PDA

View Full Version : Spammers harvesting from AH



John Nebel
06-15-2004, 06:59 AM
A while back, I posted the below:

"I changed my e-mail address from [email protected] which it had been since early Internet days to [email protected] after the painful step of going through everything I'd signed up for and changing the registration, and spam dropped to zero."

and to see what would happen, I also created the IDs lastname and lastname.firstname to see if the spammers were watching AH vBulletin posts.

This morning, I received two virii from audiokarma.org addressed to [email protected]. The e-mail "from" domain may be forged, and the emails traversed mmetzger.net which is forged.

So we are on candid camera.

John

Wardsweb
06-15-2004, 08:22 AM
It is called Silent Spamming and done by robots reading the members file. We had the same issue over on Audiokarmar.org until we came across this article:

http://www.britecorp.co.uk/articles/webmaster-resources/warning-website/

Don - read this article and make some of the changes as described. I think the biggest change for us came when I password protected the memberslist folder. You will also need to go into the admins forum and manually delete the bot's registered as members. Because the system is already "infected" you may have to remove them for a few days until the changes take affect.

John Nebel
06-15-2004, 08:27 AM
This rascal has a program reading the posts - the address which was harvested is not in the members file.

It looks like Don's set-up of vBulletin does not expose members e-mail addresses.

It is not necessarily a bad thing to have the posts harvested as useful information can thereby be made available for net-based lookups, however, that is Don's and the members' call.

John

Wardsweb
06-15-2004, 09:03 AM
FYI: members file is an actual file called memberlist that you can not see, but is a know commodity within vbulletin that the spammers are exploiting.

John Nebel
06-15-2004, 09:22 AM
Originally posted by Wardsweb
FYI: members file is an actual file called memberlist that you can not see, but is a know commodity within vbulletin that the spammers are exploiting.

Greetings Wardsweb!

OK, I see memberlist.php within the virtual server tree. Are you saying that that particular script can be run with a parameter to expose e-mail addresses?

The example which started this thread was a deliberate honey pot, not an exploit of a vBulletin php script weakness. That hasn't happened yet and it would be nice to close that loophole in advance.

We have been having discussions about what can be done by exploiting php, but are not experts on the ins and outs of vBulletin.

I believe it would be easy for the vBulletin designers to avoid such a problem.

John

PS

I did read your reference

Wardsweb
06-15-2004, 09:38 AM
Yes, from what I understand, they are using that file. It is easy to block access to it via a robot.txt file or just password protecting the folder. It is all in the article I posted the link to. Isn't admin-ing fun. :D

John Nebel
06-15-2004, 09:52 AM
Wardsweb,

membership.php is the code behind the members button and doesn't appear to be harmful, but then I haven't spend several days hacking at it.

What a hacker/spammer could do is to call the private e-mail script and loop through the member numbers from 1 to the total number and use vBulletin to send out the spam. There is not an easy protection against that.

I still don't see a way for a robot to extract e-mail addresses from other than the content of the posts. The reason for the vBulletin designers to go to the trouble of private e-mail indirection was to avoid the problem we are discussing.

There doesn't appear to be a reason for not including membership.php in a robots.txt file, however, I'm really wary of unexpected side effects.

John

PS

Upon reflection... robots.txt is only recognized by well-manner search engines and will actually tell a hacker where he shouldn't be looking, but can if he wants.

Don McRitchie
06-15-2004, 01:14 PM
Originally posted by Wardsweb
It is called Silent Spamming and done by robots reading the members file. We had the same issue over on Audiokarmar.org until we came across this article:

http://www.britecorp.co.uk/articles/webmaster-resources/warning-website/

Don - read this article and make some of the changes as described. I think the biggest change for us came when I password protected the memberslist folder. You will also need to go into the admins forum and manually delete the bot's registered as members. Because the system is already "infected" you may have to remove them for a few days until the changes take affect.

To my knowledge, we have not had a problem with bots registering as members. I check the new registrants fairly regularly and have yet to come across any member profiles linked to inappropriate sites. I have not implemented robots.txt on this site, although I did have it on our previous host. As John points out, only legitimate spiders recognize it and it can have the opposite effect of highlighting information intended to be kept private. Further, I think it is of benefit to have our forum content indexed by the major search engines to help new netizens find us and know what we are about. Just to be clear, we have a number of private forums on the site associated with Project May. These forums are protected and not indexed.

I was having a significant issue with guestbook spammers, but that is now moot since our guestbook is down. It should be active again shortly, but it will likely have to be policed regularly. The biggest irritant I have with spammers right now is that some are forging our domain as the return address. Therefore, I get a number of "undeliverable" and "virus detected" bouncebacks for emails that were never sent by myself or our forum.

Don McRitchie
06-15-2004, 01:29 PM
Originally posted by John Nebel
This morning, I received two virii from audiokarma.org.....John

Wards.

BAD adim...BAD (Don swats Wardsweb with a rolled up newspaper) What did John ever do to you that you would send him virii?

Actually I find it interesting that a spammer would forge your domain to spam an email address picked up from our forum. I'm guessing that it is because there are a number of cross-links between our sites. It actually indicates a level of sophistication that is a little scary. It would appear that the spammers are forging domains that have a good prospect of being known to the addressee in hopes that they will open it on trust.

Wardsweb
06-15-2004, 02:41 PM
(Wardsweb ducking rolled up newspaper)...hey, it wasn't me, I promise. :rolleyes:

Having now taken the time to read more carefully. I now see where you were coming from. No, you haven't had an issue with the silent spamming or referral spamming. There is an issue with spidering the forums and/or guestbook looking for email addy's.

I get bouncebacks, denied access, "you have a virus" replies everyday from emails I never sent from Wardsweb.org and Audiokarma.org :(

John Nebel
06-15-2004, 03:21 PM
Wardsweb,

Right, I realize how some of them work and have even saved them as they are occasionally useful for testing.

Mail $ dire pmdf:[vsweep.virii],pmdf:[vsweep.virii_new] /grand

Grand total of 2 directories, 82479 files.

Each of those files is a real live virus, if you need any for testing, just ask :)

John

John Nebel
06-16-2004, 06:44 AM
Avoiding spam turns out to be pretty simple - don't give out your e-mail address. Until I looked into it, I'd thought there was some magical way spammers had of finding me and spam was inevitable. They don't and it isn't. Naive of someone who should have known better.

The purpose of this thread - AH posts are a place to not use e-mail addresses although the spam resulting from that test has been pretty slight.

This is dependent on the ISP being honest and not working behind the scenes to give ones address out. Widget pointed out that nasty little problem and the big free or ultra-cheap services are probably the worst offenders.

John