
Spam To Dnf Account Emails

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,306
Reaction score
2,216
After 10+ years of using a particular email just to receive DNForum notifications, it started getting both spam and hacking attempts. Since I don't use that email anywhere else, nor do I reply anywhere with that email, that can only mean that the DNForum email database has been compromised or otherwise shared. I'd advise everyone to change their email password, or email altogether.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,306
Reaction score
2,216
It's surprising that the e-mails you're receiving are generic and not domain-related. Perhaps 10 years ago a link to your e-mail was posted on the net, and it was just recently scraped? Or years ago somebody added you to their address book, and later got a virus or their account was compromised.

If the database was compromised, I doubt this is the last we'll hear of it. It's always a good idea to choose a complex-enough password to not be brute-forced anyways.

Did you pay attention to the fact that it's not just me receiving these emails? And who cares if they are domain related or not, they are spam. No, the email that I used was never used elsewhere, nor communicated elsewhere, simply because the system messages sent to that email cannot be responded to.

I've sent Adam a link to this thread.
 

GeorgeK

Leap.com
Legacy Exclusive Member
Joined
May 17, 2002
Messages
2,252
Reaction score
69
Did you pay attention to the fact that it's not just me receiving these emails?

I have 9 different email accounts (i.e. real accounts, not counting aliases), across multiple ISPs/providers. I often see the same spam across different accounts. It doesn't mean a thing, unless those spams were sent only to DNForum members, and not anyone else (and I've still not received those particular spams).

Right now I've got spam about solar panels to the rescue, part time jobs, gamers will love this, satellite internet, and high speed internet sitting in my junk folder. I imagine others here get them too, to accounts that have nothing to do with DNForum. Spammers send out millions of these, so there's going to be overlap, regardless of whether the accounts are related to DNForum.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,306
Reaction score
2,216
George, the odds that someone started to spam the same emails (at least the 'urghhhh!' one) to DNForum accounts at the same time, can't be a coincidence. I am not complaining about the spam per se, but rather warning that there might be a security issue as I received dictionary attacks at that email for the first time. Therefore: people should change these emails and passwords.
 

TheLegendaryJP

Level 9
Legacy Exclusive Member
Joined
Jul 12, 2005
Messages
4,335
Reaction score
171
That is possible George, Josh from Canada received the same spam as Theo in Florida and Jane in Seattle all of whom belong to the same forum.

Now if we all started receiving the same 2-3 spam emails at the same time I would say the odds of that are slim to zero in terms of coincidence. That to me would point to the forum being the key.
 

A D

Level 14
Legacy Exclusive Member
Joined
Feb 20, 2003
Messages
15,040
Reaction score
1,188
There has been no database compromise.

I have been looking into the situation for a couple days now.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,306
Reaction score
2,216
The new email I created a week ago, is already being tested. Somehow, someone is able to gather email addresses of DNForum users. I suggest contacting the forum software makers for info about how this list is being exposed, to a member or to anyone.
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,427
Reaction score
1,290
This forum was also leaking user IP addresses until last week but apparently somebody took down that unwanted feature.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,306
Reaction score
2,216
Today I received the first spam in my new email address. It's clear to me, that someone is taking advantage of a setting or other issue with the forum software and is harvesting email addresses of users.

I've included the headers below, removing my info.

From - Tue Feb 17 12:17:19 2015
X-Account-Key: account6
X-UIDL: UID32-1423350832
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <[email protected]>
Envelope-to: *******
Delivery-date: Tue, 17 Feb 2015 10:13:16 -0500
Received: from [211.239.126.50] (port=35084 helo=mail.mnshome.com)
    by ************* with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.84)
    (envelope-from <[email protected]>)
    id 1YNjps-0005JA-G7
    for *************; Tue, 17 Feb 2015 10:13:16 -0500
Received: from User ([37.49.224.206])
    (authenticated bits=0)
    by mail.mnshome.com (8.12.8/8.12.8) with ESMTP id t1HFB9cI011495;
    Wed, 18 Feb 2015 00:11:17 +0900
Message-Id: <[email protected]>
Reply-To: <[email protected]>
From: "Barrister Jim Adam"<[email protected]>
Subject: HAPPY NEW YEAR TO YOU
Date: Tue, 17 Feb 2015 15:12:52 -0000
MIME-Version: 1.0
Content-Type: text/html;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Antivirus: avast! (VPS 150217-1, 02/17/2015), Inbound message
X-Antivirus-Status: Clean
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,306
Reaction score
2,216
Two more spam emails received today, both titled "Your account has been limited until we hear from you" - from fake PayPal sites: wsswwsss dot net and wwsawwssww dot net
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,427
Reaction score
1,290
I have set up a unique forwarder E-mail address for DNF, but so far I haven't seen spam to it on my end.
But spam may have been caught and killed before it gets to my mailbox.
Or the database 'leakage' has stopped.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,306
Reaction score
2,216
Katherine, a member would not notice the attempts to access that particular mailbox, unless they set up a server and used a firewall, to get alerts. I've now gotten at least 5 attempts to access that account, from different IP addresses.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,306
Reaction score
2,216
You can joke all you want but this email is used only on DNForum. Since others received the same spam emails, I am confident their email accounts are also being targeted - they just don't know it.
 

Spex

Level 6
Legacy Exclusive Member
Joined
Jul 15, 2008
Messages
652
Reaction score
30
Definitely something fishy going on

Don't know if there have been any attempts to guess my password, but I've been getting LOADS of spam on my DNF-only email address lately. Some of the Subject lines...

  • RE: Business Capital from 5k to 500k
  • URGENT!!URGENT!!URGENT!!
  • Do you want to gratify your babe at night?
  • New Single from StormyNpize 'Wolf' | Out Now on all Major Stores
  • Bulletin for Sunday - Can you send please!
  • Your account has been limited until we hear from you
  • Invoices for Chrissie Elliott
  • Donation
  • Payment instruction to credit your account
  • FW: Job Offer
  • We can help your Business Grow 2015

And that's just from the last week or so
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,427
Reaction score
1,290
I have reviewed the logs and I found one failed attempt at SMTP authentication against our servers. The attack used a forwarder E-mail address that is only used at DNF and nowhere else. It was set up very recently.

Conclusion: No coincidence here, there has been a breach. This could be a flaw in the forum code.

Also, the pattern of the attack is apparently related to an SMTP auth brute force that has been going on for a long time.
The purpose of that kind of attack is usually to send spam exploiting your servers as an open relay.
While most of those attacks come from China, the offending IP address was Irish. But it is almost certain this is yet another zombie machine.
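
The log review described in the post above, sketched as an added example (not code from this thread or from the forum software): it scans mail-server log lines for failed SMTP authentication against addresses that were each given to exactly one site, so any hit names the site that exposed the address. The addresses, IPs and log lines are constructed, and the Exim-style line format is an assumption about the server in use.

```python
import re
from collections import defaultdict

# Assumption: each canary address was registered at exactly one site.
CANARIES = {
    "dnf-7f3a@example.org": "DNForum",
    "shop-19c2@example.org": "example-shop",
}

# Constructed sample lines in the style of an Exim main log.
SAMPLE_LOG = """\
2015-02-17 10:13:16 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=dnf-7f3a@example.org)
2015-02-17 10:13:40 dovecot_login authenticator failed for (User) [198.51.100.23]:51544: 535 Incorrect authentication data (set_id=DNF-7F3A@example.org)
2015-02-17 10:14:02 dovecot_plain authenticator failed for (ylmf-pc) [192.0.2.55]: 535 Incorrect authentication data (set_id=admin)
2015-02-17 10:15:11 1AbCdE-000001-XX <= someone@example.net H=mail.example.net [192.0.2.9] P=esmtps S=2211
2015-02-18 03:02:10 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=dnf-7f3a@example.org)
"""

# timestamp, authenticator name, source IP (optional :port), attempted login
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?: 535 .*?\(set_id=(?P<user>[^)]+)\)"
)

def canary_hits(log_text, canaries=CANARIES):
    """Group failed-auth attempts by the site whose canary address was tried."""
    hits = defaultdict(lambda: {"attempts": 0, "ips": set(), "first_seen": None})
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if not m:
            continue  # deliveries, successful logins, other log noise
        site = canaries.get(m["user"].strip().lower())
        if site is None:
            continue  # ordinary guessing against names like "admin"
        entry = hits[site]
        entry["attempts"] += 1
        entry["ips"].add(m["ip"])
        if entry["first_seen"] is None or m["ts"] < entry["first_seen"]:
            entry["first_seen"] = m["ts"]
    return dict(hits)

if __name__ == "__main__":
    for site, e in canary_hits(SAMPLE_LOG).items():
        print(f"{site}: {e['attempts']} failed logins from "
              f"{len(e['ips'])} IPs, first seen {e['first_seen']}")
```

Attempts against generic usernames are ignored on purpose: only a login name that exists nowhere except one site's user table is evidence about that site.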
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,427
Reaction score
1,290
So I changed the forwarder address. Let's see if this one is going to be compromised as well.
 
