I just got spam via the email address I gave this forum

[Suman]

I just got spam email via the email address I gave this forum. The sender was "operation jubilee", (screengrab attached).

 

If it's just me then it's no big deal, but if other's have had this spam email via their piriform email address then the database of this forum may have been hacked.

 

Just though I'd mention it.

[Andavari]

Do you remember if you've ever posted your email address on the forums in a post? Far too often people have did that, and by the time we notice it and edit it out of posts it could be too late and already grabbed by the gobs of spammers that look at forums.

[Suman]

Do you remember if you've ever posted your email address on the forums in a post? ...

 

I know about email harvesting so never post email addresses in any forum, and I have never used the piriform email address to send an email to piriform or anyone else. That email has only been used by this forum to send emails to me.

 

[ The email address I created seems too weird to be guessed by spammers ... https://en.wikipedia..._harvest_attack ]

 

If no-one else reports getting spam via their piriform forum email address then the hack is specific to me

[Super Fast]

So far, I am not getting spams via the forum. I get spams, but if you use Yahoo Chat, or any number of other services that expose your email, that is to be expected.

[Alan_B]

You registered here nearly 2 years ago.

 

Since then this forum has moved from one service provider to another.

I cannot help wondering if the previous service provider has disposed of recently redundant servers without first securely erasing their contents.

[Suman]

... if you use Yahoo Chat, or any number of other services that expose your email, that is to be expected.

 

The email address was a disposable one I created specifically for the piriform forum (see attachment on first post). I've never used it to send an email so it has never been exposed to anyone by myself. It's not in my email contacts list either , (as I've never sent a message using it), so contact-list-harvesting wouldn't explain how spammers got it either.

[Nergal]

my guess is that, if you look at the header it may confirm this, the email was sent to a number of addresses at the same isp. These addresses are usually contiguous usernames, it may well be that this is just a happenstance-based hit on a mass send.

 

 

[Super Fast]

The email address was a disposable one I created specifically for the piriform forum (see attachment on first post). I've never used it to send an email so it has never been exposed to anyone by myself. It's not in my email contacts list either , (as I've never sent a message using it), so contact-list-harvesting wouldn't explain how spammers got it either.

 

As Nergal states above, it is probably resultant from mass emailings.

 

There are 2 ways it can happen.

 

1) Using a program to scan for anything on the web with @ in it to harvest email addresses & save as plain text for mass email programs to bulk e-mail.

2) Using a random generator that generates random email addresses & sends emails to every possible letter/number combination up to a certain length.

[Suman]

my guess is that, if you look at the header it may confirm this, the email was sent to a number of addresses at the same isp. These addresses are usually contiguous usernames ...

 

I've attached part of the full header to this post, there are no other similar addresses on it, just the one I created for this forum, which I have never used to send an email, nor have I posted it anywhere other than the registration form for this forum.

 

... 2) Using a random generator that generates random email addresses & sends emails to every possible letter/number combination up to a certain length.

 

Hopefully it is just a random fluke coincidence, otherwise there is a leak of data somewhere.

 

 

[ BTW the email was apparently from a revolutionary political organisation, so they're probably not above doing something illegal to further their cause, e.g. hacking databases ]

[Super Fast]

There are also a few other possibilities.

 

1) They have (or have had) a member with that name in their database, therefore you are targeted. Deleted Yah email names recycle after a period of time.

2) They are targeting IP addresses of a similar range.

 

If this helps, I saw this about that IP:

 

74.122.121.162

 

The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server and bad web host.

Below we've reported some other data associated with this IP. This interrelated data helps map spammers' networks and aids in law enforcement efforts.

 

Honey pots are computers set up to trick spammers & aid in catching them.

[Nergal]

based on the from you were definitely hit by some sort of mass mailer, the domain in in use by a (and this term is used with ethereal looseness)"group" of hacker and script-kids

based on the header you attached it was indeed a mass-mailer (says so right there)

based on the fact that you used a throw away email I'd look in the direction of those servers unless you are in charge of the domain for which you've used.

