Kitz Forum

Announcements => Site & Forum Discussion => Topic started by: AndrueC on July 28, 2017, 08:52:19 PM

Title: Spam.. From you :(
Post by: AndrueC on July 28, 2017, 08:52:19 PM
So I just received some spam sent to me using the address that I have only ever given to this site. My policy for years has been a unique address for every contact. I suggest that the forum administrator start investigating their system as it seems likely they have been compromised and their database is no longer secure.

I forget when I registered for access to this site but I can assure you that only I and the database ought to know that address. I have now blacklisted the address so the only way to contact me is currently through this forum thread.

https://en.wikipedia.org/wiki/Disposable_email_address#Advantages_over_traditional_email

"Additionally, because access has been narrowed down to one contact, that entity then becomes the most likely point of compromise for any spam that account receives (see "filtering" below for exceptions). This allows users to determine firsthand the trustworthiness of the people they share their DEAs with. "Safe" DEAs that have not been abused can be forwarded to a real email account, while messages sent to "compromised" DEAs can be routed to a special folder, sent to the trash, held for spam filtering, or returned as undeliverable if the DEA is deleted outright."
Title: Re: Spam.. From you :(
Post by: Ronski on July 28, 2017, 08:55:31 PM
I forget when I registered for access to this site but I can assure you that only I and the database ought to know that address.

FYI taken from your user profile:

Date Registered:    June 25, 2012, 09:21:46 AM
Title: Re: Spam.. From you :(
Post by: d2d4j on July 28, 2017, 09:53:51 PM
Hi

I think you make a bold statement, sorry.

There are in fact numerous systems which could be compromised, including the computer you have the account set up on.

I would ask if any other user has seen similar spam messages about the same time frame.

If so, it may infer a compromise of kitz db, but I stress infer as a hack would usually yield a mass spam send to all

It could just be a wild guess or random email address creation (yes it does happen, which those who work in this field know and would have seen themselves)

I am not saying you're wrong or right but just pointing out various other reasons for seeing spam in the account in question.

Also, the headers would have been more beneficial

I do think though, if no other user has received spam in the timeframe then it is likely not to be a compromise of kitz db

Many thanks

John
Title: Re: Spam.. From you :(
Post by: roseway on July 28, 2017, 10:46:30 PM
I agree with what John said above - it's extremely unlikely that just a single email address would be affected if the site were compromised. Of course we'll investigate, but one thing I can assure you of: there was no leak (deliberate or accidental) by any of the very small number of people who have access to user email addresses.
Title: Re: Spam.. From you :(
Post by: j0hn on July 28, 2017, 10:59:33 PM
What a load of nonsense.
Spam sends to random emails, it doesn't need to have been taken from this site.
I've had spam sent to an email the day I created it, before using it even once.
I haven't received a spam email to the address registered on this site for many many months, and it's not the only site I use it on.

I think that was an extremely bold statement, and personally think it deserves an apology. The owner of this site has spent thousands of hours creating tutorials, guides, wikis, administering the forums, etc.
She does all this without filling the site with ads and trying to make money off it. You receive 1 spam email in over 5 years and jump to a ridiculous conclusion.
Title: Re: Spam.. From you :(
Post by: jelv on July 28, 2017, 11:06:29 PM
The email address I use on here is totally unique to this site (if the admins took a look they'd be able to see why it would only be used for this site). It hasn't had any spam.
Title: Re: Spam.. From you :(
Post by: kitz on July 28, 2017, 11:47:03 PM
Just got in (my dsl has been down all day - see MDWS). 
I am taking this extremely seriously, leave it with me, I shall do some checks straight away.
Title: Re: Spam.. From you :(
Post by: 4candles on July 28, 2017, 11:49:55 PM
The email address I use on here is totally unique to this site


Here also - no spam.
Title: Re: Spam.. From you :(
Post by: sevenlayermuddle on July 29, 2017, 12:20:03 AM
I take similar precautions to AndrueC these days and get very little spam that I can't identify, maybe 6 a month in my spam folder, on average.   My registration here predates these precautions, so this site would expose my real address.

This past week, filters have caught 3 spams.   That's a small increase on the average, but probably not any statistical significance. :)

Title: Re: Spam.. From you :(
Post by: kitz on July 29, 2017, 12:22:17 AM
Just this minute got off the phone with my hosts.   They can see absolutely no sign of any compromise of any data.
All the forum software and any patches are already completely up to date so unless there is an SMF issue it's not that.
Nor can I see anything weird in any of the forum logs.

However just to be on the safe side and because I do take security extremely seriously,  I am taking some additional precautions. 
If there is any oddness with the site over the next few hours it will be me resetting things.
Title: Re: Spam.. From you :(
Post by: kitz on July 29, 2017, 12:55:33 AM
Results of an external security scan

https://sitecheck.sucuri.net/results/forum.kitz.co.uk
Title: Re: Spam.. From you :(
Post by: kitz on July 29, 2017, 02:14:00 AM
Jeeze - for those that saw what just happened, so sorry about that.  :'(
Gave myself heart failure by not only locking myself out but by doing so taking not just the forums but the front page of the main site down.   

The site should be ok now...   I wish I could say the same about me - It may take my hammering heart a while to recover.    :o
Title: Re: Spam.. From you :(
Post by: kitz on July 29, 2017, 04:54:45 AM
I think I may have found the culprit.  Try putting your email address in here. [link removed temp]


Then look see what comes up - as you will see, it's not here.  Basically if you use the same username at another forum which has been hacked, then bots take the username & password to crawl other forums and find other associated accounts and emails.

This info is then sold on the darknet. Whilst I am sorry that the bot appears to have found you here, I'm afraid that despite spending hours and hours on this, I can find absolutely no evidence that it is a result of a database breach here and there is nothing I could have done to prevent it.

As mentioned everything on this side appears to be secure, my hosts can find no evidence of any breach and the only IP addresses used to connect to my database are those that I have used and MISP which is my hosts. The admin account had only been accessed by my IPs.
As my hosts said earlier this evening it is highly unusual for hackers just to attack a site for email and leave everything undamaged and they suggested that it may be the work of bots and not related to this specific site. 

I guess that is why after some of the fairly large breaches last year people were advised to change all their passwords at other websites too.

See also here (https://www.reddit.com/r/DarkNetMarkets/comments/4i5l9g/whats_the_location_of_the_darknet_leaks_from/)

Quote
Most people use the same password for all sites so what happens is when one site's database is leaked, you can try using their same user/pass for any other site you might think they are on. Databases work great for targeting individuals.

All I can do is suggest you change your password for this site and any other sites that you frequent  :(

... and on that note I'm off to bed..  I've been up since 6.45 yesterday :(
Title: Re: Spam.. From you :(
Post by: Chrysalis on July 29, 2017, 05:37:12 AM
ahh was this why the forum went down earlier?

I got an email from another site I am registered on, I think it was ebid, saying they found my email address in a database they purchased (hacked accounts), but they wouldn't disclose where my email address got compromised which annoyed me.

Just so no one interprets what I said above wrongly.

The above info about ebid has no relation to this site :), was an email I got several months ago and I don't use that email address on here. :)

also to add to the link kitz provided, here is another one

https://haveibeenpwned.com/

I entered one of my most commonly used email addresses and got this

Highlighted leaks where your email has been compromised


exploit.in (compilation)
592.394.406 Emails found

avast.com (forum)
421.253 Emails found

nexusmods.com
5.914.650 Emails found

Patreon
2.330.939 Emails found

Ironic that one of them is Avast, a security company.  But the pattern in all 4 is that they all have huge amounts of users; sites with large user databases are the ones most likely to be targeted.
Title: Re: Spam.. From you :(
Post by: kitz on July 29, 2017, 06:17:44 AM
>>> ahh was this why the forum went down earlier?

Yes it was me.  Purely as a precaution I was changing the database passwords*  however despite timing both the server side and software changes at the same time, the forum software threw a hissy and decided it would shut itself down and locked me out too. 

>>> here is another one - https://haveibeenpwned.com/

Thanks.  Yeah the Avast one was a biggy that got an awful lot of people :(

Quote
Avast: In May 2014, the Avast anti-virus forum was hacked and 423k member records were exposed. The Simple Machines Based forum included usernames, emails and password hashes.

Compromised data: Email addresses, Passwords, Usernames




------
*this was one of the first things I did as 'just in case' and before I'd done a full investigation.
Title: Re: Spam.. From you :(
Post by: d2d4j on July 29, 2017, 08:31:04 AM
Hi kitz

Kudos to you

I know you and many others would have expended a lot of time on this investigation.

At least you know you're as up to date as can be, which is some assurance but as with everything, is only for that date/time of check.

I hope you have a more relaxing weekend

Many thanks

John
Title: Re: Spam.. From you :(
Post by: sevenlayermuddle on July 29, 2017, 08:37:04 AM
Thanks for investigating and explaining all this, it's always nice to understand the issue.

Curiously my own address, when entered into the hacked emails search, lists a leak from a forum that I have never heard of, and judging by its name, would not have ever been of any interest to me.  :-\
Title: Re: Spam.. From you :(
Post by: broadstairs on July 29, 2017, 09:37:28 AM
Interesting all this. I have never in 9 years had any spam from this forum. I also checked the hacked emails site and it showed 5 references to one of my email addresses which does get spammed, however no references to another which gets more spam than the one with 5. Actually virtually zero spam gets past my mail hosting's spam filters these days, the odd one or two usually about buying vans which I suspect is a UK company who have purchased a list of email addresses which mine is on.

I have always felt that this site is one of the safest to be on mainly because of the care and knowledge of the folks involved in running it, however I do realise there is no such thing as 100% security.

Stuart
Title: Re: Spam.. From you :(
Post by: aruba on July 29, 2017, 09:42:40 AM
I don't know if it helps or hinders, but I've started receiving spam today too - and like the OP it's a unique kitz-only address.

It's easy for me to block the address (and why I use unique addresses), but just means I block everything kitz-related.
Title: Re: Spam.. From you :(
Post by: d2d4j on July 29, 2017, 09:49:31 AM
Hi

I hope you don't mind, as I do not want to take this off topic, but in general, most spam senders place a null reference so it reports if opened/received. It's a normal action for mass mail sending, legitimate or otherwise. If noted it has been opened/received, ergo address is live. That's all they need

All systems come under constant attack, on all services, email, hosting, ftp, ssh, rdc etc and we expend a lot of effort to keep things as secure as possible, such as IDS/IPS systems, and are automonitored to take action. An extract is below

There are a few genuine users who get caught out and totally banned, but these are dealt with manually to be unblocked (we do a full blanket ban of all services/systems if you trip the IDS/IPS systems)

As you can see and hope appreciate, it is not easy but generally we get it right most of the time. Hopefully and how do we know the extract is correct - we do not allow SSH

Many thanks

John

Jul 29 09:26:04 ns4 sshd[18095]: reverse mapping checking getaddrinfo for 50-235-128-175-static.hfc.comcastbusiness.net [50.235.128.175] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 29 09:26:04 ns4 sshd[18095]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.235.128.175  user=root
Jul 29 09:26:06 ns4 sshd[18095]: Failed password for root from 50.235.128.175 port 38684 ssh2
Jul 29 09:26:08 ns4 sshd[18095]: Failed password for root from 50.235.128.175 port 38684 ssh2
Jul 29 09:26:10 ns4 sshd[18095]: Failed password for root from 50.235.128.175 port 38684 ssh2
Jul 29 09:26:12 ns4 sshd[18095]: Failed password for root from 50.235.128.175 port 38684 ssh2
Jul 29 09:26:14 ns4 sshd[18095]: Failed password for root from 50.235.128.175 port 38684 ssh2
Jul 29 09:26:16 ns4 sshd[18095]: Failed password for root from 50.235.128.175 port 38684 ssh2
Jul 29 09:26:16 ns4 sshd[18095]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.
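A detection example in the spirit of the auto-ban John describes, added here and not code from the thread or from his hosting setup: it parses sshd "Failed password" lines like the extract above and flags any source IP with five failures inside a minute, while leaving a slow, spread-out failure alone. The host name, process ids and the RFC 5737 addresses in the sample log are constructed.

```python
"""Toy log-based SSH brute-force detector.

Mirrors the kind of auto-ban an IDS/IPS does on repeated sshd password
failures: parse each "Failed password" line, group by source IP, and flag
any source that racks up `threshold` failures within `window_seconds`.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the sshd "Failed password" line format shown in the thread.
# "invalid user" appears when the username does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log (hypothetical host "ns4", RFC 5737 documentation
# addresses), shaped like the extract posted in the thread: one source
# hammering root six times in twelve seconds, another failing twice an
# hour apart, plus reverse-mapping and PAM lines the detector must ignore.
SAMPLE_LOG = """\
Jul 29 09:26:04 ns4 sshd[18095]: reverse mapping checking getaddrinfo for host.example [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 29 09:26:04 ns4 sshd[18095]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Jul 29 09:26:06 ns4 sshd[18095]: Failed password for root from 203.0.113.7 port 38684 ssh2
Jul 29 09:26:08 ns4 sshd[18095]: Failed password for root from 203.0.113.7 port 38684 ssh2
Jul 29 09:26:10 ns4 sshd[18095]: Failed password for root from 203.0.113.7 port 38684 ssh2
Jul 29 09:26:12 ns4 sshd[18095]: Failed password for root from 203.0.113.7 port 38684 ssh2
Jul 29 09:26:14 ns4 sshd[18095]: Failed password for root from 203.0.113.7 port 38684 ssh2
Jul 29 09:26:16 ns4 sshd[18095]: Failed password for root from 203.0.113.7 port 38684 ssh2
Jul 29 09:26:16 ns4 sshd[18095]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Jul 29 09:40:01 ns4 sshd[18230]: Failed password for invalid user admin from 198.51.100.9 port 51002 ssh2
Jul 29 10:40:03 ns4 sshd[18611]: Failed password for stuart from 198.51.100.9 port 51377 ssh2
"""


def parse_failed_login(line, year=2017):
    """Return (timestamp, user, ip) for a Failed-password line, else None.
    Syslog lines carry no year, so the caller supplies one."""
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def failures_by_ip(log_text, year=2017):
    """Group failure timestamps (sorted) by source IP."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_failed_login(line, year)
        if parsed:
            ts, _user, ip = parsed
            buckets[ip].append(ts)
    return {ip: sorted(stamps) for ip, stamps in buckets.items()}


def ips_to_ban(log_text, threshold=5, window_seconds=60, year=2017):
    """Source IPs with >= threshold failures inside any window_seconds span.
    A sliding window over the sorted timestamps means slow, spread-out
    failures (a user mistyping twice an hour apart) are not banned."""
    window = timedelta(seconds=window_seconds)
    banned = []
    for ip, stamps in failures_by_ip(log_text, year).items():
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                banned.append(ip)
                break
    return sorted(banned)


if __name__ == "__main__":
    for ip, stamps in failures_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {len(stamps)} failed logins")
    print("ban:", ips_to_ban(SAMPLE_LOG))
```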
Title: Re: Spam.. From you :(
Post by: broadstairs on July 29, 2017, 10:10:13 AM
Just as a test I have changed my email address on here to a brand new one setup just for here and will not be used elsewhere. If I get spam to it I will report back.

Stuart
Title: Re: Spam.. From you :(
Post by: d2d4j on July 29, 2017, 10:26:22 AM
Hi

Sorry, just a polite note to all to ensure your password used is a secure password. Ideally it should contain upper/lowercase, numbers, at least 2 symbols (?!$) and be an uneven length (7, 9, 11 etc characters long). The reason for the uneven length is some software try to use 4-character blocks as most are even characters.

It is feasible the odd account may have been bruteforced and explains why only a few email addresses have been taken.

If this was a true db access, all email addresses would have been taken

Many thanks

John
Title: Re: Spam.. From you :(
Post by: Chrysalis on July 29, 2017, 10:27:19 AM
bear in mind dictionary attacks can get spam to unused email boxes as well.
Title: Re: Spam.. From you :(
Post by: sevenlayermuddle on July 29, 2017, 11:00:50 AM
I don't know if it helps or hinders, but I've started receiving spam today too - and like the OP it's a unique kitz-only address.

It's easy for me to block the address (and why I use unique addresses), but just means I block everything kitz-related.

Just to reiterate what kitz pointed out, if I understand correctly,  using a unique email address may not help.  If you use the same forum login id and password on more than one forum, and one of the other forums is hacked to reveal your forum login, the 'unique' email addresses held on all the other forums may easily be discovered, no hacking required, and no security breach required.

Check kitz's earlier post for full explanation. 
Title: Re: Spam.. From you :(
Post by: broadstairs on July 29, 2017, 11:34:52 AM
All my forums use unique passwords and all my passwords are a mixture of upper & lower case, numerics and special characters (sometimes) and are normally between 7 and 8 in length (yes sometimes 8). Userids are often reused but that is less likely to be an issue as long as p/w are different.

Stuart
Title: Re: Spam.. From you :(
Post by: kitz on July 29, 2017, 12:26:33 PM
From what it says on the link from reddit all it takes is a bot to have your username and password from another previously compromised forum eg

User
Password
email:- ForumOne@yourdomain

Using the compromised User and Password the bot then crawls lots of other forums on the internet looking to see if those details allow it to log in anywhere else.   If it finds it can log in, then it will take any relevant info from that forum too.

So now it's starting to build up a profile of the user

User
Password
emails :- ForumOne@yourdomain, ForumTwo@yourdomain, ForumThree@yourdomain

Owners of the bot are then selling this new information on the darknet.  This info has 2 possible outcomes.
1) A new list of emails that can be resold for spamming purposes.

2) The list of new info can then easily be further filtered and this I suspect is what oiulkjmnb1 is referring to when he says expensive and exclusive lists.  They can identify a list of people who use their domain name with a different prefix for each forum. 
If the prefix matches up in some part with the forum name its obvious what the user is doing and a list of those domains can be identified for the purpose of further ill gains such as
 - dictionary type spam attacks on the domain name
 - Using the domain name to spoof a load of spam mails to avoid blacklists
 - Someone even mentioned they could be used for spear phishing (http://searchsecurity.techtarget.com/definition/spear-phishing)?


What it does mean, is that even if you use a specific prefix with a specific forum that you cannot say without doubt that the forum is the source of the breach.

I have investigated everything I can - and probably gone to a heck of a lot more trouble than most forums would -  but I can hand on heart say that I cannot see anything to suggest there has been a breach of our database.
If anything I suspect this may have come as a second wave attack from a breach of data elsewhere using one of the above methods on the back of the same username. I do admit that it's highly likely that a bot has visited this forum specifically looking for info, but the original breach has come from elsewhere and there is nothing I or any other forum owner can do to prevent this other than suggest you change your password and ensure separate passwords are used for different sites. :( 
Title: Re: Spam.. From you :(
Post by: kitz on July 29, 2017, 12:34:19 PM
@jelv

Within the past couple of months I've been receiving spam on an email address that I specifically use only for a certain usergroup.  Because I know you are a member there I wonder if you are seeing any spam via that forum which only started within the past month or so too?

Whilst I know that there 'may' have been a breach related to an event 10+ ago but I disposed of that email address and created another, its that second email address that has suddenly out of the blue started receiving spam. 
Title: Re: Spam.. From you :(
Post by: petef on July 29, 2017, 02:53:46 PM
I would like to add a note of caution about the sites mentioned here that allow you to check for leakage of your email. Before using them do some research yourself to make sure they are legit. Bad guys may be running honest looking sites that are actually harvesting addresses.
Title: Re: Spam.. From you :(
Post by: kitz on July 29, 2017, 04:47:18 PM
^ Good advice.   
https://haveibeenpwned.com/ is considered legitimate.

OK I have a bit more info.   
I've been doing a bit more digging and with the aid of my hosts, I can say that the only IPs used to access my server have belonged to either me or MISP (them).
Everything is as secure as it can be and there is no sign of anything on it being breached.   

I would stress that if anyone has any concerns they should change their password and ensure that same passwords are not used across multiple sites.
Title: Re: Spam.. From you :(
Post by: aruba on July 30, 2017, 08:43:21 AM
Just as a test I have changed my email address on here to a brand new one setup just for here and will not be used elsewhere. If I get spam to it I will report back.

Will be doing the same. I use a different user name, email address and password for every forum I sign up to. The password on this forum is 20 characters long.

Generally, I get around 3 spam messages a week - I've had eight in the last 24 hours using the kitz address.


https://haveibeenpwned.com/ is considered legitimate.

Second this, the guy who set it up is a well-known security researcher. The only downside is that it concentrates on data from large-scale breaches/dumps.
Title: Re: Spam.. From you :(
Post by: Ronski on July 30, 2017, 08:53:32 AM
Can't say I get much spam, and I've been using the same handful of addresses for years. I get more on my work email addresses, which are used far less on forums and not published on websites either.

If anyone wants to see how much random email is sent turn on a catch all address on your domain, although random is the wrong word, educated guesses would be more correct.

Nothing from the OP, thought he would have popped by and perhaps said a huge thanks to Kitz for checking.
Title: Re: Spam.. From you :(
Post by: jelv on July 30, 2017, 11:57:22 AM
@jelv

Within the past couple of months I've been receiving spam on an email address that I specifically use only for a certain usergroup.  Because I know you are a member there I wonder if you are seeing any spam via that forum which only started within the past month or so too?
I never changed the email address from xxx.plus.com so I wouldn't know.
Title: Re: Spam.. From you :(
Post by: jelv on July 30, 2017, 12:02:44 PM
Curiously my own address, when entered into the hacked emails search, lists a leak from a forum that I have never heard of, and judging by its name, would not have ever been of any interest to me.  :-\

Fireworks?
Title: Re: Spam.. From you :(
Post by: sevenlayermuddle on July 30, 2017, 01:26:23 PM
Fireworks?

Can you shed any light?
Title: Re: Spam.. From you :(
Post by: jelv on July 30, 2017, 03:00:51 PM
If you'd seen the same as me my post would have meant something. It was deliberately cryptic to not give too much away.
Title: Re: Spam.. From you :(
Post by: sevenlayermuddle on July 30, 2017, 03:44:34 PM
If you'd seen the same as me my post would have meant something.

It did.

The scenario I am afraid of is that my email may have been compromised at some previous time, and used for registration... In which case, the compromised email would be worth worrying about.
Title: Re: Spam.. From you :(
Post by: kitz on July 30, 2017, 03:59:57 PM
hmmm.  I see what you mean, there is some sort of connection.

The earlier compromise was related to a much larger known breach.   :hmm:
   
Title: Re: Spam.. From you :(
Post by: Browni on July 30, 2017, 04:56:34 PM
Fireworks?
It seems that my interest in pyrotechnics has also been compromised  :o
Title: Re: Spam.. From you :(
Post by: sevenlayermuddle on July 30, 2017, 05:31:59 PM
Then this is getting weird.

Until this afternoon my best (and worst) guess was that my inbox had somehow been accessed, allowing access to a forum registration mail.   That would be quite hard today, with gmail's two-step authentication, and near zero probability of their machine generated App passwords being guessed.  But I've used that email for donkey's years and it wasn't always so secure.

But the size of the supposed leak was quite small, around 3,000.   It does seem a remarkable coincidence if 3 of us here are among the 3,000.   Yet I really cannot believe that kitz's forum is any kind of factor at all. ???

I'm forming a theory... according to nominet Whois, the domain has not even been registered.   Suppose therefore the bad guys sometimes publish 'fake' leaks, maybe as some kind of trap to see who publishes them, and therefore close the door on genuine leaks?
Title: Re: Spam.. From you :(
Post by: jelv on July 30, 2017, 06:10:31 PM
It seems that my interest in pyrotechnics has also been compromised  :o
23 Oct 2016?
Title: Re: Spam.. From you :(
Post by: sevenlayermuddle on July 30, 2017, 06:14:47 PM
Snap.
Title: Re: Spam.. From you :(
Post by: Browni on July 30, 2017, 06:31:26 PM
23 Oct 2016?
Yep.
Title: Re: Spam.. From you :(
Post by: kitz on July 30, 2017, 07:51:03 PM
Quote
Until this afternoon my best (and worst) guess was that my inbox had somehow been accessed, allowing access to a forum registration mail.
I would have thought it was more likely to be linked in with the earlier breach.

However, I'm not liking the co-incidences tbh. 

Yet the email address I have set for my forum account, my personal email address & the web@ address all show clear. 
I'm puzzled,  let me try do some more digging if I can.

-----------
ETA   For the time being I'm removing the link I posted earlier just in case, whilst I attempt to do some further investigating.
Title: Re: Spam.. From you :(
Post by: d2d4j on July 30, 2017, 08:32:26 PM
Hi

I'm sorry, a lot of this thread I cannot follow due to not knowing the email addresses or forums

I would like to though, remind everyone that until recent years, forum registration did not require separate confirmation (some may still not), webmail access would not show on pc if hacked, and yahoo (and a lot of other db, e.g. Talktalk avast etc) were  compromised and email addresses taken. There will be a lot unpublished. Also, any domains registered were and/or still show owners email address. Even if the owner changed to hide details, time web still show these details and once part of a domain is known, it is easy to tie most forum users with a domain part, first name etc, so algorithms are scripted to generate email addresses.

This is true of nameservers/dns, where a domain is hosted, rdns of the host ip to reveal details of other websites hosted, yielding more to speculate for gathering.

We use honeypots, to help the Internet community further and those who use honeypots to stop access to the websites/servers

There is a lot more but time is short and I have my grandchildren stopping with us for a few weeks

I hope that helps rather than complicates issues

Many thanks

John
Title: Re: Spam.. From you :(
Post by: kitz on July 30, 2017, 09:25:04 PM
@john I hope you don't mind, but I've PM'd you some info showing the results on jelv, 7LM & Browni (without disclosing their email or personal data) but it should give you more of an idea.  You are far more experienced in this particular area than I ever will be.


Your email address comes up clean, so does the email address I use for my forum account. 
My personal email address is clean.... as is web@
I've PM'd you the email addresses I use so that you can confirm they are clean.   Jelv also knows them so he can also confirm too, so whatever it is is not affecting all members.

However, I'm not liking the co-incidence and have fired yet another ticket off to my hosts who by now probably think I'm neurotic.  ???
Title: Re: Spam.. From you :(
Post by: sevenlayermuddle on July 30, 2017, 09:30:12 PM
I would have thought it was more likely to be linked in with the earlier breach.

Yes, I understand exactly what you mean.   ;)

@ Kitz, please don't feel you need to spend much time on this on my behalf.  I never suspected for a minute it had anything to do with your site, and still don't.  Just to clarify, when I said I was worried that my inbox had been accessed, I meant the inbox of my personal email account hosted by Google, nothing to do with these forums.   :) 

I would of course be interested in any explanation that unravels but please, don't stress over it. 

I would like to though, remind everyone that until recent years, forum registration did not require separate confirmation (some may still not)

That is reassuring, I have now pretty much stopped worrying completely.   My nightmare scenario was that people who frequent forums relating to things that go 'bang' might, just maybe, have unhealthy interests, and so may want to do so under a false identity.  I can't stop them using my email address, but wasn't happy that they would have been actively impersonating me by reading my private emails.  I no longer think there was any risk that ever happened.
Title: Re: Spam.. From you :(
Post by: Browni on July 30, 2017, 09:46:39 PM
@kitz I haven't received any spam for the email address I used here, what I find a little disconcerting is my email address linked to a previously unheard of forum.
Title: Re: Spam.. From you :(
Post by: AndrueC on July 30, 2017, 10:06:21 PM
Firstly, let me apologise for the delay in responding. I was away for the weekend and am only just catching up on stuff.
Title: Re: Spam.. From you :(
Post by: AndrueC on July 30, 2017, 10:20:31 PM
Just got in (my dsl has been down all day - see MDWS). 
I am taking this extremely seriously leave it with me I shall do some checks straight away.
I'm glad to hear that as that was the only purpose in my posting the message. To be honest I'm not a regular visitor here so I was initially surprised that I'd even registered. I do apologise for any ill-feeling I might have caused but I was rushing to prepare for a weekend away and I felt you ought to be informed as quickly as possible.
Title: Re: Spam.. From you :(
Post by: AndrueC on July 30, 2017, 10:26:02 PM
Ah, interesting. Ah, yes, that email is listed as hacked. The shared user name and password is a possibility based on the age of this account. That password is a very old one. Very, very old actually. The first password I ever came up with (in the mid-90s, lol) and was only ever used on lowest security sites. It has been pensioned off for several years now and I guess it's so long since I signed on here that it never got changed.

And yes 'fireworks' means something to me (at least in the context of that check - it ain't anywhere I've visited).

Anyway I'd like to apologise again for ruining anyone's weekend and would like to reiterate that my post was intended to be a helpful warning and was perhaps just written a little too hastily whilst preparing to leave for the weekend.
Title: Re: Spam.. From you :(
Post by: d2d4j on July 30, 2017, 11:19:03 PM
Hi

Many thanks

To confirm no details were ever passed to me, but details were given so I had a better understanding, and I have pm replied 

I think this thread is concluded, as I believe there is only 7lm who could not understand why he received spam, but a hack on a forum he belongs to, from the details given, shows he was listed in July 2016.

Jelv has confirmed no spam and AndrueC has just confirmed hacked earlier.

The good outcome here is kitz appears as secure and can be trusted, but as always, it is only as good as a car mot, it applies only at that time/date

If anyone has any concerns, you can pm me, and I'll check but we have our grandchildren for the next 2 weeks, so time permitting

I hope that helps

Many thanks

John
Title: Re: Spam.. From you :(
Post by: d2d4j on July 30, 2017, 11:35:18 PM
Hi

@7lm, I'm sorry, rereading thread shows I did not fully answer sorry

You email account could/as could anyone's email account have been hacked (even using 2aith - this is a whole thread on its own as it is proven to be not 100% secure) but is unlikely in your instance

It is worth mentioning here the following

If you have registered a domain, set up SPF (hard fail) and DMARC records

If anyone uses or sends email pretending to be from you (your domain), the above checks should 98% stop it dead if setup correctly

If using your email address (hacked at webmail or from your computer), this is different and harder to find/confirm. The only good thing is most people have email setup on mobile, so you have a high degree of seeing an unusual email confirming identity or services just acquired/purchased.

The above is not a full theism but a warning to keep vigilant

I hope that makes sense and helps

Many thanks

John
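An added example, not code from the thread or from John's hosting setup, that checks the two records his advice above calls for: it parses SPF and DMARC TXT record strings offline (no DNS lookups) and reports where a record falls short of SPF "-all" and DMARC "p=reject". The record strings and domain names are constructed.

```python
"""Offline checker for the SPF / DMARC settings recommended above.

Works on the TXT record strings themselves, so it can be run against
records copied from a zone file or a DNS lookup without any network access.
"""

# Constructed sample records: a weak pair (SPF softfail, DMARC monitoring
# only, no report address) beside a hardened pair (SPF hard fail, DMARC
# reject with aggregate reports going to a mailbox on the same domain).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 mx ip4:203.0.113.0/24 -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org; adkim=s; aspf=s"


def spf_policy(record):
    """Return the catch-all qualifier of an SPF record: 'hardfail' for -all,
    'softfail' for ~all, 'neutral' for ?all, 'pass' for +all or bare all,
    or None if the record is not SPF or has no 'all' term."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()
        if t in ("-all", "~all", "?all", "+all", "all"):
            return {"-": "hardfail", "~": "softfail", "?": "neutral"}.get(t[0], "pass")
    return None


def dmarc_policy(record):
    """Parse a DMARC TXT record into a dict of tag -> value.
    Returns {} when the record is not DMARC1 or has no p= tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {}
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means the records are set
    the way the advice above recommends (SPF -all, DMARC p=reject)."""
    findings = []
    spf = spf_policy(spf_record)
    if spf is None:
        findings.append("SPF: missing, not v=spf1, or no 'all' term")
    elif spf != "hardfail":
        findings.append(f"SPF: ends in {spf}, not -all (hard fail)")

    dm = dmarc_policy(dmarc_record)
    if not dm:
        findings.append("DMARC: missing or invalid record")
    else:
        if dm["p"].lower() != "reject":
            findings.append(f"DMARC: p={dm['p']}, not reject")
        if dm.get("rua") is None:
            findings.append("DMARC: no rua= address, so no aggregate reports")
        # pct defaults to 100; anything lower only applies the policy to a
        # sample of failing mail, which weakens the protection.
        if int(dm.get("pct", "100")) < 100:
            findings.append(f"DMARC: pct={dm['pct']} applies policy to a sample only")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, assess(spf, dmarc) or ["ok"])
```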
Title: Re: Spam.. From you :(
Post by: sevenlayermuddle on July 30, 2017, 11:44:38 PM
@d2d4j

No probs, you did help, by pointing out that other forum registration need not be confirmed by email. Spam was not my problem, I have not received anything unusual. My worry was that somebody had registered at that other forum, had the confirmation sent to my email, read it, responded to it, and deleted it. That would have been awful, but I no longer think it happened.  :)

I do have my own domain, but it is currently managed by Google.  I was lucky enough to sign up to Google Apps while it was free.  So yes, I know all about SPFs but that would be for another thread and anyway, spam is not the problem.

Many thanks.
Title: Re: Spam.. From you :(
Post by: kitz on July 31, 2017, 01:10:43 AM
Quote from: Browni
I haven't received any spam for the email address I used here

Thank you for confirming that.  Sorry I misunderstood and thought you had also been affected.
I think there are two separate issues and I was putting the 2 together when they may not be related at all.

Quote from: AndrueC
Firstly, let me apologise for the delay in responding. I was away for the weekend and am only just catching up on stuff.
Thank you for getting back to me.  The system you use seems similar to my own private mail.


Quote from: d2d4j
To confirm no details were ever passed to me, but details were given so I had a better understanding, and I have pm replied

Thank you John for the information & help you have given.  I won't pretend to understand it all, but since it's your day job I trust that you see these types of events happening more frequently and have a far better understanding of that side of things than I do. :)
Title: Re: Spam.. From you :(
Post by: kitz on July 31, 2017, 01:15:24 AM
To all.

I do take security extremely seriously. Because I'm not an expert in server security, I pay extra for a fully managed service to ensure that someone else deals with server security, updates etc.
As far as the forum software goes I am extremely diligent about applying patches as soon as possible after they are released.

I have also learnt over the past few days from various information & topics at reddit/r/darkweb & reddit/r/DarkNet that using an email prefix is no longer a valid way of identifying that a particular forum has itself had a data breach.  Hackers and bots have now got more sophisticated and, rolling on the back of some very large breaches such as myspace/linkedin/avast/adobe/etc, they are now clever enough to identify domain email addresses which are using different prefixes at different forums.

It will explain why the email address I used for another forum suddenly started getting spam a few weeks ago out of the blue. I'd not been there in years, but I checked over there (http://usergroup.plus.net/forum/index.php/topic,7528.msg95722.html#msg95722) and it seems it may be similar to what has happened here.  There are only 2/3 people saying it's happened, but on reflection I think that is also something that may have happened after the avast hack, which did affect me.   So it appears whatever it is may also be happening on other [SMF?] forums.

It explains why after the larger breaches those sites warned to change passwords on other sites too.  Although they never mentioned why you should, it is now apparent that there are bots out there crawling other forums to see if they can get even more info.  I think some of us may have felt safe because we were using unique prefixes.

I thank andrue and others for alerting me.  I must admit that at first I was highly alarmed because at that time I too was under the impression that using prefixes was a way of identifying breaches. If there was something wrong or a hole somewhere then obviously I wanted to plug it.
However, as it stands my server is secure, and it also seems odd that normally with breaches you would expect everyone's email to have been disclosed and they usually leave behind other damage such as taking the whole forum down.

I think I'm putting this to bed now as there seems to be nothing more I can add.
Title: Re: Spam.. From you :(
Post by: AndrueC on July 31, 2017, 12:12:42 PM
Quote
What a load of nonsense.
Spam sends to random emails, it doesn't need to have been taken from this site.
Hardly ridiculous, and without wanting to stir up a hornets' nest, it might be useful to you to understand why this method is a reasonable (albeit now it seems flawed) means of identifying culprit sites.

I and several others here are using contact-specific email addresses. That is, every contact gets their own unique email address to communicate back to us. If I get spam where the email address is (*) something like this (this is hypothetical, not the real template):

sitespecific.kitz@mydomain.com

It is hardly a 'random' address. There should only ever be two entities that are aware of that address. In fact unless that is actually used to send me mail there will only be one entity (Kitz in this case). Nothing on my side even knows I've handed that address out. It won't be in my address book - ever - because I don't send myself email pretending to be other people. It will briefly be stored in my computer's RAM but otherwise there's no record of it there. The mechanism I use for these addresses actually uses wildcards to redirect the message so even my mail server doesn't have a record of that address.

Now if/when that address is used there will be a record of it in the server logs and for a while at least on my client machine. However it's still unlikely either of those could be the source of the leak because otherwise I ought to be getting spam to all my disposable addresses.

Now what's come out of this discussion is that it seems at some point in the distant past one of the low security web sites that I registered on ended up with the same user credentials as I used for Kitz. That site was hacked and later someone found that the leaked credentials from that site could also be used to log onto Kitz. So they did that, got the email address I was using here and sent me some spam.

But, technically (and absolutely not blaming Kitz) the methodology does still hold. I got sent spam because [my account on] Kitz was compromised. So whilst it might have caused some panic (for which I profusely apologise) my DEA system worked perfectly. It identified the source and allowed me to determine the cause and ensure appropriate steps were taken. All those of us using DEAs need to remember in such situations that the 'culprit' site might only be a step along the road, so we should avoid making accusations. Just work with them to investigate.

But my original post was not nonsense.

(*) Very important note: You cannot rely on your email client to tell you this. Your client gets that from the headers and they can be faked. You really need to have access to your server logs in order to see what the RCPT command used for the target mailbox was.
Title: Re: Spam.. From you :(
Post by: petef on July 31, 2017, 01:33:12 PM
AndrueC has shared his advice for tracking email origins when administrative access to the email server is available.

There are a couple of other ways of doing contact specific email addresses. Your email provider needs to support them.

https://en.wikipedia.org/wiki/Email_address#Subaddressing allows a tag to be inserted. For example joebloggs@gmail.com could use joebloggs+kitz@gmail.com. Gmail, Apple iCloud and outlook.com are some of the providers offering this.

https://en.wikipedia.org/wiki/Email_address#Local-part_normalization is limited to a handful of aliases. The dots in local-part are ignored in Gmail so joe.bloggs@gmail.com and j.o.e.b.l.o.g.g.s@gmail.com end up in the same inbox.

One caveat with subaddressing is that some web services have bugs in their validation rules for email addresses. I was unable to sign up with an insurance company on one occasion.
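Working out which contact an address was handed to, for the subaddressing and dot-normalisation schemes petef lists and for the wildcard own-domain scheme AndrueC describes, as an added example that is not code from the thread. The provider sets and the '<label>.<contact>@mydomain' layout are assumptions; the last two functions put the kind of validation bug petef mentions next to a check that accepts what RFC 5322 allows.

```python
import re

# Added example, not from the thread. Provider behaviour below is an
# assumption for illustration: these hosts treat '+tag' as a subaddress,
# and Gmail additionally ignores dots in the local part.
SUBADDRESS_PROVIDERS = {"gmail.com", "icloud.com", "outlook.com"}
DOT_INSENSITIVE_PROVIDERS = {"gmail.com"}


def canonical(addr):
    """Map a provider-hosted address to (real inbox, tag).

    'Joe.Bloggs+kitz@gmail.com' -> ('joebloggs@gmail.com', 'kitz')
    The tag is what identifies the contact the address was given to.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    tag = ""
    if domain in SUBADDRESS_PROVIDERS and "+" in local:
        local, _, tag = local.partition("+")
    if domain in DOT_INSENSITIVE_PROVIDERS:
        local = local.replace(".", "")
    return f"{local}@{domain}", tag


def dea_contact(addr, my_domain):
    """Wildcard own-domain scheme, assumed layout '<label>.<contact>@<my_domain>'
    (the thread's hypothetical 'sitespecific.kitz@mydomain.com' -> 'kitz').
    Returns None for mail addressed to any other domain."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain != my_domain.lower():
        return None
    return local.rsplit(".", 1)[-1]


# The kind of validation bug petef ran into: a home-grown rule that only
# allows letters, digits, dots and underscores, so every '+tag' address
# is refused at sign-up.
NAIVE_LOCAL = re.compile(r"^[A-Za-z0-9._]+$")

# What RFC 5322 actually allows in a dot-atom local part: runs of 'atext'
# characters (which include '+') separated by single dots.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = re.compile(rf"^{ATEXT}+(\.{ATEXT}+)*$")


def naive_valid_local_part(local):
    """The buggy check: rejects valid subaddressed local parts."""
    return bool(NAIVE_LOCAL.match(local))


def valid_local_part(local):
    """True for a syntactically valid dot-atom local part of at most 64 chars."""
    return len(local) <= 64 and bool(DOT_ATOM.match(local))
```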
Title: Re: Spam.. From you :(
Post by: AndrueC on July 31, 2017, 02:22:50 PM
Quote from: petef
One caveat with subaddressing is that some web services have bugs in their validation rules for email addresses. I was unable to sign up with an insurance company on one occasion.
Yah and at least one company - Samsung - does not allow its own name in the address. So I either have to register using 'samzung' or simply not bother at all (my preferred option :) )
Title: Re: Spam.. From you :(
Post by: flak on August 03, 2017, 05:22:31 PM
FYI the email address I used to register here which is unique to this site (i.e. used nowhere else) has also started receiving spam since 29/07/17 08:17.
Title: Re: Spam.. From you :(
Post by: Chrysalis on August 03, 2017, 06:49:37 PM
Given kitz has already changed her DB passwords, and assuming all admins are not compromised, I would say the only other possibility to consider would be the host itself being compromised, such as the root MySQL password, but it's still entirely possible these email accounts can get spam via other means of distribution.

I will change my email address to a unique one and monitor it, if I get junk I will then check my email logs on my email server to investigate more.
Title: Re: Spam.. From you :(
Post by: d2d4j on August 03, 2017, 07:20:35 PM
Hi

I would consider the host platforms not to be compromised and especially the root access to MySQL (which should be set standard as local only - no remote access)

Kitz's server is a VPS, which has additional segmentation and most likely has rootkit testing already set up.

I'm just at Skegness with family, but if kitz would like me to look, I would. But honestly, I do not believe this to be an issue, as it would appear only to be on 1 email as posted earlier, but may prove to be similar to others.

Many thanks

John
Title: Re: Spam.. From you :(
Post by: Chrysalis on August 03, 2017, 07:28:00 PM
Since you seem to have good knowledge of the hosting arrangements and can speak with confidence on the mechanisms in place, that's good to hear.  I was merely speculating, of course, on the possibilities, however unlikely they may be, and do agree that it's a lot more likely the spam came via unrelated ways of distribution.
Title: Re: Spam.. From you :(
Post by: d2d4j on August 03, 2017, 09:19:27 PM
Hi chrysalis

Many thanks, but sorry, I do not have, nor have I ever had, any access to kitz's platform/server/services, sorry.

I know how ISP/hosting platforms should be set up, and I know kitz's host, so they will be set up to a high degree as all platforms are, and will be systematically tested for rootkits (ours certainly are).

VPS servers are very highly segmented to each VPS, with monitoring on resources to attempt to stop any one (or more) VPS from bringing the server/platform down.

Please understand, as with everything, there could be new attack vectors which are unknown, so we never say 100%, just as users on their computers cannot 100% state they have never been/are currently infected, or can be 100% sure where any spam emails may have been sourced.

Headers would be good, but this would only show where the emails have originated (yes, headers can be stripped/manipulated, but the headers on the email can only be stripped on the sending server - if a spammer has set up their own SMTP server - however, the receiving server would add its headers in, which the spammers cannot manipulate, so the original sending details remain in many aspects of the details).

As I said, with only 1 report of spam (other reports have been looked into as per the thread) then it is very unlikely to be connected with kitz. If you have ever dealt with this issue or similar, they do not just use 1 or even 5 email addresses (if harvested); it's usually all as a one shot before it's highlighted, and on most hosted platforms, it happens very quickly.

I hope that helps and explains a little more of possibilities/reasons 

Many thanks

John
Title: Re: Spam.. From you :(
Post by: Chrysalis on August 03, 2017, 09:36:45 PM
The email server logs would, e.g., reveal if it's a dictionary attack, as you would see in the logs other random addresses for the same domain being tried as a recipient; someone without access to such logs would be completely unaware of this.

Regarding the hosting, I will mention I do server administration for a living and have over the years had multiple clients who run hosting companies, and will end it there. Also, not sure how much kitz wants us discussing her host here; she has mentioned in the past it's not a VPS though, as her website has too much traffic.
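Reading the envelope recipient out of the server logs, as AndrueC's note on the RCPT command recommends, and spotting the dictionary pattern Chrysalis describes; this is an added example, not code from the thread. The log lines are constructed in Postfix's format using reserved documentation addresses, and the regexes assume that format.

```python
import re
from collections import defaultdict

# Added example, not from the thread. Constructed Postfix-style log lines:
# one client hammers unknown recipients at the domain (the dictionary
# pattern), another delivers one message to a contact-specific address.
SAMPLE_LOG = """\
Jul 29 08:17:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <alice@mydomain.com>: Recipient address rejected: User unknown; from=<spam@example.net> to=<alice@mydomain.com> proto=ESMTP helo=<example.net>
Jul 29 08:17:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <bob@mydomain.com>: Recipient address rejected: User unknown; from=<spam@example.net> to=<bob@mydomain.com> proto=ESMTP helo=<example.net>
Jul 29 08:17:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <carol@mydomain.com>: Recipient address rejected: User unknown; from=<spam@example.net> to=<carol@mydomain.com> proto=ESMTP helo=<example.net>
Jul 29 08:17:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <dave@mydomain.com>: Recipient address rejected: User unknown; from=<spam@example.net> to=<dave@mydomain.com> proto=ESMTP helo=<example.net>
Jul 29 08:17:09 mx postfix/smtpd[1234]: 4F2C3A1B: client=unknown[203.0.113.9]
Jul 29 08:17:10 mx postfix/qmgr[99]: 4F2C3A1B: from=<offers@example.net>, size=812, nrcpt=1 (queue active)
Jul 29 08:17:10 mx postfix/local[1250]: 4F2C3A1B: to=<sitespecific.kitz@mydomain.com>, relay=local, delay=0.3, status=sent (delivered to mailbox)
"""

# Rejected RCPT commands: the connecting client's IP and the recipient tried.
REJECT = re.compile(r"reject: RCPT from \S+\[([\d.]+)\]:.* to=<([^>]+)>")
# First line of an accepted message: queue ID and connecting client.
CLIENT = re.compile(r": ([0-9A-F]+): client=\S+\[([\d.]+)\]")
# Delivery line: queue ID and the envelope recipient actually delivered to.
DELIVER = re.compile(r": ([0-9A-F]+): to=<([^>]+)>, .*status=sent")


def parse_log(text):
    """Return (rejects, delivered).

    rejects:   {client_ip: set of recipients the server refused}
    delivered: [(client_ip, envelope_recipient)] for accepted mail, joined to
               the sending client through the queue ID. The envelope
               recipient is what the RCPT command carried, which the To:
               header a mail client displays need not match.
    """
    rejects = defaultdict(set)
    client_of = {}  # queue ID -> client IP
    delivered = []
    for line in text.splitlines():
        if m := REJECT.search(line):
            rejects[m.group(1)].add(m.group(2).lower())
        elif m := CLIENT.search(line):
            client_of[m.group(1)] = m.group(2)
        elif m := DELIVER.search(line):
            qid, rcpt = m.groups()
            delivered.append((client_of.get(qid, "?"), rcpt.lower()))
    return dict(rejects), delivered


def dictionary_attack_clients(rejects, threshold=3):
    """Clients refused for more than `threshold` distinct recipients: many
    guessed names at one domain, which a mailbox owner never sees but the
    server log records."""
    return sorted(ip for ip, rcpts in rejects.items() if len(rcpts) > threshold)
```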
Title: Re: Spam.. From you :(
Post by: d2d4j on August 03, 2017, 10:05:11 PM
Hi chrysalis

Many thanks, and apologies, I was not meaning to cause any offence sorry. I do not know you nor you know me.

The server logs for email would not show as an attack in the real sense, as this would be mass spam sending (no attack is entered into to gain access), and on most mail platforms, backscatter is stopped (unless the client wants a reply to be sent stating email account unknown etc...), but most platforms are set by default to silently drop.

I would never discuss kitz server, as I would not discuss any server specifically. Rather just generalise sorry. That said, kitz has already confirmed it is a managed server, so all these aspects should have been implemented as a matter of course with managed duties of SA.

I was only trying to let people know I did not have any access, nor do I ask for any access to kitz.

I hope that clarifies and once again, I apologise if I caused upset. It was not my intention sorry

Many thanks

John
Title: Re: Spam.. From you :(
Post by: sevenlayermuddle on August 03, 2017, 10:10:16 PM
I thought we had established that use of unique email addresses is a bit irrelevant, and spam to such a 'unique' address no longer implies that the corresponding site has been compromised, or even that the user has been hacked.

These unique email addresses can be discovered by various other means, described earlier in thread,  without implying any attack at all - successful or not - on kitz's servers.
Title: Re: Spam.. From you :(
Post by: aruba on August 03, 2017, 10:29:17 PM
Quote from: sevenlayermuddle
I thought we had established that use of unique email addresses is a bit irrelevant, and spam to such a 'unique' address no longer implies that the corresponding site has been compromised, or even that the user has been hacked.

These unique email addresses can be discovered by various other means, described earlier in thread, without implying any attack at all - successful or not - on kitz's servers.
Would you not expect to see spam from other random email addresses if spammers were just trying random addresses? Kitz seems an odd word to pick at random and know that it would have any link to a certain email address/domain name.

I'm not saying there has been any breach (in fact I don't think there has been from what has been described) but it just seems like an odd coincidence that it all started at once for different users. Thankfully, I'm spam-free again after blocking the email address.
Title: Re: Spam.. From you :(
Post by: d2d4j on August 03, 2017, 10:35:46 PM
Hi

Sorry, my opinion is the opposite (and have seen it a lot). The more popular, the more likely it is to contain the domain

In a funny way, it shows the site is worth spending time on for the bad people, whereas a site which is not as popular, is not

I hope that makes sense but sorry if I am wrong.

Many thanks

John
Title: Re: Spam.. From you :(
Post by: sevenlayermuddle on August 03, 2017, 10:42:22 PM
Quote from: aruba
Would you not expect to see spam from other random email addresses if spammers were just trying random addresses? Kitz seems an odd word to pick at random and know that it would have any link to a certain email address/domain name.

I'm not saying there has been any breach (in fact I don't think there has been from what has been described) but it just seems like an odd coincidence that it all started at once for different users. Thankfully, I'm spam-free again after blocking the email address.

There is no suggestion that the spammers are trying random addresses.  If they were, it would be obvious to anybody who uses their own domain to create 'unique' addresses.

Simply, it transpires that spammers have the ability to discover 'unique' addresses: no server attack, no randomness, no brute force, no user account hacking.  And nothing, absolutely nothing, that Kitz or her hosts, or any other website owner, can really do about it.  It's all been explained earlier in thread.
Title: Re: Spam.. From you :(
Post by: kitz on August 04, 2017, 12:02:19 PM
I'm not really sure what else I can add.   Whilst I won't deny that there appears to be some sort of link for a few addresses, all I can do is confirm that my server appears to be secure and I have always done my utmost to ensure security of data.  Any patches are applied asap - usually the same day/night of release.

As explained by the reddit post using unique addresses is no longer a way to guarantee that a particular domain has been breached.  Bots are now sophisticated enough to be able to suss out that people are using website addresses in front of their domain names.

I myself very recently thought another website that I used to be a member of may have been breached, because I started getting spam about a month ago on a 'unique' address I use for the Plusnet usergroup -  You can see here (http://usergroup.plus.net/forum/index.php/topic,7528.msg95722.html#msg95722), a few others are saying the same thing, but PUG are also saying nothing that they can see their end.   The one thing I do know is that I have had email addresses breached from avast and a couple of the other major ones a few years back.   It's affected my PUG email, but not the one I use for my email on this site - the difference is I use very unique and strong passwords for this site.  My web@ gets lots of spam - always has done - but that is because it is pretty public, but even that did not appear on that list.

All I can do is apologise if you may have been caught up in this, but I really am not sure what else I can do or could have done.   You should be able to see from my reaction as soon as it was reported that I did take it seriously and investigated immediately.  I can honestly say it's not come about from lack of keeping up with updates, or any of my passwords being leaked... and any data held on my server is as secure as it can be.   I believe I have spent more time trying to look into this than most site owners would.

I guess the next step would be for me to use SSL, but please bear with me on that; my time is limited and tbh I'm unsure how to go about this due to the fact the forum has many linked non-SSL images.   I'm aware of LetsEncrypt but I also need to research how to make it work and if I still have to pay a fee for my hosts to set it up (from what I can see there is a fee for setting up SSL certificates which aren't their own).
Title: Re: Spam.. From you :(
Post by: kitz on August 04, 2017, 12:31:42 PM
Quote
Kitz seems an odd word to pick from random and know that it would have any link to a certain email address/domain name.

As explained earlier in far more detail how the bots do it - no, it's not.  Info is available on r/darkweb on how it's done.  They choose a forum then try their luck based on previous larger leaks.   So if, say, your avast@domain has ever been leaked then they try their luck elsewhere.  It's what I suspect has also happened at PUG.

They could be targeting SMF forums - I don't know and I stress that is a guess on my part... but PUG also uses SMF.