Bay 12 Games Forum

Please login or register.

Login with username, password and session length
Advanced search  

Author Topic: domain abused to send spam (huh?)  (Read 1104 times)

zwei

  • Bay Watcher
  • [ECHO][MENDING]
    • View Profile
    • Fate of Heroes
domain abused to send spam (huh?)
« on: July 07, 2010, 01:15:14 am »

So, I go this curious email:

from   qezetn@dwxjhn.com <toadyone@bay12games.com>
reply-to   qezetn@dwxjhn.com
to   (my email)
date   7 July 2010 02:52
subject   qFAVluhxQPtGrQJV
mailed-by   bay12forums.com
   
Code: [Select]
9Cw2Ln  <a href="http://iwqmcffcfwzr.com/">iwqmcffcfwzr</a>, [url=http://gfiketnbzvwx.com/]gfiketnbzvwx[/url], [link=http://grruyjobnalo.com/]grruyjobnalo[/link], http://mvffwwowtnus.com/
Anyone got something similar?

I get feeling that there is some security slip-up, or did Creator just go mad?

smjjames

  • Bay Watcher
    • View Profile
Re: domain abused to send spam (huh?)
« Reply #1 on: July 07, 2010, 01:55:28 am »

Just checked myself and don't see anything. Should alert Toady as to whats going on with this though.
Logged

Googolplexed

  • Bay Watcher
  • My avatar is of whitespace, Not the firefox logo
    • View Profile
Re: domain abused to send spam (huh?)
« Reply #2 on: July 07, 2010, 03:27:55 am »

Changing a couple of headers can make an email appear like it was send from anywhere
If you post the rest of the header info (if you can get it) then you might be able to see where it was actually sent from
Logged

zwei

  • Bay Watcher
  • [ECHO][MENDING]
    • View Profile
    • Fate of Heroes
Re: domain abused to send spam (huh?)
« Reply #3 on: July 07, 2010, 03:42:27 am »

Changing a couple of headers can make an email appear like it was send from anywhere
If you post the rest of the header info (if you can get it) then you might be able to see where it was actually sent from

Here it is:

Code: [Select]
Delivered-To: (my email)
Received: by 10.100.96.6 with SMTP id t6cs137686anb;
        Tue, 6 Jul 2010 17:52:54 -0700 (PDT)
Received: by 10.220.75.200 with SMTP id z8mr2936364vcj.57.1278463973839;
        Tue, 06 Jul 2010 17:52:53 -0700 (PDT)
Return-Path: <www-data@bay12forums.com>
Received: from mail.bay12forums.com (bay12forums.com [97.107.128.126])
        by mx.google.com with ESMTP id d38si4237722vcm.105.2010.07.06.17.52.53;
        Tue, 06 Jul 2010 17:52:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of www-data@bay12forums.com designates 97.107.128.126 as permitted sender) client-ip=97.107.128.126;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of www-data@bay12forums.com designates 97.107.128.126 as permitted sender) smtp.mail=www-data@bay12forums.com
Received: by mail.bay12forums.com (Postfix, from userid 33)
id 6B7F0146007; Tue,  6 Jul 2010 17:52:53 -0700 (PDT)
To: (my email)
Subject: qFAVluhxQPtGrQJV
From: "qezetn@dwxjhn.com" <toadyone@bay12games.com>
Reply-To: <qezetn@dwxjhn.com>
Date: Wed, 07 Jul 2010 00:52:53 -0000
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-027ec1d2c280752fec11da5a0aa4f8d1"
Content-Transfer-Encoding: 7bit
Message-Id: <20100707005253.6B7F0146007@mail.bay12forums.com>


9Cw2Ln  <a href="http://iwqmcffcfwzr.com/">iwqmcffcfwzr</a>, [url=http://gfiketnbzvwx.com/]gfiketnbzvwx[/url], [link=http://grruyjobnalo.com/]grruyjobnalo[/link], http://mvffwwowtnus.com/
--SMF-027ec1d2c280752fec11da5a0aa4f8d1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

9Cw2Ln  <a href="http://iwqmcffcfwzr.com/">iwqmcffcfwzr</a>, [url=http://gfiketnbzvwx.com/]gfiketnbzvwx[/url], [link=http://grruyjobnalo.com/]grruyjobnalo[/link], http://mvffwwowtnus.com/
--SMF-027ec1d2c280752fec11da5a0aa4f8d1--

Seems like it was not just forged header...

Toady One

  • The Great
    • View Profile
    • http://www.bay12games.com
Re: domain abused to send spam (huh?)
« Reply #4 on: July 07, 2010, 09:58:57 am »

There was a problem a while ago with a guy making an account and then using the email button next to members' names to send them spam.  Those emails come from bay12forums.com because the forum sends them.  To prevent getting those, you'd have to go into your profile and make yourself un-emailable.  That time, the "qezetn@dwxjhn.com" part let me find out who it was and ban them.  This time, I can't find a member with that name/email, so they were either one of the several spammers whose accounts I deleted today, or it is indeed a security problem that allows people to send mail from my server.  At this point I don't know which one.

edit:
The last one looked like this:
Code: [Select]

Delivered-To: <email>
Return-Path: <www-data@bay12forums.com>
Received: from mail.bay12forums.com (bay12forums.com [97.107.128.126])
Received-SPF: pass (google.com: best guess record for domain of www-data@bay12forums.com designates 97.107.128.126 as permitted sender) client-ip=97.107.128.126;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of www-data@bay12forums.com designates 97.107.128.126 as permitted sender) smtp.mail=www-data@bay12forums.com
Received: by mail.bay12forums.com (Postfix, from userid 33)
  id 4BF30146007; Sat, 19 Jun 2010 01:44:35 -0700 (PDT)
To: <email>
Subject: hi
From: "elody002@yahoo.cn" <toadyone@bay12games.com>
Reply-To: <elody002@yahoo.cn>
Date: Sat, 19 Jun 2010 08:44:35 -0000
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-87f18405698de29a03460206963dadfc"
Content-Transfer-Encoding: 7bit
Message-Id: <20100619084435.4BF30146007@mail.bay12forums.com>
« Last Edit: July 07, 2010, 10:07:59 am by Toady One »
Logged
The Toad, a Natural Resource:  Preserve yours today!

smjjames

  • Bay Watcher
    • View Profile
Re: domain abused to send spam (huh?)
« Reply #5 on: July 07, 2010, 10:07:55 am »

Hopefully that particular one was an isolated case, but spammers are sometimes just another sub-species of troll, so..... you know.
Logged

Toady One

  • The Great
    • View Profile
    • http://www.bay12games.com
Re: domain abused to send spam (huh?)
« Reply #6 on: July 07, 2010, 10:14:42 am »

I guess there's a third possibility -- that the member changed their email and is still active.  As far as I know, that would make this sort of thing fairly difficult to detect.
Logged
The Toad, a Natural Resource:  Preserve yours today!

eerr

  • Bay Watcher
    • View Profile
Re: domain abused to send spam (huh?)
« Reply #7 on: July 07, 2010, 03:30:28 pm »

static emails?
Logged

Qmarx

  • Bay Watcher
  • "?"
    • View Profile
Re: domain abused to send spam (huh?)
« Reply #8 on: July 09, 2010, 11:48:59 am »

I'm really not certain how useful the "email to user" feature is - it might be a good idea just to disable it by default, and not let anyone use it who has less than, say, 10 posts
Logged