Bay 12 Games Forum


Author Topic: domain abused to send spam (huh?)  (Read 1103 times)

zwei

  • Bay Watcher
  • [ECHO][MENDING]
    • Fate of Heroes
domain abused to send spam (huh?)
« on: July 07, 2010, 01:15:14 am »

So, I got this curious email:

from   qezetn@dwxjhn.com <toadyone@bay12games.com>
reply-to   qezetn@dwxjhn.com
to   (my email)
date   7 July 2010 02:52
subject   qFAVluhxQPtGrQJV
mailed-by   bay12forums.com
   
Code: [Select]
9Cw2Ln  <a href="http://iwqmcffcfwzr.com/">iwqmcffcfwzr</a>, [url=http://gfiketnbzvwx.com/]gfiketnbzvwx[/url], [link=http://grruyjobnalo.com/]grruyjobnalo[/link], http://mvffwwowtnus.com/
Anyone got something similar?

I get the feeling that there is some security slip-up, or did the Creator just go mad?

smjjames

  • Bay Watcher
Re: domain abused to send spam (huh?)
« Reply #1 on: July 07, 2010, 01:55:28 am »

Just checked myself and don't see anything. Should alert Toady as to what's going on with this though.

Googolplexed

  • Bay Watcher
  • My avatar is of whitespace, Not the firefox logo
Re: domain abused to send spam (huh?)
« Reply #2 on: July 07, 2010, 03:27:55 am »

Changing a couple of headers can make an email appear like it was sent from anywhere.
If you post the rest of the header info (if you can get it) then you might be able to see where it was actually sent from.

zwei

  • Bay Watcher
  • [ECHO][MENDING]
    • Fate of Heroes
Re: domain abused to send spam (huh?)
« Reply #3 on: July 07, 2010, 03:42:27 am »

Changing a couple of headers can make an email appear like it was sent from anywhere.
If you post the rest of the header info (if you can get it) then you might be able to see where it was actually sent from.

Here it is:

Code: [Select]
Delivered-To: (my email)
Received: by 10.100.96.6 with SMTP id t6cs137686anb;
        Tue, 6 Jul 2010 17:52:54 -0700 (PDT)
Received: by 10.220.75.200 with SMTP id z8mr2936364vcj.57.1278463973839;
        Tue, 06 Jul 2010 17:52:53 -0700 (PDT)
Return-Path: <www-data@bay12forums.com>
Received: from mail.bay12forums.com (bay12forums.com [97.107.128.126])
        by mx.google.com with ESMTP id d38si4237722vcm.105.2010.07.06.17.52.53;
        Tue, 06 Jul 2010 17:52:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of www-data@bay12forums.com designates 97.107.128.126 as permitted sender) client-ip=97.107.128.126;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of www-data@bay12forums.com designates 97.107.128.126 as permitted sender) smtp.mail=www-data@bay12forums.com
Received: by mail.bay12forums.com (Postfix, from userid 33)
        id 6B7F0146007; Tue,  6 Jul 2010 17:52:53 -0700 (PDT)
To: (my email)
Subject: qFAVluhxQPtGrQJV
From: "qezetn@dwxjhn.com" <toadyone@bay12games.com>
Reply-To: <qezetn@dwxjhn.com>
Date: Wed, 07 Jul 2010 00:52:53 -0000
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-027ec1d2c280752fec11da5a0aa4f8d1"
Content-Transfer-Encoding: 7bit
Message-Id: <20100707005253.6B7F0146007@mail.bay12forums.com>


9Cw2Ln  <a href="http://iwqmcffcfwzr.com/">iwqmcffcfwzr</a>, [url=http://gfiketnbzvwx.com/]gfiketnbzvwx[/url], [link=http://grruyjobnalo.com/]grruyjobnalo[/link], http://mvffwwowtnus.com/
--SMF-027ec1d2c280752fec11da5a0aa4f8d1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

9Cw2Ln  <a href="http://iwqmcffcfwzr.com/">iwqmcffcfwzr</a>, [url=http://gfiketnbzvwx.com/]gfiketnbzvwx[/url], [link=http://grruyjobnalo.com/]grruyjobnalo[/link], http://mvffwwowtnus.com/
--SMF-027ec1d2c280752fec11da5a0aa4f8d1--

Seems like it was not just a forged header...

Toady One

  • The Great
    • http://www.bay12games.com
Re: domain abused to send spam (huh?)
« Reply #4 on: July 07, 2010, 09:58:57 am »

There was a problem a while ago with a guy making an account and then using the email button next to members' names to send them spam.  Those emails come from bay12forums.com because the forum sends them.  To prevent getting those, you'd have to go into your profile and make yourself un-emailable.  That time, the "qezetn@dwxjhn.com" part let me find out who it was and ban them.  This time, I can't find a member with that name/email, so they were either one of the several spammers whose accounts I deleted today, or it is indeed a security problem that allows people to send mail from my server.  At this point I don't know which one.

edit:
The last one looked like this:
Code: [Select]

Delivered-To: <email>
Return-Path: <www-data@bay12forums.com>
Received: from mail.bay12forums.com (bay12forums.com [97.107.128.126])
Received-SPF: pass (google.com: best guess record for domain of www-data@bay12forums.com designates 97.107.128.126 as permitted sender) client-ip=97.107.128.126;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of www-data@bay12forums.com designates 97.107.128.126 as permitted sender) smtp.mail=www-data@bay12forums.com
Received: by mail.bay12forums.com (Postfix, from userid 33)
  id 4BF30146007; Sat, 19 Jun 2010 01:44:35 -0700 (PDT)
To: <email>
Subject: hi
From: "elody002@yahoo.cn" <toadyone@bay12games.com>
Reply-To: <elody002@yahoo.cn>
Date: Sat, 19 Jun 2010 08:44:35 -0000
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-87f18405698de29a03460206963dadfc"
Content-Transfer-Encoding: 7bit
Message-Id: <20100619084435.4BF30146007@mail.bay12forums.com>
« Last Edit: July 07, 2010, 10:07:59 am by Toady One »
The Toad, a Natural Resource:  Preserve yours today!
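
The headers posted in Reply #3 can be read mechanically to tell a forged From header apart from mail that the forum server itself generated. The following is an added example, not part of the original thread and not SMF code; the function and key names are illustrative, and the sample is a constructed subset of the headers posted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed input: a subset of the headers posted in Reply #3.
SAMPLE = """\
Return-Path: <www-data@bay12forums.com>
Received: from mail.bay12forums.com (bay12forums.com [97.107.128.126])
        by mx.google.com with ESMTP id d38si4237722vcm.105.2010.07.06.17.52.53;
        Tue, 06 Jul 2010 17:52:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of www-data@bay12forums.com designates 97.107.128.126 as permitted sender) client-ip=97.107.128.126;
Received: by mail.bay12forums.com (Postfix, from userid 33)
        id 6B7F0146007; Tue,  6 Jul 2010 17:52:53 -0700 (PDT)
From: "qezetn@dwxjhn.com" <toadyone@bay12games.com>
Reply-To: <qezetn@dwxjhn.com>
X-Mailer: SMF

(body omitted)
"""

def domain(addr):
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Summarise where a message entered the mail system and how it presents itself."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    hops = msg.get_all("Received") or []
    # Headers are prepended in transit, so the last Received is the first hop.
    local = re.match(r"by (\S+) \(Postfix, from userid (\d+)\)", hops[-1]) if hops else None
    ip = next((m.group(1) for h in hops if (m := re.search(r"\[([0-9a-fA-F.:]+)\]", h))), None)
    return {
        "origin_host": local.group(1) if local else None,
        "origin_uid": int(local.group(2)) if local else None,  # local process, not an SMTP relay
        "sending_ip": ip,  # address recorded by the receiving MX
        "spf": (msg.get("Received-SPF") or "none").split()[0].lower(),  # envelope sender only
        "envelope_domain": domain(envelope),
        "from_matches_envelope": domain(from_addr) == domain(envelope),
        "display_name_is_other_address": "@" in display and display.lower() != from_addr.lower(),
        "reply_to_diverted": bool(reply_to) and domain(reply_to) != domain(from_addr),
        "mailer": msg.get("X-Mailer"),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:32} {value}")
```

A non-empty `origin_host` together with `spf` of `pass` means the message was submitted by a process on the server itself; the SPF result says nothing about the visible From address, which here sits in a different domain from the envelope sender.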

smjjames

  • Bay Watcher
Re: domain abused to send spam (huh?)
« Reply #5 on: July 07, 2010, 10:07:55 am »

Hopefully that particular one was an isolated case, but spammers are sometimes just another sub-species of troll, so..... you know.

Toady One

  • The Great
    • http://www.bay12games.com
Re: domain abused to send spam (huh?)
« Reply #6 on: July 07, 2010, 10:14:42 am »

I guess there's a third possibility -- that the member changed their email and is still active.  As far as I know, that would make this sort of thing fairly difficult to detect.
The Toad, a Natural Resource:  Preserve yours today!

eerr

  • Bay Watcher
Re: domain abused to send spam (huh?)
« Reply #7 on: July 07, 2010, 03:30:28 pm »

static emails?

Qmarx

  • Bay Watcher
  • "?"
Re: domain abused to send spam (huh?)
« Reply #8 on: July 09, 2010, 11:48:59 am »

I'm really not certain how useful the "email to user" feature is - it might be a good idea just to disable it by default, and not let anyone use it who has less than, say, 10 posts.