WARNING Nasty Email

Viewing 7 posts - 1 through 7 (of 7 total)
  • #1260
    Anonymous
    Inactive

    Please be aware of the following. Yesterday I had an email which reported being from [email protected] which read as follows…

    =============================================
    Hello AdrianLock,

    You have received a new private message to your account on “Firefly Media
    Server” and you have requested that you be notified on this event. You can view
    your new message by clicking on the following link:

    http://forums.fireflymediaserver.org/privmsg.php?folder=inbox

    Remember that you can always choose not to be notified of new messages by
    changing the appropriate setting in your profile.


    Thanks, The Management

    =============================================

    I went to the link mentioned above. It asked me to install a piece of software to allow me to view the message – which I accepted (silly, I know). It then showed me an indecent movie, but that was not all … after leaving the site my PC was rendered useless – 100’s of pop-ups etc. everywhere. This is despite the fact that I run Norton Internet Security, CCleaner and Adaware. After investigation on the internet and a possible charge of $29.99 to remove whatever it was, it was easier to simply reinstall everything.

    👿 BE WARNED – IT WAS NOT A GOOD EXPERIENCE!!!!! 👿

    Adrian

    #9962
    CCRDude
    Participant

    That printed URL in itself is not the problem… probably that was just a link to a different page than the displayed one…
    I remember I had a similar one, but immediately deleted it, so I can’t really say…

    If it really was a bad link, the question would be how this spam thing got 1. Ron’s email address and 2. all the target emails (if it had used the PM system, the link wouldn’t have been corrupted)…

    Ron, since you’re running spam friend #1 (also called phpBB 😉 ), are you regularly updating it? I see a copyright of 2005 below… and phpBB really has a lot of security holes so that always installing the newest version is a MUST to not have the board hacked.

    #9963
    Anonymous
    Inactive

    Ron, if you would like to investigate the offending message is still in my mailbox – Adrian

    #9964
    rpedde
    Participant

    @AdrianLock wrote:

    Ron, if you would like to investigate the offending message is still in my mailbox – Adrian

    Yes… I asked a couple people to forward it to me, but the forwards I saw weren’t hijacked links.

    I’d sure like to see that email.

    #9965
    rpedde
    Participant

    @CCRDude wrote:

    That printed URL in itself is not the problem… probably that was just a link to a different page than the displayed one…
    I remember I had a similar one, but immediately deleted it, so I can’t really say…

    If it really was a bad link, the question would be how this spam thing got 1. Ron’s email address and 2. all the target emails (if it had used the PM system, the link wouldn’t have been corrupted)…

    Ron, since you’re running spam friend #1 (also called phpBB 😉 ), are you regularly updating it? I see a copyright of 2005 below… and phpBB really has a lot of security holes so that always installing the newest version is a MUST to not have the board hacked.

    The forwards on the emails I saw didn’t have a corrupted link.

    #9966
    CCRDude
    Participant

    Hmmm… I found mine in the trash can after some further searching. You’re right, it looks like a plaintext mail, so no chance to hide anything in the link.

    My mailer did flag it as suspicious, but now that I look deeper into the headers that seems just to be the case because you use your own mail server that’s not on any of the standard whitelists.

    Aaaaah…

    Hmmm… well, if he went to the “link above”… that probably means the spyware/adware/malware link was inside the PM he received on the board, and not inside the mail at all!

    I found it suspicious since I received that PM notification but there was no PM… the latter was probably just because at that point, the spamming user was already deleted along with all his PMs?

    So, to sum it up: the email seemed to be a perfectly legit notification of a PM (Private Message) received here on the board.
    The contents of the private message is something completely different – it could have come from ANY member of this board, including spambots (which are well known to target phpBB since it’s the most widely spread free forum software).

    This is still a good argument to always update phpBB though, since these automated PMs wouldn’t be possible if the spambot would stay outside because he can’t automatically sign up.

    #9967
    rpedde
    Participant

    @CCRDude wrote:

    Hmmm… well, if he went to the “link above”… that probably means the spyware/adware/malware link was inside the PM he received on the board, and not inside the mail at all!

    I found it suspicious since I received that PM notification but there was no PM… the latter was probably just because at that point, the spamming user was already deleted along with all his PMs?

    Except I didn’t delete a user. My supposition was that the post was blocked due to content (a [url] block, probably), and didn’t actually get posted. (but the new pm email fired). And, I don’t believe deleting a user deletes pms (or posts). So I actually think the PM never got sent.

    And the post was a regular PM, I’ve looked at the logs. It wasn’t a hack or anything, it was posted via the PM system.

    So, to sum it up: the email seemed to be a perfectly legit notification of a PM (Private Message) received here on the board.
    The contents of the private message is something completely different – it could have come from ANY member of this board, including spambots (which are well known to target phpBB since it’s the most widely spread free forum software).

    Although I didn’t think you could get malicious code into a PM. I looked at the database, too — there isn’t anything there.

    This is still a good argument to always update phpBB though, since these automated PMs wouldn’t be possible if the spambot would stay outside because he can’t automatically sign up.

    I had some hand-tweaked signup form stuff, but clearly not enough. I guess I’ll go back and add some more. Maybe a simple math check.

    I hate spammers.

  • The forum ‘General Discussion’ is closed to new topics and replies.