 

also interesting though I have no headers to compare to whether your server does the same for all

http://www.openspf.org/SPF_Received_Header

 

as well it should be said that's not the full header so I can only educated-ly guess, and if indeed it is anonymous based (which may or not be likely) it is unlikely any answer can ever be guaranteed.

Edited September 24, 2012 by Nergal
added information

[Suman]

... based on the fact that you used a throw away email I'd look in the direction of those servers

 

If someone has hacked my email provider to obtain addresses to spam, why should they choose a disposable email account which has been unused for over a year, rather than more recent disposable email, or better still use my primary email ?.

 

[ a quick Google reveals this particular spam email is not specific to my email provider, e.g. header posted here ...

http://pastebin.com/YJiDrq4Y ]

[Nergal]

yeah, I'm still going with the mass send using a random character range address generator. I'd assume like one of my my mail hosts (earthlink) that O2.pl (a well know isp email provider) gets hit with these fairly often

[Corona]

Earthlink? Wow, that brings me back.

[Nergal]

lol

I keep it, funny enough, because of it's friggin' awesome spamblocker which I've yet to find better

[everthewatcher]

I got exactly the same spam email, and just like the OP it was sent to a unique address (piriform.mail@mydomain) that used to register here back in April this year.

 

So I'd say the address list has been leaked or hacked.

[Suman]

I got exactly the same spam email, and just like the OP it was sent to a unique address (piriform.mail@mydomain) that used to register here back in April this year.

 

So I'd say the address list has been leaked or hacked.

 

 

“ piriform.mail ” is guessable with a dictionary attack, (both words in dictionary).

Maybe the spammers have done the numbers-for-letters thing too: I (the OP) used “p1r14m” (piriform) as part of the email address.

[everthewatcher]

@suman

If that were the case I'd be getting loads of spam to randomword.randomword@mydomain addresses but I don't. But I did get the same spam as you sent to the unique address used just once to sign up to this forum in April this year.

 

The reason is simple - the data has been leaked, hacked or sold. What do the moderators have to say?

[Andavari]

The reason is simple - the data has been leaked, hacked or sold. What do the moderators have to say?

 

We are not of any official capacity on here because we don't work for Piriform so we couldn't tell you what's going on, and we're only regular volunteers like everybody else that posts on here - i.e.; in the dark like everyone else is.

[TheWebAtom]

The reason is simple - the data has been leaked, hacked or sold. What do the moderators have to say?

 

I doubt it. Lets look at this logically for a second.

 

- The forum has ~48,000 registered members; you can currently buy email addresses at 0.40c/1000, which means that whoever sold them would be ~$19 richer. Hardly worth the effort.

- If the database was compromised there are far more interesting things that the hacker could do than send email spam. Think rainbow tables, birthday attacks and SQLi fun.

- If the email database table (or a dump of said table) had been leaked; this would be a far more common issue. There are ~47,998 who have not received this spam message. That's 99.9958% of the userbase unaffected.

 

I think this needs to be attributed to some sort of cryptographic anomaly and left to die. (There is another possibility to explain this; but it's a little far fetched. Perhaps the domain that your email addresses use at some point transverses a poisoned DNS server; which is extracting email information from the SMTP packet header and using them for spam. Now that would be worth talking about!)

[Alan_B]

Sorry

 

I did not understand the basis for conclusion I commented on.

[TheWebAtom]

Alan, mydomain.com is obviously a placeholder for a domain name that he owns. They won't actually work. If you own a custom domain (such as mydomain.com) you can create as many prefixes as you want.

[Alan_B]

Alan, mydomain.com is obviously a placeholder for a domain name that he owns. They won't actually work. If you own a custom domain (such as mydomain.com) you can create as many prefixes as you want.

You may be correct.

It is a possibility I had not considered.

Suman stated "The email address was a disposable one"

EvertheWatcher did not indicate that he did otherwise.

[Nergal]

yes Alan,I am 100% sure that they were using placeholders

so

1) they didn't get more spam

2) understand that the exact emails are not needed for this discussion

[qsdewa]

I got spam too from anonymous@operationjubilee.in but with no content at all. The mail was in Junk-E-Mail folder. In the subject is something about protests in greece.