XPerties, posted July 13, 2006

I have still yet to see any headers that indicate mail had been sent from MSFN to any members on this board and for those who have addresses in their profile that are not protected and/or have been used in threads on MSFN any bot/spider can pick those up.

I'll repeat it - the mail did not originate from the MSDN forum servers, the addresses have been harvested from within the user database - mine has been hidden since signup so cannot have been harvested through browsing my profile.

You're assuming it was harvested. I've spoken with IPB and there is no known exploit or security related issue with accessing the database of any IPB scripts on any updated version and MSFN is updated continuously.

It's also advisable you ask before making direct statements toward any company especially such comments as "harvested/hacked/leaked or spam".
Aegis, posted July 13, 2006

The email header I posted is the full header, although the header is useless since everything's spoofed. For example, one email was "from localhost (linux139 [127.0.0.1])". Doesn't take a genius to realize that you can't use the internet with an IP address of 127.0.0.1 (that's the loopback interface). Mine had an IP address of 227.124.218.gmw, which is not valid. From as much as I can gather, there's nothing we can do to trace it.

However, it is worth noting that the users I've talked to who didn't receive such emails were members of a special group, such as Mod or Sponsor. Members in these categories also don't see the new ads that are placed under the first post, so that's got me thinking. I've got two theories on how these are related. One is that the code Martin L used to display ads to only the Members group had a flaw in it that exposed the user's email. The other is that they're not related.

EDIT: This sucks. I got more spam:

Get Laid Tonight.
Meet Women In Your Area
Looking for an Intimate Partner
http://yuorte.com/fhh/
fender pile emperor boa coachwhip bird grave-riven chest note
warp knitting granule gravel rough-footed steering bridge reserve officer
die fitting hidden-veined broad-bosomed flat-footedness
beta iron olive-sided pied-colored
tradition-following tooth-bred sand caster
rood goose barren brome grass singles court
yacht racing track boat bog pine chocolate coverer tool-using
opera box main road tender-conscienced
bear huckleberry Admiralty constants veto power all-turned

Edited July 13, 2006 by Aegis
Aegis, posted July 13, 2006

Complete header information, along with the HTML message code. I am beginning to lean on the theory that the emails were harvested, since this one appears to be from a different spammer, based on the fact that he/she used OE (X-Mailer: Microsoft Outlook Express 6.00.2800.1106).

X-Gmail-Received: 53741dc72db65e9220307764736b380ec60246e7
Delivered-To: xxx@gmail.com
Received: by 10.48.242.20 with SMTP id p20cs2192nfh; Wed, 12 Jul 2006 18:01:58 -0700 (PDT)
Received: by 10.36.77.2 with SMTP id z2mr343257nza; Wed, 12 Jul 2006 18:01:55 -0700 (PDT)
Return-Path: <elisacisneros@verizon.com>
Received: from BABY ([62.69.93.61]) by mx.gmail.com with ESMTP id 10si1526164nzo.2006.07.12.18.01.55; Wed, 12 Jul 2006 18:01:55 -0700 (PDT)
Received-SPF: neutral (gmail.com: 62.69.93.61 is neither permitted nor denied by best guess record for domain of elisacisneros@verizon.com)
Message-Id: <009d01c6a615$0d0b3480$230b9653@nzouk>
From: "maddy cox" <elisacisneros@verizon.com>
To: "charlene medeiros" <xxx@gmail.com>
Subject: Let's be having you!
Date: Wed, 12 Jul 2006 20:41:51 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_009D_01C6A615.0D0B3480"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

This is a multi-part message in MIME format.

------=_NextPart_000_009D_01C6A615.0D0B3480
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Get Laid Tonight.
Meet Women In Your Area=20
Looking for an Intimate Partner
http://yuorte.com/fhh/
fender pile emperor boa coachwhip bird grave-riven chest note
warp knitting granule gravel rough-footed steering bridge reserve officer
die fitting hidden-veined broad-bosomed flat-footedness
beta iron olive-sided pied-colored
tradition-following tooth-bred sand caster
rood goose barren brome grass singles court
yacht racing track boat bog pine chocolate coverer tool-using
opera box main road tender-conscienced
bear huckleberry Admiralty constants veto power all-turned

------=_NextPart_000_009D_01C6A615.0D0B3480
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3DWindows-1252">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY>
<DIV><FONT face=3DArial size=3D2><p>Get Laid Tonight.<BR></p><p>Meet Women In Your Area <BR></p><p>Looking for an Intimate Partner<BR></p>
<A HREF=3D"http://yuorte.com/fhh/">http://yuorte.com/fhh/</A><BR><BR>
fender pile emperor boa coachwhip bird grave-riven chest note<BR>
warp knitting granule gravel rough-footed steering bridge reserve officer<B=
R>die fitting hidden-veined broad-bosomed flat-footedness<BR>
beta iron olive-sided pied-colored<BR>
tradition-following tooth-bred sand caster<BR>
rood goose barren brome grass singles court<BR>
yacht racing track boat bog pine chocolate coverer tool-using<BR>
opera box main road tender-conscienced<BR>
bear huckleberry Admiralty constants veto power all-turned<BR>
</FONT></DIV></BODY>=
</HTML>
------=_NextPart_000_009D_01C6A615.0D0B3480--

Edited July 14, 2006 by xper
XPerties, posted July 13, 2006

> The email header I posted is the full header, although the header is useless since everything's spoofed. For example, one email was "from localhost (linux139 [127.0.0.1])". Doesn't take a genius to realize that you can't use the internet with an IP address of 127.0.0.1 (that's the loopback interface). Mine had an IP address of 227.124.218.gmw, which is not valid. From as much as I can gather, there's nothing we can do to trace it.
>
> However, it is worth noting that the users I've talked to who didn't receive such emails were members of a special group, such as Mod or Sponsor. Members in these categories also don't see the new ads that are placed under the first post, so that's got me thinking. I've got two theories on how these are related. One is that the code Martin L used to display ads to only the Members group had a flaw in it that exposed the user's email. The other is that they're not related.

The 127.0.0.1 would indicate someone is using a local server or pc at their house to send mail. This is common and would show the 127.0.0.1 IP. Now regarding your theory about the mod Martin put into place, this could be true as the mod was outdated (well over a year if not longer) and was not meant for the latest version of IPB (version MSFN is using). Now don't get me wrong, the theory might be wrong but it seems to be a good point.

BTW anyone take the subject line and do a google search? You would be amazed at what google will find for you such as the source or possible solution regarding how e-mails were used.
Aegis, posted July 14, 2006

Yup, found out that the quote "Let's be having you!" was popularized by Delia Smith during a football game. And I edited my message, since I've just found out that I got some more spam. And just curious, but which members have access to the email database?
XPerties, posted July 14, 2006

> Yup, found out that the quote "Let's be having you!" was popularized by Delia Smith during a football game. And I edited my message, since I've just found out that I got some more spam. And just curious, but which members have access to the email database?

Admins and super mods, but xper could disallow access to clients' information in the backend so it might just be xper/admin having the only access.
Mr Snrub, posted July 14, 2006

The use of the loopback address for an SMTP relay from regular ISP users would imply that this is a bot network of trojans used for spamming - the senders are most likely unaware they are being used to distribute this garbage.

That is also why the headers are not consistent - you won't trace the individual mails back to a specific source and the only significant clue is the addresses to which they are sent.

The purpose of me using unique addresses for every site I register on is so that I can see when this occurs and know which source it was lifted from.
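
Added example, not part of any post in this thread: a Python pass over the `Received` chain discussed above. It treats only the lines written by the recipient's own provider as reliable and labels the client address each hop reports. The sample message is constructed from header fragments quoted in the thread; `relay.example` and the `TRUSTED_BY` set are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the first Received line is the Gmail hop from the header
# posted in this thread; the two below reuse fragments quoted by posters, and
# "relay.example" is a placeholder for a host name chosen by the sender.
RAW = """\
Received: from BABY ([62.69.93.61]) by mx.gmail.com with ESMTP; Wed, 12 Jul 2006 18:01:55 -0700
Received: from localhost (linux139 [127.0.0.1]) by relay.example with SMTP; Wed, 12 Jul 2006 20:41:51 -0400
Received: from unknown ([227.124.218.gmw]) by relay.example with SMTP; Wed, 12 Jul 2006 20:41:50 -0400
From: "maddy cox" <elisacisneros@verizon.com>
Subject: Let's be having you!
"""

TRUSTED_BY = {"mx.gmail.com"}  # assumption: hosts run by the recipient's provider
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([^\]]+)\]\)\s+by\s+(\S+)")

def classify(addr):
    """Label the client address that a Received line reports."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"          # e.g. 227.124.218.gmw
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    return "private" if ip.is_private else "public"

def hops(raw):
    """Return one dict per Received line, newest first, with a trust flag."""
    out, trusted = [], True
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))
        if not m:
            continue              # provider-internal "by ... with SMTP id" lines
        helo, _rdns, addr, by = m.groups()
        # Only the unbroken run of lines stamped by our own provider is reliable;
        # everything below the first foreign "by" host is sender-supplied text.
        trusted = trusted and by in TRUSTED_BY
        out.append({"helo": helo, "ip": addr, "by": by,
                    "kind": classify(addr), "trusted": trusted})
    return out

def last_verified_ip(raw):
    """Client IP recorded by the last trusted hop, or None if there is none."""
    good = [h["ip"] for h in hops(raw) if h["trusted"]]
    return good[-1] if good else None
```
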
Innocent Devil, posted July 14, 2006

Me too, I got the same email from some "Shelton Woodward" with the same content.
xper, posted July 14, 2006

I found some indications that some members' mail addresses (through IPB forum software) were leaked somehow. Please change your mail address immediately.

I will continue with the investigation.

On behalf of MSFN I apologize for the inconvenience.
Zachariah (Author), posted July 14, 2006

Thanks xper for the update.

Just to make it clear: I'm not upset about this (these things happen) -- mostly I just wanted to make sure you guys (and Invision, too) knew about it.

Edited July 14, 2006 by Zachariah
the-matrix, posted July 14, 2006

I got this one:

Hi, whale
University Diplomas
No required tests, classes, books, or interviews.
Please call: 1-206-338-3737
sheep mortal nuisance pavlov brock swim distributor raoul bootes lumen
redound licensor, electorate nil catnip seasonal contaminate mcdowell crisp analogous one apposition
excelsior md .oases bowman oleomargarine supplicate wharf smokestack squill satyr hitchcock
into! idol malden. fried punctual elite instillation donovan arbutus. affricate megohm peptide chorine.
Your Boyd
Aegis, posted July 14, 2006

I'm a bit confused. Do you mean changing the email address registered with MSFN? Because if the emails were already harvested, we'd still receive the spam.
the-matrix, posted July 14, 2006

I have already changed my email address. Is there any chance that our passwords have been decrypted and leaked too? I have seen that another forum uses Invision Power Board software v2.1.5 as the present version; what version does MSFN use?

Edited July 15, 2006 by the-matrix
XPerties, posted July 15, 2006

Passwords were not decrypted. IPB does not encrypt e-mail addresses and that is all that was exported.
the-matrix, posted July 15, 2006

Thanks XPerties!