
Spam To Dnf Account Emails

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,318
Reaction score
2,217
Feedback: 723 / 0 / 0
After 10+ years of using a particular email just to receive DNForum notifications, it started getting both spam and hacking attempts. Since I don't use that email anywhere else, nor do I reply anywhere with that email, that can only mean that the DNForum email database has been compromised or otherwise shared. I'd advise everyone to change their email password, or email altogether.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,318
Reaction score
2,217
Feedback: 723 / 0 / 0
It's surprising that the e-mails you're receiving are generic and not domain-related. Perhaps 10 years ago a link to your e-mail was posted on the net, and it was just recently scraped? Or years ago somebody added you to their address book, and later got a virus or their account was compromised.

If the database was compromised, I doubt this is the last we'll hear of it. It's always a good idea to choose a complex-enough password to not be brute-forced anyways.

Did you pay attention to the fact that it's not just me receiving these emails? And who cares if they are domain related or not, they are spam. No, the email that I used was never used elsewhere, nor communicated elsewhere, simply because the system messages sent to that email cannot be responded to.

I've sent Adam a link to this thread.
 

GeorgeK

Leap.com
Legacy Exclusive Member
Joined
May 17, 2002
Messages
2,248
Reaction score
64
Feedback: 3 / 0 / 0
Did you pay attention to the fact that it's not just me receiving these emails?

I have 9 different email accounts (i.e. real accounts, not counting aliases), across multiple ISPs/providers. I often see the same spam across different accounts. It doesn't mean a thing, unless those spams were sent only to DNForum members, and not anyone else (and I've still not received those particular spams).

Right now I've got spam about solar panels to the rescue, part time jobs, gamers will love this, satellite internet, and high speed internet sitting in my junk folder. I imagine others here get them too, to accounts that have nothing to do with DNForum. Spammers send out millions of these, so there's going to be overlap, regardless of whether the accounts are related to DNForum.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,318
Reaction score
2,217
Feedback: 723 / 0 / 0
George, the odds that someone started to spam the same emails (at least the 'urghhhh!' one) to DNForum accounts at the same time, can't be a coincidence. I am not complaining about the spam per se, but rather warning that there might be a security issue as I received dictionary attacks at that email for the first time. Therefore: people should change these emails and passwords.
 

TheLegendaryJP

Level 9
Legacy Exclusive Member
Joined
Jul 12, 2005
Messages
4,335
Reaction score
171
Feedback: 51 / 0 / 0
That is possible George, Josh from Canada received the same spam as Theo in Florida and Jane in Seattle all of whom belong to the same forum.

Now if we all started receiving the same 2-3 spam emails at the same time I would say the odds of that are slim to zero in terms of coincidence. That to me would point to the forum being the key.
 

Chuck

Level 9
Legacy Exclusive Member
Joined
Oct 1, 2005
Messages
2,820
Reaction score
161
Feedback: 4 / 0 / 0
I have disabled the add for now, as we look further into it.
 

A D

Level 14
Legacy Exclusive Member
Joined
Feb 20, 2003
Messages
15,040
Reaction score
1,189
Feedback: 61 / 0 / 0
There has been no database compromise.

I have been looking into the situation for a couple days now.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,318
Reaction score
2,217
Feedback: 723 / 0 / 0
The new email I created a week ago, is already being tested. Somehow, someone is able to gather email addresses of DNForum users. I suggest contacting the forum software makers for info about how this list is being exposed, to a member or to anyone.
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,428
Reaction score
1,290
Feedback: 65 / 0 / 0
This forum was also leaking user IP addresses until last week but apparently somebody took down that unwanted feature.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,318
Reaction score
2,217
Feedback: 723 / 0 / 0
Today I received the first spam in my new email address. It's clear to me, that someone is taking advantage of a setting or other issue with the forum software and is harvesting email addresses of users.

I've included the headers below, removing my info.

From - Tue Feb 17 12:17:19 2015
X-Account-Key: account6
X-UIDL: UID32-1423350832
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <geoff@custombathrooms.com.au>
Envelope-to: *******
Delivery-date: Tue, 17 Feb 2015 10:13:16 -0500
Received: from [211.239.126.50] (port=35084 helo=mail.mnshome.com)
    by ************* with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.84)
    (envelope-from <geoff@custombathrooms.com.au>)
    id 1YNjps-0005JA-G7
    for *************; Tue, 17 Feb 2015 10:13:16 -0500
Received: from User ([37.49.224.206])
    (authenticated bits=0)
    by mail.mnshome.com (8.12.8/8.12.8) with ESMTP id t1HFB9cI011495;
    Wed, 18 Feb 2015 00:11:17 +0900
Message-Id: <201502171511.t1HFB9cI011495@mail.mnshome.com>
Reply-To: <rosejohnson01@e-mail.ua>
From: "Barrister Jim Adam"<geoff@custombathrooms.com.au>
Subject: HAPPY NEW YEAR TO YOU
Date: Tue, 17 Feb 2015 15:12:52 -0000
MIME-Version: 1.0
Content-Type: text/html;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Antivirus: avast! (VPS 150217-1, 02/17/2015), Inbound message
X-Antivirus-Status: Clean
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,318
Reaction score
2,217
Feedback: 723 / 0 / 0
Two more spam emails received today, both titled "Your account has been limited until we hear from you" - from fake PayPal sites: wsswwsss dot net and wwsawwssww dot net
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,428
Reaction score
1,290
Feedback: 65 / 0 / 0
I have set up a unique forwarder E-mail address for DNF, but so far I haven't seen spam to it on my end.
But spam may have been caught and killed before it gets to my mailbox.
Or the database 'leakage' has stopped.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,318
Reaction score
2,217
Feedback: 723 / 0 / 0
Katherine, a member would not notice the attempts to access that particular mailbox, unless they set up a server and used a firewall, to get alerts. I've now gotten at least 5 attempts to access that account, from different IP addresses.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,318
Reaction score
2,217
Feedback: 723 / 0 / 0
You can joke all you want but this email is used only on DNForum. Since others received the same spam emails, I am confident their email accounts are also being targeted - they just don't know it.
 

Spex

Level 6
Legacy Exclusive Member
Joined
Jul 15, 2008
Messages
652
Reaction score
30
Feedback: 29 / 0 / 0
Definitely something fishy going on

Don't know if there have been any attempts to guess my password, but I've been getting LOADS of spam on my DNF-only email address lately. Some of the Subject lines...

  • RE: Business Capital from 5k to 500k
  • URGENT!!URGENT!!URGENT!!
  • Do you want to gratify your babe at night?
  • New Single from StormyNpize 'Wolf' | Out Now on all Major Stores
  • Bulletin for Sunday - Can you send please!
  • Your account has been limited until we hear from you
  • Invoices for Chrissie Elliott
  • Donation
  • Payment instruction to credit your account
  • FW: Job Offer
  • We can help your Business Grow 2015

And that's just from the last week or so
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,428
Reaction score
1,290
Feedback: 65 / 0 / 0
I have reviewed the logs and I found one failed attempt at SMTP authentication against our servers. The attack used a forwarder E-mail address that is only used at DNF and nowhere else. It was set up very recently.

Conclusion: No coincidence here, there has been a breach. This could be a flaw in the forum code.

Also, the pattern of the attack is apparently related to an SMTP auth brute force that has been going on for a long time.
The purpose of that kind of attack is usually to send spam exploiting your servers as an open relay.
While most of those attacks come from China, the offending IP address was Irish. But it is almost certain this is yet another zombie machine.
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,428
Reaction score
1,290
Feedback: 65 / 0 / 0
So I changed the forwarder address. Let's see if this one is going to be compromised as well.
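
The log review described in the posts above (checking for SMTP authentication failures and inbound mail aimed at an address that was given to only one site) can be automated. This is an added example, not part of the original thread: the canary addresses, IP addresses and log lines are constructed, and the log layout is assumed to follow Exim's main-log style.

```python
import re
from collections import defaultdict

# Hypothetical canary addresses, each handed to exactly one service.
CANARIES = {"dnf-2015a@example.com": "forum", "shop-7f3@example.com": "shop"}

# Constructed sample lines modeled on Exim's main log; not real data.
SAMPLE_LOG = """\
2015-02-17 10:02:11 dovecot_login authenticator failed for (User) [192.0.2.15]: 535 Incorrect authentication data (set_id=DNF-2015a@example.com)
2015-02-17 10:02:40 dovecot_login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=info@example.com)
2015-02-17 10:13:16 1AAAAA-000001-AA <= sender@example.net H=(mail.example.net) [203.0.113.50] P=esmtps S=2301 for dnf-2015a@example.com
2015-02-17 10:20:03 1AAAAA-000002-AA <= friend@example.org H=(mx.example.org) [203.0.113.9] P=esmtps S=1822 for me@example.com
2015-02-17 11:45:09 dovecot_login authenticator failed for (User) [192.0.2.77]: 535 Incorrect authentication data (set_id=dnf-2015a@example.com)
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
# Failed SMTP AUTH: the login name that was tried appears in set_id=...
AUTH_FAIL = re.compile(TS + r" \S+ authenticator failed for .*?\[(?P<ip>[^\]]+)\]"
                            r": 535 .*\(set_id=(?P<addr>[^)]+)\)")
# Message arrival ("<="): the envelope recipient follows the trailing "for".
ARRIVAL = re.compile(TS + r" \S+ <= \S+ .*\[(?P<ip>[^\]]+)\].* for (?P<addr>\S+)$")

def canary_hits(log_text, canaries=CANARIES):
    """Map each service to the log events that touched its canary address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        for kind, pattern in (("auth_failure", AUTH_FAIL), ("inbound_mail", ARRIVAL)):
            m = pattern.match(line)
            addr = m["addr"].lower() if m else None  # addresses compared case-insensitively
            if addr in canaries:
                hits[canaries[addr]].append((kind, m["ts"], m["ip"]))
    return dict(hits)

def summarize(hits):
    """Per service: event counts by kind and number of distinct source IPs."""
    out = {}
    for service, events in hits.items():
        kinds = [kind for kind, _, _ in events]
        out[service] = {"auth_failure": kinds.count("auth_failure"),
                        "inbound_mail": kinds.count("inbound_mail"),
                        "sources": len({ip for _, _, ip in events})}
    return out

if __name__ == "__main__":
    for service, stats in summarize(canary_hits(SAMPLE_LOG)).items():
        print(service, stats)
```

A hit is only meaningful if the canary's local part cannot be guessed, so use a random string rather than a dictionary word or the site's name alone. Rotating the address after a hit, as in the last post, shows whether the exposure is still ongoing.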
 
