Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: 1 [2] 3 4 5

Author Topic: Spam.. From you :(  (Read 18614 times)

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Spam.. From you :(
« Reply #15 on: July 29, 2017, 08:31:04 AM »

Hi kitz

Kudos to you

I know you and many others would have expanded a lot of time to this investigation.

At least you know your uptodate as can be, which is some assurance but as with everything, is only for that date/time of check.

I hope you have a more relaxing weekend

Many thanks

John
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Spam.. From you :(
« Reply #16 on: July 29, 2017, 08:37:04 AM »

Thanks for investigating and explaining all this, it's always nice to understand the issue.

Curiously my own address, when entered into the hacked emails search, lists a leak form a forum that I have never heard of, and judging by its name, would not have ever been of any interest to me.  :-\
Logged

broadstairs

  • Kitizen
  • ****
  • Posts: 3697
Re: Spam.. From you :(
« Reply #17 on: July 29, 2017, 09:37:28 AM »

Interesting all this. I have never in 9 years had any spam from this forum. I also checked the hacked emails site and it showed5 references to one of my email addresses which does get spammed, however no references to another which gets more spam than the one with 5. Actually virtually zero spam gets past my mail hostings spam filters these day, the odd one or two usually about buying vans which I suspect is a UK company who have purchased a list of email addresses which mine is on.

I have always felt that this site is one of the safest to be on mainly because of the care and knowledge of the folks involved in running it, however I do realise there is no such thing as 100% security.

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

aruba

  • Member
  • **
  • Posts: 54
Re: Spam.. From you :(
« Reply #18 on: July 29, 2017, 09:42:40 AM »

I don't know if it helps or hinders, but I've started receiving spam today too - and like the OP it's a unique kitz-only address.

It's easy for me to block the address (and why I use unique addresses), but just means I block everything kitz-related.
Logged

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Spam.. From you :(
« Reply #19 on: July 29, 2017, 09:49:31 AM »

Hi

I hope you don't mind, as I do not want to take this off topic, but in general, most spam senders place a null reference so it reports if opened/received. It's a normal action for mass mail sending, legitimate or otherwise. If noted it has been opened/received, ergo address is live. That's all they need

All systems come under constant attack, on all services, email, hosting, ftp, ssh, rdc etc and we expand a lot of effort to keep things as secure as possible, such as IDS/IPS systems, and are automonitored to take action. An extract is below

There are a few genuine users who get caught out and totally banned, but these are dealt with manually to be unblocked (we do a full blanket ban of all services/systems if you trip the IDS/IPS systems)

As you can see and hope appreciate, it is not easy but generally we get it right most of the time. Hopefully and how do we know the extract is correct - we do not allow SSH

Many thanks

John

Jul 29 09:26:04 ns4 sshd[18095]: reverse mapping checking getaddrinfo for 50-235-128-175-static.hfc.comcastbusiness.net [50.235.128.175] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 29 09:26:04 ns4 sshd[18095]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.235.128.175  user=root
Jul 29 09:26:06 ns4 sshd[18095]: Failed password for root from 50.235.128.175 port 38684 ssh2
Jul 29 09:26:08 ns4 sshd[18095]: Failed password for root from 50.235.128.175 port 38684 ssh2
Jul 29 09:26:10 ns4 sshd[18095]: Failed password for root from 50.235.128.175 port 38684 ssh2
Jul 29 09:26:12 ns4 sshd[18095]: Failed password for root from 50.235.128.175 port 38684 ssh2
Jul 29 09:26:14 ns4 sshd[18095]: Failed password for root from 50.235.128.175 port 38684 ssh2
Jul 29 09:26:16 ns4 sshd[18095]: Failed password for root from 50.235.128.175 port 38684 ssh2
Jul 29 09:26:16 ns4 sshd[18095]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.
Logged

broadstairs

  • Kitizen
  • ****
  • Posts: 3697
Re: Spam.. From you :(
« Reply #20 on: July 29, 2017, 10:10:13 AM »

Just as a test I have changed my email address on here to a brand new one setup just for here and will not be used elsewhere. If I get spam to it I will report back.

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Spam.. From you :(
« Reply #21 on: July 29, 2017, 10:26:22 AM »

Hi

Sorry, just a polite note to all to ensure your password used is a secure password. Ideally it should contain upper/lowercase, numbers, at least 2 symbols (?!£€$¥) and be an uneven length (7,9,11 etc charters long). The reason for the uneven length is some software try to use 4 characters blocks as most are even characters

It is feasible the odd account may have been bruteforced and explains why only a few email addresses have been taken.

If this was a true db access, all email addresses would have been taken

Many thanks

John
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Spam.. From you :(
« Reply #22 on: July 29, 2017, 10:27:19 AM »

bear in mind dictionary attacks can get spam to unused email boxes as well.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Spam.. From you :(
« Reply #23 on: July 29, 2017, 11:00:50 AM »

I don't know if it helps or hinders, but I've started receiving spam today too - and like the OP it's a unique kitz-only address.

