Web Hosting Talk







View Full Version : SPAM Email - Did anyone else get this spam email. [merged]


APX
04-19-2009, 09:26 AM
Did anyone just get, or has anyone gotten, a spam email like this?

Dear xxx@xxxxxx.xx,
You were sent a e-Card!
Click here and press Open to view it. [1]
lao lust proven
foamflower

excrescent ail austria cooley degree

deltoid massif
propitiate yipping capella monsanto


Links:
------
[1] bizhost1.com/bidden_heed7.jpg <<unlinked, as it's not safe to open>>

I ask because whenever I sign up anywhere I create a forward in cPanel to my email address. Great way to combat spam, 'cause then you know where it came from.

Reason I'm asking is because I have one for webhostingtalk as well. Interesting I just got a spam email sent to the email address (email forward), that I use for webhostingtalk.

No one but webhostingtalk will have this email address. I highly doubt they are selling my email address off to make a buck. My other option I thought of was when the site got hacked last month, email addresses got dumped on spam lists.

darkeden
04-19-2009, 09:29 AM
I got about 600 new spam emails after the hack, and I can check if you were on the list.

Sekweta
04-19-2009, 09:31 AM
I wondered how long it would take, and got my answer this morning.

I set up an email address solely for use with WHT forums that is not used anywhere else. I set up a unique email for every forum, mailing list and online shopping site I use, so if I get spam I know who sold my address, or whose servers got hacked. (hint: Oreck, the vacuum cleaner company, is apparently a big list-selling whore.)

I know the WHT hacker posted the user list on numerous file sharing sites.

Well, I just got my first spam to my (exposed) WHT address. It's a link to a virus masquerading as a greeting card from a friend.

Grrrrrrr.

Gary4gar
04-19-2009, 09:35 AM
Wrong Section!

andrew_t
04-19-2009, 09:35 AM
What email service do you use? Try GMail as it's very good at spam and virus filtering.

GNAX - Terrence
04-19-2009, 09:36 AM
I wondered how long it would take, and got my answer this morning.

I set up an email address solely for use with WHT forums that is not used anywhere else. I set up a unique email for every forum, mailing list, online shopping site, etc., that I use because if I start getting spam, I know what site is responsible for selling the list, or whose servers got hacked. (hint: Oreck, the vacuum cleaner company, is apparently a big list-selling whore.)

I know the WHT hacker posted the user list on numerous file sharing sites.

Well, I just got my first spam to what was - a link to a virus masquerading as a greeting card from a friend.

Grrrrrrr.

I also received this message;

Return-path: <mucilage8@schema.com>
Envelope-to: x.xxxx@northstorm.net
Delivery-date: Sun, 19 Apr 2009 09:17:32 -0400
Received: from ec2-79-125-54-70.eu-west-1.compute.amazonaws.com ([79.125.54.70])
by xxxx.*********** with smtp (Exim x.xx)
(envelope-from <mucilage8@schema.com>)
id 1LvWtn-0005UV-VU
for x.xxxx@northstorm.net; Sun, 19 Apr 2009 09:17:32 -0400
From: "e-Card.com" <mucilage8@schema.com>
To: x.xxxx@northstorm.net
Subject: Gena sent you an eCard
Date: Sun, 19 Apr 2009 13:12:41 -0100
Message-Id: <lOVtCxo6I8yDWFNR.agenda@gagwriter.com>
MIME-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit


sacrifice compositor slaughter ac dehumidify

Sekweta
04-19-2009, 09:39 AM
Wrong Section!

I know. But this is the only forum I hang out in at WHT and I consider the regulars here to be my online circle of friends. I was posting it for them mainly.

Sam Robertson
04-19-2009, 09:40 AM
Yes, I just got this as well. It was delivered to the email address that I used after the first hack.

Return-Path: <doreen7@blockade.com>
X-Original-To: wht@xxx
Delivered-To: wht@xxx
Received: from ec2-79-125-55-16.eu-west-1.compute.amazonaws.com (ec2-79-125-55-16.eu-west-1.compute.amazonaws.com [79.125.55.16])
by mail.xxx (Postfix) with SMTP id F06D140050
for <wht@xxx>; Sun, 19 Apr 2009 14:09:02 +0100 (BST)
From: "eCard.com" <doreen7@blockade.com>
To: wht@xxx
Subject: Wesley sent you an eCard
Date: Sun, 19 Apr 2009 20:08:03 +0600
Message-Id: <c7n8P9kOJhG58pxe.gemstone@arsenate.com>
MIME-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000008">
<font face="Tahoma, sans-serif, Verdana">Dear wht@xxx,<br />
You were sent a e-Card!<br>
<a href="http://bizhost1.com/REMOVED">Click here and press Open to view it.</a></font><br>
<font color="#fffff2">claudia wrack townsend deride snagging</font><br />
<br /> <font color="#fffff0">ndjamena berra nubile atreus alkali</font><br> <font color="#fffff9">reverse cacti capture</font><br><br />
</body>
</html>

Sekweta
04-19-2009, 09:41 AM
I also received this message;
From: "e-Card.com" <mucilage8@schema.com>
Subject: Gena sent you an eCard


Yup, that's the one. Only in my case it was Harriet that sent it. :(

GNAX - Terrence
04-19-2009, 09:42 AM
I know the WHT hacker posted the user list on numerous file sharing sites.

Grrrrrrr.

You have seen the list on these sites?

APX
04-19-2009, 09:44 AM
So it looks like emails were stolen as well and used. Well, good thing I used email forwards. If it continues, I will just create a new email forward.

Thanks for the replies.

Mekhu
04-19-2009, 09:45 AM
You have seen the list on these sites?

Majority of us have :(

gamernz
04-19-2009, 09:53 AM
Yes just checked and I received it.

Sekweta
04-19-2009, 10:07 AM
You have seen the list on these sites?

Yes.

The hacker included links to several different file sharing sites, claiming it was their whole user list. Like everyone else, I clicked the link. No password was required to access the data. I had to know if MY personal info was exposed.

I felt paranoid just seeing that list, and used a multi-pass file shredder to delete it.

Very disturbing.

Neil V
04-19-2009, 11:11 AM
Perfect. Don't visit a website for 2 years, and get led back to it by a spam email. And here I thought I changed all those addresses to junk ones...

Heh, 4 years with that email and this is my first spam email on my main account.

Hopefully that's the only one I get..

magicvorlon
04-19-2009, 11:52 AM
Yup, started getting spam this morning. I only use this particular email account at wht so it obviously came from the list.

My spam has been several greeting cards with a link which was masked to show a jpg card, but it was a .exe file. No I never ran it!!

Sekweta
04-19-2009, 12:19 PM
Heh, 4 years with that email and this is my first spam email on my main account.

Hopefully that's the only one I get..

Don't count on it. It's a brand new list chock-full of good email addresses.

It's Christmas time in Spammerville.

AquariusStorage
04-19-2009, 12:23 PM
I also just started getting spam to an email account that is only setup for webhostingtalk. Seems as if someone has decided to actually start spamming us WHT users :(

Sekweta
04-19-2009, 12:30 PM
Begs the question whether a spammer took the list himself, or someone else downloaded and sold it to him.

Only a moron would download a list known to be stolen, then spam the very people who know where he got it.

TonyB
04-19-2009, 12:47 PM
Received it as well.

darkeden
04-19-2009, 12:49 PM
no one else has been hit with 600 new emails like me? lol

coeplicltd
04-19-2009, 12:58 PM
Yep - i got 3 of them to each of my inboxes shrug

APX
04-19-2009, 12:59 PM
I only got one email....so far

bigbrother2008
04-19-2009, 01:26 PM
I got the same email and it's from an email that I use only on Web Hosting Talk :confused:

coeplicltd
04-19-2009, 01:27 PM
Maybe we are all now on lots of spam databases for spammers!

wrightconsulting
04-19-2009, 02:10 PM
Got one that is similar too. Reported it via SpamCop:

Received: from ec2-79-125-54-226.eu-west-1.compute.amazonaws.com ([79.125.54.226]:51402)
From: "eCard.com" <carboloy2@fleeing.com>
To: x
Subject: Marcelo sent you an eCard
Date: Sun, 19 Apr 2009 07:53:37 -0600
Message-Id: <XOY2__________________uate@pad.com>
MIME-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=3.5
X-Spam-Score: 35
X-Spam-Bar: +++
X-Spam-Flag: NO

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000001">
<font face="Tahoma, sans-serif, Verdana">Dear x,<br />
You were sent a eCard!<br>
<a href="http://bizhost1.com/centric_roof1.jpg">Click here and press run to view it.</a></font><br />

<font color="#fffff6">betwixt duke abate arrear</font><br /> <font color="#fffff9">bloodstain dyspeptic spook</font><br><br>
</body>
</html>

WH-Coach
04-19-2009, 02:13 PM
I got it too - interestingly I started getting spam from an email account I used to sign up for service with Server Beach about 3-4 years ago (sbeach@myemail) ... looks like email addresses are available for sale from Peer1 if the spammers didn't get all they needed from hacking the WHT database

Jamesx
04-19-2009, 03:59 PM
Hello,
I received two emails at around 10am est this morning. They arrived to two unique email addresses that have only been used for the Web Hosting Talk Forums.

I believe that this is a second stage attack targeting web hosts directly in order to build a massive bot farm and that the WHT hack may only have been to obtain this list of email addresses.

Here is the profile of the email. I'm sure that visiting the link will infect the pc with a very nasty virus that may be custom crafted.

The image filename appears to be a regular filename at first glance, but it is an assembled jumble of words with a few numbers that I'm sure is unique per email target so even if you avoid infection, you will be confirming that you got the email if you click the link.

Subject:
{Random Name} sent you an e-Card

Body:
Dear {Email Address},
You were sent a eCard!
Click here and press run to view it.
{Random words in white text}

The link is to:
bizhost1{dot}com/{Random Words and Numbers}.jpg

This is, of course, basic stuff.
"Don't click links in strange emails."

I would not have bothered posting except that the targets are WHT members and that means this may be something MUCH more nasty than porn spam.

Thanks!
James

Red Squirrel
04-19-2009, 04:03 PM
I doubt this is targeted. This is probably just a typical spam that everyone gets. The hallmark one has been around for quite a while.

Jamesx
04-19-2009, 04:14 PM
Yea, you are most likely correct.

The fact that these only arrived to completely unique email addresses that have never been published anywhere except inside the recently compromised WHT database should not be cause for any kind of concern.

Heck, what would the "bad guys" do if they rooted your PC and were able to get root login to all of your servers anyway?

Yep, don't worry about it.

IRCVPS dot com
04-19-2009, 04:14 PM
I doubt this is targeted. This is probably just a typical spam that everyone gets. The hallmark one has been around for quite a while.

well curiously enough, an associate and i also received identical emails from several user@domains pertaining to the same thing. click to download, then ownage of your system. i blocked the keywords on the network to prevent it further, but it was both to our registered emails for WHT. i personally think it's just the WHT hack morons selling/trading/giving away all our info ;)

Spookster
04-19-2009, 06:56 PM
Yep, I too got ecard spam and yes, I too have a unique address for each forum I sign up to so knew it was from here. Luckily only one spam so far, but the advantage of having a unique email address just for this forum is I can just delete it or change it to something else without worrying if it's used on any other forum.

Still annoyed that it appears the forum database got hacked though.

AquariusStorage
04-19-2009, 07:04 PM
I doubt this is targeted. This is probably just a typical spam that everyone gets. The hallmark one has been around for quite a while.

No, this is targeted specifically from the WHT database compromise.

anon-e-mouse
04-19-2009, 07:26 PM
Hello,
I received two emails at around 10am est this morning. They arrived to two unique email addresses that have only been used for the Web Hosting Talk Forums.

And this is your first post? Do you have other accounts maybe? ;)

GNAX - Terrence
04-19-2009, 08:12 PM
And this is your first post? Do you have other accounts maybe? ;)

Haha, get him...

Sekweta
04-19-2009, 08:30 PM
Yeah, especially since the join date is Apr 2009 and the hack was in March. :D

Jamesx
04-19-2009, 08:36 PM
Heh...of course I do. I have two. One I use for official business posts as the owner of a hosting company and the other I use when I'm asking what I know is a really dumb question and don't want it to reflect badly on my company. :P

This is the only other account I have created so I could post about this specific issue to keep a low profile without giving any clues to the guys who are using the compromised email addresses and who obviously are going to follow the thread.

I'm sure the standard policy is one account per human. I have reasonable reasons for the Company and Personal and would hope to have a bit of understanding on this one.

(I was trying to warn people, not plant a bulls-eye on my servers.)

You may wish to notify the community as a whole; I honestly think this is much bigger than a spam issue.

James

bear
04-19-2009, 08:40 PM
Heh...of course I do. I have two.

Seen this rule, have we?
"You are permitted a maximum of one account, active or inactive, regardless of how many companies you represent. If you choose to ignore this important restriction, all your accounts will be disabled."

How about contacting us on the helpdesk and get this fixed? ;)

Hang on a second.
I have two. One I use for official business posts as the owner of a hosting company and the other I use when I'm asking what I know is a really dumb question and don't want it to reflect badly on my company.
This is the only other account I have created so I could post about this specific issue

Is that now three accounts?

HostSentry
04-19-2009, 10:52 PM
I've been getting spammed considerably more too since the hack.

hangman21
04-20-2009, 01:18 AM
good thing i wasn't a member before this hack, i hate spam

sash
04-20-2009, 06:11 AM
No spam at all, not before the event, not after the event. It's a Gmail account used only for i-net forums, so -- in the event it'll get massively spammed, which I doubt -- I can drop it at any time. But anyway, Gmail has indeed a tremendous antispam filtering system.

sash

sash
04-20-2009, 07:04 AM
I doubt this is targeted. This is probably just a typical spam that everyone gets. The hallmark one has been around for quite a while.

From what I read, it resembles the Storm Worm in its classical later appearances.

Sekweta
04-20-2009, 07:42 AM
I doubt this is targeted. This is probably just a typical spam that everyone gets. The hallmark one has been around for quite a while.

The point was, it's being sent to email addresses that are not used anywhere other than WHT. When spam comes in to these addresses, it's pretty obvious the addresses got into the hands of blackhats from the WHT hack where their userbase was posted publicly.

anon-e-mouse
04-20-2009, 08:18 AM
Looks like the domain in question was recently registered.

http://whois.domaintools.com/bizhost1.com

sash
04-20-2009, 08:35 AM
Looks like the domain in question was recently registered.

http://whois.domaintools.com/bizhost1.com

IP Location - Beijing... I bet this site is full of most unpleasant things one can imagine. Is there any possibility to close it? On the other hand, you close this one, they'll set up another one etc. etc.

Lubeca
04-20-2009, 10:33 AM
Got about half a dozen so far, all sent to a Sneakemail address that I am using here and nowhere else.

Now off to kill the Sneakemail address and create another one - problem solved as far as I am concerned, but I do feel sorry for those of you who have signed up here using non-disposable addresses.

Lubeca
04-20-2009, 12:59 PM
Problem not solved... :-(

To change my email address I need to manually type in my password... which I can't remember as it's stored.

Tried to reset it only to find that the "reset password" process has stopped working. And of course I can't kill the old Sneakemail address (which is getting more spam by the second) before I've changed my address here... which I can't do because I can't reset my password (keep getting all sorts of odd error messages)

Hands-on Mark
04-20-2009, 02:30 PM
Got two here today.

Received: from ec2-79-125-53-202.eu-west-1.compute.amazonaws.com (ec2-79-125-53-202.eu-west-1.compute.amazonaws.com [79.125.53.202]

coeplicltd
04-20-2009, 02:31 PM
I've got 21 of them in my spam box now :P

JohnJ
04-20-2009, 03:14 PM
Well I just got 20 spam emails from CUSTOM_EGREETLOL.COM :eek:

darkeden
04-20-2009, 03:42 PM
Problem not solved... :-(

To change my email address I need to manually type in my password... which I can't remember as it's stored.

Tried to reset it only to find that the "reset password" process has stopped working. And of course I can't kill the old Sneakemail address (which is getting more spam by the second) before I've changed my address here... which I can't do because I can't reset my password (keep getting all sorts of odd error messages)

you can always do a javascript hack to show the letters. and I have gotten 200 spam emails so far XD.

mchristen85
04-20-2009, 04:32 PM
Well I just got 20 spam emails from CUSTOM_EGREETLOL.COM :eek:

<3 Gmail's spam filters. I just looked in my folder and I've got the same thing.

diligent
04-20-2009, 04:40 PM
Well I just got 20 spam emails from CUSTOM_EGREETLOL.COM :eek:
Those are the ones I received as well. I haven't received any other spam than that since the hack though.

Exitof99
04-20-2009, 06:39 PM
I use a catchall to monitor who passes user email addresses to third parties. I just noticed that I have received my first spam email to that address. To be specific, the address I gave to WHT was unique and no one else ever had this email address.

I imagine this is from the hacking attack.

From - Sun Apr 19 08:52:50 2009
Return-path: <doorknob9@phase.com>
Envelope-to: *UNIQUE EMAIL*
Delivery-date: Sun, 19 Apr 2009 07:49:51 -0500
Received: from ec2-79-125-51-93.eu-west-1.compute.amazonaws.com ([79.125.51.93])
by *SERVER NAME* with smtp (Exim 4.69)
(envelope-from <doorknob9@phase.com>)
id 1LvWSw-0004l9-Ll
for *UNIQUE EMAIL*; Sun, 19 Apr 2009 07:49:51 -0500
From: "e-Card.com" <doorknob9@phase.com>
To: *UNIQUE EMAIL*
Subject: Jeremiah sent you an e-Card
Date: Sun, 19 Apr 2009 15:48:55 +0200
Message-Id: <0wmbqjJmrHAbxJhR.occupant@schuylkill.com>
MIME-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=3.9
X-Spam-Score: 39
X-Spam-Bar: +++
X-Spam-Flag: NO

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000006">
<font face="Tahoma, sans-serif, Verdana">Dear *UNIQUE EMAIL*,<br>
You were sent a e-Card!<br>
<a href="http://<<edited>>">Click here and press run to view it.</a></font><br>

<font color="#fffff5">plenipotentiary astrophysical appetite qualify</font><br> <font color="#fffff2">merry settle acquiesce</font><br /><br> <font color="#fffff4">hester</font><br> <font color="#fffff5">scrape mensurable</font><br><br>
</body>
</html>

GCM
04-20-2009, 09:19 PM
I didn't get any. But, did get some spam tickets saying "F*** You!" coming from amazon systems.

WII-Aaron
04-20-2009, 09:52 PM
Hmmm...

Maybe you should all register new e-mails here and forward your old e-mails as described in the link below: Specifically Q7.

http://www.uceprotect.net/en/index.php?m=2&s=0

srobinsn
04-20-2009, 09:54 PM
I got 5 of them within 2 hours

Genjin
04-21-2009, 02:46 AM
I got 36 of them in the past 12 hours... it really annoys me. Is there a way to stop this? What is the recommendation about spam filters? I just want to block those CUSTOM_EGREETLOL mails; everything else should still go through without getting caught in the spam folder - how can I achieve that?

I tried some Spam Protection in the past that was supposed to be "self learning" but all it learnt was to annoy me with blocking all the wrong mails EVERY TIME (I'm active in Affiliate Marketing, so it mistook Merchant Notifications for Spam every time, even when I whitelisted the merchants....)

shannonlp
04-21-2009, 03:56 AM
At first I just read about the attack on WHT and thought, well, it's been a while since I was on the site. Now I get drawn back by internet headers. How bad is the overall leak of information? Has anyone had any real problems other than annoyance?

shannonlp
04-21-2009, 03:59 AM
An extra little bit of info about the spammer

Lookup has started ...


; <<>> DiG 9.4.2-P2 <<>> -x 79.125.53.181 any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62912
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 8

;; QUESTION SECTION:
;181.53.125.79.in-addr.arpa. IN ANY

;; ANSWER SECTION:
181.53.125.79.in-addr.arpa. 86400 IN PTR ec2-79-125-53-181.eu-west-1.compute.amazonaws.com.

;; AUTHORITY SECTION:
53.125.79.in-addr.arpa. 900 IN NS pdns6.ultradns.co.uk.
53.125.79.in-addr.arpa. 900 IN NS pdns1.ultradns.net.
53.125.79.in-addr.arpa. 900 IN NS pdns2.ultradns.net.
53.125.79.in-addr.arpa. 900 IN NS pdns3.ultradns.org.
53.125.79.in-addr.arpa. 900 IN NS pdns4.ultradns.org.
53.125.79.in-addr.arpa. 900 IN NS pdns5.ultradns.info.

;; ADDITIONAL SECTION:
pdns1.ultradns.net. 33566 IN A 204.74.108.1
pdns1.ultradns.net. 39841 IN AAAA 2001:502:f3ff::1
pdns2.ultradns.net. 29337 IN A 204.74.109.1
pdns3.ultradns.org. 28782 IN A 199.7.68.1
pdns4.ultradns.org. 28782 IN A 199.7.69.1
pdns4.ultradns.org. 28782 IN AAAA 2001:502:4612::1
pdns5.ultradns.info. 28787 IN A 204.74.114.1
pdns6.ultradns.co.uk. 28782 IN A 204.74.115.1

;; Query time: 11 msec
;; SERVER: 216.144.187.37#53(216.144.187.37)
;; WHEN: Tue Apr 21 03:57:10 2009
;; MSG SIZE rcvd: 430

shannonlp
04-21-2009, 04:03 AM
Not sure if it is the same person but the name server is actually on google
forums.opensuse.org/network-internet/403406-cant-connect-local-network-opensuse-11-1-a.html

This is a post of someone looking for tech support. What would the odds be that this is the culprit?

coeplicltd
04-21-2009, 04:28 AM
i am on number 76 still mounting up in my spambox :P

VINAX
04-21-2009, 06:49 AM
Today, I also received a lot of spam emails from "CUSTOM_EGREETLOL.COM"
I set a filter to block all of these emails in the spam filter system.

citricsquid
04-21-2009, 07:37 AM
I had over 100 of the custom_egreet emails, they're still arriving.

Seriously, even though I expected this to happen, I hoped it wouldn't, faith in WHT declines once again...

bear
04-21-2009, 07:49 AM
faith in WHT declines once again...

Explain that comment, please.
The list was in the wild so no calling it back, someone is exploiting the emails from that list, so how has WHT done anything to further "decline your faith"?

citricsquid
04-21-2009, 07:52 AM
Explain that comment, please.
The list was in the wild so no calling it back, someone is exploiting the emails from that list, so how has WHT done anything to further "decline your faith"?

I know this was always the case, but I somehow hoped nothing would come of it, or it'd just disappear. Before it was "Yeah, this could happen..." which was like "oh, wht :(" but now it has happened, it's reinforced what actually happened, before it wasn't as serious, because I wasn't affected, now I've received over 100 spam emails, which reinforces what happened.

maybe saying WHT has declined further was the wrong phrase, or way of wording it, but it's what I meant.

Ryan Williams
04-21-2009, 07:58 AM
So what actually happened here? Did the WHT user database get compromised or something?

Just to add to the existing complaints, I also use a special email address for every site I sign up for. In this case it was webhostingtalk.com@mydomain.com, so there's no doubt whatsoever it was here that the leak occurred.

I've received two emails thus far: one which seemed to link to a virus of some kind as the page was blocked by Avast!, and another which was generic spam.

citricsquid
04-21-2009, 08:03 AM
So what actually happened here? Did the WHT user database get compromised or something?

Just to add to the existing complaints, I also use a special email address for every site I sign up for. In this case it was webhostingtalk.com@mydomain.com, so there's no doubt whatsoever it was here that the leak occurred.

I've received two emails thus far: one which seemed to link to a virus of some kind as the page was blocked by Avast!, and another which was generic spam.

The database was hacked and a dump of all the users and their passwords (They were hashed, however the database included the key, so it is possible to 'decrypt' them, with brute forcing) the database was then posted around and most people got a copy. There was also a leak of the credit card details stored for paying for sticky topics in the advertising forums, something like 9,500 credit card details were taken (including cvv codes).

The spammer must have a copy of the database and be emailing every single email address repeatedly :(

There's more information on what happened in the threads at the top of the forum :)

Ryan Williams
04-21-2009, 08:59 AM
Wow, the credit card issue is crazy. Should be illegal to store such details IMO due to the possibility of compromise even on a well-maintained site like this.

Seeing as we're receiving spam emails and our credit card information may be in the hands of bastards, wouldn't it be an idea to send an email out informing all registered users of this, WHT?

Sekweta
04-21-2009, 09:09 AM
Wow, the credit card issue is crazy. Should be illegal to store such details IMO due to the possibility of compromise even on a well-maintained site like this.
That's why the PCI standard was developed. For recurring billings, it is impractical to NOT store credit card info.


Seeing as we're receiving spam emails and our credit card information may be in the hands of bastards, wouldn't it be an idea to send an email out informing all registered users of this, WHT?

Did you personally have a credit card on file with WHT? My guess is no, because I believe (someone correct me if I'm wrong) that WHT already notified those subscribers.

ChrisTech
04-21-2009, 10:33 AM
Today, I also received a lot of spam emails from "CUSTOM_EGREETLOL.COM"
I set a filter to block all of these emails in the spam filter system.

Same here, except I was using an external pop3 account where i can't set a filter for this (except in my email client). urgh!

Should have made an alias long ago, but I never expected WHT to be hacked...oh well, live & learn...

bear
04-21-2009, 10:45 AM
For the record, I was just looking in the Mailscanner "mailwatch" page, and it showed about 6 of these "CUSTOM_EGREETLOL" going to accounts on the server, and none are members here on WHT, guaranteed. It would appear everyone is getting them, not just members.

Not downplaying the possibility it's related, just stating fact.

Sekweta
04-21-2009, 10:59 AM
For the record, I was just looking in the Mailscanner "mailwatch" page, and it showed about 6 of these "CUSTOM_EGREETLOL" going to accounts on the server, and none are members here on WHT, guaranteed. It would appear everyone is getting them, not just members.

Not downplaying the possibility it's related, just stating fact.
It's a safe bet the WHT list has been merged into larger spam lists by now.

The one thing I do know for sure is, the only way this particular email address got into the hands of spammers was from the WHT hack. A co-worker also has a dedicated "used for WHT only" email alias, and spam finally started hitting that address late yesterday afternoon.

APX
04-21-2009, 11:21 AM
wow the spam is flooding in for me now....

thank goodness for email forwards...problem solved

back to 0 spam

dg2008
04-21-2009, 11:51 AM
I get loads a day and adding '%CUSTOM_EGREETLOL.com' to my spam list does nothing?

APX do you email forward them to a random address?

osv
04-21-2009, 11:53 AM
Explain that comment, please.
The list was in the wild so no calling it back, someone is exploiting the emails from that list, so how has WHT done anything to further "decline your faith"?

i got my first egreetlol spam mail today... the day after i logged into wht, for the first time in many months(over a year??)

the address it went to was used on this forum only, and i don't recall seeing any other spam going to that email address ever before.

so while my wht-exclusive email address may have been out in the wild all along, it's strange that i didn't notice it being hacked until i logged into wht yesterday...

i was forced to change the password when i logged into wht yesterday.

i was bummed to hear that wht had been hacked, and now i'm just hoping that it still isn't compromised.

LH-Danny
04-21-2009, 11:53 AM
I've been getting the following SPAM message today

Dear ***** @ lenohost.com,%CUSTOM_ZZBR You were sent a %CUSTOM_EGREETLOL!%CUSTOM_ZZBR Click here and press %CUSTOM_RUNZ to view it.%CUSTOM_ZZBR %CUSTOM_LOLRNDTIMES


Been getting one about every 5 minutes since 6AM this morning, it's currently 5PM now. That's a hell of a lot of SPAM.

I don't seem to be the only one on WHT getting this, either.

:mad:

APX
04-21-2009, 11:55 AM
I have one email address me@domain.com, and then I have email forwards going to that email address.

If i start to get spam on one of the forwards, I will just delete or rename the forward.

Andy

scripttester
04-21-2009, 02:38 PM
Did anyone just get, or has anyone gotten, a spam email like this?

Reason I'm asking is because I have one for webhostingtalk as well. Interesting I just got a spam email sent to the email address (email forward), that I use for webhostingtalk.

No one but webhostingtalk will have this email address.

I do the exact same thing.
And when the email address is compromised, I kill it. Which is what I have to do in this case.

Over the past couple of days I've been receiving tons of this:

Dear webhxxxxxxxxxxxx@xxxxxxxxxxxxxx.net,%CUSTOM_ZZBR You were sent a %CUSTOM_EGREETLOL!%CUSTOM_ZZBR Click here and press %CUSTOM_RUNZ to view it.%CUSTOM_ZZBR %CUSTOM_LOLRNDTIMES

scripttester

The Dude
04-21-2009, 03:00 PM
The link in the OP is very strange!!

bizhost1.com/bidden_heed7.jpg

That looks like a PICTURE, but if you click the link AN EXE FILE ATTEMPTS TO DL!! (I would not want to run it!)

diligent
04-21-2009, 03:05 PM
The link in the OP is very strange!!

<<url removed>>

That looks like a PICTURE, but if you click the link AN EXE FILE ATTEMPTS TO DL!! (I would not want to run it!)





Yeah I've seen files like this before. Many years ago, I opened what I thought to be a jpeg, but it was embedded with code made to reboot your computer. Luckily no harm was done to my system though, but who knows what this one here will do...

I clicked it and my AV correctly let me know it was a virus/trojan.

citricsquid
04-21-2009, 03:06 PM
It's easy to do, it can be done using php headers, htaccess and a few other methods. Just don't ever download an exe and run it, unless you're sure what it is. Do people still do that? :|
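A link that ends in .jpg says nothing about what the server will send; the response headers and the first bytes of the body do. As an added example (not from any poster in this thread; the function names, finding labels and both sample responses are constructed), a mail gateway or web proxy could compare the three like this:

```python
import posixpath
from email.message import Message
from urllib.parse import urlparse

# File signatures ("magic bytes") for the types relevant here.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "windows-executable"),  # DOS/PE header used by .exe files
]
EXT_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
            ".exe": "windows-executable"}
IMAGE_KINDS = {"jpeg", "png", "gif"}


def sniff(head):
    """Identify content from its first bytes; None if unrecognised."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return None


def disposition_filename(value):
    """Filename offered by a Content-Disposition header, or None."""
    if not value:
        return None
    m = Message()
    m["Content-Disposition"] = value
    return m.get_filename()


def check_download(url, headers, head):
    """Compare what the URL claims with what the server actually delivered.

    headers: dict with lower-case header names; head: first bytes of the body.
    """
    findings = []
    url_ext = posixpath.splitext(urlparse(url).path)[1].lower()
    claimed, actual = EXT_KIND.get(url_ext), sniff(head)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    fname = disposition_filename(headers.get("content-disposition"))
    if claimed and actual and claimed != actual:
        findings.append("magic_mismatch")
    if claimed in IMAGE_KINDS and ctype and not ctype.startswith("image/"):
        findings.append("content_type_mismatch")
    if fname and posixpath.splitext(fname)[1].lower() != url_ext:
        findings.append("filename_mismatch")
    if actual == "windows-executable" and claimed != "windows-executable":
        findings.append("executable_behind_non_exe_url")
    return findings


# Constructed responses: what a ".jpg" link of the kind described in this
# thread might return, next to a genuine JPEG.
DISGUISED = ("http://cards.example/word_word7.jpg",
             {"content-type": "application/octet-stream",
              "content-disposition": 'attachment; filename="ecard.exe"'},
             b"MZ\x90\x00\x03\x00\x00\x00")
GENUINE = ("http://cards.example/photo.jpg",
           {"content-type": "image/jpeg"},
           b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")

if __name__ == "__main__":
    print(check_download(*DISGUISED))
    print(check_download(*GENUINE))
```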

bear
04-21-2009, 03:09 PM
Please, for the sake of people reading after you, stop linking to these viruses. You're only making things worse.

4 removed from this thread and counting.

chaseideas
04-21-2009, 03:16 PM
I've received a few of these spam emails over the past month, I dropped my spam threshold on SpamAssassin and haven't received any in weeks.

JohnL
04-21-2009, 05:47 PM
I just got a number from %CUSTOM_EGREETLOL.com

Gotta love the SPAM. Not sure what I can do as I supplied my personal email. A lesson learnt I suspect.

Daniel15
04-23-2009, 12:19 AM
I'm getting them too... 10 or 20 per day right now. Lucky gmail is filtering them all as spam :P

All coming from %CUSTOM_EGREETLOL.com... Spammers fail at variable substitution I guess. :P

cedricd
04-23-2009, 11:56 AM
I've only gotten one so far:


Delivered-To: -@gmail.com
Received: by 10.210.133.14 with SMTP id g14cs754118ebd;
        Sun, 19 Apr 2009 11:18:51 -0700 (PDT)
Received: by 10.100.111.11 with SMTP id j11mr572455anc.19.1240165129616;
        Sun, 19 Apr 2009 11:18:49 -0700 (PDT)
Return-Path: <chilblain3@symptom.com>
Received: from ec2-79-125-54-187.eu-west-1.compute.amazonaws.com (ec2-79-125-54-187.eu-west-1.compute.amazonaws.com [79.125.54.187])
        by mx.google.com with SMTP id c23si9456746ana.0.2009.04.19.11.18.48;
        Sun, 19 Apr 2009 11:18:49 -0700 (PDT)
Received-SPF: neutral (google.com: 79.125.54.187 is neither permitted nor denied by best guess record for domain of chilblain3@symptom.com) client-ip=79.125.54.187;
Authentication-Results: mx.google.com; spf=neutral (google.com: 79.125.54.187 is neither permitted nor denied by best guess record for domain of chilblain3@symptom.com) smtp.mail=chilblain3@symptom.com
From: "e-Card.com" <chilblain3@symptom.com>
To: -@gmail.com
Subject: Perry sent you an e-Card
Date: Sun, 19 Apr 2009 15:15:49 -0400
Message-Id: <OPP6UNAe49vnrU1G.tanager@cezanne.com>
MIME-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000002">
<font face="Tahoma, sans-serif, Verdana">Dear -@gmail.com,<br>
You were sent a eCard!<br />
<a href="http://bizhost1.com/XXXestiture_XXXwnian0.-">Click here and press Open to view it.</a></font><br />
<font color="#fffff2">curtis</font><br> <font color="#fffff4">gould</font><br><br>
</body>
</html>


Thanks Perry for the nice eCard! :P

saadsalman
04-24-2009, 03:26 AM
I just got a number from %CUSTOM_EGREETLOL.com

Gotta love the SPAM. Not sure what I can do as I supplied my personal email. A lesson learnt I suspect.

Me too getting the same emails in junk but gmail filters them out cleanly.

Outlaw Web Master
04-24-2009, 11:39 AM
I'm not getting much spam these days.

owm

k3rnd
04-30-2009, 04:41 PM
I stopped by to change my wht email addy so I could kill my unique token addy and its now endless spam.

Doesn't seem to be a working interface to do that here. I change email in my profile, but it wants my password. And then it tells me the pw has to contain 7 characters. I was able to remove other useful stuff from my profile ;-)

Does the wht account get deleted when wht email gets bounced?

tia

-larry

AlphaCentauri
04-30-2009, 07:13 PM
Our forum was hacked at inboxrevenge.com, too. Some spam came to addresses only used for the forum, though it also came to addresses related to spam reporting that were never used on the forum.

Most of what we have received has been joe jobs promising child porn or malware -- exactly the sort of thing you'd expect folks like us to rush to report. It may be a former affiliate of a porn site who is retaliating after being booted off an affiliate program, or it may be an attempt to link email addresses to usernames on our forum.

An email list of anti-spammers -- or a list of hosting providers -- is not a very useful list for spamming. We're unlikely to buy anything, and quite likely to cause them trouble. Other than trying to lure you into reporting them, only spammers too clueless to know where the list came from would mail to your addresses. In fact, it would be more useful as a list of addresses to remove from spam email lists, to avoid sending spam to the hosting providers for their own websites.

Outlaw Web Master
04-30-2009, 07:41 PM
For the record, I was just looking in the Mailscanner "mailwatch" page, and it showed about 6 of these "CUSTOM_EGREETLOL" going to accounts on the server, and none are members here on WHT, guaranteed. It would appear everyone is getting them, not just members.

Not downplaying the possibility it's related, just stating fact.

I've never noticed any change whatsoever to the usual spam I get and have been getting for many years. It seems to spike then peter out. I think it's a little overzealous to put any onus on WHT and even verges on one of my favourite subjects of conspiracy theories. :D See my 9/11 poll in the social issues forum. :agree:

Spammers and spam software on a whole are getting more intelligent so of course spam will spike from time to time, then fizzle out as spam db's update. It's a game of cat & mouse.

owm

AlphaCentauri
04-30-2009, 11:30 PM
Spam volume has been insanely high the last few days on my addresses that usually get spam. We need someone to take out another McColo or something.

But as far as your addresses, they're poison to any email list. You know how to get a spammer's sponsor's hosting shut down and/or domain suspended. The fellow that hacked your forum certainly isn't going to expose any domain of a real sponsor by spamming you. He might expose a competitor's domain, but those types of joe jobs are short lived.

The question is whether the email addresses posted on web pages where spam harvesting bots will find them will end up being sold without the buyers realizing what they are. If it looks like you're getting the usual types of spam, I would recommend aggressively reporting. If every one of you reported every spam you received to those addresses, pointing out the address was obtained via criminal action and harvested via automated bots in violation of the US CAN-SPAM act and many other nations' antispam laws, you should be able to get a high percentage of their sponsors' websites shut down. Spammers will get the message. First they will retaliate by using your email addresses in the "from" fields, but then they will start looking for copies of that list to scrub their email lists.

scott1995
05-02-2009, 11:24 AM
darn I got the same email too, was gonna delete it but stupidly clicked the link on accident. Asked me to download an .exe, quickly exited out and virus scanner said it's a trojan. (It's backdoor.sdbot btw). I think it's ok that I didn't get the .exe, I've run 3 different virus scanners and I think I'm safe now.

AlphaCentauri
05-02-2009, 07:10 PM
If you're not using Internet Explorer and you've got javascripts turned off by default (e.g., using Firefox with Noscript), and as it sounds like your browser is set to always ask where to put a file before downloading it (so you can cancel unwanted downloads), you should be okay.

Still, there's always the small risk of a new browser vulnerability only the bad guys know about.

scott1995
05-02-2009, 11:28 PM
Yeah well a message by wht should be sent out, since it seems everyone here who is just here is getting the email. It's a backdoor trojan horse that is used to steal online passwords and bank information, so pretty serious. I've been checking my system, asking experts, and running scans the entire day because of this annoying trojan.

anon-e-mouse
05-03-2009, 03:35 AM
Yeah well a message by wht should be sent out, since it seems everyone here who is just here is getting the email.
No, not everyone here is getting it and not everyone in this thread received it either.

cedricd
05-04-2009, 02:01 AM
No, not everyone here is getting it and not everyone in this thread received it either.

I got it on an email used exclusively for WHT.

TDS-chriss
05-30-2009, 08:38 AM
Today I received a spam email addressed to my WHT email address.

This address is uniquely assigned to this forum, so I'm guessing the compromised data has now been assimilated into the spammer's exhaustive lists. Frankly surprising it's taken this long...

Anyone else see the same thing?

<<request for merge>>

MGCJerry
05-30-2009, 08:56 AM
I just started getting some today. Surprised it has taken this long.

Time to delete the wht@email and change it to a new one.

TDS-chriss
05-30-2009, 09:19 AM
Time to delete the wht@email and change it to a new one.
Agreed, except I can't seem to change the email. If the (optional) password field is empty, I get the "7 char limit" error. If the password field contains my current password, I get the "no can do for 365 days" error.

Now, where's this helpdesk I occasionally read about...

rois
05-30-2009, 10:35 AM
Agreed, except I can't seem to change the email. If the (optional) password field is empty, I get the "7 char limit" error. If the password field contains my current password, I get the "no can do for 365 days" error.

Now, where's this helpdesk I occasionally read about...

I believe it's here...

http://helpdesk.webhostingtalk.com/

Devilwolf
05-30-2009, 02:29 PM
Anyone else getting e-card viruses emailed to their WHT acct email address? I used a unique address when I signed up here and this morning I got two ecard virus emails to that address and ONLY that address.

According to Spamcop the email was sent from amazon.com to direct me to driveby malware site in Sweden.
http://www.spamcop.net/sc?id=z2952678353zab065e37963da45ccf1d99a9703994a5z

Maybe some of the Hosts on here that I've outed for being linked to organized crime (the same hosts that claimed they were going to sue for libel, and never did) are trying to get back at me.

If a spammer was doing a dictionary attack on my domain, I would have tons of spam since my domain forwards all email to the postmaster (me) even if no such address has been config'd.

Anyone else gotten any spam to same email address they used to register here?

darkeden
05-30-2009, 02:58 PM
remember the email list was hacked...... there was a thread about it already. some people got no emails i got 200...

AquariusStorage
05-30-2009, 03:00 PM
Also got the email today.... it got sent to my BlackBerry so go figure. Now if they only start sending emails with BlackBerry viruses. ...:blush:

MGCJerry
05-30-2009, 03:41 PM
Agreed, except I can't seem to change the email. If the (optional) password field is empty, I get the "7 char limit" error. If the password field contains my current password, I get the "no can do for 365 days" error.

Now, where's this helpdesk I occasionally read about...

Yup, I got that too and sent a ticket to the helpdesk. 6 and a half hours and counting.

I've never had much luck with a "helpdesk" on a forum based site, so we'll see how it goes here.

Disgruntled
05-30-2009, 03:44 PM
Yes, I also got one of these, sent from AMAZON-EU-AWS, malicious link at 194.146.204.44 hosted by nevacon.net. The only places I have used the address that received it have been Godaddy, Namecheap, and WHT. It appears that WHT is the common source of this address to the spammer.

Quartz
05-31-2009, 06:01 PM
This is why I hate Gmail. I rarely ever get these fun e-mails with the viruses and the what not :(

tk
06-02-2009, 10:56 AM
Wow, haven't been to this site in at least a couple years, maybe more. Brought back here, as some others have, due to the SPAM from the email I used only for this site. From reading some of the posts here, sounds like there was some hacker breach of the database a bit ago, that harvested all our email addresses. Nice.

I never received any sort of notification that this happened.

Sure would have been nice for WHT to have sent the membership an email announcing that this happened, so we could all take appropriate steps to mitigate the SPAM.
That would have been the proactive and customer-oriented thing to do.

I've changed my email (probably too late now) to a disposable Spamex email address, so now I can turn it off and on at will.

Next time, please let everyone know when your system has been hacked so we can take steps to prevent attacks as well.

citricsquid
06-02-2009, 10:58 AM
Next time, please let everyone know when your system has been hacked so we can take steps to prevent attacks as well.

They let everyone who had their credit card details stolen know, but not us ordinary members :(

anon-e-mouse
06-02-2009, 04:34 PM
Next time, please let everyone know when your system has been hacked so we can take steps to prevent attacks as well.

They let everyone who had their credit card details stolen know, but not us ordinary members :(
Everyone who had "Receive admin emails" set to "yes", received notification via the newsletter. You both have it set to "no" :)

Outlaw Web Master
06-02-2009, 06:27 PM
How come I never get spammed?

I always get left out. :confused:

It's like "Hey....us Scot's guy can read too you know!" I speak 3 different languages fluently and a couple of others not too badly either, so stop ignoring me.

Maybe I'm on the spammer people's blacklist.

Even when I was a kid at school I would have to wait till the football team were desperate enough for players before they'd pick me to play.

owm

tk
06-03-2009, 12:11 PM
Everyone who had "Receive admin emails" set to "yes", received notification via the newsletter. You both have it set to "no" :)

That would be because back when I was an active member on the forums, I would get useless emails from the forum, so I turned it off.

However, when personal information is stolen, and yes, email is personal information, the ethical thing to do would have been to notify EVERYONE whose personal information was stolen, not just some. Hiding behind having a 'switch' turned off is inappropriate in this situation. We are trusting the forum with our personal information, and if they are not able to properly protect it such that it gets stolen, the notification that this happened should override everything else. I would have readily welcomed such notification. I wouldn't have been happy about the breach in security, but I would have appreciated the importance of the notification.

Don't agree? Then why in this single topic, are there so many people that didn't know their personal information was stolen and are upset about only finding out because they started receiving SPAM? Maybe it doesn't matter to you, but it does to these people, and it does to me.

On a side note but somewhat related, why not provide a method in the control panel to delete (or at least disable) one's account?

I haven't even been on this site in the last 6 years. I forgot I was even a member long ago. :eek:

Food for thought.

MikeSpears
06-03-2009, 03:10 PM
Maybe report it to amazon's abuse department for the ec2 stuff?

SolidHost
06-04-2009, 11:29 AM
I'm glad I hadn't got it.. I'm a bit stupid, sometimes click them!

Mike V
06-04-2009, 01:43 PM
I'm glad I hadn't got it.. I'm a bit stupid, sometimes click them!
It wouldn't impact members with an account created after the database intrusion ;).

I have a WHT-specific address but haven't received any SPAM directed towards it yet.

AlphaCentauri
06-07-2009, 12:24 AM
Get a grip, folks. Getting spam is not some scary thing in itself. You can try to hide your email address from spammers. But an email address is no good to you unless you share it with someone you want to correspond with. And there's a good chance spammers will eventually get it from someone through social engineering, malware infections, or cracking sites like this. These guys are criminals, and getting your email address is the least of what they want. (They're pretty good at getting credit card numbers, too; since this site was attacked, my credit card company has sent me a new card two separate times due to unspecified security breaches, and I was not one of the people whose card number was stored here.)

Internet crime is completely out of hand because people have not considered it important enough to get involved. They may feel they themselves are safe if they filter their spam, don't open attachments, don't click on links in spam, don't fall for phishing emails, etc. But no one is 100% safe, and if the people sophisticated enough to be relatively safe don't get involved, the spammers can continue to expand their ability to attack the rest of us with more money and more hijacked computers at their disposal.

If you've never been targeted for retaliation by spammers before, welcome to the club. I hope whatever the folks on this forum did to this criminal to invoke such a vicious attack, it was something very painful to him.

Please consider joining the effort to cause some pain to criminals like him through whatever (legal) means are available to you.

NeilF
06-08-2009, 11:11 AM
Add me to this list...

Do we know if the addresses were stolen or sold?

Last time this happened to me, after some chasing it turned out they were sold...

coeplicltd
06-08-2009, 11:28 AM
Anyone getting spammed this afternoon? :P

So far 4 to my WHT address ;p

kevinml
06-08-2009, 12:20 PM
Add me to list

I used spamex to create specific email addresses to each forum board I sign up to and I received about 10 spam emails specially targeted to this WHT email address. And I just signed up recently.

Outlaw Web Master
06-08-2009, 12:36 PM
And I just signed up recently.

:clap: Welcome to WebHostingTalk.

It's a great place.

owm

nolanpro
06-08-2009, 02:27 PM
A bunch of spam this morning and I've only posted on this forum once before a long time ago. (used forum-specific email address of course)

I guess it's time to forward that email address to hell. Encoding db emails is a good way to go. Use 'highly' protected php or shell script file to decode.

Outlaw Web Master
06-08-2009, 03:02 PM
well....I just got a ton of spam...from this ip 79.125.53.54 and the others were 79.125.xx.xx

however, it was to an email address I've never used on wht.

maybe they're just psychic spammers and got lucky :)

Received: from ec2-79-125-58-107.eu-west-1.compute.amazonaws.com ([79.125.58.107])

Easiest way to deal with this is to ban that range.

owm

QwertyD
06-08-2009, 03:07 PM
14 so far, just for today.
Shiny! At least, that's what my anti-spam s/w provider says. :)

Quick tip:
So far, all waves of these are coming via Amazon's "Cloud" computing service (both the main USA IP blocks, and more recently thru their Irish block).

Amazon's service is a nifty idea, and is used for legitimate purposes, however, for most of us, it's both safe and wise to just block 'em, both for email and web access (i.e. via htaccess for us Linux hostees).

Here's Amazon's Cloud IP blocks, in IP range, then CIDR formats:

67.202.0.0 - 67.202.63.255
72.44.32.0 - 72.44.63.255
75.101.128.0 - 75.101.255.255
79.125.0.0 - 79.125.63.255
174.129.0.0 - 174.129.255.255
216.182.224.0 - 216.182.239.255

67.202.0.0/18
72.44.32.0/19
75.101.128.0/17
79.125.0.0/18
174.129.0.0/16
216.182.224.0/20


If I missed any, please report them here, and I'll pass them along to the IP-to-Nation data source I use. Amazon's Cloud is being abused so often, their IP blocks have "earned" them two separate "virtual" nations in that database (which has blocked 100% of these, so far, because Amazon's Clouds are in the default rule set updates).
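
An added example, not part of any post in this thread: it checks that each posted IP range equals its posted CIDR block, then pulls the handoff IP out of Received headers like the ones cedricd quoted earlier and tests it against those blocks. The sample message is constructed (abridged from the quoted headers, recipient replaced with a placeholder), and the ranges are the 2009 values from the post above, not a current list.

```python
import ipaddress
import re
from email import message_from_string

# (first, last, cidr) exactly as listed in the post above (2009 snapshot).
POSTED_RANGES = [
    ("67.202.0.0", "67.202.63.255", "67.202.0.0/18"),
    ("72.44.32.0", "72.44.63.255", "72.44.32.0/19"),
    ("75.101.128.0", "75.101.255.255", "75.101.128.0/17"),
    ("79.125.0.0", "79.125.63.255", "79.125.0.0/18"),
    ("174.129.0.0", "174.129.255.255", "174.129.0.0/16"),
    ("216.182.224.0", "216.182.239.255", "216.182.224.0/20"),
]
BLOCKED = [ipaddress.ip_network(cidr) for _, _, cidr in POSTED_RANGES]

# The bracketed address is what the receiving server recorded for its peer.
# The hostname in front of it is HELO/rDNS text and is not relied on here.
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def range_matches_cidr(first, last, cidr):
    """True when the first-last range is exactly the single posted CIDR."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets == [ipaddress.ip_network(cidr)]


def handoff_ip(raw_message):
    """Return the first public peer IP, reading Received headers top-down.

    Each hop prepends its header, so the topmost ones come from the
    recipient's own provider. Hops with no bracketed IP, a malformed one,
    or a private address (internal relays) are skipped.
    """
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        match = PEER_IP.search(received)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue
        if not ip.is_private:
            return ip
    return None


def blocked_network(ip):
    """Return the posted network that contains ip, or None."""
    return next((net for net in BLOCKED if ip in net), None)


# Constructed sample, abridged from the headers quoted earlier in the thread.
SAMPLE = """\
Delivered-To: user@example.com
Received: by 10.210.133.14 with SMTP id g14cs754118ebd;
\tSun, 19 Apr 2009 11:18:51 -0700 (PDT)
Received: from ec2-79-125-54-187.eu-west-1.compute.amazonaws.com
\t(ec2-79-125-54-187.eu-west-1.compute.amazonaws.com [79.125.54.187])
\tby mx.google.com with SMTP id c23si9456746ana.0.2009.04.19.11.18.48;
\tSun, 19 Apr 2009 11:18:49 -0700 (PDT)
Subject: Perry sent you an e-Card

body
"""

if __name__ == "__main__":
    ip = handoff_ip(SAMPLE)
    print(ip, "->", blocked_network(ip))
```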

Outlaw Web Master
06-08-2009, 03:15 PM
Yupps....let's work the problem....no point moaning about it because that for sure won't solve anything.

I could suggest something but I'd be dragged off to hell (again) in a handcart.

owm

QwertyD
06-08-2009, 03:24 PM
In the time it took me to type my previous post, two things happened...

1. three more of these spams arrived...

2. the domain that's been in all of today's spams was listed by the brilliant ninjas at uribl.com (http://www.uribl.com/help.shtml) which means they should all die swiftly, even in a severely limited SpamAssassin setup. :)

The lesson? Report early, report often.
Moaning without action doesn't help.

lynne007
06-08-2009, 04:14 PM
I've been getting a slew of spam from the email address I use at this site.

so, I'm changing my email address I use here - it will still be unique for this forum. I will see if I get spam with the new email address. If so, the hacking is ongoing.

I will check back in a week.

greggster
06-08-2009, 09:20 PM
Got about 14 today from amazonaws servers - spam assassin caught them all - so glad that is working as configured. <waste of time??>Forwarded all of them in an email to aws@amazon.com and asked them to let me know what they do</waste of time??>