Forums/Site leaked email address

[Zachariah]

I use msfn.org@[example].com (with my domain) as the email address for this site. Today I got a spam sent to that address.

I also got one to extensionsmirror.nl@[example].com -- and I think you guys use the same forum software.

I haven't checked with Invision Power Board, but that's probably your job since it's software you (bought?) got from them.

I'm betting I'm not the only one who got spam.

Here's the body of the message:

Hi, dossier

University Diplomas

No required tests, classes, books, or interviews.

Please call:

1-###-###-3737

threonine postposition thud alphonse andiron pennsylvania copyright arpeggio askew follow

lahore gibby, habeas istanbul luzon birefringent typhon wingmen firewood gsa dish mead

fain bubble .hypochlorite lanka metamorphism framework corrupt sw oodles britten miami

lyon! casual nh. crew freak permanent drain protrusion compressible. peal burglary pith cowpunch.

Your Joan

[Aegis]

Only know 21 words from that list. Anyone have any idea what's a cowpunch ?

Just checked my email I registered with MSFN and I got something similar:

Hi, galenite

University Diplomas

No required tests, classes, books, or interviews.

Please call:

1-206-338-3737

hardboard injustice forbidden philadelphia variac convulse electroencephalography veery mole expressway

obsolete vitamin, volunteer avocet setback pasteup careworn deanna agglutinin picket conclusive faint

brandt newsboy .adulterous delia incessant axial breccia polloi housebreak lim city

sentential! counterpoise bruno. adversary laborious barnyard myocardial spittle prize. max shelter sanchez gasoline.

Your Emile

"Electroencephalography." That's a good word to add to my vocabulary. I'm appalled that MSFN would spam my email!!!

EDIT: Let's start a collection of these!!! Post the spam email you got here!

Edited July 13, 2006 by Aegis

[gamehead200]

What was the subject of this e-mail?

I haven't received anything in my MSFN e-mail of this sort.

[Aegis]

Here's the header:

X-Gmail-Received: f99b6057a5eb7f8a995342c7c62c3bb5b042c498

Delivered-To: xxx@gmail.com

Received: by 10.48.242.20 with SMTP id p20cs2759nfh;

Wed, 12 Jul 2006 18:26:43 -0700 (PDT)

Received: by 10.36.140.3 with SMTP id n3mr359415nzd;

Wed, 12 Jul 2006 18:26:43 -0700 (PDT)

Return-Path: <Emile0@backwards.com>

Received: from 113-9.202-68.tampabay.res.rr.com (113-9.202-68.tampabay.res.rr.com [68.202.9.113])

by mx.gmail.com with SMTP id 17si1428871nzo.2006.07.12.18.26.42;

Wed, 12 Jul 2006 18:26:43 -0700 (PDT)

Received-SPF: neutral (gmail.com: 68.202.9.113 is neither permitted nor denied by domain of Emile0@backwards.com)

Received: from cluster2.eu.messagelabs.com by DSL212-235-70-yil.bb.netvision.net.il (8.9.3/8.9.3) with SMTP id KY0YWs8nkZtb for <xxx@gmail.com>; Wed, 12 Jul 2006 21:48:21 +0000

Received: from qpqlnzxmjskj (HELO tkiog) ([227.124.218.gmw]) by cluster2.eu.messagelabs.com with Microsoft SMTPSVC(5.0.2195.5329) for <xxx@gmail.com>; Wed, 12 Jul 2006 21:48:21 +0000

From: "Emile Couch" <chrfer102@hereinreality.com>

Reply-to: "Emile Couch" <chrfer102@hereinreality.com>

Message-ID: <0636487043.5934461808@hereinreality.com>

Date: Wed, 12 Jul 2006 21:48:21 +0000

To: xxx <xxx@gmail.com>

Subject: customhouse message from Emile Couch

MIME-Version: 1.0

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

[The Land of Smeg]

I can confirm that all of the email addresses have been harvested from MSFN (among others), possibly because of a recent exploit to take full control of a server through IPB 2.1.6

[xper]

Patch was applied immediately after release.