It's easy for me to block the address (and why I use unique addresses), but just means I block everything kitz-related.

Just to reiterate what kitz pointed out, if I understand correctly,  using a unique email address may not help.  If you use the same forum login id and password on more than one forum, and one of the other forums is hacked to reveal your forum login, the 'unique' email addresses held on all the other forums may easily be discovered, no hacking required, and no security breach required.

Check kitz's earlier post for full explanation. 
Logged

broadstairs

  • Kitizen
  • ****
  • Posts: 3697
Re: Spam.. From you :(
« Reply #24 on: July 29, 2017, 11:34:52 AM »

All my forums use unique passwords and all my passwords are a mixture of upper & lower case, numerics and special characters (sometimes) and are normally between 7 and 8 in length (yes sometimes 8). Userids are often reused but that is less likely to be an issue as long as p/w are different.

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Spam.. From you :(
« Reply #25 on: July 29, 2017, 12:26:33 PM »

From what it says on the link from reddit all it takes is a bot to have your username and password from a another previously compromised forum eg

User
Password
email:- ForumOne@yourdomain

Using the compromised User and Password the bot then crawls lots of other forums on the internet looking to see if those details allow it to log in anywhere else.   If it finds it can log in, then it will take any relevant info from that forum too.

So now its starting to build up a profile of the user

User
Password
emails :- ForumOne@yourdomain, ForumTwo@yourdomain, ForumThree@yourdomain

Owners of the bot are then selling this new information on the darknet.  This info has 2 possible outcomes.
1) A new list of emails that can be resold for spamming purposes.

2) The list of new info can then easily be further filtered and this I suspect is what oiulkjmnb1 is referring to when he says expensive and exclusive lists.  They can identify a list of people who use their domain name with a different prefix for each forum. 
If the prefix matches up in some part with the forum name its obvious what the user is doing and a list of those domains can be identified for the purpose of further ill gains such as
 - dictionary type spam attacks on the domain name
 - Using the domain name to spoof a load of spam mails to avoid blacklists
 - Someone even mentioned they could be used for spear phising?


What it does mean, is that even if you use a specific prefix with a specific forum that you can not say without doubt that the forum is the source of the breach.

I have investigated everything I can - and probably gone to a heck of a lot more trouble than most forums would -  but I can hand on heart say that I cannot see anything to suggest there has been a breach of our database.
If anything I suspect this may have come as a second wave attack from a breach of data elsewhere using one of the above methods on the back of same username. I do admit that its highly likely that a bot has visited this forum specifically looking for info, but the original breach has come from elsewhere and there is nothing I or any other forum owner can do to prevent this other than suggest you change your password and ensure separate passwords are used for different sites. :( 
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Spam.. From you :(
« Reply #26 on: July 29, 2017, 12:34:19 PM »

@jelv

Within the past couple of months receiving spam on an email address that I specifically use only for a certain usergroup.  Because I know you are a member there I wonder if you are seeing any spam via that forum which only started within the past month or so too?

Whilst I know that there 'may' have been a breach related to an event 10+ ago but I disposed of that email address and created another, its that second email address that has suddenly out of the blue started receiving spam. 
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

petef

  • Reg Member
  • ***
  • Posts: 135
Re: Spam.. From you :(
« Reply #27 on: July 29, 2017, 02:53:46 PM »

I would like to add a note of caution about the sites mentioned here that allow you to check for leakage of your email. Before using them do some research yourself to make sure they are legit. Bad guys may be running honest looking sites that are actually harvesting addresses.
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Spam.. From you :(
« Reply #28 on: July 29, 2017, 04:47:18 PM »

^ Good advice.   
https://haveibeenpwned.com/ is considered legitimate.

OK I have a bit more info.   
I've been doing a bit more digging and with the aid of my hosts, I can say that the only IPs used to access my server have belonged to either me or MISP (them).
Everything is as secure as it can be and there is no sign of anything on it being breached.   

I would stress that if anyone has any concerns they should change their password and ensure that same passwords are not used across multiple sites.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

aruba

  • Member
  • **
  • Posts: 54
Re: Spam.. From you :(
« Reply #29 on: July 30, 2017, 08:43:21 AM »

Just as a test I have changed my email address on here to a brand new one setup just for here and will not be used elsewhere. If I get spam to it I will report back.

Will be doing the same. I use a different user name, email address and password for every forum I sign up to. The password on this forum is 20 characters long.

Generally, I get around 3 spam messages a week - I've had eight in the last 24 hours using the kitz address.


https://haveibeenpwned.com/ is considered legitimate.

Second this, the guy who set it up is a well-known security researcher. The only downside is that it concentrates on data from large-scale breaches/dumps.
Logged
Pages: 1 [2] 3 4 5