Receiving unsolicited email claiming to be from VGuitar Forums or our Admins

Started by Slackjaw, January 12, 2010, 01:01:32 AM


Slackjaw

Loyal VGuitar Forums Subscribers:

Earlier this morning I received a private message from a subscriber that was upset about receiving an unsolicited spam-style email from me, Slackjaw.  I hope, to most, that it goes without saying that no such breach of trust has occurred.  As your host and admin, I would never intentionally sell-out the email list that has been entrusted to me.  So with that being said...

There is a known issue that has come up in the past couple of days with our forum software.  By default, the software uses a PHP emailer engine to pass around site notifications and private messages.  From my investigations thus far, it appears that it is this email engine that has been exploited. 

The fact that these emails came from "slackjaw" is a clear indicator that this was a targeted attack.  But all one has to do to figure out the "handle" of the forum administrator is just take a quick look.  If a recipient of one of these spams were to look at the actual email address that the email was sent from, they would see that it is clearly not from anyone here.

So basically what happens is:
An evildoer finds a worthwhile SMF board with a large user population.  Like VGuitar Forums. 

They then take a few moments and find out the screen name of an admin.  In this case "Slackjaw" (mistyped "slackjaw") as the sender.  The sending address and the return address are nonsense.

The PHP email engine is exploited and the spam is sent to all email users using that engine.  The evildoers have no record of individual subscriber email addresses.  Most recipients will not see this spam in their inbox as most common spam filters kill it.

We are not alone.  I am currently following a thread in the SMF software support forums.

To stop this, I have turned off the PHP email engine.  I am reconfiguring our systems to use authenticated emails only.  This will take a bit of testing to find any glitches. 

Hang in there folks.  We've been online for a couple of solid years here and have had virtually zero bad stuff happen.  If this is it, then we are doing pretty good.

Rob (aka Slackjaw)
My Rig: Brian Moore i2.13 > Guitar Rig 4 and Roland GR-09 > Ableton Live 8 Suite > Alesis  MasterControl > Little Dot 1+ > Allesandro MS-1 Headphones > My Head > My Soul
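
The check described in the post above (compare the sender's display name with the actual address behind it), as an added example that is not part of the original thread or the forum's own code. The domain `forum.example` and both sample messages are constructed placeholders; only the admin handle comes from the thread.

```python
from email import message_from_string
from email.utils import parseaddr

FORUM_DOMAIN = "forum.example"   # assumption: placeholder for the forum's real sending domain
ADMIN_HANDLES = {"slackjaw"}     # admin screen name, as given in the thread

# Constructed sample messages (not real captured mail).
SPOOFED = """\
From: "slackjaw" <x9k2@bulk-mailer.invalid>
Return-Path: <bounce@other-host.invalid>
To: member@mail.example
Subject: Special offer

Buy now
"""

GENUINE = """\
From: "Slackjaw" <admin@forum.example>
Return-Path: <admin@forum.example>
To: member@mail.example
Subject: New private message

You have a new PM.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_sender(raw):
    """Return a list of findings for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    findings = []
    # Strong signal: a trusted handle shown as the name, but the address is not ours.
    if display.strip().lower() in ADMIN_HANDLES and from_domain != FORUM_DOMAIN:
        findings.append("admin display name on foreign address: " + addr)
    # Weaker signal: bounce address on a different domain than the visible sender.
    rp_domain = domain_of(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        findings.append("Return-Path domain differs from From domain")
    return findings
```

A Return-Path mismatch on its own also occurs with legitimate mail sent through a third-party mail service, so treat it as supporting evidence rather than proof.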

bob e

For tracking purposes, I received the spam as well.  I am quite happy to read your post.  Thank you.

Bob E. aka MIDIme

chipstar

Hey Slackjaw,
While I humorously noted in the Chat window that the 2 complaints leveled are from Australia, there may be something to that.

later,
Chipstar

Slackjaw

From what I can gather thus far, only one email was sent through this exploit.  It was then distributed to all 1,887 registered users using an "all users" default process that exists for admins (like me) to send an all points notification.  

The sample of the email I saw was really blatant spam...and thus would be trapped by most spam filters.  This is the only explanation thus far that fits.  Unless someone hacks our database, or hacks one of the two admin accounts, there is no way to collect the actual registered email addresses of members who had their email set to hidden in their user profile.  And I can see no evidence that any of those three things occurred.  Phew.

The PHP email pathway has been shut down.  The SMF software is now using an authenticated SMTP process.  Slower, clunkier, and more cumbersome...but more secure given the circumstances.  Damn you evildoers!  The Cosmos is gonna get you!

~RTB

MCK

Glad it's over without more damage done. Look what happened to Harmony Central. Seems like music sites are being attacked more frequently for some reason. Gotta keep guards up. All the best

Slackjaw

Interesting.  I really have no qualified theories if and why there would be a connection to Australia.   ???

Slackjaw

It is my conclusion that the large majority of these emails would have been blocked along the way to the recipients...only some slipping through the cracks.

I am standing by for any reports of something new...but the hole that was suspected has been plugged by changing the method upon which our notification engine communicates.

Assuming that it was the right hole, and the plug is effective, I don't expect anything new.  But maybe some reports of the original email that have not been discovered in our subscribers' inboxes.

Onward!

Slackjaw

A mysterious new user had pointed out that if a member opts to not hide their email address then any registered member could mouseover the envelope icon in the memberlist and see the actual email.  In other words, if you had your email set to hidden in your user profile then it cannot be seen by others.

I've edited the code so no emails will ever show during the mouseover.  I've also removed the option to not hide it during the registration process.  This will remove any confusion on the user's part on how they set their profile preferences. 

Interestingly, the new user that had pointed this out had some conflicting info in their account...and had only spent 13 minutes here, and made the one post.  To be on the safe side, I've removed a few peculiar accounts registered in the past few days.  Some things were just not lining up.  My apologies to you if I've axed your account in error.  But when your IP shows one side of the planet, and your self-designated country another, and your email is a hotmail or gmail account that has a different name than you registered...well...you're just looking very out of place.

Slackjaw

I also just "upped" the validation during the registration process.  The image verification is now much stronger to hopefully obstruct bots from registering and all new users are required to validate their email address before their account is activated.

Small steps, but something. 

Slackjaw

It's a few minutes before 2am here in Northwestern Vermont.  It's zero out at two a.m.  I'm satisfied that we've taken some solid strides today in making this place just a little more secure than it was this morning.

Slackjaw out.

notnomiistakes

got one too Tues, 1/12 at 7:11pm Pacific Time.  Don't know if that's helpful.

Slackjaw

OK Great.  Less than four hours sleep.  Should make for a good day.   ;D  The good news is I have just one meeting at 10am with an easy client.  And the meeting is in my living room so I don't plan to even put shoes on today.  Anyways...

Thanks notnomiistakes.

I want to rephrase something that may not be totally clear.  We had at least three different angles of attack occur yesterday.  One of those angles might very well lead to lingering spam emails for some.  Here's why:

Fact 1 = Up until yesterday, each individual user had the ability to either show or hide their registered email address from other users.  This was an option to select, just like your avatar, when you first registered here.

Fact 2 = Up until yesterday, registration was a simple process for anyone wanting to join us.  They would put in their information, do the image verification step, and their account would go active.  We've operated this way since day one...almost exactly two years ago.  Until now there has never been an issue.

Combine Fact 1 and Fact 2 = A new user could come along and register.  Once registered, they could login to their account, display the memberlist, and pick out those users' email addresses that had opted to make their email addresses visible to other registered users.  They could then make record of that email for future evildoing.  

The bottom line is that it's just another one of a million spammers with someone's email address that wants to sell you .viag ra or cial is. or whatever.  But they have the added fun of making the email look like it came from here.

feloniouspunk

Lots of Gear. :)

notnomiistakes

slackjaw
Thanks for info.  Been trying to think of what to do about it.  The only thing I could think of is close my email that spammer is using and create a new one.  Then register here with new email.  Any better ideas?  So far it's only one spam mail.  If there's a new mail from them I could not open it and just view it in the reading pane.  I'm thinking if I never open one again they'll just stop sending them.

Slackjaw

I don't believe that any further action is required at this point.  Unless we all start getting spam after spam from these folks.  Let's just wait and see.

PM me if you see further activity.

Rob

admin

Just a note - if you are currently receiving spam email that appears to be originating from VGuitarforums,
please send me a personal message and we will try to track down the cause.

papabuss

FENDER STRATOCASTER (1974); BRIAN MAY RED SPECIAL; VG 99; GR 55; Yamaha DX 7

Music was my first love and it will be my last (JOHN MILES)