Patched 30/6 2006

Patched 20/6 2006

Patched 23/5 2006

Upgraded to 2.1.6

http://forums.invisionpower.com/index.php?showtopic=220787

I will investigate this.

[Sic]

I've also receive such a "mechanic message. I was wondering where it comes. Now I know

[xper]

OK. When this started. It's important to know.

[Sic]

I have unfortunately deleted permantely this message. I seen it this morning when I launched Outlook. So it have been sent between yesterday 6:00 PM and tomorrow 8:00 AM.

[XPerties]

Here's the header:

X-Gmail-Received: f99b6057a5eb7f8a995342c7c62c3bb5b042c498

Delivered-To: xxx@gmail.com

Received: by 10.48.242.20 with SMTP id p20cs2759nfh;

Wed, 12 Jul 2006 18:26:43 -0700 (PDT)

Received: by 10.36.140.3 with SMTP id n3mr359415nzd;

Wed, 12 Jul 2006 18:26:43 -0700 (PDT)

Return-Path: <Emile0@backwards.com>

Received: from 113-9.202-68.tampabay.res.rr.com (113-9.202-68.tampabay.res.rr.com [68.202.9.113])

by mx.gmail.com with SMTP id 17si1428871nzo.2006.07.12.18.26.42;

Wed, 12 Jul 2006 18:26:43 -0700 (PDT)

Received-SPF: neutral (gmail.com: 68.202.9.113 is neither permitted nor denied by domain of Emile0@backwards.com)

Received: from cluster2.eu.messagelabs.com by DSL212-235-70-yil.bb.netvision.net.il (8.9.3/8.9.3) with SMTP id KY0YWs8nkZtb for <xxx@gmail.com>; Wed, 12 Jul 2006 21:48:21 +0000

Received: from qpqlnzxmjskj (HELO tkiog) ([227.124.218.gmw]) by cluster2.eu.messagelabs.com with Microsoft SMTPSVC(5.0.2195.5329) for <xxx@gmail.com>; Wed, 12 Jul 2006 21:48:21 +0000

From: "Emile Couch" <chrfer102@hereinreality.com>

Reply-to: "Emile Couch" <chrfer102@hereinreality.com>

Message-ID: <0636487043.5934461808@hereinreality.com>

Date: Wed, 12 Jul 2006 21:48:21 +0000

To: xxx <xxx@gmail.com>

Subject: customhouse message from Emile Couch

MIME-Version: 1.0

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

The above headers don't show it was sent from MSFN mail server. Does anyone have the FULL headers showing the mail server from which it was sent from?

DO NOT be so fast to say it was MSFN or that MSFN was hacked.

[Mr Snrub]

Random subject, different sender addresses and routes - the email addresses of the users on the forum have been harvested and will be in circulation on spam engines all over the place by now.

If the forum mailer daemon had been compromised, the message would be the same, would appear to come from MSFN and would be traceable back to the same origin.

I received an email with this header addressed to a unique address used only for MSFN (so I can track when addresses get leaked like this):

From: - Thu Jul 13 18:42:06 2006

X-Account-Key: account3

X-UIDL: UID4263-1116176773

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-path: <KermitWilkerson34@animail.net>

Envelope-to: [mymailbox]

Delivery-date: Thu, 13 Jul 2006 02:21:56 +0100

Received: from [195.224.48.118] (helo=nine.mx.123-reg.co.uk) by pophost.123-reg.co.uk with esmtps (TLSv1:AES256-SHA:256) (Exim 4.43) id 1G0pts-0000rn-8y for [mymailbox]; Thu, 13 Jul 2006 02:21:56 +0100

