Weird E-Mail spam to members of my forum

Started by cgallery, August 03, 2012, 12:29:47 AM

cgallery

Running 2.0.2

Got a PM from a user of my SMF forum this morning.  He had received an E-Mail from me that was some sort of spam (with links that don't go anywhere).  Interestingly enough, I had received a similar E-Mail from myself a few days ago, but chalked it up to spammers sometimes using your own E-Mail address as the from.  Anyway, when he told me he had received one, I realized the only thing he and I have in common is that we're both members of my forum.

I've included the message source for the E-Mail he received below.  I have made consistent edits to change the E-Mail addresses and domains involved.  But I was consistent in my changes throughout the message source.

The E-Mail we both received was garbage.  The links were invalid.  But I'm wondering if someone is beginning to figure out an SMF vulnerability?  Or is this something else?  Any ideas where to start looking?

Thanks!
Phil





From - Thu Aug 02 08:49:51 2012
X-Account-Key: account1
X-UIDL: 19603-1157667445
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Content-Type: text/plain;
   charset="iso-8859-1"
Return-Path: <[email protected]>
Content-Transfer-Encoding: 7bit
Received: from mmp0-v0.bendbroadband.net ([192.168.17.141]) by msgs1.bendbroadband.net (Sun Java System Messaging Server 6.2-7.04 (built Aug 17 2006)) with ESMTP id <[email protected]> for [email protected]; Thu, 02 Aug 2012 08:40:08 -0700 (PDT)
Received: from c650-1.noc.benbroadband.com ([192.168.17.146]) by s1mq0.benbroadband.net (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) with ESMTP id <[email protected]> for [email protected] (ORCPT [email protected]); Thu, 02 Aug 2012 08:44:06 -0700 (PDT)
Received: from mail.tichapmanministries.com (HELO ns56.webmasters.com) ([66.230.220.200]) by c650-1.noc.benbroadband.com with SMTP; Thu, 02 Aug 2012 08:44:05 -0700
Received: (qmail 23017 invoked by uid 2526); Thu, 02 Aug 2012 15:43:45 +0000
Date: Thu, 02 Aug 2012 15:43:45 +0000
From: "[email protected]" <[email protected]>
Subject: tRMLjBklXxXnfKWTRT
X-SpamFlt-Status: Not Detected
X-KASFlt-Status: Lua profiles 35274 [Aug 02 2012]
X-KASFlt-Status: Rate: 0
X-KASFlt-Status: Status: not_detected
X-KASFlt-Status: Method: none
X-KASFlt-Status: Version: 5.0.1
X-SpamFlt-Phishing: Not Detected
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609
To: <[email protected]>
Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
X-Mailer: SMF
Authentication-Results: c650-1.noc.benbroadband.com; dkim=neutral (message not signed) header.i=none
Received-SPF: None (c650-1.noc.benbroadband.com: no sender  authenticity information available from domain of  [email protected]) identity=pra; client-ip=66.230.220.200;  receiver=c650-1.noc.benbroadband.com; envelope-from="[email protected]";  x-sender="[email protected]"; x-conformance=sidf_compatible
Received-SPF: Pass (c650-1.noc.benbroadband.com: domain of  [email protected] designates 66.230.220.200 as permitted  sender) identity=mailfrom; client-ip=66.230.220.xxx;  receiver=c650-1.noc.benbroadband.com; envelope-from="[email protected]";  x-sender="[email protected]"; x-conformance=sidf_compatible;  x-record-type="v=spf1"
Received-SPF: None (c650-1.noc.bendbroadband.com: no sender  authenticity information available from domain of  [email protected]) identity=helo;  client-ip=66.230.220.xxx; receiver=c650-1.noc.benbroadband.com;  envelope-from="[email protected]"; x-sender="[email protected]";  x-conformance=sidf_compatible
X-Cloudmark-SP-Filtered: true
X-Cloudmark-SP-Result: v=1.1 cv=y0zQAPOssad0jT3MQoRBE0Twb/cYy7/vT9zoQXdJ1+k= c=1 sm=1 a=PP_YKxf0_hQA:10 a=QBjFdofbnPoA:10 a=LxDXLqCVAHsA:10 a=AjZ/6lLzmpwAaqqFYfTfYw==:17 a=pviSs9pIAAAA:8 a=ioegJCa9AAAA:8 a=jsLzB_QjAAAA:8 a=vcWJOPMYAAAA:8 a=cO7zPziZCamBTGQT_isA:9 a=wPNLvfGTeEIA:10 a=HpAAvcLHHh0Zw7uRqdWCyQ==:117
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgMPAGmfGlBC5tzIX2dsb2JhbABFgyykfYgSh04EgRceTQQ/gwSBAYg6m0mGTpsmgkKJTYMigxwDlUYBgRSRWA
X-IronPort-AV: E=Sophos;i="4.77,701,1336374000";   d="scan'208";a="78988406"
Original-recipient: rfc822;[email protected]

Storman™

No idea ! But make sure your email on the server isn't set-up as an open relay:

What is an Open Relay ?

Also, check the obvious, like their email address not being publicly visible on the forum. I had a member query something similar once, only to find out that they had put their email address in a post which subsequently got spammed to hell.

cgallery

Not an open relay, and the ISP verified that the E-Mail originated from the machine on which I host SMF.

So seeing as the E-Mail was from ME (the site's admin) and was to a participant of the forum, and was sent via the same server on which SMF runs, I'm thinking there may be a security hole somewhere in the way I have SMF configured, or in SMF itself.

Have to do more research.

Arantor

What was the content of the email?

Is there anything else installed on the same server? Any other hosting accounts? What mods do you have?

There are still a *lot* of possibilities before throwing around 'vulnerability in SMF' as an accusation.

cgallery

Quote from: Arantor on August 03, 2012, 03:05:36 PM
What was the content of the email?

Is there anything else installed on the same server? Any other hosting accounts? What mods do you have?

There are still a *lot* of possibilities before throwing around 'vulnerability in SMF' as an accusation.

Here is the E-Mail I had received:

*****
From: Phil Thien
Subject: Deovfqwozk
Reply to: [email protected]
To: Phil Thien

R5LK8o  <a href="http://dmcmawffbngt.com/">dmcmawffbngt</a>, xgftalbttpdq,
[link=http://rctmyqdnzhyt.com/]rctmyqdnzhyt[/link], http://rmqgzgngepdj.com/
*****

The only mod I have is "Stop Forum Spam 1.0."

The site is hosted by Webmasters, I know for a fact that there are other sites hosted on the same server.

Not casting accusations.  But the to/froms are members of the forum, and don't exist in the same universe anywhere else.  And also because the mail originated on the same server where the to/from members exist, and the forum is hosted.

Arantor

And is the 'send an email' facility enabled and everyone has permission?

Has the user done a sweep for malware/viruses?

cgallery

Quote from: Arantor on August 04, 2012, 09:04:41 AM
And is the 'send an email' facility enabled and everyone has permission?

Has the user done a sweep for malware/viruses?

I can't find anything in the configuration screens that would indicate "send an email" is enabled.  Users can send a PM, but these were via E-Mail.

At least two users (myself and I'm the Administrator, and another user) have received similar E-Mail.  I have not asked if anyone else has received the E-Mail, I don't want to start any sort of hysteria.

Arantor

Look for the 'Send a forum email to members' permission. By default regular members and up have this permission and the forum will send it.

And if someone's account is compromised because they have a virus or other malware (and yes, this does happen) there could be your weak link.

cgallery

Quote from: Arantor on August 04, 2012, 09:45:17 AM
Look for the 'Send a forum email to members' permission. By default regular members and up have this permission and the forum will send it.

And if someone's account is compromised because they have a virus or other malware (and yes, this does happen) there could be your weak link.

I found that permission, and it has been disabled all along.

Arantor

For all member groups?

Did you carry out my other suggestions?

cgallery

Quote from: Arantor on August 04, 2012, 01:55:50 PM
For all member groups?

Did you carry out my other suggestions?

Correct, sending E-Mail disabled for all member groups.

Neither of the machines involved have any viruses/malware.  Both the other user, and I, work in the IT industry, and have done thorough scans to verify no root kits, and nothing else.

Arantor

OK, so I compared the headers you listed against the code in Subs-Post.php, sendmail(). I'm not sure whether you've mangled enough of the headers to actually disprove what I'm about to say or not, but I'm hoping you've not damaged it enough that what I'm saying makes sense.

There are two things that make me concerned as to the authenticity of this being 'SMF' as the sender.

* After SMF issues the MIME Version header, it also puts out a Content-Type and Content-Transfer-Encoding header, neither of which are in the above.

* The Message-ID header is invalid for SMF's format. SMF's format is a 32 character hex string, followed by a hyphen, then a number, then @ the domain of the webmaster email (or the email the thing was sent from, but the supplied Message-ID header is neither of these things)

What occurs to me is that someone or something is loose on the server, it's been able to query your database for details and then proceed to send spam based on what it finds. On a shared host this would be absolutely trivial to do even down to badly impersonating SMF.

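Added example (not code from SMF or from anyone in this thread): a Python script that applies the two fingerprint checks in the post above to a raw message, plus one more that the quoted headers support, the `Received: (qmail ... invoked by uid N)` line, which records the local uid that handed the message to qmail on the hosting box. Both sample messages are constructed; the addresses and hosts (example.org, ns56.host.example, uid 2526 and so on) are placeholders mirroring the shape of the headers quoted earlier, and the "genuine" sample is laid out the way the post above describes SMF's output rather than copied from SMF.

```python
"""Added example (not SMF's code): test a suspect message against the SMF
sendmail() fingerprint described in the thread.  All headers below are
constructed; addresses and hosts are placeholders."""
import re
from email import message_from_string

# Per the thread: 32 hex chars, '-', a number, '@', the webmaster (or mail_from) domain.
SMF_MESSAGE_ID = re.compile(r"^<([0-9a-f]{32})-(\d+)@([^>]+)>$")
# qmail's local-injection trace: the uid of the process that handed qmail the message.
QMAIL_UID = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")

# Constructed: a notification laid out as the thread describes SMF's headers.
GENUINE_RAW = """From: "Forum Admin" <admin@example.org>
Reply-To: <admin@example.org>
Return-Path: admin@example.org
Date: Thu, 02 Aug 2012 15:43:45 -0000
Message-ID: <0123456789abcdef0123456789abcdef-4711@example.org>
X-Mailer: SMF
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
To: member@example.com
Subject: New reply to a topic you are watching

A reply has been posted.
"""

# Constructed: same shape as the suspect message quoted earlier in the thread.
SUSPECT_RAW = """Return-Path: <admin@example.org>
Received: from mail.example.org (HELO ns56.host.example) ([203.0.113.10]) by mx.isp.example with SMTP; Thu, 02 Aug 2012 08:44:05 -0700
Received: (qmail 23017 invoked by uid 2526); Thu, 02 Aug 2012 15:43:45 +0000
Date: Thu, 02 Aug 2012 15:43:45 +0000
From: "admin@example.org" <admin@example.org>
Subject: tRMLjBklXxXnfKWTRT
To: <member@example.com>
Reply-To: <admin@example.org>
Message-ID: <20120802154345.23016.qmail@ns56.host.example>
MIME-Version: 1.0
X-Mailer: SMF
Authentication-Results: mx.isp.example; dkim=neutral (message not signed) header.i=none

R5LK8o  <a href="http://dmcmawffbngt.com/">dmcmawffbngt</a>, xgftalbttpdq
"""


def smf_fingerprint(raw, sender_domains):
    """Return a dict of named checks; True means 'consistent with SMF'."""
    msg = message_from_string(raw)
    order = [name.lower() for name, _ in msg.items()]  # header order as stored
    out = {}

    # 1. Message-ID shape and domain.
    m = SMF_MESSAGE_ID.match((msg.get("Message-ID") or "").strip())
    allowed = {d.lower() for d in sender_domains}
    out["message_id_format"] = bool(m) and m.group(3).lower() in allowed

    # 2. X-Mailer is a plain header anyone can add; reported, not trusted.
    out["x_mailer"] = (msg.get("X-Mailer") or "").strip() == "SMF"

    # 3. MIME-Version immediately followed by Content-Type, Content-Transfer-Encoding.
    if "mime-version" in order:
        i = order.index("mime-version")
        out["mime_block_order"] = order[i + 1:i + 3] == ["content-type", "content-transfer-encoding"]
    else:
        out["mime_block_order"] = False

    # 4. Which local uid handed the message to qmail?  On a shared host, compare
    #    it with the uid your own hosting account (and its PHP processes) runs as.
    uids = [int(u) for r in msg.get_all("Received", []) for u in QMAIL_UID.findall(r)]
    out["qmail_injector_uid"] = uids[0] if uids else None
    return out


def verdict(findings):
    """Name the checks an SMF-generated message would pass but this one fails."""
    failed = [k for k in ("message_id_format", "mime_block_order") if not findings[k]]
    if not failed:
        return "consistent with SMF sendmail()"
    return "not SMF's fingerprint: " + ", ".join(failed)


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_RAW), ("suspect", SUSPECT_RAW)):
        f = smf_fingerprint(raw, ["example.org"])
        print(label, f, "->", verdict(f))
```

Two caveats. `X-Mailer: SMF` is a header anyone can write, so the script reports it but the verdict ignores it. Header order is also weaker evidence than the Message-ID shape: the source quoted earlier in the thread does carry Content-Type and Content-Transfer-Encoding, but at the very top, above Return-Path, and whether the sending code or the receiving mail store put them there cannot be told from that copy alone. The qmail uid, by contrast, is written by the local MTA rather than by the sender; on a shared host, ask the provider which account uid 2526 belongs to and whether it is yours.
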
cgallery

Quote from: Arantor on August 05, 2012, 09:59:50 AM
OK, so I compared the headers you listed against the code in Subs-Post.php, sendmail(). I'm not sure whether you've mangled enough of the headers to actually disprove what I'm about to say or not, but I'm hoping you've not damaged it enough that what I'm saying makes sense.

There are two things that make me concerned as to the authenticity of this being 'SMF' as the sender.

* After SMF issues the MIME Version header, it also puts out a Content-Type and Content-Transfer-Encoding header, neither of which are in the above.

* The Message-ID header is invalid for SMF's format. SMF's format is a 32 character hex string, followed by a hyphen, then a number, then @ the domain of the webmaster email (or the email the thing was sent from, but the supplied Message-ID header is neither of these things)

What occurs to me is that someone or something is loose on the server, it's been able to query your database for details and then proceed to send spam based on what it finds. On a shared host this would be absolutely trivial to do even down to badly impersonating SMF.

Okay, thanks for the work and feedback.  I'm going to ponder this some more.  If I figure out where it is coming from, I will be sure to let you know.

butchs

The American translation to what he is saying is that "you have been hacked my brother"!
:)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

ApplianceJunk

Quote from: butchs on August 05, 2012, 10:07:57 PM
The American translation to what he is saying is that "you have been hacked my brother"!
:)

ROFL

cgallery

Quote from: butchs on August 05, 2012, 10:07:57 PM
The American translation to what he is saying is that "you have been hacked my brother"!
:)

LOL, could be right.  It just seems unlikely.

I was writing forum software back in the 80s (contract programmer, Exec-PC BBS was a client, 300 phone lines, tens of thousands of users).  These days I still do a lot of C work, and a lot of network security.  So I'm pretty familiar with the concepts.

And I can tell you this:  (1) People that have remote control of a server, with the types of privs (su) where they can see my data, don't send onesy-twosy bits of unintelligible spam to admins of accounts on that server ("hey, you're infected" notices).

They also don't bother trying to make it look like SMF sent the mail.

I'm not saying this is an SMF hole.  And even if it IS, it is quite possible that it is worthless, as the mail we've seen so far was completely unintelligible.

But out of all the possible explanations, I'd say the least likely (so far) is that something on the server is reading my SMF data and mimicking the SMF mails.

Arantor

Quote
LOL, could be right.  It just seems unlikely.

No more unlikely than anything else.

Quote
And I can tell you this:  (1) People that have remote control of a server, with the types of privs (su) where they can see my data, don't send onesy-twosy bits of unintelligible spam to admins of accounts on that server ("hey, you're infected" notices).

Um, are you on a shared server or a VPS or better? On a shared server, by definition any user can typically see all files depending on their permissions, especially those hosts who run Apache as a nobody user, when all the files have to be readable to all users just to make it work.

Since all the code can be accessed in that fashion, it's certainly far from impossible.

Quote
I'm not saying this is an SMF hole.  And even if it IS, it is quite possible that it is worthless, as the mail we've seen so far was completely unintelligible.

Yes, you are.

There are only two explanations here:

1. SMF has a hole, sending email
2. Something on the server is mimicking the SMF emails

You're saying in your opinion the latter is less likely, even though I demonstrated that the email does not have SMF's characteristics, which means by definition you're saying it DOES have a hole. You can't deny one without implying the other.

As far as I'm concerned it is not a flaw in SMF; it is instead something else on the server that is abusing resources and masquerading as SMF, because based on the provided evidence that's all it can be. But if you have any evidence to disprove that assertion, please provide it.

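Added example (not SMF's code): the check Arantor's point about shared hosting calls for. If PHP runs as a shared user such as nobody and the files are left world-readable so that it works, every other account on the box can read Settings.php, which holds the database user and password, and can then query the member table exactly as described above. The script below walks a forum tree, lists files readable by "other" with the sensitive ones first, and tightens them to 0640. The tree it inspects is constructed in a temporary directory, the password in it is a placeholder, and Settings_bak.php is the backup copy SMF writes when settings are saved.

```python
"""Added example (not SMF's code): find forum files any other local account
could read, Settings.php first of all, and tighten them.  The tree is built in
a temp dir with placeholder contents so the script runs offline."""
import os
import stat
import tempfile

# Settings.php carries $db_passwd; SMF keeps a backup copy as Settings_bak.php.
SENSITIVE = ("Settings.php", "Settings_bak.php")


def audit_other_readable(root):
    """Return [(relative path, mode)] for files under root readable by 'other',
    sensitive files first so they are not lost in the noise."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IROTH:
                hits.append((os.path.relpath(path, root), mode))
    hits.sort(key=lambda h: (os.path.basename(h[0]) not in SENSITIVE, h[0]))
    return hits


def exposed_secrets(root):
    """Names of sensitive files a different local uid could currently read."""
    return [p for p, _ in audit_other_readable(root) if os.path.basename(p) in SENSITIVE]


def harden(root):
    """Drop all 'other' access on sensitive files.  0640 leaves them readable by
    the owner and the file's group only; that group must be the web server's
    group, or PHP must run as the owner, for the forum to keep working."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in SENSITIVE:
                os.chmod(os.path.join(dirpath, name), 0o640)


def make_demo_tree():
    """Constructed layout with the loose permissions many shared hosts leave behind."""
    root = tempfile.mkdtemp(prefix="smf-demo-")
    contents = {
        "index.php": "<?php // front controller\n",
        "Settings.php": "<?php $db_user = 'forum'; $db_passwd = 'constructed-example';\n",
        "Settings_bak.php": "<?php $db_passwd = 'constructed-example';\n",
    }
    for name, body in contents.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)  # the typical 'everything world-readable' state
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    print("before:", exposed_secrets(demo))
    harden(demo)
    print("after: ", exposed_secrets(demo))
```

0640 only helps if the web server can still read the file: either the file's group is the web server's group (chgrp, where the host allows it) or PHP runs under your own account (suPHP, FastCGI/php-fpm pools), in which case 0600 is better still. On a host that insists on world-readable files there is no permission fix, and the database password should be treated as readable by every other customer on that machine.
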
Joseph H

Cheap webhosting +24 hours

Arantor


mrintech

Quote from: butchs on August 05, 2012, 10:07:57 PM
The American translation to what he is saying is that "you have been hacked my brother"!
:)

Holy LOL  :o  :P
