Email addresses leaked?


5 replies to this topic

#1 user440

user440

    Advanced Contributor

  • Forum Member
  • 158 posts

Posted 01 August 2017 - 10:21 AM

I have my own domain and set up an 'alias' email address anytime I sign up for a new site. My email address here, for example, is gorc@xyz.com. Evidently the email address list has been leaked, as I have been receiving spam from various sources sent to my GORC address. Just advising the site admins here to take action to mitigate any further leak.


Mike Davis
 


#2 seamonkey

seamonkey

    Site Admin

  • Administrators
  • 518 posts

Posted 01 August 2017 - 02:10 PM

Hi,

 

When did this first occur? I will contact our backend admin to see if there's anything going on. Do you have any other details I can pass on to them?

 

Matt


Matt Hayes
GORC Board Member
Greensfelder Steward


#3 user440

user440

    Advanced Contributor

  • Forum Member
  • 158 posts

Posted 01 August 2017 - 02:20 PM

Thankfully I have only received two, but hopefully they can get in front of it. Here are the full details of both I have received (minus my full email address of course):

 

 

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

FIRST EMAIL - 7/31/2017

Return-Path: <Colegqomz@bezeqint.net>
Received: from [74.208.5.21] ([74.208.5.21]) by mx.perfora.net (mxeueus003
 [74.208.5.21]) with ESMTP (Nemesis) id 0Lbaxx-1dziy03XDP-00lGBE for
 <xyz@xyz.com>; Mon, 31 Jul 2017 20:55:08 +0200
Received: from bzq-198-168-31-128.red.bezeqint.net ([31.168.198.128]) by
 mx.perfora.net (mxeueus003 [74.208.5.21]) with ESMTP (Nemesis) id
 0MXXrk-1d5gVh3T0Q-00WRzh for < xyz@xyz.com >; Mon, 31 Jul 2017 20:55:07
 +0200
Received: from smtpd (localhost.localdomain [127.0.0.1])              by bezeqint.net
 (Postfix) with ESMTP id 72442C7D4CB5
 for < xyz@xyz.com >; Mon, 31 Jul 2017 21:55:05 +0300
Date: Mon, 31 Jul 2017 21:55:05 +0300
From: "Sharron Cole" <Colegqomz@bezeqint.net>
To: < xyz@xyz.com >
Message-ID: <9015234800.747522996158290990.JavaMail.root@bezeqint.net>
Subject: This stock is gonna go up 4 fold before the end of the week.
MIME-Version: 1.0
Content-Type: multipart/mixed;
                boundary="----=_Part_09208_12698062.2621165194455"
Envelope-To: < xyz@xyz.com >
X-UI-Filterresults: notjunk:1;

 

------=_Part_09208_12698062.2621165194455
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

I won't waste your time with nonsense. I'll get right to it...

One of my best friends who happens to be employed at the largest firm in =
new york told me that I should really consider buying a specific stock =
today.

Without going into specifics he told me that it's going to at least =
quadruple in price this week.

It's a small company that's basically trading at rock bottom prices, and =
after digging a bit more into it I think that they are about to make a =
really massive announcement any day now.

If you can get in at between 7 and 10 cents in the next few minutes I =
really recommend you jump on it quickly. It's trading under the symbol =
q,s,m,g (just the letters without the commas). Type this in your account =
to buy it.

Don't waste any more time because before the day is over I think it will =
be much, much higher so now is your chance.

Best Wishes,
Sharron Cole
------=_Part_09208_12698062.2621165194455--

 

 

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

SECOND EMAIL - 8/1/2017

 

Return-Path: <Anastasiazj@axtel.net>
Received: from [74.208.5.21] ([74.208.5.21]) by mx.perfora.net (mxeueus002
 [74.208.5.21]) with ESMTP (Nemesis) id 0M0BBa-1dOAML3CRg-00uLJr for
 <XYZ@XYZ.COM>; Tue, 01 Aug 2017 16:19:25 +0200
Received: from 189-210-191-115.static.axtel.net ([189.210.191.115]) by
 mx.perfora.net (mxeueus002 [74.208.5.21]) with ESMTP (Nemesis) id
 0LmdJF-1d42Pe2mSB-00aCfk for < XYZ@XYZ.COM >; Tue, 01 Aug 2017 16:19:25
 +0200
Received: from smtpd (localhost.localdomain [127.0.0.1])              by axtel.net
 (Postfix) with ESMTP id 01A8365058C8
 for < XYZ@XYZ.COM >; Tue, 01 Aug 2017 09:19:23 -0500
Date: Tue, 01 Aug 2017 09:19:23 -0500
From: "Anastasia" <Anastasiazj@axtel.net>
To: < XYZ@XYZ.COM >
Message-ID: <8322291223.197790772712051695.JavaMail.root@axtel.net>
Subject: How are you?
MIME-Version: 1.0
Content-Type: multipart/mixed;
                boundary="----=_Part_88443_53412638.3256772168706"
Envelope-To: < XYZ@XYZ.COM >
X-UI-Filterresults: junk:10;

 

------=_Part_88443_53412638.3256772168706
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi! How are you?
My name is Anastasia (or shortly Nastya), and I=92d love to know your =
name.
Do you visit this site oftentimes? I was hoping to talk to you in chat =
once but you left all of a sudden. Could you write me your address or =
send me a letter some day?
I believe we have a lot in common and talking to you will be much =
pleasure for me.

My email sesosuti@gmx.com

Looking forward to getting your letter,
Anastasia
------=_Part_88443_53412638.3256772168706--


Mike Davis
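
One way a recipient could triage headers like the ones posted above, added here as an example and not part of the original thread: it keeps only the Received hops stamped by the recipient's own MX, reports the client that connected to it, and maps the alias in Envelope-To back to the site it was issued to. `TRUSTED_MX`, `ALIASES` and `analyse` are assumptions, and the redacted recipient is written as the gorc@xyz.com alias the poster describes.

```python
import re
from email import message_from_string

# Headers of the first posted message (filter blob omitted). The redacted
# recipient is written as gorc@xyz.com, the alias the poster describes.
RAW = """\
Return-Path: <Colegqomz@bezeqint.net>
Received: from [74.208.5.21] ([74.208.5.21]) by mx.perfora.net (mxeueus003
 [74.208.5.21]) with ESMTP (Nemesis) id 0Lbaxx-1dziy03XDP-00lGBE for
 <gorc@xyz.com>; Mon, 31 Jul 2017 20:55:08 +0200
Received: from bzq-198-168-31-128.red.bezeqint.net ([31.168.198.128]) by
 mx.perfora.net (mxeueus003 [74.208.5.21]) with ESMTP (Nemesis) id
 0MXXrk-1d5gVh3T0Q-00WRzh for <gorc@xyz.com>; Mon, 31 Jul 2017 20:55:07
 +0200
Received: from smtpd (localhost.localdomain [127.0.0.1]) by bezeqint.net
 (Postfix) with ESMTP id 72442C7D4CB5
 for <gorc@xyz.com>; Mon, 31 Jul 2017 21:55:05 +0300
From: "Sharron Cole" <Colegqomz@bezeqint.net>
Envelope-To: <gorc@xyz.com>

"""

# Assumptions (not from the thread): the MX hosts the recipient trusts, and
# the alias-to-site register the domain owner keeps.
TRUSTED_MX = {"mx.perfora.net"}
ALIASES = {"gorc": "GORC forum"}
HOP = re.compile(
    r"from\s+(\S+)\s+\((?:\S+\s+)?\[?([0-9a-fA-F.:]+)\]?\)\s+by\s+(\S+)")

def analyse(raw):
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(dict(zip(("helo", "ip", "by"), m.groups())))
    # Received lines are prepended, so the newest is first. Only hops stamped
    # by our own MX are reliable; anything below them is sender-supplied.
    trusted = 0
    while trusted < len(hops) and hops[trusted]["by"] in TRUSTED_MX:
        trusted += 1
    if trusted == 0:
        raise ValueError("no hop stamped by a trusted MX")
    origin = hops[trusted - 1]  # oldest trusted stamp: the connecting client
    local = msg["Envelope-To"].strip("<> ").split("@")[0].lower()
    return {"alias": local, "issued_to": ALIASES.get(local, "unknown"),
            "origin_ip": origin["ip"], "origin_host": origin["helo"],
            "untrusted_hops": len(hops) - trusted}
```

The `origin_ip` value is what the receiving MX itself recorded, so it is the address worth passing to a site admin; the lower `Received: from smtpd ... by bezeqint.net` line cannot be verified by the recipient.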
 


#4 seamonkey

seamonkey

    Site Admin

  • Administrators
  • 518 posts

Posted 18 August 2017 - 06:55 AM

Here is what the host admins provided:

 

+++++

"I see no evidence that there was a recent leak. I reviewed server and account access logs, and see no successful connection attempts from unknown IP addresses. The server doesn't log every database connection, but the ability to connect to the database server is not easily available outside of connecting to the server hosting the databases first.

I also checked the dev server, and do not see evidence that there was a recent leak.

On both servers, I have run our malware scanner specifically on ALL gorc files (the scan runs nightly, but focuses on newly modified files), and the scans both came back clean.

In addition, I've changed database __________ on both servers, just as a precaution.

Based on the forum post, it does sound like a legitimate complaint. Based on Drupal security and permission settings, I don't see an opening for it to happen in Drupal or Civi interface."

 

 

+++++

 

GORC will be upgrading the forum once a new PHP version is installed that is also compatible with our current Drupal site config.

 

Matt


Matt Hayes
GORC Board Member
Greensfelder Steward


#5 user440

user440

    Advanced Contributor

  • Forum Member
  • 158 posts

Posted 18 August 2017 - 08:09 AM

Thank you for the reply. The good news is that to this day I still have only received the two emails above. Like I said, I only use the gorc@xyz.com email address for this site, but it looks like you've gone above and beyond to go through everything. Thanks again for fielding my inquiry.


Mike Davis
 


#6 CoffeeBananaBike

CoffeeBananaBike

    Newbie

  • Forum Member
  • 12 posts

Posted 22 November 2017 - 04:01 PM

Whoa! @user440

I have gotten an email like this too.

 

It was from bananabike@hoo.com

 

It read:

 

Hello Mr. CBB,

I'll get right to the point.

We know you love bikes.

We know you love bananas.

We know you love coffee.

 

You are under arrest for loving these things too much.

 

-The Police





