.113]) by mx.gmail.com with SMTP id 17si1428871nzo.2006.07.12.18.26.42; Wed, 12 Jul 2006 18:26:43 -0700 (PDT)
Received-SPF: neutral (gmail.com: 68.202.9.113 is neither permitted nor denied by domain of Emile0@backwards.com)
Received: from cluster2.eu.messagelabs.com by DSL212-235-70-yil.bb.netvision.net.il (8.9.3/8.9.3) with SMTP id KY0YWs8nkZtb for <xxx@gmail.com>; Wed, 12 Jul 2006 21:48:21 +0000
Received: from qpqlnzxmjskj (HELO tkiog) ([227.124.218.gmw]) by cluster2.eu.messagelabs.com with Microsoft SMTPSVC(5.0.2195.5329) for <xxx@gmail.com>; Wed, 12 Jul 2006 21:48:21 +0000
From: "Emile Couch" <chrfer102@hereinreality.com>
Reply-to: "Emile Couch" <chrfer102@hereinreality.com>
Message-ID: <0636487043.5934461808@hereinreality.com>
Date: Wed, 12 Jul 2006 21:48:21 +0000
To: xxx <xxx@gmail.com>
Subject: customhouse message from Emile Couch
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

The above headers don't show it was sent from the MSFN mail server. Does anyone have the FULL headers showing the mail server from which it was sent? DO NOT be so fast to say it was MSFN or that MSFN was hacked.
Post #11, Jul 13 2006, 11:05 AM
0n77 0x53 0n70 0x54 | Group: Super Moderator | Posts: 666 | Joined: 14-September 04 | From: The belly of The Beast | Member No.: 31023 | OS: Windows 7 x64
Random subject, different sender addresses and routes - the email addresses of the users on the forum have been harvested and will be in circulation on spam engines all over the place by now.

If the forum mailer daemon had been compromised, the message would be the same, would appear to come from MSFN and would be traceable back to the same origin. I received an email with this header addressed to a unique address used only for MSFN (so I can track when addresses get leaked like this):

From: - Thu Jul 13 18:42:06 2006
X-Account-Key: account3
X-UIDL: UID4263-1116176773
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-path: <KermitWilkerson34@animail.net>
Envelope-to: [mymailbox]
Delivery-date: Thu, 13 Jul 2006 02:21:56 +0100
Received: from [195.224.48.118] (helo=nine.mx.123-reg.co.uk) by pophost.123-reg.co.uk with esmtps (TLSv1:AES256-SHA:256) (Exim 4.43) id 1G0pts-0000rn-8y for [mymailbox]; Thu, 13 Jul 2006 02:21:56 +0100
Received: from 163.red-81-36-192.dynamicip.rima-tde.net ([81.36.192.163]) by nine.mx.123-reg.co.uk with smtp (Exim 4.50) id 1G0ptr-0001x3-SH for [me]; Thu, 13 Jul 2006 02:21:56 +0100
Received: from localhost (linux139 [127.0.0.1]) by handler.bolt.com (Postfix) with ESMTP id 0-9A-ZA-Z0-9A-Z0-9A-Z0-90-9A-ZA-Z for [me]; Wed, 12 Jul 2006 22:10:25 +0000 (EDT)
Received: from handler.bolt.com ([127.0.0.1]) by localhost (amavis.boltstaff.com [127.0.0.1]) (amavisd-new, port 10099) with ESMTP id 48882-13 for [me]; Wed, 12 Jul 2006 22:10:25 +0000 (EDT)
Received: from boltfolio08 (unknown [10.70.15.87]) by handler.bolt.com (Postfix) with ESMTP id A-Z0-9A-ZA-ZA-Z0-9A-Z0-9A-ZA-Z0-9 for [me]; Wed, 12 Jul 2006 22:10:25 +0000 (EDT)
Message-ID: <14083443.1185289068282.JavaMail.confirm@boltinc.com>
From: Kermit Wilkerson <srayford73@boltfolio.com>
To: [me]
Subject: lawmake message from Kermit Wilkerson
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Wed, 12 Jul 2006 22:10:25 +0000 (EDT)
X-Virus-Scanned: amavisd-new at boltstaff.com
X-Antivirus: avast! (VPS 0628-3, 2006-07-12), Inbound message
X-Antivirus-Status: Clean

Time to change my email address for MSFN...
Post #12, Jul 13 2006, 11:48 AM
Insane Clown | Group: Administrator | Posts: 14931 | Joined: 16-August 01 | From: Esbjerg, DK | Member No.: 1 | OS: Windows 7 x64
Do any of you have msfn in your mail address? Like msfn@ or msfn.org@?
Post #13, Jul 13 2006, 11:49 AM
MSFN OG Senior | Group: Patrons | Posts: 2976 | Joined: 18-August 01 | From: New Jersey | Member No.: 12 | OS: none
I have still yet to see any headers that indicate mail has been sent from MSFN to any members on this board, and for those who have addresses in their profile that are not protected and/or have been used in threads on MSFN, any bot/spider can pick those up.
Post #14, Jul 13 2006, 02:45 PM
Newbie | Group: Members | Posts: 20 | Joined: 13-September 04 | Member No.: 30955
QUOTE
... The above headers don't show it was sent from the MSFN mail server. Does anyone have the FULL headers showing the mail server from which it was sent? DO NOT be so fast to say it was MSFN or that MSFN was hacked.

I don't think anyone said that the mail was sent from MSFN's servers. I was under the impression that a flaw in the forum software allowed members' email addresses to be harvested.

QUOTE
I have still yet to see any headers that indicate mail has been sent from MSFN to any members on this board, and for those who have addresses in their profile that are not protected and/or have been used in threads on MSFN, any bot/spider can pick those up.

It does appear that I didn't have "Hide my email address from other members" checked -- I would have thought that that was checked by default -- arg! (though on extensionsmirror.nl my address was leaked even though I had that checked)

This post has been edited by Zachariah: Jul 13 2006, 02:50 PM
Post #15, Jul 13 2006, 04:06 PM
0n77 0x53 0n70 0x54 | Group: Super Moderator | Posts: 666 | Joined: 14-September 04 | From: The belly of The Beast | Member No.: 31023 | OS: Windows 7 x64
QUOTE
I have still yet to see any headers that indicate mail has been sent from MSFN to any members on this board, and for those who have addresses in their profile that are not protected and/or have been used in threads on MSFN, any bot/spider can pick those up.

I'll repeat it - the mail did not originate from the MSFN forum servers, the addresses have been harvested from within the user database - mine has been hidden since signup so cannot have been harvested through browsing my profile.
Edit: MSDN != MSFN (need more coffee)

Of course I'm assuming it's harvested, and here is why:
1. The email address used is unique for MSFN
2. I have never sent an email from this address or replied to a mail addressed to it
3. The email address is hidden from viewing my profile
4. The email address has not changed since I signed up, and I have not viewed my profile for months
5. A number of other users of the MSFN forum received identically-formatted spam on the very same night
6. The mails were not sent from MSFN's mailer daemon (it was generated on the regular spam network worldwide), so this was not the compromised component

It's hardly rocket science to come to the conclusion that the profile information, even that which was marked as private, has therefore been compromised - either by accessing the user database or injecting code into a script or applet delivered to clients that they execute when visiting the board.

This post has been edited by Mr Snrub: Jul 14 2006, 01:13 AM
Post #16, Jul 13 2006, 05:16 PM
MSFN OG Senior | Group: Patrons | Posts: 2976 | Joined: 18-August 01 | From: New Jersey | Member No.: 12 | OS: none
QUOTE
I have still yet to see any headers that indicate mail has been sent from MSFN to any members on this board, and for those who have addresses in their profile that are not protected and/or have been used in threads on MSFN, any bot/spider can pick those up.

QUOTE
I'll repeat it - the mail did not originate from the MSDN forum servers, the addresses have been harvested from within the user database - mine has been hidden since signup so cannot have been harvested through browsing my profile.

You're assuming it was harvested. I've spoken with IPB and there is no known exploit or security-related issue with accessing the database of any IPB scripts on any updated version, and MSFN is updated continuously. It's also advisable you ask before making direct statements toward any company, especially such comments as "harvested/hacked/leaked or spam".
Post #17, Jul 13 2006, 05:30 PM
MSFN Expert | Group: Banned | Posts: 1298 | Joined: 12-March 05 | From: United States | Member No.: 47483 | OS: none
The email header I posted is the full header, although the header is useless since everything's spoofed. For example, one email was "from localhost (linux139 [127.0.0.1])". It doesn't take a genius to realize that you can't use the internet with an IP address of 127.0.0.1 (that's the loopback interface). Mine had an IP address of 227.124.218.gmw, which is not valid. From as much as I can gather, there's nothing we can do to trace it.

However, it is worth noting that the users I've talked to who didn't receive such emails were members of a special group, such as Mod or Sponsor. Members in these categories also don't see the new ads that are placed under the first post, so that's got me thinking. I've got two theories on how these are related. One is that the code Martin L used to display ads to only the Members group had a flaw in it that exposed the user's email. The other is that they're not related.

EDIT: This sucks.

QUOTE
Get Laid Tonight.
Meet Women In Your Area
Looking for an Intimate Partner
http://yuorte.com/fhh/
fender pile emperor boa coachwhip bird grave-riven chest note warp knitting granule gravel rough-footed steering bridge reserve officer die fitting hidden-veined broad-bosomed flat-footedness beta iron olive-sided pied-colored tradition-following tooth-bred sand caster rood goose barren brome grass singles court yacht racing track boat bog pine chocolate coverer tool-using opera box main road tender-conscienced bear huckleberry Admiralty constants veto power all-turned

This post has been edited by Aegis: Jul 13 2006, 05:33 PM
Post #18, Jul 13 2006, 05:41 PM
MSFN Expert | Group: Banned | Posts: 1298 | Joined: 12-March 05 | From: United States | Member No.: 47483 | OS: none
Complete header information, along with the HTML message code. I am beginning to lean toward the theory that the emails were harvested, since this one appears to be from a different spammer, based on the fact that he/she used OE (X-Mailer: Microsoft Outlook Express 6.00.2800.1106).

CODE
X-Gmail-Received: 53741dc72db65e9220307764736b380ec60246e7
Delivered-To: xxx@gmail.com
Received: by 10.48.242.20 with SMTP id p20cs2192nfh; Wed, 12 Jul 2006 18:01:58 -0700 (PDT)
Received: by 10.36.77.2 with SMTP id z2mr343257nza; Wed, 12 Jul 2006 18:01:55 -0700 (PDT)
Return-Path: <elisacisneros@verizon.com>
Received: from BABY ([62.69.93.61]) by mx.gmail.com with ESMTP id 10si1526164nzo.2006.07.12.18.01.55; Wed, 12 Jul 2006 18:01:55 -0700 (PDT)
Received-SPF: neutral (gmail.com: 62.69.93.61 is neither permitted nor denied by best guess record for domain of elisacisneros@verizon.com)
Message-Id: <009d01c6a615$0d0b3480$230b9653@nzouk>
From: "maddy cox" <elisacisneros@verizon.com>
To: "charlene medeiros" <xxx@gmail.com>
Subject: Let's be having you!
Date: Wed, 12 Jul 2006 20:41:51 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_009D_01C6A615.0D0B3480"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

This is a multi-part message in MIME format.

------=_NextPart_000_009D_01C6A615.0D0B3480
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Get Laid Tonight.
Meet Women In Your Area=20
Looking for an Intimate Partner
http://yuorte.com/fhh/
fender pile emperor boa coachwhip bird grave-riven chest note warp knitting granule gravel rough-footed steering bridge reserve officer die fitting hidden-veined broad-bosomed flat-footedness beta iron olive-sided pied-colored tradition-following tooth-bred sand caster rood goose barren brome grass singles court yacht racing track boat bog pine chocolate coverer tool-using opera box main road tender-conscienced bear huckleberry Admiralty constants veto power all-turned

------=_NextPart_000_009D_01C6A615.0D0B3480
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3DWindows-1252">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY>
<DIV><FONT face=3DArial size=3D2>
<p>Get Laid Tonight.<BR></p>
<p>Meet Women In Your Area <BR></p>
<p>Looking for an Intimate Partner<BR></p>
<A HREF=3D"http://yuorte.com/fhh/">http://yuorte.com/fhh/</A><BR>
<BR>
fender pile emperor boa coachwhip bird grave-riven chest note<BR>
warp knitting granule gravel rough-footed steering bridge reserve officer<B=
R>
die fitting hidden-veined broad-bosomed flat-footedness<BR>
beta iron olive-sided pied-colored<BR>
tradition-following tooth-bred sand caster<BR>
rood goose barren brome grass singles court<BR>
yacht racing track boat bog pine chocolate coverer tool-using<BR>
opera box main road tender-conscienced<BR>
bear huckleberry Admiralty constants veto power all-turned<BR>
</FONT></DIV></BODY>=
</HTML>

------=_NextPart_000_009D_01C6A615.0D0B3480--

This post has been edited by xper: Jul 14 2006, 02:38 AM
Post #19, Jul 13 2006, 05:52 PM
MSFN OG Senior | Group: Patrons | Posts: 2976 | Joined: 18-August 01 | From: New Jersey | Member No.: 12 | OS: none
QUOTE
The email header I posted is the full header, although the header is useless since everything's spoofed. For example, one email was "from localhost (linux139 [127.0.0.1])". It doesn't take a genius to realize that you can't use the internet with an IP address of 127.0.0.1 (that's the loopback interface). Mine had an IP address of 227.124.218.gmw, which is not valid. From as much as I can gather, there's nothing we can do to trace it.

However, it is worth noting that the users I've talked to who didn't receive such emails were members of a special group, such as Mod or Sponsor. Members in these categories also don't see the new ads that are placed under the first post, so that's got me thinking. I've got two theories on how these are related. One is that the code Martin L used to display ads to only the Members group had a flaw in it that exposed the user's email. The other is that they're not related.

The 127.0.0.1 would indicate someone is using a local server or PC at their house to send mail. This is common and would show the 127.0.0.1 IP. Now regarding your theory about the mod Martin put into place, this could be true as the mod was outdated (well over a year, if not longer) and was not meant for the latest version of IPB (the version MSFN is using). Now don't get me wrong, the theory might be wrong but it seems to be a good point. BTW, anyone take the subject line and do a Google search? You would be amazed at what Google will find for you, such as the source or possible solution regarding how e-mails were used.
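The points argued across posts #10, #11, #17 and #19 (only the Received: lines stamped by your own provider are verifiable, everything below them can be written by the sender; loopback and malformed client addresses are tell-tales; a per-site address tells you which member list leaked) can be turned into a small header checker. The script below is an added example, not code from this thread, from MSFN or from Invision Power Board. The header block inside it is a constructed sample that imitates the shapes quoted above (a real-looking public IP on the provider's hop, a hop with no IP, the unparsable "227.124.218.gmw", and a 127.0.0.1 hop); "example.com" stands in for the recipient's own mail provider, and the trusted-suffix rule, the hop classification and the function names are this example's own assumptions.

```python
"""Walk a message's Received: chain and mark where it stops being verifiable."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# CONSTRUCTED sample, modelled on the headers quoted in the thread; not a real message.
# Newest hop first. "example.com" plays the role of the recipient's own provider.
SAMPLE_HEADERS = """\
Delivered-To: msfn.org@example.com
Received: from 113-9.202-68.tampabay.res.rr.com (113-9.202-68.tampabay.res.rr.com [68.202.9.113])
        by mx.example.com with SMTP id 17si1428871nzo; Wed, 12 Jul 2006 18:26:43 -0700 (PDT)
Received-SPF: neutral (example.com: 68.202.9.113 is neither permitted nor denied by domain of sender@example.net)
Received: from cluster2.eu.messagelabs.com by DSL212-235-70-yil.bb.netvision.net.il (8.9.3/8.9.3)
        with SMTP id KY0YWs8nkZtb for <msfn.org@example.com>; Wed, 12 Jul 2006 21:48:21 +0000
Received: from qpqlnzxmjskj (HELO tkiog) ([227.124.218.gmw]) by cluster2.eu.messagelabs.com
        with Microsoft SMTPSVC(5.0.2195.5329) for <msfn.org@example.com>; Wed, 12 Jul 2006 21:48:21 +0000
Received: from localhost (linux139 [127.0.0.1]) by handler.example.org (Postfix) with ESMTP id 48882-13
        for <msfn.org@example.com>; Wed, 12 Jul 2006 22:10:25 +0000 (EDT)
From: "Emile Couch" <sender@example.net>
Subject: customhouse message from Emile Couch

"""

Header = Tuple[str, str]
BRACKETED_IP = re.compile(r"\[([^\]]+)\]")   # "[68.202.9.113]" as stamped by the relay
RECEIVED_BY = re.compile(r"\bby\s+(\S+)")     # the host that wrote this Received: line


def parse_headers(raw: str) -> List[Header]:
    """Unfold RFC 5322 folded header lines; return (name, value) pairs in wire order."""
    fields: List[Header] = []
    for line in raw.splitlines():
        if not line.strip():
            break                                  # blank line ends the header block
        if line[0] in " \t" and fields:            # continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def classify_ip(token: Optional[str]) -> str:
    """Bucket the client address a relay claims to have seen."""
    if token is None:
        return "none"
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return "unparsable"    # "227.124.218.gmw" is not an address at all
    if ip.is_loopback:
        return "loopback"      # 127.0.0.1: the relay says it talked to itself
    if ip.is_private:
        return "private"
    return "public"


def _operated_by(host: str, suffix: str) -> bool:
    """True if host is suffix or a subdomain of it (exact match, not a bare endswith)."""
    host = host.lower().rstrip(";,")
    return host == suffix or host.endswith("." + suffix)


def trace_received(fields: List[Header], trusted_suffix: str) -> Dict[str, object]:
    """Top-down, the chain is verifiable only while the 'by' host is our own provider;
    the client IP on the last such line is the real origin, everything below is forgeable."""
    hops = []
    for name, value in fields:
        if name.lower() != "received":
            continue
        by = RECEIVED_BY.search(value)
        ips = BRACKETED_IP.findall(value)
        client = ips[0] if ips else None
        hops.append({"by": by.group(1) if by else "", "client": client,
                     "class": classify_ip(client),
                     "trusted": bool(by) and _operated_by(by.group(1), trusted_suffix)})
    origin = None
    for hop in hops:
        if not hop["trusted"]:
            break
        origin = hop["client"]
    return {"hops": hops, "origin": origin,
            "forgeable": [h for h in hops if not h["trusted"]]}


def spf_result(fields: List[Header]) -> Optional[str]:
    """First token of Received-SPF (pass/fail/softfail/neutral/none), if present."""
    for name, value in fields:
        if name.lower() == "received-spf":
            return value.split()[0].lower()
    return None


def leaked_tag(fields: List[Header]) -> Optional[str]:
    """Local part of Delivered-To: with per-site addresses (post #11), this names the site that leaked."""
    for name, value in fields:
        if name.lower() == "delivered-to":
            return value.partition("@")[0]
    return None


def report(raw: str, trusted_suffix: str) -> str:
    fields = parse_headers(raw)
    trace = trace_received(fields, trusted_suffix)
    lines = [f"address tag: {leaked_tag(fields)}  spf: {spf_result(fields)}",
             f"verifiable origin (client seen by {trusted_suffix}): {trace['origin']}"]
    for i, hop in enumerate(trace["hops"], 1):
        flag = "trusted  " if hop["trusted"] else "FORGEABLE"
        lines.append(f"hop {i}: {flag} by={hop['by']} client={hop['client']} ({hop['class']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HEADERS, "example.com"))
```

On the sample this reports 68.202.9.113 as the only origin worth acting on (the client the provider's own MX accepted the connection from, SPF neutral) and marks the three hops underneath it as forgeable, which is exactly why the 127.0.0.1 and "227.124.218.gmw" entries prove nothing about where the message was sent from, and why the address tag, not the header chain, is the useful evidence about where the address leaked.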
Post #20, Jul 13 2006, 06:05 PM
MSFN Expert | Group: Banned | Posts: 1298 | Joined: 12-March 05 | From: United States | Member No.: 47483 | OS: none
Yup, found out that the quote "Let's be having you!" was popularized by Delia Smith during a football game. And I edited my message, since I've just found out that I got some more spam. And just curious, but which members have access to the email database?