SMF Support > SMF 2.0.x Support
Weird E-Mail spam to members of my forum
cgallery:
Running 2.0.2
Got a PM from a user of my SMF forum this morning. He had received an E-Mail from me that was some sort of spam (with links that don't go anywhere). Interestingly enough, I had received a similar E-Mail from myself a few days ago, but chalked it up to spammers sometimes using your own E-Mail address as the from. Anyway, when he told me he had received one, I realized the only thing he and I have in common is that we're both members of my forum.
I've included the message source for the E-Mail he received below. I have made consistent edits to change the E-Mail addresses and domains involved. But I was consistent in my changes throughout the message source.
The E-Mail we both received was garbage. The links were invalid. But I'm wondering if someone is beginning to figure out an SMF vulnerability? Or is this something else? Any ideas where to start looking?
Thanks!
Phil
From - Thu Aug 02 08:49:51 2012
X-Account-Key: account1
X-UIDL: 19603-1157667445
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Content-Type: text/plain;
charset="iso-8859-1"
Return-Path: <phi@cgaller.com>
Content-Transfer-Encoding: 7bit
Received: from mmp0-v0.bendbroadband.net ([192.168.17.141]) by msgs1.bendbroadband.net (Sun Java System Messaging Server 6.2-7.04 (built Aug 17 2006)) with ESMTP id <0M84002RMWUWF180@msgs1.bendbroadband.net> for tpde@bencable.com; Thu, 02 Aug 2012 08:40:08 -0700 (PDT)
Received: from c650-1.noc.benbroadband.com ([192.168.17.146]) by s1mq0.benbroadband.net (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) with ESMTP id <0M8400LYKX1BR920@s1mq0.benbroadband.net> for tpde@bencable.com (ORCPT tpde@bencable.com); Thu, 02 Aug 2012 08:44:06 -0700 (PDT)
Received: from mail.tichapmanministries.com (HELO ns56.webmasters.com) ([66.230.220.200]) by c650-1.noc.benbroadband.com with SMTP; Thu, 02 Aug 2012 08:44:05 -0700
Received: (qmail 23017 invoked by uid 2526); Thu, 02 Aug 2012 15:43:45 +0000
Date: Thu, 02 Aug 2012 15:43:45 +0000
From: "gsgkqm@eexoot.com" <phi@cgaller.com>
Subject: tRMLjBklXxXnfKWTRT
X-SpamFlt-Status: Not Detected
X-KASFlt-Status: Lua profiles 35274 [Aug 02 2012]
X-KASFlt-Status: Rate: 0
X-KASFlt-Status: Status: not_detected
X-KASFlt-Status: Method: none
X-KASFlt-Status: Version: 5.0.1
X-SpamFlt-Phishing: Not Detected
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609
To: <tpde@bencable.com>
Reply-To: <gsgkqm@eexoot.com>
Message-ID: <20120802154345.23013.qmail@ns56.webmasters.com>
MIME-Version: 1.0
X-Mailer: SMF
Authentication-Results: c650-1.noc.benbroadband.com; dkim=neutral (message not signed) header.i=none
Received-SPF: None (c650-1.noc.benbroadband.com: no sender authenticity information available from domain of phi@cgaller.com) identity=pra; client-ip=66.230.220.200; receiver=c650-1.noc.benbroadband.com; envelope-from="phi@cgaller.com"; x-sender="phi@cgaller.com"; x-conformance=sidf_compatible
Received-SPF: Pass (c650-1.noc.benbroadband.com: domain of phi@cgaller.com designates 66.230.220.200 as permitted sender) identity=mailfrom; client-ip=66.230.220.xxx; receiver=c650-1.noc.benbroadband.com; envelope-from="phi@cgaller.com"; x-sender="phi@cgaller.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"
Received-SPF: None (c650-1.noc.bendbroadband.com: no sender authenticity information available from domain of postmaster@ns56.webmasters.com) identity=helo; client-ip=66.230.220.xxx; receiver=c650-1.noc.benbroadband.com; envelope-from="phi@cgaller.com"; x-sender="postmaster@ns56.webmasters.com"; x-conformance=sidf_compatible
X-Cloudmark-SP-Filtered: true
X-Cloudmark-SP-Result: v=1.1 cv=y0zQAPOssad0jT3MQoRBE0Twb/cYy7/vT9zoQXdJ1+k= c=1 sm=1 a=PP_YKxf0_hQA:10 a=QBjFdofbnPoA:10 a=LxDXLqCVAHsA:10 a=AjZ/6lLzmpwAaqqFYfTfYw==:17 a=pviSs9pIAAAA:8 a=ioegJCa9AAAA:8 a=jsLzB_QjAAAA:8 a=vcWJOPMYAAAA:8 a=cO7zPziZCamBTGQT_isA:9 a=wPNLvfGTeEIA:10 a=HpAAvcLHHh0Zw7uRqdWCyQ==:117
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgMPAGmfGlBC5tzIX2dsb2JhbABFgyykfYgSh04EgRceTQQ/gwSBAYg6m0mGTpsmgkKJTYMigxwDlUYBgRSRWA
X-IronPort-AV: E=Sophos;i="4.77,701,1336374000"; d="scan'208";a="78988406"
Original-recipient: rfc822;tpde@bencable.com
Storman™:
No idea! But make sure your email on the server isn't set up as an open relay:
What is an Open Relay?
Also, check the obvious, like that their email address isn't publicly visible on the forum. I had a member query something similar once, only to find out that they had put their email address in a post, which subsequently got spammed to hell.
cgallery:
Not an open relay, and the ISP verified that the E-Mail originated from the machine on which I host SMF.
So seeing as the E-Mail was from ME (the site's admin) and was to a participant of the forum, and was sent via the same server on which SMF runs, I'm thinking there may be a security hole somewhere in the way I have SMF configured, or in SMF itself.
Have to do more research.
Arantor:
What was the content of the email?
Is there anything else installed on the same server? Any other hosting accounts? What mods do you have?
There are still a *lot* of possibilities before throwing around 'vulnerability in SMF' as an accusation.
cgallery:
--- Quote from: Arantor on August 03, 2012, 03:05:36 PM ---What was the content of the email?
Is there anything else installed on the same server? Any other hosting accounts? What mods do you have?
There are still a *lot* of possibilities before throwing around 'vulnerability in SMF' as an accusation.
--- End quote ---
Here is the E-Mail I had received:
*****
From: Phil Thien
Subject: Deovfqwozk
Reply to: czdact@yfgtnh.com
To: Phil Thien
R5LK8o <a href="http://dmcmawffbngt.com/">dmcmawffbngt</a>, xgftalbttpdq,
[link=http://rctmyqdnzhyt.com/]rctmyqdnzhyt[/link], http://rmqgzgngepdj.com/
*****
The only mod I have is "Stop Forum Spam 1.0."
The site is hosted by Webmasters, I know for a fact that there are other sites hosted on the same server.
Not casting accusations. But the to/froms are members of the forum, and don't exist in the same universe anywhere else. And also because the mail originated on the same server where the to/from members exist, and the forum is hosted.
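The message source in the first post already carries the signals this thread ends up arguing about: the earliest Received hop (the hosting box, HELO ns56.webmasters.com), a qmail "invoked by uid" line meaning the message was injected locally on that host rather than relayed in from elsewhere, X-Mailer: SMF, a Reply-To at a different domain from the From, and an SPF pass for the sending IP. As an added example that is not part of the thread, this Python script pulls exactly those facts out of a message source so an admin can check them instead of eyeballing the headers; the sample is a constructed, trimmed copy of the posted headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the headers quoted in the thread
# (the addresses and domains are the poster's own edited placeholders).
SAMPLE = """\
Return-Path: <phi@cgaller.com>
Received: from mmp0-v0.bendbroadband.net ([192.168.17.141]) by msgs1.bendbroadband.net with ESMTP; Thu, 02 Aug 2012 08:40:08 -0700 (PDT)
Received: from c650-1.noc.benbroadband.com ([192.168.17.146]) by s1mq0.benbroadband.net with ESMTP; Thu, 02 Aug 2012 08:44:06 -0700 (PDT)
Received: from mail.tichapmanministries.com (HELO ns56.webmasters.com) ([66.230.220.200]) by c650-1.noc.benbroadband.com with SMTP; Thu, 02 Aug 2012 08:44:05 -0700
Received: (qmail 23017 invoked by uid 2526); Thu, 02 Aug 2012 15:43:45 +0000
From: "gsgkqm@eexoot.com" <phi@cgaller.com>
Reply-To: <gsgkqm@eexoot.com>
To: <tpde@bencable.com>
X-Mailer: SMF
Received-SPF: Pass (c650-1.noc.benbroadband.com: domain of phi@cgaller.com designates 66.230.220.200 as permitted sender) identity=mailfrom

(body omitted)
"""

RECV_RE = re.compile(r'from\s+(\S+)(?:\s+\(HELO\s+([^)]+)\))?\s+\(?\[?(\d{1,3}(?:\.\d{1,3}){3})')
LOCAL_RE = re.compile(r'\(qmail \d+ invoked by uid (\d+)\)')  # qmail: injected locally, not from the network
SPF_RE = re.compile(r'(\w+)\s*\(.*?\)\s*identity=(\w+)', re.S)

def triage(raw):
    """Pull out the facts that decide whether the mail really left the forum's own host."""
    msg = message_from_string(raw)
    hops = msg.get_all('Received') or []
    origin = None
    # Each relay prepends its own Received header, so the last one is the earliest hop.
    for hop in reversed(hops):
        m = RECV_RE.search(hop)
        if m:
            origin = {'host': m.group(1), 'helo': m.group(2), 'ip': m.group(3)}
            break
    local = [m.group(1) for h in hops for m in [LOCAL_RE.search(h)] if m]
    from_name, from_addr = parseaddr(msg.get('From', ''))
    reply_to = parseaddr(msg.get('Reply-To', ''))[1]
    spf = {m.group(2): m.group(1).lower()
           for h in msg.get_all('Received-SPF') or [] for m in [SPF_RE.search(h)] if m}
    return {
        'origin': origin,                           # earliest hop that names a host and IP
        'local_uid': local[0] if local else None,   # set when the MTA was invoked on that host
        'from': from_addr,
        'reply_to': reply_to,
        'display_name_is_address': '@' in from_name,  # display name posing as a different address
        'reply_to_mismatch': reply_to.split('@')[-1] != from_addr.split('@')[-1],
        'x_mailer': msg.get('X-Mailer'),
        'spf': spf,
    }
```

A local uid on the origin host plus X-Mailer: SMF points the investigation at whatever ran on that server under that uid (the forum's mail code, or another account on a shared box), which is exactly the question Arantor raises about other hosting accounts and mods.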