Alert - This site's members' email addresses leaked - Expect incoming SPAM!

Started by basys, May 29, 2011, 09:46:45 AM


basys

Hi Folks

A heads-up to admins and members.
simplemachines.org/community site's members' email addresses have somehow leaked out.



As of this morning, 29/05/2011,
I've started receiving spam
addressed to an inbox exclusive to this website.



For every forum I sign up to
I use a new unique email address exclusive to that forum.

That exclusive address is never used again,
not even in communications with that forum's members.

Doing so allows for easy tracing of spam, etc.



HTH
ATB
Paul

Illori

well your email address is public so users of this forum can send you messages to your email account. do you have any other basis that other users have received the same emails?

basys

Hi Folks

Illori -
Am I misunderstanding SMF's email implementation entirely? :-\



Are you saying anyone logged in here can see my email address?

That's anyone, and not just elevated-privilege users (mods, admins, etc.).



If so,
since when did this become default behaviour? :)

IIRC, all addresses were by default hidden.

Or was it an upgrade/migration failure? :)



Related -
What's happened to the option -
Profile - Account Related Settings - Hide email address from public?



If I click on your email icon,
I only see your username
I never see your email address.

Unless you reply to me,
or if I'd CC/BCC it to myself.



ATB
Paul

Illori

once you click on your email letter in your profile you can then email someone from the forum interface as your email address is not hidden from public.

Thantos

Quote from: Illori on May 29, 2011, 03:26:46 PM
once you click on your email letter in your profile you can then email someone from the forum interface as your email address is not hidden from public.
Using that option doesn't show their email address (in fact it was the reason that feature went in).  Now if they received an email through that system and then responded to it then it would be out.

basys

Hi Folks

Illori -
Thanks for your prompt reply,
but it tells me nothing. ;D



Quote
If I click on your email icon,
I only see your username
I never see your email address.

i.e.
The forum emailing interface
does not display the recipient's email address.

Also confirmed against ~ 30 members here,
none displayed their email address.



Quote
What's happened to the option -
Profile - Account Related Settings - Hide email address from public?

Has that been relabelled as - Allow users to email me?

They mean very different things.




EDIT -
Thantos, cheers,
that's what I'd always expected/thought.



Many thanks
ATB
Paul

Illori

Quote from: Thantos on May 29, 2011, 03:46:42 PM
Quote from: Illori on May 29, 2011, 03:26:46 PM
once you click on your email letter in your profile you can then email someone from the forum interface as your email address is not hidden from public.
Using that option doesn't show their email address (in fact it was the reason that feature went in).  Now if they received an email through that system and then responded to it then it would be out.

that is the same as what I said just in different words.

basys

Hi Folks

Quote from: Illori on May 29, 2011, 04:49:14 PM
Quote from: Thantos on May 29, 2011, 03:46:42 PM
Quote from: Illori on May 29, 2011, 03:26:46 PM
once you click on your email letter in your profile you can then email someone from the forum interface as your email address is not hidden from public.
Using that option doesn't show their email address (in fact it was the reason that feature went in).  Now if they received an email through that system and then responded to it then it would be out.

that is the same as what I said just in different words.
Illori -
Different words, different order,
and entirely different, exactly opposite meanings. ;D



So back to my original query -

You can only see your own email address,
You cannot see the recipient's email address,

So how did the spammer obtain my SMF-exclusive email address?



Most people aren't going to have exclusive addresses,
therefore not notice a rise in spam,
or be able to attribute it specifically originating from SMF sources.



Many thanks
ATB
Paul

Herman's Mixen

You use MKportal which is closed as a project and you use the old crappy RC candidate of MKportal I think that's your problem coz no bugfixes will be done ever for that !!

With kind regards, The Burglar!

House Mixes | Mixcloud | Any Intelligent fool can make things bigger, more complex, and more violent.
It takes a touch of genius - and a lot of courage - to move in the opposite direction. - Albert Einstein

Former Godfather of our dutch community ;)

Thantos

Quote from: Illori on May 29, 2011, 04:49:14 PM
Quote from: Thantos on May 29, 2011, 03:46:42 PM
Quote from: Illori on May 29, 2011, 03:26:46 PM
once you click on your email letter in your profile you can then email someone from the forum interface as your email address is not hidden from public.
Using that option doesn't show their email address (in fact it was the reason that feature went in).  Now if they received an email through that system and then responded to it then it would be out.

that is the same as what I said just in different words.
Not in any way. You implied that the user's email address got out because of the feature. But that may only be true if they sent an email to another person or responded to an email, neither of which the OP said they did. As such one can't blame that feature for the email address getting out.

青山 素子

The quickest way to see whether the mail was sent through the forum's feature or directly is to check the mail headers and see the lines with "received" in them. The lowest one is the first, and as they go up, it tracks delivery through servers. If the origin is a simplemachines.org server, it's probably the e-mail form here. If it is not, then it isn't.

Even if it wasn't sent through this site, that does not mean for sure that any kind of leak occurred on the simplemachines.org side (it also doesn't mean it didn't).
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
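An added example, not code from the thread or from SMF, of the bottom-up Received-header check described above: it parses a constructed message (hostnames, IPs and the forum-only alias are all made up), lists the hops in delivery order, and reports whether the earliest hop claims to come from a given domain.

```python
import re
from email import message_from_string

# Constructed sample message, not a real spam sample. The lowest Received
# header is the first hop, so delivery order is read bottom-up.
SAMPLE_MESSAGE = """\
Received: from mta.relay.example (mta.relay.example [203.0.113.5])
\tby mx.inbox.example with ESMTP id 9f2a; Sun, 29 May 2011 08:12:01 +0000
Received: from bulk-sender.example.net (unknown [198.51.100.9])
\tby mta.relay.example with SMTP; Sun, 29 May 2011 08:11:40 +0000
From: "Promo" <noreply@bulk-sender.example.net>
To: forum-only-alias@inbox.example
Subject: constructed sample

body
"""

# "from <host> ... by <host>" is the common shape of a Received header.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def received_hops(raw_message):
    """Return (from_host, by_host) per Received header, earliest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # get_all() returns headers top-down; reverse to get delivery order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        match = HOP_RE.search(flat)
        if match:
            hops.append((match.group(1).lower(), match.group(2).lower()))
    return hops


def origin_host(raw_message):
    """Host named in the earliest hop, or None if no Received header parsed."""
    hops = received_hops(raw_message)
    return hops[0][0] if hops else None


def originated_at(raw_message, domain):
    """True if the earliest hop claims to come from a host under `domain`.

    Caveat: only the Received lines added by your own mail servers are
    trustworthy; the sender controls everything below them and can forge it.
    """
    host = origin_host(raw_message)
    domain = domain.lower()
    return host is not None and (host == domain or host.endswith("." + domain))
```

Run `received_hops(SAMPLE_MESSAGE)` to see the two hops in order; `originated_at(SAMPLE_MESSAGE, "simplemachines.org")` is False for the sample, which is the "not via the forum" outcome the thread ends up with.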


SleePy

basys,

Could you please attach the message you received in an email and send it to [email protected].

Thanks :)
Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

basys

Hi Folks

Thanks for the followups.



SleePy -
Spam email forwarded as requested.



青山 素子 -
It was Illori's claim of my address visibility
that sidetracked us into the SMF emailer discussion. :)

The spam was sent from a Soviet Union domain,
and not via the SMF forum's user profile emailer.



The Burglar! -
As you're a burglar of long-standing,
maybe you could explain, (without giving away your trade secrets),
how old insecure doors and windows in one of my houses
allow you to steal The Crown Jewels from The Tower of London. ;D

Please go back and reread my posts.



My SMF-exclusive email address
is an inbound-only address,
and only existed in this forum's database.

Any replies I send,
all originate from a different email address.



I'm sure the admins here
would quickly spot a harvesting bot
that was PM'ing members,
and also cc/bcc'ing itself.



HTH
ATB
Paul

hcfwesker

I use an alternate email when registering to forums just for spam announcements, or instances like these.  Not worried at all.

but thanx for the heads up.

LiroyvH

Unless there is a bug in SMF that allows database access and/or seeing the email address in any way; our database systems are standalone and the public servers are secured in a way that allows us to monitor any access, even if it would be unauthorized. So, unless there is a bug: no security breach has occurred on our servers, especially not the database server: it is unreachable to the outside world.

I think this is purely because I have administrator rights, but when I hover over the "send email" button, I can see your email address. Unfortunately, I do not have a non-admin account anywhere at the moment to test it out :P

On a sidenote, I have another question for you which may explain this "leak" regarding the email address, which I will post in a PM for your privacy protection. :)
Expect one from me soon.

Thank you :)
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Thantos

Quote from: CoreISP on May 30, 2011, 12:02:15 PM
I think this is purely because I have administrator rights, but when I hover over the "send email" button, I can see your email address. Unfortunately, I do not have a non-admin account anywhere at the moment to test it out :P
It is. When I hover over it, it says "Email".

mashby

I've hovered over a few profiles with the email button enabled and don't see any email addresses displaying. When viewing my own profile, hovering over the email button shows my email address.
Always be a little kinder than necessary.
- James M. Barrie

ApplianceJunk


vesna42

I use an alternate email when registering to forums just for spam announcements, or instances like these.  Not worried at all.

but thanx for the heads up
