FireFly Media Server › Firefly Media Server Forums › Firefly Media Server › General Discussion › WARNING Nasty Email
- This topic has 6 replies, 3 voices, and was last updated 17 years, 7 months ago by rpedde.
-
AuthorPosts
-
10/04/2007 at 11:00 AM #1260AnonymousInactive
Please be aware of the following. Yesterday I had an email which reported being from [email protected] which read as follows…
=============================================
Hello AdrianLock,You have received a new private message to your account on “Firefly Media
Server” and you have requested that you be notified on this event. You can view
your new message by clicking on the following link:http://forums.fireflymediaserver.org/privmsg.php?folder=inbox
Remember that you can always choose not to be notified of new messages by
changing the appropriate setting in your profile.—
Thanks, The Management=============================================
I went to the link mentioned above. It asked me to install a piece of software to allow me to view the message – which I accepted (silly i know). It then showed me an indecent movie but that was not all … after leaving the site my PC was rendered useless – 100’s of pop ups etc everywhere. This is despite the fact that I run Norton Internet security, CCleaner and Adaware – After investigation on the internet and a possible charge of $29.99 to remove what ever it was easier to simply reinstall everything.
👿 BE WARNED – IT WAS NOT A GOOD EXPERIENCE!!!!! 👿
Adrian
10/04/2007 at 11:36 AM #9962CCRDudeParticipantThat printed URL in itself is not the problem… probably that was just a link to a different page than the displayed one…
I remember I had a similar one, but immediately deleted it, so I can’t really say…If it really was a bad link, the question would be how this spam thing got 1. Rons email address and 2. all the target emails (if it had used the PM system, the link wouldn’t have been corrupted)…
Ron, since you’re running spam friend #1 (also called phpBB 😉 ), are you regularly updating it? I see a copyright of 2005 below… and phpBB really has a lot of security holes so that always installing the newest version is a MUST to not have the board hacked.
10/04/2007 at 12:09 PM #9963AnonymousInactiveRon, if you would like to investigate the offending message is still in my mailbox – Adrian
10/04/2007 at 2:53 PM #9964rpeddeParticipant@AdrianLock wrote:
Ron, if you would like to investigate the offending message is still in my mailbox – Adrian
Yes… I asked a couple people to forward it to me, but the forwards I saw weren’t hijacked links.
I’d sure like to see that email.
10/04/2007 at 2:53 PM #9965rpeddeParticipant@CCRDude wrote:
That printed URL in itself is not the problem… probably that was just a link to a different page than the displayed one…
I remember I had a similar one, but immediately deleted it, so I can’t really say…If it really was a bad link, the question would be how this spam thing got 1. Rons email address and 2. all the target emails (if it had used the PM system, the link wouldn’t have been corrupted)…
Ron, since you’re running spam friend #1 (also called phpBB 😉 ), are you regularly updating it? I see a copyright of 2005 below… and phpBB really has a lot of security holes so that always installing the newest version is a MUST to not have the board hacked.
The forwards on the emails I saw didn’t have a corrupted link.
10/04/2007 at 6:01 PM #9966CCRDudeParticipantHmmm… I found mine in the trash can after some further searching. You’re right, it looks like a plaintext mail, so no chance to hide anything in the linl.
My mailer did flag it as suspicious, but now that I look deeper into the headers that seems just to be the case because you use your own mail server that’s not on any of the standard whitelists.
Aaaaah…
Hmmm… well, if he went to the “link above”… that probably means the spyware/adware/malware link was inside the PM he received on the board, and not inside the mail at all!
I found it suspicious since I received that PM notification but there was no PM… the later was probably just because at that point, the spamming user was already deleted along with all his PMs?
So, to sum it up: the email seemed to be a perfectly legit notification of a PM (Private Message) received here on the board.
The contents of the private message is something completely different – it could have come from ANY member of this board, including spambots (which are well known to target phpBB since its the most widely spread free forum software).This is still a good argument to always update phpBB though, since these automated PMs wouldn’t be possible if the spambot would stay outside because he can’t automatically sign up.
10/04/2007 at 6:33 PM #9967rpeddeParticipant@CCRDude wrote:
Hmmm… well, if he went to the “link above”… that probably means the spyware/adware/malware link was inside the PM he received on the board, and not inside the mail at all!
I found it suspicious since I received that PM notification but there was no PM… the later was probably just because at that point, the spamming user was already deleted along with all his PMs?
Except I didn’t delete a user. My supposition was that the post was blocked due to content (a [url] block, probably), and didn’t actually get posted. (but the new pm email fired). And, I don’t believe deleting a user deletes pms (or posts). So I actually think the PM never got sent.
And the post was a regular PM, I’ve looked at the logs. It wasn’t a hack or anything, it was posted via the PM system.
So, to sum it up: the email seemed to be a perfectly legit notification of a PM (Private Message) received here on the board.
The contents of the private message is something completely different – it could have come from ANY member of this board, including spambots (which are well known to target phpBB since its the most widely spread free forum software).Although I didn’t think you could get malicious code into a PM. I looked at the database, too — there isn’t anything there.
This is still a good argument to always update phpBB though, since these automated PMs wouldn’t be possible if the spambot would stay outside because he can’t automatically sign up.
I had some hand-tweaked signup form stuff, but clearly not enough. I guess I’ll go back and add some more. Maybe a simple math check.
I hate spammers.
-
AuthorPosts
- The forum ‘General Discussion’ is closed to new topics and replies.