Has your MSE forum email address been spammed.

pitkin2020

this is why its worth having your own domain and using specific emails for different forums/businesses, i have no doubt that the loss of people emails was unintenional and i hope you get it sorted soon, thankfully i dont think i have received anything i shouldn't have from MSE, but it would be hard for me to tell as im getting 7000+ emails per day at the moment as my domain is being super spammed, as fast as i put a rule in for the email they are using they change the address again, its bloody annoying to say the least

fermi

MSE_Martin wrote: »

SORRY ABOUT THIS - I TRIED TO MERGE THE THREAD ABOUT MSE EMAILS WITH THE EXISTING ONE BUT DID IT WITH THE WRONG THREAD. SADLY I DONT KNOW HOW TO UNMERGE IT (NOT AS SIMPLE) SO ITS STUCK. HUGE APOLOGIES

Oops!

- Select the posts you want to move using the tick boxes in the top right of the posts (next to post number).
- On the drop down menu under the bottom right of the last post in the page, select "move posts".
- Click the "go" button next to it.
- The forum will then ask you for the url of the thread you want to move those selected posts to.

- May need to remove the redirect you created as well.

fed_up_with_wbankers

Hello Martin,

Thanks for the feedback. I do have my own Server(s), so I am able to create unique emails for most things I sign up to. Been doing this for too long not to know how easily email addresses can go down hill if they end up on a Spam List.

We had to dump a Domain because it was an early one when everyone was much more open and had not realised how Spam would grow into the problem it is.

I can say it does look like the MSE Forum Server has been compromised, because I'm not the only person who has taken these precautions, and it is too coincidental that others are reporting the MSE email addresses have just been Spammed out of the blue.

I do fully appreciate this was not deliberate. It is the Wild West out there, and the Spammers and Hackers never seem to sleep.

I'll email the Header, but will change my outbound email to match the MSE email, just in case. Sorry to seem paranoid, but it's my main email address I am trying to protect, so was not too keen to send an email reporting this if it meant my main email would be compromised doing so.

FUWW

Sailor_Sam

Only a few days ago i wondered had my account here on Mse been hijacked.
When i logged on there was a PM asking me to take part in a survey about benefits. I checked the sender and it was a newie with a total post count of one, so i never replied.
The next time i logged on, i use RoboForm so log in automatically, i came in as a visitor, my name and password did not register.
Something strange, was it just a coincidence the PM.
Because i'd been using Robo, i did not have a record of my password i had to ask for it again and was given one for my account when i first joined but stopped using because i had lost the origional password.
I had been SailorSam but now reverted back to Sailor Sam (two words).
Has anyone else had suspicious PMs which you suspect may be spam.

lorweld

MSE_Martin wrote: »

SORRY ABOUT THIS - I TRIED TO MERGE THE THREAD ABOUT MSE EMAILS WITH THE EXISTING ONE BUT DID IT WITH THE WRONG THREAD. SADLY I DONT KNOW HOW TO UNMERGE IT (NOT AS SIMPLE) SO ITS STUCK. HUGE APOLOGIES

As for emailing the MSE team - there is absolutely no problem (not that we think there is a problem with the forum email - but either way the MSE emails are on an entirely different server at an entirely different location.)

I'll unmerge them :rotfl:

fed_up_with_wbankers

Hello Martin.

Full Spam email header now sent to your Abuse email address.

FUWW

uncas

Another 'victim' for the list, spammed at an address used solely for this forum.

Headers and details have been e-mailed to the requested address. Interestingly my junk mail was from a different faked address -- supposedly the FBI! -- than those mentioned earlier in the thread. It also contained an executable file that, for obvious reasons, I have not investigated further.

I hope the source of this problem is located soon. It's looking very much as though something has been compromised at MSE. Let's hope it's only some forum addresses.

Leonichol

MSE_Martin wrote: »

The numbers of reports are very limited (thankfully) and the only data we hold is email addresses (and teh forum registered ones are seperate to the big weekly email list). Still we don't like even the remotest possibility and behind the scenes are putting resource into checking there's no hole.

Having just received one of these emails myself on my unique MSE address, I too have cause for concern. Especially as it contained an infected executable.

You have quite an amount of services to consider;
-Old version of Apache server (from 1999?!)
-Database server
-vBulletin forum
-FreeBSD OS
...and these are just the ones I know about.

Any of the above could have been compromised, in a way that has yet to be released publically. As has been previously said, it is unlikely that someone has targeted this forum specifically. What is likely, is that such a vulnerability is now being used across the internet on sites hosting similar services. For example, remote execution on your old Apache server.

Unless you do extensive logging of all traffic (regular logs will unlikely reveal anything), there will probably be little you can do. Start with the obvious - such as external entry to your DB server, and logins to any sort of console which runs on your server (SSH?). Then it gets messy. Apache logs may reveal unusual requests to your vBulletin forum - especially if there is a new vulnerability. But this is a mammoth task to do on such a huge forum with all its requests! Perhaps search all logs for the IP addresses which have sent us the emails. Although looking at the header of my message, seems it came from a UK ISP, which would be of little help.

I think the safest thing you can do at the moment, is upgrade everything you can to the latest version - and limit the acceptable access ranges (at host level, not just in the forums) to the UK only (or another small area).

Let me know if there is anything I can do to help.

fed_up_with_wbankers

Hello Uncas!

Interestingly my junk mail was from a different faked address -- supposedly the FBI!

Same here, the Spammer had spoofed the sender's address to show one related to the FBI. The Title of the email related to DHS.

I've checked the email header, and it doesn't say a lot, other than the header was spoofed badly so it was doubled up, and the sending IP appeared to be one based in the USA...but that was either Spoofed as well or, quite probably, was just a machine they had infected earlier and was being used to relay the Spam.

Our anti-virus had already removed the attached file, but there was a file attached at some stage, as our AV had substituted a plain text warning file in its place. The original would've been identified as malicious in that case.

I agree with Leonichol that the vulnerability is going to be a tough one to track down, but it would be a good idea to sort that, even if it is closing the door after the horse has bolted...no point leaving the door open!

FUWW

alanwsg

Yeah, I just got the FBI one as well,
Forwarded to your spamreport address.