
Address Registered on This Forum Leaked to Spammers


waugh


I registered in this forum with a disposable address. I have not given it to anyone else. Searching for it with Google produces no match. However, I received a spam on said address just now. I don't receive them often, but this one came right after I had posted something on here for the first time in a long time.

http://www.spamcop.net/sc?id=z4134377615z0...34d0f816350ce8z


I registered in this forum with a disposable address. I have not given it to anyone else. Searching for it with Google produces no match. However, I received a spam on said address just now. I don't receive them often, but this one came right after I had posted something on here for the first time in a long time.

http://www.spamcop.net/sc?id=z4134377615z0...34d0f816350ce8z

Hi Jack, thanks for reporting. The forum admin (Wazoo) will get back to you on this I am sure. There is no nexus between posting here and your forum registration address (unless you use your disposable address as the password as well). Can you clarify that you have received spam before at the disposable address?

The tracking URL you provide is spam touting a website gamezbonus.info (though the coding is messed up). Have you received spam promoting that site before that you know of?


I registered in this forum with a disposable address. I have not given it to anyone else. Searching for it with Google produces no match. However, I received a spam on said address just now.

Still a few research angles left to cover, but .... no evidence thus far that suggests anything bad happening 'here' ...

I don't receive them often, but this one came right after I had posted something on here for the first time in a long time.

I'm having some issues with your description. The timestamps of your Posts and the e-mail headers involved don't seem to me to be "right after" .. semantics, I'm sure, but things like narrowing down areas of the various log-files to be searching are based on the "when" involved of certain actions. For example, the suggested "right now" would imply some type of active mode of capturing/obtaining your data and doing something with it. The multiple-hour lag I see could more present a scenario of something like a bit of wireless data captured, then analyzed later for use of any 'found' details. Again, the actuality of the timing drives the analysis approach to different directions.

My account there went dead with the demise of the free accounts, but actually hadn't used it in quite a while. But looking at that example, there are several questions that come to mind. That the 'source' was allegedly another sneakemail user seems unusual. The 'tagging' of the From: address line seems very odd (to me)....

Anyway, if you want to follow the leads, go ahead and complain to the sneakemail folks as per the directions provided at Bulk Mailer Cracked Investigation. There is no connection, there has been no hack that I've seen thus far, no 'bulk-emailer' is in use, on and on.

On the flip side, there would be the issue of your system/network connection/configuration, security, your browsing tools and habits, things like that. No accusations made, just noting that there is no data available 'here' on your side of the connection that would offer much detail on your system's status.

I'll keep looking for signs.


Can you clarify that you have received spam before at the disposable address?

My Trash folder has one from 2010-06-10.

The tracking URL you provide is spam touting a website gamezbonus.info (though the coding is messed up). Have you received spam promoting that site before that you know of?

I have no idea whether I have received spam before touting that website. I never check what website, if any, they are touting.

Thanks for your interest in this case.


The timestamps of your Posts and the e-mail headers involved don't seem to me to be "right after".

I withdraw that part of the description. It's probably just a coincidence that right after I posted on this forum, I looked at my mail and saw the spam. The spam could have been sitting in my mailbox for a while before I saw it.

My account there went dead with the demise of the free accounts, but actually hadn't used it in quite a while.

I see, you mean your account at Sneakemail. (Aside: Do you regularly use a disposable address service that is still free? Which one?)

But looking at that example, there are several questions that come to mind. That the 'source' was allegedly another sneakemail user seems unusual.

What specific data are you looking at that make you say the source was allegedly another sneakemail user? The spam report says the source is 88.73.10.2, which `whois` places in Germany. Are you talking about the "From:" line? That gives the return address that Sneakemail composes for if I want to reply via Sneakemail to the original "From:" address.

The 'tagging' of the From: address line seems very odd (to me).

The "-at-" expression is one way Sneakemail shows the original "From:". For example, if you write to me with a "From:" address of "Walter Zookeeper <wazoo[at]dogsh**.com>", Sneakemail will pass me "Walter Zookeeper wazoo-at-dogsh**.com" <some sneakemail address>. Then if I reply to the Sneakemail address, Sneakemail will censor my real address from the mail and send it to you as coming from the same disposable address of mine that you used in writing to me.

Anyway, if you want to follow the leads, go ahead and complain to the sneakemail folks as per the directions provided at Bulk Mailer Cracked Investigation. There is no connection, there has been no hack that I've seen thus far, no 'bulk-emailer' is in use, on and on.

I do not understand why you are suggesting I contact Sneakemail. The events that their bulk_cracked document talks about involved an increase in spam coming from addresses people had registered with various services, and Sneakemail was suspecting that those services were using a common bulk mailing service, and that someone had stolen the addresses from the bulk server. But the case at hand involves only your service.

On the flip side, there would be the issue of your system/network connection/configuration, security, your browsing tools and habits, things like that. No accusations made, just noting that there is no data available 'here' on your side of the connection that would offer much detail on your system's status.

I have probably hundreds of disposable e-mail addresses and I get spam on only a few of them. Of course I get spam on those addresses that are published on the web (e. g., my address 7yipzdu02[at]sneakemail.com). But it's unusual for me to get it on addresses I only gave to one firm.

An exception is the address I gave to TD Ameritrade. I complained to Ameritrade about it, and they pooh-pooh'ed what I had to say. Eventually I got a notice that some bright lawyers had filed, and won, a class-action suit against Ameritrade for giving or leaking a bunch of their customers' e-mail addresses. As a class member, I could have gotten a free download of some antispam software; that was the compensation. I suppose the law firm got real money out of it, and I hope so, because Ameritrade should have kept their customers' addresses secret.

If there were some other way for the spammers to get my addresses, than a leak from your database, why wouldn't they get a much larger proportion of the ones I use?


...If there were some other way for the spammers to get my addresses, than a leak from your database, why wouldn't they get a much larger proportion of the ones I use?
Seems a reasonable assumption - your registration address would be no part of your posting activities on the forum. BUT if you have a watch on a topic then an advice is sent to your registered (Sneakemail) address of activity on the thread. Or if someone sends you a PM then similarly there is a notification to your registered address. So, has this forum sent you notifications?

I confess I originally thought of some sort of Sneakemail 'leak' when I saw those spam headers but the IP-address source doesn't seem to tie in to that idea (and you have now explained a bit more about how that system works) but still the [at]sneakemail.com "From:" address (which is not yours?) seemed a little uncanny (and still does). I suppose that "X-Sneakemail-Is-Sneakemail: yes" header (along with the other Sneakemail headers) is inserted by the receiving system (yours) - do you know?

Quite a puzzle, but your forbearance and assistance while it is investigated is appreciated - this is very important to the forum.


...if you have a watch on a topic then an advice is sent to your registered (Sneakmail) address of activity on the thread. Or if someone sends you a PM then similarly there is a notification to your registered address. So, has this forum sent you notifications?

Yes, it has.

. . . still the [at]sneakemail.com "From:" address (which is not yours?) seemed a little uncanny (and still does).

This is simply the way Sneakemail operates. When it receives a message for me, it modifies the headers of the message before forwarding to my real address. It changes the "From:" and "Reply-to:" so that if I make a quick reply, a design is followed the intent of which is to avoid my leaking my real address to my correspondent. In regard to your "which is not yours" parenthesis, I'll explain again. Sneakemail creates a disposable address for each correspondent who writes to me via Sneakemail. Sneakemail remembers this address in its database. If it receives any mail at that address, it assumes the mail is reply mail from me and that I intend it to be forwarded to my correspondent. Sneakemail forwards the reply to my correspondent, but mungs the From: address so the mail appears to have come from me at my Sneakemail address, that being the address the correspondent knows for me and has sent mail to me on. If you would like, I will demonstrate this. I can create an address at which you can write to me. I'll then give you the uncanny address at which, if you write to it, you will receive your own message, but it will appear to come from me. I tried another disposable-address service and it worked similarly. Do you use a disposable-email-address service yourself? Anyway, whether you think this practice is uncanny, it has nothing to do with how we should come to understand what the origin of the spam is, or how the spam community got my address, so far as I can see. If you still think this aspect is relevant to that question, I would like to understand your reasoning.

I suppose that "X-Sneakemail-Is-Sneakemail: yes" header (along with the other Sneakmail headers) is inserted by the receiving system (yours) - do you know?

I know that Sneakemail inserts the "X-Sneakemail-..." headers. I think the "X-Sneakemail-Is-Sneakemail: yes" header is intended as an aid to filtering by some recipients. Another Sneakemail header makes clear what the original "From:" header said.

The receiving system (mailwise) is the Spamcop webmail system. Sneakemail functions as an intermediary. The originating system is that network in Deutschland (DE).

Thanks for having followed up on this case, and I would be happy to clear up any further questions that come to your mind.

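The From:/Reply-To: rewriting that waugh describes in the post above (the "-at-" tag in the display name, the per-correspondent reply address, the real address being stripped from replies) modelled in Python. This is an added example, not part of the thread and not Sneakemail's own code; the domain sneakemail.example, the X-Forwarder-* header names (standing in for the X-Sneakemail-* headers mentioned in the thread) and the sample messages are constructed for illustration.

```python
"""Model of a disposable-address forwarder's header rewriting (constructed
example; not Sneakemail's code). The X-Forwarder-* header names and the
domain sneakemail.example are assumptions."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr


class DisposableForwarder:
    def __init__(self, service_domain, real_address):
        self.service_domain = service_domain
        self.real_address = real_address      # never exposed on outgoing mail
        self.aliases = set()                  # disposable addresses the owner handed out
        self.reply_aliases = {}               # reply alias -> (correspondent, alias they wrote to)
        self._n = 0

    def create_alias(self, label):
        """One disposable address per firm/forum, e.g. forum-1@sneakemail.example."""
        self._n += 1
        alias = f"{label}-{self._n}@{self.service_domain}"
        self.aliases.add(alias)
        return alias

    def _reply_alias(self, correspondent, disposable):
        """Reuse the per-correspondent reply address if one already exists."""
        for alias, pair in self.reply_aliases.items():
            if pair == (correspondent, disposable):
                return alias
        self._n += 1
        alias = f"reply-{self._n}@{self.service_domain}"
        self.reply_aliases[alias] = (correspondent, disposable)
        return alias

    def inbound(self, raw):
        """Mail arriving at a disposable alias, rewritten before forwarding to the owner."""
        msg = message_from_string(raw, policy=policy.default)
        disposable = parseaddr(str(msg["To"]))[1]
        if disposable not in self.aliases:
            return None                       # unknown alias: nothing to forward
        name, addr = parseaddr(str(msg["From"]))
        tag = addr.replace("@", "-at-")       # the "-at-" form the thread describes
        reply_alias = self._reply_alias(addr, disposable)
        fwd = EmailMessage(policy=policy.default)
        fwd["From"] = formataddr((f"{name} {tag}".strip(), reply_alias))
        fwd["Reply-To"] = reply_alias
        fwd["To"] = self.real_address
        fwd["Subject"] = str(msg["Subject"])
        fwd["X-Forwarder-Is-Forwarder"] = "yes"        # assumed name, cf. X-Sneakemail-Is-Sneakemail
        fwd["X-Forwarder-Original-From"] = str(msg["From"])  # original sender survives here
        fwd.set_content(msg.get_content())
        return fwd

    def outbound(self, raw):
        """The owner's reply to a reply alias, forwarded as if sent from the disposable address."""
        msg = message_from_string(raw, policy=policy.default)
        reply_alias = parseaddr(str(msg["To"]))[1]
        if reply_alias not in self.reply_aliases:
            return None
        correspondent, disposable = self.reply_aliases[reply_alias]
        out = EmailMessage(policy=policy.default)
        out["From"] = disposable              # the owner's real address is dropped here
        out["To"] = correspondent
        out["Subject"] = str(msg["Subject"])
        out.set_content(msg.get_content())
        return out


def demo():
    """Run one inbound notification and one reply through the model."""
    fw = DisposableForwarder("sneakemail.example", "owner@mailbox.example")
    forum_alias = fw.create_alias("forum")
    inbound_raw = (                           # constructed sample message
        "From: Walter Zookeeper <wazoo@forum.example>\n"
        f"To: {forum_alias}\nSubject: Topic reply notification\n\n"
        "A topic you are watching has a new reply.\n")
    fwd = fw.inbound(inbound_raw)
    reply_raw = (                             # the owner hits "reply" on the forwarded copy
        f"From: owner@mailbox.example\nTo: {parseaddr(str(fwd['From']))[1]}\n"
        "Subject: Re: Topic reply notification\n\nThanks, seen it.\n")
    out = fw.outbound(reply_raw)
    return fwd, out


if __name__ == "__main__":
    fwd, out = demo()
    print(fwd.as_string())
    print(out.as_string())
```

The point for anyone reading such headers during an investigation: the rewritten From: line names the forwarder's own domain and says nothing about where the message came from; the original sender is preserved in the forwarder's X- header, and the relay path is still in the Received: headers, which the forwarder does not rewrite.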

...Anyway, whether you think this practice is uncanny, it has nothing to do with how we should come to understand what the origin of the spam is, or how the spam community got my address, so far as I can see. If you still think this aspect is relevant to that question, I would like to understand your reasoning. ...
Just lack of knowledge on my part of how Sneakemail operates.

So it looks like there are (at least) two avenues of investigation - a direct 'break in' to the forum database (which would undoubtedly result in the widespread abuse of many mail accounts) or a more indirect intercept of outgoing forum-generated messages - which probably ties in better to the 'coincidence' of forum use and subsequent spamming. Whichever - Wazoo will be all over it to find any exploits that there might be.


I withdraw that part of the description. It's probably just a coincidence that right after I posted on this forum, I looked at my mail and saw the spam. The spam could have been sitting in my mailbox for a while before I saw it.

The Forum server time is set to GMT -4. (Actually, GMT -5 with Daylight Savings applied.) I see that JT/crew have changed the e-mail servers to be GMT.

Your Posts preceding the noticed spam were made at 06/11/2010 - 10:30:43 and 06/11/2010 - 10:59:14 which would be approximately 1430 and 1500 GMT .... The e-mail headers of the spam show 11 Jun 2010 14:32:48 ... so the timing seems pretty much on target.

However, the last hacking attempt that seemed to focus on 'account date' was on the 6th, and the 3rd prior to that. Neither of those got anywhere, beyond chewing up cpu cycles. There is no sign of anything dastardly going on at or around the time of your Posts. I see you are using FireFox 3.6.3 under Ubuntu 10.04, which would rule out most of the Windows exploit issues.

It appears that sneakemail is using greylisting with no sign of 'automatic' whitelisting. Which actually is interesting, now that I look at it. One of the notifications from this Forum took four attempts over almost two hours, another three attempts over one hour to make it through the greylisting/resend sequence. If we try to run with the apparent coincidence of time involved, how the hell did the spammer's e-mail make it through so fast?

Bottom line, thus far, I can find no sign of anything given up by this Forum application. I will keep looking around, as time permits (which is really short at present). At this point, the only place I can see that's anywhere near obvious that your credentials would show up would be during the login process, and you haven't yet ruled out things like a wireless connection being used, nor described any kind of other network association. MDU through Qwest, so I'm going to assume that something like tethering through a cell-phone isn't in use, but then again, that's an assumption.

I do not understand why you are suggesting I contact Sneakemail.

You made the accusation that the 'leak' came from here. I wanted to make sure that you know that you are welcome to make the complaint if it will make you feel any better.

I complained to Ameritrade about it, and they pooh-pooh'ed what I had to say. Eventually I got a notice that some bright lawyers had filed, and won, a class-action suit against Ameritrade for giving or leaking a bunch of their customers' e-mail addresses.

At present, there are but a couple of folks with access to the data in question. One hasn't been heard from in many, many moons, the other two have replied in this Topic/Discussion. You are not being pooh'ed here, said after many hours of perusing system log-files looking for any evidence or possibilities. The suggestion is a very serious matter, never mind the personal issue of the lengths taken to make sure this server/application/etc. remains as secure as possible.

If there were some other way for the spammers to get my addresses, than a leak from your database, why wouldn't they get a much larger proportion of the ones I use?

Tough question to answer, seeing as how I can't identify an issue here. On the other hand, if there was a compromise here, I would think that you'd not be the only person complaining about the issue at present. There have been a few others over the years that made this same claim, but again, I could not find anything to back it up. There was a hack-in-progress that I stopped years ago that had some folks going with the user details being stolen, but ..... the timing was such that I halted the hack before any damage was done (as compared to other IPB Forums that were totally wiped out or otherwise defaced/destroyed.)

Anyway, will continue to search at this end as time allows. Have spent way too much time already, but again, this possible scenario is important to me also.

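The timeline check Wazoo performs in the post above (forum post times shown on a GMT-4 clock converted to GMT, compared against the message's own timestamps, with the greylisting delay of the forum notifications as the odd detail) done in Python. This is an added example, not the forum's own tooling; the two sample messages, their hosts, and the 192.0.2.x / 198.51.100.x addresses are constructed, and only the forum post times quoted above are taken from the thread.

```python
"""Timeline check of the kind described above, as a constructed example
(not the forum's tooling): convert forum post times (server clock at GMT-4)
to UTC and measure how long a message took from its Date: header to its
final Received: hop. The sample headers below are made up."""
from datetime import datetime, timedelta, timezone
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

FORUM_TZ = timezone(timedelta(hours=-4))   # forum display clock: GMT-4 (GMT-5 plus DST)


def forum_time_to_utc(stamp):
    """'06/11/2010 - 10:30:43' as the forum shows it -> aware UTC datetime."""
    local = datetime.strptime(stamp, "%m/%d/%Y - %H:%M:%S").replace(tzinfo=FORUM_TZ)
    return local.astimezone(timezone.utc)


def hop_times(raw):
    """Date: header plus the timestamp of each Received: hop, oldest first.
    Each relay prepends its Received: header, so the list is reversed."""
    msg = message_from_string(raw, policy=policy.default)
    times = [parsedate_to_datetime(str(msg["Date"]))]
    for hop in reversed(msg.get_all("Received", [])):
        # the date sits after the last ';' of a Received: header
        times.append(parsedate_to_datetime(str(hop).rsplit(";", 1)[1].strip()))
    return times


def transit_seconds(raw):
    """Seconds from the Date: header to the final delivering hop."""
    times = hop_times(raw)
    return (times[-1] - times[0]).total_seconds()


def seconds_after_post(raw, post_stamp):
    """Seconds between a forum post and the message's Date:; negative means the mail predates the post."""
    return (hop_times(raw)[0] - forum_time_to_utc(post_stamp)).total_seconds()


# Constructed samples. The notification shows the multi-hour delay a
# greylisting forwarder introduces through temporary rejections and resends;
# the second message was accepted on its first attempt.
NOTIFICATION = """\
Received: from forwarder.example (forwarder.example [192.0.2.20])
 by mx.recipient.example with ESMTP; Fri, 11 Jun 2010 16:21:05 +0000
Received: from forum.example (forum.example [192.0.2.10])
 by forwarder.example with ESMTP; Fri, 11 Jun 2010 16:20:40 +0000
Date: Fri, 11 Jun 2010 14:35:02 +0000
From: forum@forum.example
To: forum-1@forwarder.example
Subject: Topic reply notification

A topic you are watching has a new reply.
"""

QUICK_MESSAGE = """\
Received: from forwarder.example (forwarder.example [192.0.2.20])
 by mx.recipient.example with ESMTP; Fri, 11 Jun 2010 14:33:51 +0000
Received: from unknown (HELO sender) ([198.51.100.7])
 by forwarder.example with ESMTP; Fri, 11 Jun 2010 14:33:30 +0000
Date: Fri, 11 Jun 2010 14:32:48 +0000
From: someone@sender.example
To: forum-1@forwarder.example
Subject: hello

text
"""

if __name__ == "__main__":
    for label, raw in (("notification", NOTIFICATION), ("quick message", QUICK_MESSAGE)):
        print(label, "transit:", transit_seconds(raw), "s;",
              "after the 10:30:43 post:", seconds_after_post(raw, "06/11/2010 - 10:30:43"), "s")
```

A few minutes between a post and a message's Date: header is the "coincidence" the thread discusses; comparing transit times across messages to the same forwarder is how one notices, as Wazoo did, that a message which skipped the greylisting delay behaved differently from the forum's own notifications.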

I don't expect we shall ever find out the cause of this case. It seems to be isolated both at your end and at mine.

I run an open wireless network. Currently, the computer is wired to the router, but the wireless function of the router is turned on. Some neighbors of mine use it for free. In the past, some of the traffic from my computer also went wireless.

Maybe the technologists who supply addresses for spam have distributed malware that configures network interfaces on infected computers so the malware can snoop packets having arbitrary destination addresses?

I just realized that I have been administering my account at Sneakemail over "http:" instead of "https:".

I will change my address registered with this forum to a fresh disposable address.


WOAH! I just noticed a note I had written to myself to remind me that the address used here had been used with another outfit. It was years ago, but I still give that the highest probability as the cause of the "leak" to the spamming community.

My current practice is never to reuse an address.

Sorry to have wasted your time. Very sorry.


Archived

This topic is now archived and is closed to further replies.