Received: from 163.red-81-36-192.dynamicip.rima-tde.net ([81.36.192.163]) by nine.mx.123-reg.co.uk with smtp (Exim 4.50) id 1G0ptr-0001x3-SH for [me]; Thu, 13 Jul 2006 02:21:56 +0100

Received: from localhost (linux139 [127.0.0.1]) by handler.bolt.com (Postfix) with ESMTP id 0-9A-ZA-Z0-9A-Z0-9A-Z0-90-9A-ZA-Z for [me]; Wed, 12 Jul 2006 22:10:25 +0000 (EDT)

Received: from handler.bolt.com ([127.0.0.1]) by localhost (amavis.boltstaff.com [127.0.0.1]) (amavisd-new, port 10099) with ESMTP id 48882-13 for [me]; Wed, 12 Jul 2006 22:10:25 +0000 (EDT)

Received: from boltfolio08 (unknown [10.70.15.87]) by handler.bolt.com (Postfix) with ESMTP id A-Z0-9A-ZA-ZA-Z0-9A-Z0-9A-ZA-Z0-9 for [me]; Wed, 12 Jul 2006 22:10:25 +0000 (EDT)

Message-ID: <14083443.1185289068282.JavaMail.confirm@boltinc.com>

From: Kermit Wilkerson <srayford73@boltfolio.com>

To: [me]

Subject: lawmake message from Kermit Wilkerson

Mime-Version: 1.0

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 7bit

Date: Wed, 12 Jul 2006 22:10:25 +0000 (EDT)

X-Virus-Scanned: amavisd-new at boltstaff.com

X-Antivirus: avast! (VPS 0628-3, 2006-07-12), Inbound message

X-Antivirus-Status: Clean

Time to change my email address for MSFN...

[xper]

Does any of you has msfn in mail address? Like msfn@ or msfn.org@?

[XPerties]

I have still yet to see any headers that indicate mail had been sent from MSFN to any members on this board and for those who have address in their profile that are not protected and/or have been used in threads on MSFN any bot/spider can pick those up.

[Zachariah]

...

The above headers don't show it was sent from MSFN mail server. Does anyone have the FULL headers showing the mail server from which it was sent from?

DO NOT be so fast to say it was MSFN or that MSFN was hacked.

I don't think anyone said that the mail was sent from MSFN's servers. I was under the impression that a flaw in the forum software allowed member's email addresses to be harvested.

I have still yet to see any headers that indicate mail had been sent from MSFN to any members on this board and for those who have address in their profile that are not protected and/or have been used in threads on MSFN any bot/spider can pick those up.

it does appear that I didn't have "Hide my email address from other members" checked -- I would have thought that that was checked by default -- arg!

(though on extensionsmirror.nl my address was leaked even though I had that checked)

Edited July 13, 2006 by Zachariah

[Mr Snrub]

I have still yet to see any headers that indicate mail had been sent from MSFN to any members on this board and for those who have address in their profile that are not protected and/or have been used in threads on MSFN any bot/spider can pick those up.

I'll repeat it - the mail did not originate from the MSFN forum servers, the addresses have been harvested from within the user database - mine has been hidden since signup so cannot have been harvested through browsing my profile.

Edit:

MSDN != MSFN (need more coffee)

Of course I'm assuming it's harvested, and here is why:

1. The email address used is unique for MSFN

2. I have never sent an email from this address or replied to a mail addressed to it

3. The email address is hidden from viewing my profile

4. The email address has not changed since I signed up, and I have not viewed my profile for months

5. A number of other users of the MSFN forum received identically-formatted spam on the very same night

6. The mails were not sent from MSFN's mailer daemon (it was generated on the regular spam network worldwide), so this was not the compromised component

It's hardly rocket science to come to the conclusion that the profile information, even that which was marked as private, has therefore been compromised - either by accessing the user database or injecting code into a script or applet delivered to clients that they execute when visitng the board.

Edited July 14, 2006 by Mr Snrub