Hi all,
I have visited this site for some time, but only recently signed up, and I have enjoyed some of the benefits of your hard work. I don't believe that anyone involved in the running of this site is responsible, but I thought you would like to know.
I recently received an email from [email protected] titled "Re: Here is the document". It contains an attachment called document_full.pif and is infected with Netsky.D, which is a fairly old worm.
This concerns me only in that your mail server may be vulnerable, infected, or exploited, OR is someone spoofing your DNS?
The message header is:
Microsoft Mail Internet Headers Version 2.0
Received: from security-geek.net ([--IP---]) by <myserver>.security-geek.net with Microsoft SMTPSVC(--version----);
Sat, 30 Apr 2005 19:52:15 +0100
From: [email protected]
To: [email protected]
Subject: Re: Here is the document
Date: Sat, 30 Apr 2005 23:27:14 +0430
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_0000252A.0000342F"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: [email protected]
Message-ID: <[email protected]>
X-OriginalArrivalTime: 30 Apr 2005 18:52:19.0629 (UTC) FILETIME=[BC776DD0:01C54DB5]
------=_NextPart_000_0006_0000252A.0000342F
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
------=_NextPart_000_0006_0000252A.0000342F
Content-Type: application/octet-stream;
name="document_full.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="document_full.pif"
------=_NextPart_000_0006_0000252A.0000342F--
Just thought you might like to know. (And I have edited the internal network information in the header.)
Mails like this are very normal.
I'm sure the original host this email is coming from has nothing to do with xda-developers. If you take a look at the complete header of the mail you should be able to follow the path of the email.
Stefan
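Following the path of a mail through its Received headers, as Stefan suggests, can be scripted. The block below is an added example written for this thread; it is not code from the thread or from XDA. It parses a constructed message whose Received chain is modelled on the redacted headers quoted here (hosts and IPs are RFC 5737 placeholders), lists the hops oldest-first, and flags the two things worth a defender's attention in this thread: a sender whose HELO name claims to be the receiving domain (the 2005 header) and a sender the receiving MTA could not reverse-resolve (the "unknown [110.x.x.x]" hops). The `our_relays` parameter is an assumed way to exclude your own outbound relays.

```python
import re
from email import message_from_string

# Constructed sample message (placeholder hosts/IPs). Received headers are prepended
# by each relay, so the topmost one is the newest.
SAMPLE_RAW = """\
Received: from mail.example.com ([192.0.2.20]) by mx2.example.com
\twith Microsoft SMTPSVC; Wed, 29 Aug 2012 08:11:40 -0400
Received: from [203.0.113.45] (port=57501 helo=WWW-9763E06E580.org)
\tby mx1.example.com with esmtp (Exim 4.63)
\t(envelope-from <noreply@example.invalid>)
\tid 1T6h7P-000354-NH
\tfor xda@example.com; Wed, 29 Aug 2012 08:11:36 -0400
From: "Diablo III" <noreply@example.invalid>
To: <xda@example.com>
Subject: [EN]Diablo III Account Locked - Action Required

(body omitted)
"""

# Constructed sample modelled on the 2005 header: the sender greets our MX
# claiming to be our own domain.
SPOOF_RAW = """\
Received: from example.com ([198.51.100.7]) by mail.example.com with Microsoft SMTPSVC;
\tSat, 30 Apr 2005 19:52:15 +0100
From: user@example.com
To: user@example.com
Subject: Re: Here is the document

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Extract from-host, HELO name, IP and by-host from one Received header value."""
    v = " ".join(value.split())  # unfold continuation lines
    from_m = re.match(r"from\s+(\S+)", v)  # anchored: avoids matching 'envelope-from'
    by_m = re.search(r"\bby\s+(\S+)", v)
    helo_m = re.search(r"helo=([^\s)]+)", v)
    ip_m = IP_RE.search(v)
    frm = from_m.group(1) if from_m else None
    return {
        "from": frm,
        "helo": helo_m.group(1) if helo_m else frm,  # Exim style vs. sendmail style
        "ip": ip_m.group(1) if ip_m else None,
        "by": by_m.group(1) if by_m else None,
    }


def trace_path(raw):
    """Return hops oldest-first; hops[0] is the host that injected the mail."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    return [parse_received(r) for r in reversed(received)]


def suspicious_hops(hops, our_domain, our_relays=()):
    """Defender-side checks: (hop index, reason) for hops that look forged or unverified."""
    findings = []
    for i, h in enumerate(hops):
        helo = (h["helo"] or "").lower()
        frm = (h["from"] or "").lower()
        claims_us = helo == our_domain or helo.endswith("." + our_domain)
        # The injecting host greeting us with our own domain name, while not being
        # one of our relays, is the classic spoof sign seen in the 2005 header.
        if i == 0 and claims_us and helo not in our_relays:
            findings.append((i, "HELO claims our own domain: " + helo))
        # A bare IP or 'unknown' means the receiving MTA got no reverse DNS for it.
        if frm.startswith("[") or frm == "unknown":
            findings.append((i, "no reverse DNS for " + (h["ip"] or "?")))
    return findings


if __name__ == "__main__":
    for raw in (SAMPLE_RAW, SPOOF_RAW):
        hops = trace_path(raw)
        for i, h in enumerate(hops):
            print(i, h["from"], h["ip"], "->", h["by"])
        print(suspicious_hops(hops, "example.com"))
```

Only the Received line written by your own MTA (the first hop it adds) can be trusted; every hop before it was written by whoever handed the mail on and can be fabricated, which is why the checks above concentrate on hop 0.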
Hi there,
I have my own domain name. When signing up to websites, such as xda-developers, I use that site name as the "to" address for my domain name, i.e. [email protected]
This morning, I've received a spam email with subject "Subject [EN]Diablo III Account Locked - Action Required" to my xdadevelopers address at my domain.
Has there been a database compromise perchance? I've had a search through the forums here and don't see anyone else that has mentioned it as yet. The spam arrived about 3 hours ago from now.
It'd be a shame to have to close my account and devnull this email address, as I really love these forums and the great users herein.
Regards.
Update 1: It's certainly not a dictionary attack that I can see, as I haven't received any others of this nature to my catchall mailbox.
If it's any help at all, the headers show this as the sender host:
Received: from WWW-9763E06E580.net (unknown [110.103.67.128])
(Very likely unrelated to any alleged compromise attempts, if indeed a compromise even occurred.)
I have seen this reported a couple times before but no resolution as I recall. I have passed this on to one of the admins, hopefully he can take a look and let us know if this is a problem to be concerned about.
I'm not aware of any compromise of the database. What I can say is that we treat our members data with the utmost respect and this would certainly be a concern of ours, but I don't see any evidence of any kind of intrusion like that.
bitpushr said:
I'm not aware of any compromise of the database. What I can say is that we treat our members data with the utmost respect and this would certainly be a concern of ours, but I don't see any evidence of any kind of intrusion like that.
Thank you for checking that sir. I believe that in the other threads, it was suggested that someone might have posted their email and a screen-scraper harvested it, or perhaps their email was grabbed some other way, but nothing definitive ever came of it.
bitpushr said:
I'm not aware of any compromise of the database. What I can say is that we treat our members data with the utmost respect and this would certainly be a concern of ours, but I don't see any evidence of any kind of intrusion like that.
Thanks for that, and I respect that data is treated with complete secrecy. I've not used this address or posted it anywhere else. It's used solely to log in with, so I'm still a bit confused. I'll leave it for now, as it's only one example.
Regards.
Hi,
I'm in the exact same case: I use a per-site email on my domain, no dictionary attacks either (I have a catch-all so I see them), and I received the same mail.
Same mail, same kind of sender:
Thu, 16 Aug 2012 08:22:23 +0200 (CEST)
Received: from WWW-9763E06E580.org (unknown [110.103.67.40])
I can assure you that this email is not used in any screen-shot or anything else than logging in here.
This is quite annoying, and since I don't use the same header as the other one (mine is [email protected]) it really seems that the mail data is compromised.
Regards,
Tolriq.
As above, exactly the same spam email, although the email address I used to sign up here is more complex than just [email protected]
I'll keep the email around, in case anyone wants to follow up on it.
Could this perhaps be the result of the new theme showing user email addresses on member pages (Eg. somewhere on http://forum.xda-developers.com/member.php?u=3492510)? Even if it's corrected now, if it did at any point, spammers may have scraped the member list during that time.
I've also just gotten an email directed at my one-time use address used for registering at XDA. Something's up, check your logs you've been compromised. I highly recommend a notice and forced password reset.
Return-path: <[email protected]>
Envelope-to: xda@MYDOMAIN.COM
Received: from [110.103.66.127] (port=57501 helo=WWW-9763E06E580.org)
by [REDACTED] with esmtp (Exim 4.63)
(envelope-from <[email protected]>)
id 1T6h7P-000354-NH
for xda@MYDOMAIN.COM; Wed, 29 Aug 2012 08:11:36 -0400
From: "Diablo III" <[email protected]>
To: <xda@MYDOMAIN.COM>
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-Spam-Level: *****
X-Spam-Report: score=5.0 tests=CMAE_1, SHORTCIRCUIT version=3.3.1 cmae=v=1.1
cv=02sxpKrcaeIklPG9ikjtw9+Ix2dV+yAR3ckHHBRjlIA= c=0 sm=0 p=eKWGPzfAF9w9RlBXnosA:9
a=rfP7uN3eH0UA:10 a=SpdMY5nFWogA:10 a=IkcTkHD0fZMA:10 a=L-ISu7bKYZgA:10
a=jWLQlvoj7db9vSsTWhEWiQ==:17 a=blzCNhbTAAAA:8 a=3J15CkO5AAAA:8
a=xrJga5KMAAAA:8 a=HpAAvcLHHh0Zw7uRqdWCyQ==:117
X-Spam-Score: 5
Subject: [EN]Diablo III Account Locked - Action Required
I'll add a +1 to this (got phish with subject "[EN]Diablo III Account Locked - Action Required" trying to get me to visit a url on host us.diablo.net.zh-fot.in) . The unique address I used to register here in early 2008, while not super cryptic, is not as simple as [email protected] and likely would not be the left-hand part of anyone else's email addr, so likely would not have been derived from the phisher mixing-and-matching from different lists. It appears that they've successfully harvested xda member email addresses.
I can confirm that I've just got the phishing e-mail mentioned by other users here, on an e-mail account created and given exclusively to xda forum.
Code:
Received: from WWW-9763E06E580.org (unknown [110.103.67.201])
From: "Diablo III" <[email protected]>
To: <sax_xda-developers@xxxxxxxxxx.xxx>
Subject: [EN]Diablo III Account Locked - Action Required
Now I am in the process of making the current e-mail invalid and creating a new unique one.
We will see how it goes...
I can confirm this. I use [email protected] and haven't had any unusual mail to any other address on my domain.
SMTP From: [email protected]
---
Message-ID: <[email protected]>
From: "Diablo III" <[email protected]>
To: <[email protected][Redacted]>
Subject: [EN]Diablo III Account Locked - Action Required
Date: Wed, 29 Aug 2012 17:00:34 +0800
MIME-Version: 1.0
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
[Base64 Message Body Redacted]
+1 for me
Mail address used here is site specific, never used for anything else, cannot be dictionary generated.
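Several posters above use one tagged address per site on a catch-all domain, and "Update 1" makes the key check: a leak shows up as mail to exactly one issued tag, whereas a dictionary attack also hits local parts that were never handed out. The block below is an added example written for this thread (not code from the thread or from XDA) that turns that reasoning into a check over a constructed catch-all log. The tag registry, the log lines and the sender domain `phish.example` are all constructed; the only real string is the phishing subject quoted in the thread.

```python
from collections import defaultdict

# Constructed registry: local part handed out -> the one site it was given to.
ISSUED_TAGS = {
    "xda-k7q2": "xda-developers.com",
    "bank-p9m1": "bank.example",
    "shop-z4r8": "shop.example",
}

# Constructed catch-all mailbox log: (recipient local part, sender domain, subject).
CATCHALL_LOG = [
    ("xda-k7q2", "xda-developers.com", "Welcome to XDA"),
    ("xda-k7q2", "phish.example", "[EN]Diablo III Account Locked - Action Required"),
    ("bank-p9m1", "bank.example", "Your statement is ready"),
    ("shop-z4r8", "shop.example", "Order shipped"),
]


def third_party_mail(log, issued):
    """Messages to an issued tag whose sender is not the site that tag was given to.

    Sub-domains of the issuing site (e.g. mail.<site>) count as the site itself.
    """
    hits = defaultdict(list)
    for rcpt, sender, subject in log:
        site = issued.get(rcpt)
        if site is None:
            continue  # not an issued tag; handled by unissued_recipients()
        if sender != site and not sender.endswith("." + site):
            hits[rcpt].append((sender, subject))
    return dict(hits)


def unissued_recipients(log, issued):
    """Local parts that were never handed out; mail here points to guessing, not a leak."""
    return sorted({rcpt for rcpt, _, _ in log if rcpt not in issued})


def assess(log, issued):
    """Per-tag verdict.

    'leak'     - only issued tags receive third-party mail, so the address itself got out.
    'guessing' - never-issued local parts are being hit too, so the mailbox is being
                 sprayed and a hit on a tag is weak evidence on its own.
    """
    hits = third_party_mail(log, issued)
    sprayed = bool(unissued_recipients(log, issued))
    return {tag: ("guessing" if sprayed else "leak") for tag in hits}


if __name__ == "__main__":
    for tag, msgs in third_party_mail(CATCHALL_LOG, ISSUED_TAGS).items():
        print(tag, "->", ISSUED_TAGS[tag], msgs)
    print(assess(CATCHALL_LOG, ISSUED_TAGS))
```

The verdict is only as good as the registry: a tag that was also typed into a mailing list or pasted into a public post is no longer unique to one site, which is the "screen scraper" alternative discussed later in the thread.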
We have received several reports from users receiving spam and/or phishing emails to email accounts which were unique to their profile on our community. We feel that there are enough of these to indicate that at some point in the past there was some sort of information disclosure which exposed these email accounts. We are not aware of any particular information disclosure or what exact information may have been exposed.
That being said, we take our community members' information security seriously and continuously review our code and configurations for security vulnerabilities. We do, however, run 3rd party forum software and plugins which occasionally have public security vulnerabilities. We apply all patches as soon as they are available to ensure the security of our data and therefore of our community. Even so, there is always the chance that someone is using an unpublished security vulnerability to try to attack our forum and gain personal information.
Our forum, as with many others running similar software, is a target for hackers attempting to harvest personal data (email addresses, passwords, etc). We highly recommend that you use a unique password for each website you are signed up with, and change that password on a regular basis. For services that support two-factor authentication, enable this option for even more security and peace of mind.
If anyone has information relating to any sort of information disclosure or compromise, we encourage them to report them to the technical contact at http://www.xda-developers.com/contact/#technical
Thank you and as always, questions and comments are welcome.
I posted in the other thread about this but figured I'd chime in here as well. I also use my own [email protected] address just for this site. I've never posted the address publicly and I always make up new passwords for each site. Those are at minimum 8 random characters/numbers/symbols.
In the other thread it was proposed that an admin's/moderator's system may have been compromised and a screen scraper had seen our emails. I find this pretty unlikely since my last post before the ones about this was in March. Are you sure all the moderators/admins can be trusted not to have sold our information themselves?
I think enough people have reported this problem that you should acknowledge it on the homepage and ask if people receiving these emails can post back so you can get a real idea of how many peoples accounts have been compromised.
Until you have found the source of the leak, what is the point of changing our emails/passwords? They could just pull the new info again; besides, it's a PIA to keep changing my email address. Is anything being done about this, or are you just waiting for some good-willed hacker to email you at the address you posted?
Tann San,
I have a zero-tolerance policy about spam and about the information I trust to a site getting leaked all over the place,
but the only reason I've posted about it is to confirm that it indeed happened, after seeing bitpushr's post,
so the sysadmin(s) can look into it.
Having said that, please keep in mind that even if they find out what caused the leak this time and patch it,
that doesn't mean that it won't happen again in the future. So the least we (the members) can do
is to follow svetius' advice and keep different passwords for each service we subscribe to and different e-mail accounts
whenever possible, although most disposable e-mail services are sadly banned on this site -- obviously to fight spam accounts.
I hope that this can answer your question about why to change email/passwords this time (and every time after that).
I understand your frustration, it is indeed a PITA, but one can hope that whatever backdoor was open to our data, it is closed for now...
You misunderstood me, I do use different email addresses for all my logins, that's the benefit of having my own email server. I also use different random passwords for each account. What I meant was that it's annoying to change my email address here more than once since the leak hasn't been identified. For example, I can change it right now to another one but then whoever got our addresses already could go back and get my new email address, so then I have to change it again.
I don't really use my account here very often but I do read the RSS feeds/articles every day. I'm just saying that it seems a bit irresponsible to not let people know that their email accounts and who knows what other information has been stolen. That is also part of the reason I asked what was being done about this besides waiting for whoever it was to tell them how they did it.
Unfortunately "hoping" that the leak has been sealed is not a solution.
I wrote the screen scraper suggestion, and that's a pretty unlikely scenario since those are usually used against high value targets for banking info/logins. Most harvesters use the outlook address book or mine the browser cache of victim machines. The most likely explanation is that this was a sql injection attack on the forum software and probably took place "many moons" ago.
Ditto
Not sure if you want more confirmation, but I too have received Diablo III related phishing messages - to an address specific to this board.
My best bet is that someone sold a list of email addresses on...
Not a big issue for me as I'll just change my email address if the messages get too much. Going to change my password just in case, but I haven't noticed anything strange.
Good luck!
Rinkink said:
Not sure if you want more confirmation, but I too have received Diablo III related phishing messages - to an address specific to this board.
My best bet is that someone sold a list of email addresses on...
Not a big issue for me as I'll just change my email address if the messages get too much. Going to change my password just in case, but I haven't noticed anything strange.
Good luck!
XDA will never, ever ever ever sell E-mail addresses!
Rinkink said:
Not sure if you want more confirmation, but I too have received Diablo III related phishing messages - to an address specific to this board.
My best bet is that someone sold a list of email addresses on...
Not a big issue for me as I'll just change my email address if the messages get too much. Going to change my password just in case, but I haven't noticed anything strange.
Good luck!
We have looked for any suspicious activity carried out by authorised users, and have found nothing so far.
I'm currently working backwards through years of vBulletin emails to see if there's anything from the past that could be an issue.
Your actual password isn't stored on, or transmitted to, XDA. It's stored in a hashed and salted form, which is more than can be said for many high profile sites unfortunately that were in the news recently...
Still, we'll not be happy until we can work out what's happened, no matter how long ago or recently it may have been.
I guess "Off topic" is the right place for this.
Just got two emails from some unknown sender with the following message;
Greetings,
I hope this message meets you in good state of health? My name is [ Mrs Monalisa Cebile Nelson ], I'm young and adventurous woman, searching for a dependable and positive minded person. Actually I found your e-mail address from [ http://forum.xda-developers.com ] and specifically contact you for assistance in foreign partnership based on agreement for mutual benefit, also will very much acknowledge your immediate response please. I hope we can have a positive correspondence and also we can work collectively? Anyway I will intimate you more on that as soon as we get in contact. Please if you are interested do not hesitate to get back to me via [ [email protected] ] for more details and my pictures. Best regards with expectation to hear from you soon.
Mrs Lisa Nelson...
Any idea on this?
SKJoy2001 said:
I guess "Off topic" is the right place for this.
Just got two emails from some unknown sender with the following message;
Greetings,
I hope this message meets you in good state of health? My name is [ Mrs Monalisa Cebile Nelson ], I'm young and adventurous woman, searching for a dependable and positive minded person. Actually I found your e-mail address from [ http://forum.xda-developers.com ] and specifically contact you for assistance in foreign partnership based on agreement for mutual benefit, also will very much acknowledge your immediate response please. I hope we can have a positive correspondence and also we can work collectively? Anyway I will intimate you more on that as soon as we get in contact. Please if you are interested do not hesitate to get back to me via [ [email protected] ] for more details and my pictures. Best regards with expectation to hear from you soon.
Mrs Lisa Nelson...
Any idea on this?
The site isn't compromised - you've configured your profile to show this information publicly.
Your account settings are making a lot of contact information available - check out your profile page at http://forum.xda-developers.com/member.php?u=2123239 and go to contact info - there's a few email addresses showing up there. Your yahoo and own-domain emails are both appearing there - you may wish to not publicise such information on the site.
pulser_g2 said:
The site isn't compromised - you've configured your profile to show this information publicly.
Your account settings are making a lot of contact information available - check out your profile page at http://forum.xda-developers.com/member.php?u=2123239 and go to contact info - there's a few email addresses showing up there. Your yahoo and own-domain emails are both appearing there - you may wish to not publicise such information on the site.
It is good to learn that nothing bad had happened. I knew my email address is exposed, but it was a little strange someone might care to copy it from here and include in a mailing list in a random basis and it would take a lot of hard work to check and copy for all members here! Feeling special lol
SKJoy2001 said:
It is good to learn that nothing bad had happened. I knew my email address is exposed, but it was a little strange someone might care to copy it from here and include in a mailing list in a random basis and it would take a lot of hard work to check and copy for all members here! Feeling special lol
It will be a crawler - like search engines crawl pages for search terms, some crawlers trawl the entire internet for email addresses to spam. Unfortunate that it happens, but so is the internet these days... That's just ordinary spam, nothing more, nothing less.
So, I just came across this website, http://www.openeducationsa.com that has all sorts of instructional OPs copy/pasted from here at XDA, with the contributing members' name nowhere to be found. Instead, everything is "Posted by roma".
For example, HERE is a word-for-word copy of a tutorial that I originally posted HERE on XDA. It was copied the same day I posted it here, but " Posted by roma", with my name nowhere to be found.
After browsing through the site for awhile, I found several other posts by "roma" that I recognize from here, so chances are, if you've contributed anything here, it's being copied there, without any sort of acknowledgement that it's your original content.
Knowing how major websites operate, I suspect that 'openeducationsa' is, in fact, owned/operated by XDA, and simply exists as a means of generating more traffic. This is fairly common practice, and I have no problem with it. I do, however, have a problem when a user's work is directly copied, with no credit to the person who created it. That's blatant plagiarism, and is not cool.
Regardless of who is behind it, it needs to either be removed, or proper credit needs to be given for its (stolen) content. If XDA is not behind it, I expect the owners/operators to immediately send a cease and desist order.
Plagiarism is not acceptable.
Domain Name: OPENEDUCATIONSA.COM
Registry Domain ID: 1904904917_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2015-02-24T06:36:38Z
Creation Date: 2015-02-23T13:23:14Z
Registrar Registration Expiration Date: 2016-02-23T13:23:14Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID:
Registrant Name: mena saad
Registrant Organization:
Registrant Street: tanta
Registrant City: tanta
Registrant State/Province: AL
Registrant Postal Code: 32255
Registrant Country: United States
Registrant Phone: +1.201220301755
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: mena saad
Admin Organization:
Admin Street: tanta
Admin City: tanta
Admin State/Province: AL
Admin Postal Code: 32255
Admin Country: United States
Admin Phone: +1.201220301755
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: mena saad
Tech Organization:
Tech Street: tanta
Tech City: tanta
Tech State/Province: AL
Tech Postal Code: 32255
Tech Country: United States
Tech Phone: +1.201220301755
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: NS1.MALTOT.COM
Name Server: NS2.MALTOT.COM
DNSSEC: unsigned
@bitpushr
Thanks for the heads up. We have contacted Singlehop, who is hosting this site, with a DMCA complaint. I've also blocked them from our server as I believe they are just pulling our RSS feed.
Morningstar said:
Knowing how major websites operate, I suspect that 'openeducationsa' is, in fact, owned/operated by XDA, and simply exists as a means of generating more traffic. This is fairly common practice, and I have no problem with it. I do, however, have a problem when a user's work is directly copied, with no credit to the person who created it. That's blatant plagiarism, and is not cool.
Just to be clear we do not own/operate this site and we don't copy content anywhere else to try to get more traffic. We do however often deal with sites that copy our content; and have varying success with knocking them offline.
Nice find @Morningstar hopefully they will be able to successfully handle this.
bitpushr said:
Just to be clear we do not own/operate this site and we don't copy content anywhere else to try to get more traffic. We do however often deal with sites that copy our content; and have varying success with knocking them offline.
It's nice to know that XDA doesn't utilize such tactics, and that appropriate action has been taken.
This is a fantastic community, full of very talented individuals. People post things here with the intent of sharing it with others, but for them to copy it and not even so much as give proper credit is pretty low.
[emoji106] [emoji106] [emoji106]
Seems like my block worked for XDA. I see they are still pulling in content from other websites but it has stopped for XDA.
awesome
I actually just noticed they had copied one of my threads; it kind of popped out when one of my firmware files was downloaded over 2k times vs. just a few hundred for the others. It was the only file where they hot-linked it; they didn't even bother to re-up it somewhere else, just took my MediaFire link.
bitpushr said:
Seems like my block worked for XDA. I see they are still pulling in content from other websites but it has stopped for XDA.
Looks like there might be a bunch of these websites.
Previous:
http://www.openeducationsa.com
Just found this:
http://www.openeducationr.com
Yup, I confirmed 2 more as of yesterday. They pretty much copy threads in real time to get traffic.
cipherswitch said:
Yup, I confirmed 2 more as of yesterday. They pretty much copy threads in real time to get traffic.
Pathetic. Especially for a site(s) called "open education"....
There are many site packs out there, mostly for blackhats.
You select just some topics for your site, and the content is generated automatically by scraping websites / forums / RSS.
They are mostly used for traffic generation, SEO, advertising, or malware; in other words, easy money-making with the work of others.
I would be surprised if this were any different.
I just stumbled on this malicious impersonator/mirror of XDA; maybe you can take steps against it with the hosting provider. I have replaced the "tt" in http with "xx" to make the link non-clickable, as the site contains malware: hxxp://forum.datadevelopement.com/
@bitpushr
Thanks guys, another proxy site. They are blocked.
bitpushr said:
Thanks guys, another proxy site. They are blocked.
They are not a proxy; they impersonate XDA to spread malware. They copy all our posts and articles (our intellectual property), some of which have our real names attached to them, to spread malware (in our names). You should contact the authorities and at least the hosting provider and domain registrar.
godutch said:
They are not a proxy; they impersonate XDA to spread malware. They copy all our posts and articles (our intellectual property), some of which have our real names attached to them, to spread malware (in our names). You should contact the authorities and at least the hosting provider and domain registrar.
I would love to have the authorities go after them, but from experience they are not very interested in people like this. They use multiple hosting providers and multiple IPs to essentially fetch our site and automatically inject their own ads (and malware). It's a proxy and we are able to track which IPs they connect from, and block those IPs.
There are a few pages that they cache and are still serving, but typically they will shut down the site in a few hours.
Came across this thread when searching the above website. I am also seeing that the website is now showing up on XDA as well. If you do a search for the site name there are 193 results. Luckily my firewall blocked the website, but others may not be so lucky. Just wanted to give a heads up so the links can be removed or somehow sanitized.