INTERACT FORUM

Topic started by: kragorn on January 09, 2004, 02:16:57 am

Title: Fake PayPal Spam Problem
Post by: kragorn on January 09, 2004, 02:16:57 am
This morning I received one of the standard "Paypal Verification" scams in my e-mail.  Nothing strange with that, delete and move on, but ...

I have my own domain and whenever I register somewhere I use a unique address, eg. when I registered for this forum I used 'fromjriver@'.  This is the ONLY place I've used that address.

The Paypal scam was sent to 'fromjriver@'.  How did the scammer get this unique address?
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: RhinoBanga on January 09, 2004, 02:49:08 am
Funnily enough I got one yesterday too.

I generally use my hotmail account when registering with forums but this is one of the few places where I used my real address and that is where I received the email.



P.S.  That's a good trick with the email addys.   I am going to change to that system.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: ChicoSelfs on January 09, 2004, 02:57:29 am
I received one E-Mail from Pay-pal too  ?
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: gpvillamil on January 09, 2004, 03:08:37 am
Weird. I got one too. It went to my personal e-mail address, which is long and complicated, so I don't think they were just randomly generating addresses.

For those of you new to the subject, if you received an e-mail purporting to be from Paypal asking you to verify your identity, IGNORE IT. It is a scam to get your payment info. Paypal will only ever interact with you through their own website. Read their security guidelines.

If you received such an e-mail, please post to this thread.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: georgem29 on January 09, 2004, 03:11:15 am
I also have my own domain and create unique addresses for individual companies I deal with.  I got the PayPal scam email to the address I used to register Media Center and register for this forum.  I've never used it for anything else.

I'd like to hear JRiver's explanation.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: sirshambling on January 09, 2004, 03:22:05 am
Add me to the list of recipients.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JaWe on January 09, 2004, 03:25:13 am
I got one too  ?
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: DJMUK on January 09, 2004, 04:13:10 am
I got 2 some hours apart - How Lucky I am!!! ;D

They were both to my main address which I use for all software/forum registrations.

EDIT: Should have said that I did not purchase MC with PayPal - Just in case it helps JRiver get to the bottom of this.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: Marko on January 09, 2004, 04:14:10 am
I got one too.
Well actually, I got a couple. Different mail addresses for different versions.

Now, please, please, please tell me.....

I'm almost certain jriver don't sell e-mail lists. (If I'm wrong, It'll end my association with MC)
If jriver don't sell e-mail lists, then it looks quite likely they have been compromised in some way, if that's the case, is it only e-mails they got? or should I cancel my credit card?
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: Jaguu on January 09, 2004, 04:18:10 am
Received 4 emails from Paypal, my jaguu email address is hardly known, just 2 or 3 very definite places such as this forum.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: zevele10 on January 09, 2004, 04:24:46 am
They are still sleeping....hard time when starting the day job.

I cannot believe that they sell email addresses - I really mean it -
I did not get any, but I did not buy MC10

So, did all of you update to MC10?
How is the mail?
A real PayPal ?
Or a prank?
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: Stilton on January 09, 2004, 04:27:47 am
In a vain attempt to combat spam, I use special different email addresses for everything I sign up for on the 'net (my ISP allows anything@username.ips.com, so I set anything to be what I'm signing up for).

I used one email, prefixed 'jriver@', to purchase the jriver software. I use one prefixed mc@ to sign up for this forum.

I received a spam to both of these accounts this morning. This is rather worrying on both accounts.  I've got 'hide email addresses from public' ticked in my profile, so my forum email address shouldn't be available to spam bots. My jriver@ one should only be stored securely with jriver.

I'm not suggesting you're selling our email addresses, but this is rather worrying. You may want to check over your security on where you store our emails. I'm sure I haven't used these emails anywhere else - definitely not outside jriver.

The spams were paypal phishing. If anyone else got the same, please post here.
--------------------------------------------------

Good to see I'm not the only one who's looking for an explanation on this one.

I have not purchased v10, so that's not it.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: RhinoBanga on January 09, 2004, 04:28:41 am
I haven't updated to v10 and I got the email.

Maybe the board was hacked?
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: retrospek on January 09, 2004, 04:37:11 am
I've also received a Paypal scam message this morning using the same address as I used for JRiver  :o

Mark.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: zevele10 on January 09, 2004, 04:43:54 am
Looks like good news that not only MC10 buyers got it
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: kragorn on January 09, 2004, 04:56:04 am
Quote
So, did all of you update to MC10?
How is the mail?
A real PayPal ?
Or a prank?

The e-mail address I received it on was only ever used to register on this forum .. I am not a registered MC user, only on this forum am I 'known' to JRiver, so this forum's member record for me is the only place I know of that 'fromjriver@xxx' is recorded.

RhinoBanga has a good point.

It's a scam .. using the by-now conventional means of obscuring the real destination of the link by appending lots of 0x01s to the URL which Outlook Express and Internet Explorer don't show .. I use Poco and Firebird so saw them ;).


PS, I'm STILL not a llama.  :D
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: zevele10 on January 09, 2004, 04:59:15 am
ok
so calm down
all of us
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: Stilton on January 09, 2004, 05:21:20 am
Quote
ok
so calm down
all of us

It's actually quite serious. Not only has my forum address been grabbed, but also the confidential one used to register to jriver.

If it was only the forum ones it's not as serious - likely a bug in the forum software. But for the registration emails to somehow get in the hands of spammers could have compromised other data, such as CC details.

Can anyone else say for sure that it is specifically jriver registration email address that was spammed (NOT their forum one)?

The spams are called 'phishing' - pretending to be an official email and sending the user off to collect their information (such as passwords, or CC details) (see http://www.urbandictionary.com/define.php?term=phishing). The URL in the email uses the classic 'username' method - the URL looks like it's going to paypal.com, but actually it's going to another domain, logging in with the username 'www.paypal.com'. The actual domain you'll see at the end of the long URL, not usually in sight because of all the 0s obscuring it out of view.
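
Added example, not part of Stilton's post or of the original thread: a check for the link trick described above, where a trusted name sits in the username part of the URL and padding bytes push the real host out of view. The sample URLs are constructed, and `203.0.113.7` is a documentation address standing in for the real destination.

```python
"""Flag links where the name shown first is not the host the browser contacts."""
import re
from urllib.parse import unquote

# scheme://authority, where authority ends at the first '/', '?' or '#'
AUTHORITY = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#]*)", re.I)
# Something that reads like a hostname: dotted labels ending in a TLD
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
# ASCII control bytes such as the 0x01 padding mentioned in the thread
CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Constructed samples (not taken from the real message).
PADDED_ENCODED = "http://www.paypal.com" + "%01" * 40 + "@203.0.113.7/verify.html"
PADDED_RAW = "http://www.paypal.com" + "\x01" * 40 + "@203.0.113.7/verify.html"
GENUINE = "https://www.paypal.com/cgi-bin/webscr?cmd=_login"
PLAIN_LOGIN = "ftp://user:pw@ftp.example.org/file"


def analyse_link(url):
    """Split the authority by hand and report decoy names and padding.

    Returns host (what is actually contacted), decoy (a hostname-looking
    string in the userinfo that differs from host), padding (number of
    control bytes in the userinfo) and a suspicious flag.
    """
    match = AUTHORITY.match(url)
    if not match:
        return {"host": None, "decoy": None, "padding": 0, "suspicious": False}

    # Everything before the LAST '@' is userinfo; the rest is host[:port].
    userinfo, _, hostport = match.group(1).rpartition("@")
    if hostport.startswith("["):               # bracketed IPv6 literal
        host = hostport.split("]")[0] + "]"
    else:
        host = hostport.split(":")[0]
    host = host.lower()

    decoded = unquote(userinfo)                # %01 -> \x01
    padding = len(CONTROL.findall(decoded))
    visible = CONTROL.sub("", decoded)         # what a reader would notice

    found = HOSTLIKE.search(visible)
    decoy = found.group(0).lower() if found else None
    if decoy == host:
        decoy = None

    return {
        "host": host,
        "decoy": decoy,
        "padding": padding,
        "suspicious": decoy is not None or padding > 0,
    }


if __name__ == "__main__":
    for sample in (PADDED_ENCODED, PADDED_RAW, GENUINE, PLAIN_LOGIN):
        print(analyse_link(sample))
```

A mail filter or proxy can run this over every `href` in an HTML message and quarantine anything marked suspicious; an ordinary `user:pw@host` login is reported without being flagged.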
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: TimB on January 09, 2004, 06:08:43 am
Quote
I have my own domain and whenever I register somewhere I use a unique address, eg. when I registered for this forum I used 'fromjriver@'.  This is the ONLY place I've used that address.

VERY cool idea!

No spam of this type received here.

-=Tim=-
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JimH on January 09, 2004, 06:57:46 am
We don't sell or otherwise provide your e-mail address to anyone.  

Many of these schemes are based on worms that can read an e-mail address book and then use the addresses to send more and also use the addresses as the sender name.  So if the address was in an e-mail address book anywhere, it's possible for the worm to find it.

A second possibility is that someone's e-mail server is being used to capture addresses.

Another possibility is that the addresses are publicly visible here on Interact.  Can you see each other's addresses?  If so, a robot can collect them.

Still another is that addresses are being randomly generated.  fromjriver would be a logical one.

There are other possibilities, but WE DO NOT PROVIDE YOUR ADDRESS TO ANYONE ELSE.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: kragorn on January 09, 2004, 07:12:57 am
Quote
Many of these schemes are based on worms that can read an e-mail address book and then use the addresses to send more and also use the addresses as the sender name.  So if the address was in an e-mail address book anywhere, it's possible for the worm to find it.

A second possibility is that someone's e-mail server is being used to capture addresses.

Another possibility is that the addresses are publicly visible here on Interact.  Can you see each other's addresses?  If so, a robot can collect them.

Still another is that addresses are being randomly generated.  fromjriver would be a logical one.

There are other possibilities, but WE DO NOT PROVIDE YOUR ADDRESS TO ANYONE ELSE.


1. My e-mail address would not be in ANY address book, I have never had e-mail contact with anyone else here, only your board's database knows it AFAICS.

2. Unlikely since I've never sent an e-mail from that address and only 1 has ever been delivered to me when I registered some time ago.

3. My e-mail address is marked "Hidden" in my member record.

4. 'fromjriver' is extremely UNLIKELY IMO.

MANY MEMBERS ARE REPORTING THIS.  If you say you don't pass on e-mail addresses given to you then I'll accept that, however it seems highly suspicious that the receipt of this scam by so many members means the source of the e-mail addresses IS YOUR BOARD.  

If you refuse to accept that as a possibility, as you are doing by invoking that list of possibilities which I have easily demolished, then clearly customers and potential users of this board need to be wary, because your systems could have been compromised and you appear to be doing nothing to look into it.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JimH on January 09, 2004, 07:19:23 am
Did I say that we would not investigate it?  Sorry for the omission.  It's 7:00AM here.

fromjriver is extremely likely, IMO.  from + domain name.

It would be nice if you would not make sinister assumptions about what has happened.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JimH on January 09, 2004, 07:23:04 am
Can everyone add a reply here that tells us the domain name of your mail server?  hotmail.com or aol.com, for example.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: jleerigby on January 09, 2004, 07:24:45 am
Just to add to the list of recipients I got one too.  I was amazed as this is the first spam I've seen since I changed the e-mail address about 3 months ago.  I too only use this address for MC so I was immediately worried about how on earth someone got hold of this address.  

I can't imagine that any worm invaded my PC as I am very careful as to which sites I visit (mostly it's just interact) and NAV 2003 is constantly up to date.  My wife uses the PC regularly and she has had no such e-mail - neither has anyone else I've spoken to at work or friends or family.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: zevele10 on January 09, 2004, 07:29:05 am
OK

Please, let's try to have the most indications ready for when they start to look at it.

ME: email address visible on interact==NO email sent to me-
address yahooFR [ not COM]
NEXT!
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: jleerigby on January 09, 2004, 07:35:56 am
I'm going to keep a careful eye on my CC statement.  I hope Jim confirms they'll look into this.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: RhinoBanga on January 09, 2004, 07:38:36 am
I have my own domain jdnet.co.uk.

They got my personal name too, jamie.

I can't see how both of these could have been randomly generated.   Also my mail server did not pick up any non-deliverable messages.

Now my email address is only registered on 2 boards (this and another one).   No-one on the other board has reported this situation whereas others have reported it here.   The facts are pointing this way.



P.S.  My email is hidden from public view on both boards.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JollyJim on January 09, 2004, 07:47:44 am
I got two this morning from paypal to xxxx.freeserve.co.uk
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: bob on January 09, 2004, 07:56:23 am
It sounds to me like someone found a way to pull the database but doing a quick check, I haven't found any notifications of holes in this version of the software. I also tried a few tricks that would lead me to be able to pull the database but they didn't work.

I'll keep looking...
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: kragorn on January 09, 2004, 08:01:26 am
It's clearly not a dictionary attack, I've received no others.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: gpvillamil on January 09, 2004, 08:03:14 am
Better post a sticky and an urgent announcement on the board, warning users about the fake mail. Most of us are pretty aware and won't fall for it, but others might not be so careful. Might also want to e-mail all users of the board and warn them of the compromise.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: kragorn on January 09, 2004, 08:06:33 am
It just occurred to me there may have been one other place I entered my e-mail address .. when you download a trial version there's an optional registration page, I now can't recall if I entered it there or not, I usually don't offer my details unless I'm forced to but it is possible I may have done.

Clearly many of your members and customers would also have entered details on that page.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: KingSparta on January 09, 2004, 08:17:38 am
Quote
Funnily enough I got one yesterday too.

I generally use my hotmail account when registering with forums but this is one of the few places where I used my real address and that is where I received the email.



P.S.  That's a good trick with the email addys.   I am going to change to that system.

I already talked to PayPal yesterday, and submitted the info from the original message.

It seems this is going around, per their message back to me.

They are working on shutting down the spammer.

The one I got also had a virus attached to it that was stripped out by Road Runner (my provider).
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: kragorn on January 09, 2004, 08:22:38 am
It could be just the time difference, but I notice that there are a lot of UK users here.  Mail server hack in the UK?

I don't see where the e-mail address used to target me would ever have been present on any mail server other than yours.  My domain is virtually hosted but mail is received using normal MX record resolution AFAIK and is not forwarded, hence anything sent from you to me would not be staged elsewhere.

Also it's hosted on a small local web hoster, the chances of 2 of their customers also being present here is very, very small IMHO.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JimH on January 09, 2004, 08:27:23 am
Correct me if I'm wrong, but I believe that the e-mail address is visible in the packets forwarded from machine to machine across the Internet, so if any machine in between is compromised, they could be collected there.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: ChicoSelfs on January 09, 2004, 08:27:36 am
my email is from my provider netvisao.pt
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JimH on January 09, 2004, 08:38:35 am
Here's a good summary of the growing "phishing" problem:
http://news.netcraft.com/archives/2004/01/07/jump_in_phishing_attacks_in_december.html
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: LisaRCT on January 09, 2004, 08:43:06 am
I got it too . . .
Yahoo.com
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: DJMUK on January 09, 2004, 08:44:39 am
Quote
Can everyone add a reply here that tells us the domain name of your mail server?  hotmail.com or aol.com, for example.


JimH, In case it helps mine is: dial.pipex.com

My email address is not used exclusively for this forum and/or registration of MC.  I only opened a PayPal account on 20/09/2003 to purchase a shareware program that had no other payment options.  I bought MC by CC.

If my memory serves me I also got one of these PayPal spoofs about 6-8 weeks ago.

Hope this helps.

David
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: RhinoBanga on January 09, 2004, 08:45:12 am
Quote
Correct me if I'm wrong, but I believe that the e-mail address is visible in the packets forwarded from machine to machine across the Internet, so if any machine in between is compromised, they could be collected there.

But the suspicious fact here is that it's a high number of interact users that have been spammed.

I don't know of anyone else who has got it who isn't an interact user.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: John Gateley on January 09, 2004, 08:45:17 am
Hi Y'all,

A couple of things:

JLee, cc info is never on the machine that supports interact, though keeping a close eye on your statement is always a good thing.

Those of you who are SURE that you got the spam because of this board, did you use the chat room? Is that a possible source of the spam?

j
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: RhinoBanga on January 09, 2004, 08:46:14 am
Quote
Hi Y'all,

Those of you who are SURE that you got the spam because of this board, did you use the chat room? Is that a possible source of the spam?

j


No as I have a fake email addy on irc, usually me@you.com.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JimH on January 09, 2004, 08:51:01 am
But the question was "did you use the chat room?"

Sounds like you did.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: ChicoSelfs on January 09, 2004, 08:51:51 am
By the way, I don't have a PayPal account
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: RhinoBanga on January 09, 2004, 08:53:03 am
Quote
But the question was "did you use the chat room?"

Sounds like you did.

Correct but I am pointing out that my IRC email address is fake so a whois on me would have resulted in a fake address.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: retrospek on January 09, 2004, 08:56:35 am
I don't believe I've ever used the Chat Room - In fact I didn't even know we had one available...

I'm wondering if maybe a 'plugin' has required us to provide our email address somewhere along the line - and maybe that person has been hacked somehow...

I can't remember though if I've had to provide my email details for any plug-ins.

My email address is hosted by plus.net in the UK

Cheers,

Mark

P.S. Good job I was running Mailwasher - which highlighted that this was a dodgy email from Paypal..
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: crowfan on January 09, 2004, 08:56:46 am
I have two email addresses: optonline.net and yahoo.com. Both emails received the PayPal spoof.

I use my Yahoo account for anything that I think will generate spam.

I use my optonline account here at Interact, and I *never* get spam in that account.

I am located in NY.

Hope this helps,

crow
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: John Gateley on January 09, 2004, 08:57:32 am
If you got the spam, could you please post the header info (minus personal details) here please? I need to know if they all came from the same mailer.

Rhino - did you use a real e-mail address when registering, and was it the same one as here? I know the public one wasn't, but it is possible the chat room was hacked.

j
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: Deivit on January 09, 2004, 08:59:07 am
Got two emails... one yesterday the other one today. Reported the first one to paypal.

The address is the one I use with this forum and to register Media Center, but I use it for other purposes too, so I cannot be sure of the origin.

The address is xxxx @ yahoo (not .com but .es)

Edit: Never used the chat room. My email is hidden here on my Interact profile.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: markp99 on January 09, 2004, 09:00:18 am
got one on my xxx@comcast.net account...


Actually...looking at header, it was my attbi.com account, forwarded to comcast.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: crowfan on January 09, 2004, 09:00:55 am
Sorry, I deleted the email (can't paste the header).

Oh, BTW, my email is also set to "hide from public" here on interact.

I did sign into the message board for a minute the other day. But I used the generic login that is filled in by default, something like "Visitor247" or whatever. I did not have to provide an email address. I just clicked the link that was provided in a post here on Interact, then clicked the Sign In button at the chat forum.

Hope it helps,

crow
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: c1c9k72 on January 09, 2004, 09:03:04 am
Late to the party, but I received two of them.  One at my original address here (xxx@comcast.net) and one at the address I'm currently using (xxx@yahoo.com).
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JimH on January 09, 2004, 09:04:27 am
I'm wondering if the e-mail address could be collected by a virus on your PC that sweeps through the web browser cache.

If someone sends you a private message on Interact, can you see their e-mail address?  That page would be stored in the local cache on a PC.


Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: RhinoBanga on January 09, 2004, 09:05:58 am
Quote
If you got the spam, could you please post the header info (minus personal details) here please? I need to know if they all came from the same mailer.

I'll post it when I get home in an hour.


Quote
Rhino - did you use a real e-mail address when registering

With what?   MC, my IRC nick?


Quote
but it is possible the chat room was hacked.

Even if it was how could they have got my real addy when I configured my IRC client (called Klient and not that rubbish mIRC) with a bogus email addy?
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JimH on January 09, 2004, 09:07:09 am

Quote
The address is xxxx @ yahoo (not .com but .es)

When anyone reports their domain, please report the domain name as, for example, yahoo.com or yahoo.es.  There is no need to use any spaces or otherwise obscure the domain.  
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: LisaRCT on January 09, 2004, 09:08:48 am
Quote
If you got the spam, could you please post the header info (minus personal details) here please? I need to know if they all came from the same mailer.

j

X-Apparently-To: xxxxxx@yahoo.com via 216.136.130.XX; Thu, 08 Jan 2004 21:36:43 -0800
X-YahooFilteredBulk: 193.28.100.XXX
Date: Fri, 9 Jan 2004 06:36:42 +0100 (added by postmaster@mail.epost.de)
From: "PayPal" <verification@paypal.com>
X-Mailer: PayPal Mailer
Reply-To: "PayPal" <verification@paypal.com>
To: xxxxxx@yahoo.com
Subject: Verify your identity

(obviously I blocked out the info behind the "X's")
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JimH on January 09, 2004, 09:09:02 am
Quote
Even if it was how could they have got my real addy when I configured my IRC client (called Klient and not that rubbish mIRC) with a bogus email addy?

Because any application on your PC could potentially look through your trash (cache).
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: Stilton on January 09, 2004, 09:14:59 am
Quote
We don't sell or otherwise provide your e-mail address to anyone.  

Many of these schemes are based on worms that can read an e-mail address book and then use the addresses to send more and also use the addresses as the sender name.  So if the address was in an e-mail address book anywhere, it's possible for the worm to find it.

A second possibility is that someone's e-mail server is being used to capture addresses.

Another possibility is that the addresses are publicly visible here on Interact.  Can you see each other's addresses?  If so, a robot can collect them.

Still another is that addresses are being randomly generated.  fromjriver would be a logical one.

There are other possibilities, but WE DO NOT PROVIDE YOUR ADDRESS TO ANYONE ELSE.

I don't think it's any of these possibilities.  My email addies won't be in anyone's email address book, because they are not visible. They aren't visible on the forum (I've got the 'hidden' check).

I don't think mine could be guessed. The format of the email is anything@username.vispa.co.uk (not a well-known ISP). the 'anything' bit in question is 'mc' and 'jriver'.

As I have mentioned earlier I'm sure that both of my jriver email addies have been spammed - my forum one and my registration email address for the software. But as no one else is reporting this, perhaps mine is an anomaly.

Again I'm not suggesting you are selling email addresses from paying customers - but could it not be possible unknown to you your database has been compromised?

I'd be surprised if it was a general spambot - so many specific jriver people have been targeted and have been sent the same email in such a short space of time. Sounds like someone is specifically targeting the forum and/or your registration database.

Also I highly doubt that it's a virus unless the virus - again, because it's happened to so many people on the forum (unless, of course, it came with the software...). And I'm, as I'm sure many others are, highly vigilant when it comes to virus scanning & protection.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: RhinoBanga on January 09, 2004, 09:18:32 am
Quote
Even if it was how could they have got my real addy when I configured my IRC client (called Klient and not that rubbish mIRC) with a bogus email addy?

Because any application on your PC could potentially look through your trash (cache).

What you are suggesting is that the IRC server we connected to knew a) what client we were using and b) knew of exploits for that client (and we are not talking about mIRC here but others too including Java based ones) is unlikely I think.

Mind you the fact that others who never used the chat room are reporting the spam sort of kills that idea.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: zevele10 on January 09, 2004, 09:18:54 am
Using the chat room and no spam.

Besides that, I do not see how being in the chat room can tell anyone what my email is.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: sraymond on January 09, 2004, 09:20:12 am
Quote
But the question was "did you use the chat room?"

Sounds like you did.

I use the chat room, but I haven't gotten phished.

Which is strange, 'cause I get a ton of spam anyway :-)  Maybe my ISP (SBCGlobal) was kind enough to block it for me?

Scott-
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JimH on January 09, 2004, 09:23:15 am
Quote
I don't think mine could be guessed. The format of the email is anything@username.vispa.co.uk (not a well-known ISP). the 'anything' bit in question is 'mc' and 'jriver'.

Anything is possible.  We're still gathering facts.

It is definitely possible to guess the address you've given.  Lists are now being compiled by brute force methods.  Here is an example:

For every domain known

E-mail is sent to
aaaaaaaa@domain.com
aaaaaaab@domain.com
aaaaaaac@domain.com

and so on.

Bounces are recorded.  Lists of addresses sent and bounces received are compared to extract the list of addresses that do not bounce.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: NoCodeUK on January 09, 2004, 09:32:50 am
I use the chat room too... I have not received the email...  Incidentally however it is the email address I used to register with MC in the first place...

Adam
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: crowfan on January 09, 2004, 09:51:36 am
Jim and JRiver,

I use MyIE2 for all surfing, including Interact. Every time I close it, it clears the cache and history.  I've also never used the PMs here.

Hope this helps,

crow
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: Doof on January 09, 2004, 09:55:28 am
I've used the same email address to register for this forum (hidden) and purchase MC 10.0.

I used the chat room for about a minute, although I never provided an email address.

No spam here.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: RhinoBanga on January 09, 2004, 10:07:28 am
Here's the headers.

I have replaced my email address with !!!!!!


Microsoft Mail Internet Headers Version 2.0
Received: from exchange-pop3-connector.com ([127.0.0.1]) by fileserver.jdnet.co.uk.local with Microsoft SMTPSVC(6.0.3790.0);
    Thu, 8 Jan 2004 16:25:25 +0000
Return-path: <verification@paypal.com>
Envelope-to: !!!!!!!!!!!!!!
Delivery-date: Thu, 08 Jan 2004 16:24:30 +0000
Received: from [193.28.100.167] (helo=mail.epost.de)
   by delta.eukhost.com with esmtp (Exim 4.24)
   id 1AecxN-0006d1-3i
   for !!!!!!!!!!!!!!; Thu, 08 Jan 2004 16:24:25 +0000
Received: from [62.111.240.130] (62.111.240.130) by mail.epost.de (6.7.015) (authenticated as barney@epost.de)
        id 3FFD68CE00003DDD for !!!!!!!!!!!!!!; Thu, 8 Jan 2004 17:24:28 +0100
Date: Thu, 8 Jan 2004 17:24:28 +0100 (added by postmaster@mail.epost.de)
Message-ID: <3FFD68CE00003DDD@PPD27104.x.de> (added by postmaster@mail.epost.de)
From: "PayPal" <verification@paypal.com>
X-Mailer: PayPal Mailer
Reply-To: "PayPal" <verification@paypal.com>
To: !!!!!!!!!!!!!!
Subject: Verify your identity
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
X-OriginalArrivalTime: 08 Jan 2004 16:25:25.0765 (UTC) FILETIME=[058A0350:01C3D604]
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JimH on January 09, 2004, 10:12:56 am
My own e-mail address is entered multiple times on Interact and I have not received this spam in the last three days.  I have seen similar messages before.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: JimH on January 09, 2004, 10:36:30 am
We've now spent an hour or so checking for known security problems in the (well known) software we use for the forum.  We can't find any so far.  We will keep looking.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: gpvillamil on January 09, 2004, 10:37:27 am
The message I got had original sender nathaly@epost.de

I can pretty much guarantee that my system is secure, for reasons that I won't get into in a compromised forum ;-)

I own a domain, and if someone had been trying permutations of e-mail addresses based on it I would have seen all the variants. Any e-mail to my domain that doesn't match a valid address is not bounced - it is captured in a default account.

Likeliest hypothesis is that the forum, and possibly the registration database, have been compromised. Good security policy is to assume this is the case, and take remedial measures.

As I said before, better post/e-mail users of the board and warn them about the possibility, especially about the fake PayPal e-mail - there are a lot of newbies on this board who may be taken! THIS SHOULD BE DONE AT ONCE EVEN IF THERE IS ONLY THE POSSIBILITY THAT THE FORUM HAS BEEN COMPROMISED.

The other thing to do is to warn Paypal at spoof@paypal.com - tracking down whoever got these addresses is a clue to the identity of whoever is sending out the phishing e-mails.
Title: Re:Fake PayPal Spam Problem
Post by: retrospek on January 09, 2004, 10:46:27 am
Unfortunately I deleted the email when I received it earlier.

However, I did have a look at the header before I deleted it - and I can confirm that mine also had 'epost.de' in the header.

Cheers,
Mark
Title: Re:Fake PayPal Spam Problem
Post by: LonWar on January 09, 2004, 10:48:46 am
What do you mean by HEADERS??

Both email addresses have been given to JRiver and I received an email on both.

@sympatico.ca
@hotmail.com
Title: Re:Fake PayPal Spam Problem
Post by: RhinoBanga on January 09, 2004, 11:09:01 am
The epost.de is common to all the headers so far.

So it sounds like they had an open SMTP server.
Title: Re:Fake PayPal Spam Problem
Post by: JimH on January 09, 2004, 11:11:30 am
Or that they are a spam service provider.
Title: Re:Fake PayPal Spam Problem
Post by: gpvillamil on January 09, 2004, 11:18:01 am
Quote
Or that they are a spam service provider.

The German postal service?
Title: Re:Fake PayPal Spam Problem
Post by: Griff on January 09, 2004, 11:18:52 am
Didn't use chat rm/don't belong to paypal/use window washer.

Received one yesterday to my main garb. acct. Hotmail.
Deleted it.

Have another acct. bellsouth only two people have this addr. and not JRiver.

Got one today in it.

Return-Path: <verification@paypal.com>
Received: from mail.epost.de ([193.28.100.164])
          by imf00aec.mail.bellsouth.net
          (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP
          id <20040109053017.QAOT1877.imf00aec.mail.bellsouth.net@mail.epost.de>
          for <xxxxxxxx@bellsouth.net>; Fri, 9 Jan 2004 00:30:17 -0500
Received: from [62.111.240.130] (62.111.240.130) by mail.epost.de (6.7.015) (authenticated as nathaly@epost.de)
        id 3FFDEAA50000FD05 for xxxxxxxx@bellsouth.net; Fri, 9 Jan 2004 06:30:17 +0100
Date: Fri, 9 Jan 2004 06:30:17 +0100 (added by postmaster@mail.epost.de)
Message-ID: <3FFDEAA50000FD05@PPD27101.x.de> (added by postmaster@mail.epost.de)
From: "PayPal" <verification@paypal.com>
X-Mailer: PayPal Mailer
Reply-To: "PayPal" <verification@paypal.com>
To: xxxxxxxx@bellsouth.net
Subject: Verify your identity
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit<html>

Jim, if I didn't xx out enough, please do so for me.
Don't know much about this stuff.

Griff
Title: Re:Fake PayPal Spam Problem
Post by: Ingo on January 09, 2004, 11:19:04 am
epost.de is connected to Germany's formerly state run mail service....
I don't think they want to serve spammers, but they are probably as clueless in their ebusiness as they are in the rest of their stuff.

Ingo
Title: Re:Fake PayPal Spam Problem
Post by: JimH on January 09, 2004, 11:21:38 am
Quote
Have another acct. bellsouth only two people have this addr. and not JRiver.  Got one today in it.

Thanks.  That's what I've been looking for.  That's an important clue.
Title: Re:Fake PayPal Spam Problem
Post by: RhinoBanga on January 09, 2004, 11:21:39 am
Quote
Or that they are a spam service provider.

The epost.de domain looks like a German postal service and they are not on the popular spam blacklist lists my mailserver uses:

list.dsbl.org
blackholes.mail-abuse.org
relays.ordb.org
bl.spamcop.net
spl.spamhaus.org


EDIT:  Sorry ... I just noticed ingo's post.
Title: Re:Do JRiver Sell E-Mail Addresses?
Post by: Stilton on January 09, 2004, 11:26:26 am
I don't think mine could be guessed. The format of the email is anything@username.vispa.co.uk (not a well-known ISP). the 'anything' bit in question is 'mc' and 'jriver'.
Anything is possible.  We're still gathering facts.

It is definitely possible to guess the address you've given.  Lists are now being compiled by brute force methods.  Here is an example:

For every domain known

E-mail is sent to
aaaaaaaa@domain.com
aaaaaaab@domain.com
aaaaaaac@domain.com

and so on.

Bounces are recorded.  Lists of addresses sent and bounces received are compared to extract the list of addresses that do not bounce.


If this was the case, I would have received emails to aaaaaaaa@username.vispa.co.uk, aaaaaaab@username.vispa.co.uk etc. I've only received them to mc@ and jriver@.
Title: Re:Fake PayPal Spam Problem
Post by: Tangoman on January 09, 2004, 11:58:45 am
Fri, 9 Jan 2004 05:58:12 +0100 (added by postmaster@mail.epost.de)
From: "PayPal" <verification@paypal.com>
To: xxx@yahoo.com
Subject: Verify your identity

I got this too. I take it that credit card numbers have not been compromised, just email addresses.
I just registered for MC10 a few days ago.

Cheers Tangodude
Title: Re:Fake PayPal Spam Problem
Post by: Jaguu on January 09, 2004, 12:06:37 pm
I have received all 4 penpal mails at the email address of my J River Jaguu account. My business mail address I used to buy Media Center was not touched, so it looks as the J River registration/buy database is not the culprit.

Do not use chat, send messages to individual users on Interact from time to time, my email in Interact profile was not hidden so far, is hidden now!

Return-Path: <verification@paypal.com>
Original-Recipient: rfc822;xxxxxx@xxxxxx.ch
Received: from mail.epost.de (193.28.100.166) by mx1.xxxxx.ch (6.7.019)
        id 3FFAAC8700086E0F for xxxxxx@xxxxxi.ch; Fri, 9 Jan 2004 02:25:46 +0100
Received: from [62.111.240.130] (62.111.240.130) by mail.epost.de (6.7.015) (authenticated as barney@epost.de)
        id 3FF19CFB0012A262 for xxxxxx@xxxxxx.ch; Fri, 9 Jan 2004 02:25:46 +0100
Date: Fri, 9 Jan 2004 02:25:46 +0100 (added by postmaster@mail.epost.de)
Message-ID: <3FF19CFB0012A262@PPD27103.x.de> (added by postmaster@mail.epost.de)
From: "PayPal" <verification@paypal.com>
X-Mailer: PayPal Mailer
Reply-To: "PayPal" <verification@paypal.com>
To: xxxxxx@xxxxxx.ch
Subject: Verify your identity
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit<html>


Title: Re:Fake PayPal Spam Problem
Post by: JimH on January 09, 2004, 12:09:06 pm
We now believe that the database was accessed from the outside.  It exists on a machine that is outside our firewall  (it has to be).  The only thing on it that would affect you is the e-mail address database.

We'll report more when we know it.
Title: Re:Fake PayPal Spam Problem
Post by: jeffh on January 09, 2004, 12:14:31 pm
Count me in as well...  Here are the headers...

X-Apparently-To: XXX@yahoo.com via 66.218.79.42; Thu, 08 Jan 2004 18:02:54 -0800
X-YahooFilteredBulk: 193.28.100.187
Return-Path: <verification@paypal.com>
Received: from 193.28.100.187 (EHLO mail.epost.de) (193.28.100.187) by mta233.mail.scd.yahoo.com with SMTP; Thu, 08 Jan 2004 18:02:54 -0800
Received: from [62.111.240.130] (62.111.240.130) by mail.epost.de (6.7.015) (authenticated as barney@epost.de) id 3FEB549800205B1A for XXX@yahoo.com; Fri, 9 Jan 2004 03:02:54 +0100
Date: Fri, 9 Jan 2004 03:02:54 +0100 (added by postmaster@mail.epost.de)
Message-ID: <3FEB549800205B1A@ppd27106.x.de> (added by postmaster@mail.epost.de)
From: "PayPal" <verification@paypal.com>  Add to Address Book
X-Mailer: PayPal Mailer
Reply-to: "PayPal" <verification@paypal.com>
To: XXX@yahoo.com
Subject: Verify your identity
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit<html>
 <head>
Content-Length: 1899
Title: Re:Fake PayPal Spam Problem
Post by: LonWar on January 09, 2004, 12:15:59 pm
How do I get the headers??
Title: Re:Fake PayPal Spam Problem
Post by: Cmagic on January 09, 2004, 05:05:30 pm
Hi folks,

imjustagamer, in outlook right click on message and select Options you will get the header.

I received one yesterday with following header :

Return-Path: <verification@paypal.com>
Received: (qmail 8230 invoked from network); 8 Jan 2004 05:45:57 -0000
Received: from mail.epost.de (193.28.100.187)
  by mrelay5-2.free.fr with SMTP; 8 Jan 2004 05:45:57 -0000
Received: from [62.111.240.130] (62.111.240.130) by mail.epost.de (6.7.015) (authenticated as barney@epost.de)
        id 3FEB5498001DD309  Thu, 8 Jan 2004 06:45:56 +0100
Date: Thu, 8 Jan 2004 06:45:56 +0100 (added by postmaster@mail.epost.de)
Message-ID: <3FEB5498001DD309@ppd27106.x.de> (added by postmaster@mail.epost.de)
From: "PayPal" <verification@paypal.com>
X-Mailer: PayPal Mailer
Reply-To: "PayPal" <verification@paypal.com>
To:
Subject: Verify your identity
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit<html>
<head>

thanks,

C.
Title: Re:Fake PayPal Spam Problem
Post by: LonWar on January 09, 2004, 05:12:12 pm
I spoke to 10 people at work that use paypal and no one else received the emails.
Seems to only be people from here??

I don't want to sound paranoid and I will only ask this once... Jim are the Credit Card #'s at risk or was it just the email addresses...
If there is a possibility that someone may have been able to get the #'s I would like to know.
Jim, if you say that they are secure, I will not raise this issue again.

Thanks and have a good weekend.
Title: Re:Fake PayPal Spam Problem
Post by: KingSparta on January 09, 2004, 05:29:53 pm
this is the one I got yesterday


Return-path: <Do_Not_Reply@paypal.com>
Received: from ms-mta-01-eri0 (ms-mta-01-qfe1 [10.10.5.70])
 by ms-mss-03.southeast.rr.com
 (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with ESMTP id <0HR6002RFK8DD3@ms-mss-03.southeast.rr.com> for
 xxxxxx%nc.rr.com@ims-ms-daemon; Thu, 08 Jan 2004 11:53:01 -0500 (EST)
Received: from vamx02.mgw.rr.com (vamx02.mgw.rr.com [24.30.200.18])
 by ms-mta-01.southeast.rr.com
 (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with ESMTP id <0HR60018PK8DX0@ms-mta-01.southeast.rr.com> for
 xxxxxx@nc.rr.com (ORCPT xxxxxx@nc.rr.com); Thu,
 08 Jan 2004 11:53:01 -0500 (EST)
Received: from localhost (conm200-58-214-227.epm.net.co [200.58.214.227])
   by vamx02.mgw.rr.com (8.12.10/8.12.8) with SMTP id i08GqcgG016208   for
 <xxxxxx@nc.rr.com>; Thu, 08 Jan 2004 11:52:48 -0500 (EST)
Date: Thu, 08 Jan 2004 11:52:38 -0500 (EST)
From: "PayPal.com" <Do_Not_Reply@paypal.com>
Subject: IMPORTANT                                           kohkeeke
To: xxxxxx <xxxxxx@nc.rr.com>
Reply-to: Do_Not_Reply@paypal.com
Message-id: <200401081652.i08GqcgG016208@vamx02.mgw.rr.com>
MIME-version: 1.0
Content-type: multipart/mixed; boundary=----------A48617900047D5F
X-Priority: 1 (High)
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-Virus-Scan-Result: Repaired 26464 W32.Mimail.J@mm
Original-recipient: rfc822;xxxxxx@nc.rr.com
X-NAS-Bayes: #0: 1.47046E-142; #1: 1
X-NAS-Classification: 0
X-NAS-MessageID: 993
X-NAS-Validation: {0D2F3A99-1329-496D-8DE4-4BE9CAF74458}

Title: Re:Fake PayPal Spam Problem
Post by: Doof on January 09, 2004, 05:30:03 pm
We now believe that the database was accessed from the outside.  It exists on a machine that is outside our firewall  (it has to be).  The only thing on it that would affect you is the e-mail address database.

We'll report more when we know it.
Title: Re:Fake PayPal Spam Problem
Post by: KeystoneCop on January 09, 2004, 05:30:14 pm
Return-Path: <verification@paypal.com>
Delivered-To: xxxxx@surewest.net
Received: (qmail 24155 invoked from network); 9 Jan 2004 04:23:32 -0000
Received: from unknown (HELO mx1.mc.surewest.net) (66.60.130.44)
  by core1.mc.surewest.net with SMTP; 9 Jan 2004 04:23:32 -0000
Received: (qmail 2041 invoked from network); 9 Jan 2004 04:23:32 -0000
Received: from unknown (HELO mail.epost.de) (193.28.100.187)
  by mx1.mc.surewest.net with SMTP; 9 Jan 2004 04:23:32 -0000
Received: from [62.111.240.130] (62.111.240.130) by mail.epost.de (6.7.015) (authenticated as barney@epost.de)
        id 3FEB54980020C6CA for xxxx@surewest.net; Fri, 9 Jan 2004 05:23:31 +0100
Date: Fri, 9 Jan 2004 05:23:31 +0100 (added by postmaster@mail.epost.de)
Message-ID: <3FEB54980020C6CA@ppd27106.x.de> (added by postmaster@mail.epost.de)
From: "PayPal" <verification@paypal.com>
X-Mailer: PayPal Mailer
Reply-To: "PayPal" <verification@paypal.com>
To: xxxx@surewest.net
Subject: Verify your identity
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit<html>
<head>
X-TST: mx1 SNWK2



xxx done by me.. hope this helps..
Title: Re:Fake PayPal Spam Problem
Post by: jleerigby on January 09, 2004, 05:38:39 pm
I spoke to 10 people at work that use paypal and no one else received the emails.
Seems to only be people from here??

I don't want to sound paranoid and I will only ask this once... Jim are the Credit Card #'s at risk or was it just the email addresses...
If there is a possibility that someone may have been able to get the #'s I would like to know.
Jim, if you say that they are secure, I will not raise this issue again.

Thanks and have a good weekend.


Even if they were (and I like you sincerely hope not) it's not your problem.  It's the bank's problem provided you have not been reckless and have conformed with the terms and conditions of the card.
Title: Re:Fake PayPal Spam Problem
Post by: Sam on January 09, 2004, 06:14:23 pm
In addition to the PayPal email today, I got another spam on Monday.

I'm not sure if it's related at all, but this one actually displayed a link on the jriver site where they pulled my email address.  It was a mailto: link tied to my megaskin

Jim, fwiw, I'll forward you that email.


The email address I use here has been virtually spam-free - probably two emails in all of last year.  And then two this week.


My other email address, a personal one which I've never used here or with any website, just got its first spam ever today.  Not a good sign.
Title: Re:Fake PayPal Spam Problem
Post by: Sam on January 09, 2004, 06:19:12 pm
I spoke to 10 people at work that use paypal and no one else received the emails.
Seems to only be people from here??

I don't want to sound paranoid and I will only ask this once... Jim are the Credit Card #'s at risk or was it just the email addresses...
If there is a possibility that someone may have been able to get the #'s I would like to know.
Jim, if you say that they are secure, I will not raise this issue again.

Thanks and have a good weekend.


Even if they were (and I like you sincerely hope not) it's not your problem.  It's the bank's problem provided you have not been reckless and have conformed with the terms and conditions of the card.


You're right about the financial loss.  But I've gone through the process of cleaning up my credit reports after credit fraud, and it's a really big deal.  Lots of paperwork and phone calls stretching on for countless months.
Title: Re:Fake PayPal Spam Problem
Post by: Sam on January 09, 2004, 07:05:29 pm
I just went through clicking on people's user names in this thread...  Quite a few have their email addresses visible.

It doesn't really take a hacker to automatically collect email addresses this way.  Not sure if this is how they did it, but hiding your email address is probably a good precaution.

Title: Re:Fake PayPal Spam Problem
Post by: Charlemagne 8 on January 09, 2004, 07:08:46 pm
Me too. Promptly deleted.
Title: Re:Fake PayPal Spam Problem
Post by: modelmaker on January 09, 2004, 07:16:58 pm
I also got a couple of paypal emls. I do not have a paypal account. They were sent to the address I originally registered MC with, not  the address I used for interact.
Title: Re:Fake PayPal Spam Problem
Post by: zevele10 on January 09, 2004, 07:25:48 pm
Sam
my mail is visible and i did not get any mail.
Beside this ,people may have more than one mail.
No difficult: X Yahoo mails NOT .com
forward to a pop up accompt , use your email client to consult it.
Et viola...
Title: Re:Fake PayPal Spam Problem
Post by: JimH on January 09, 2004, 07:33:24 pm
Zev,
You should go to bed.  It's a bit late to be walking around without sleeping.  It's dangerous to others.

Jim

Title: Re:Fake PayPal Spam Problem
Post by: TimB on January 09, 2004, 07:40:13 pm
Isn't there something in the Homeland Security Act about talking en francais?  :o

-=Tim=-
Title: Re:Fake PayPal Spam Problem
Post by: sraymond on January 09, 2004, 07:57:38 pm
I just went through clicking on people's user names in this thread...  Quite a few have their email addresses visible.

It doesn't really take a hacker to automatically collect email addresses this way.  Not sure if this is how they did it, but hiding your email address is probably a good precaution.



Well, just because an e-mail address is listed in the forums, doesn't mean that same address was used to register.  You'll find my address (scottraymond@sbcglobal.net) posted frequently.  I don't like munging my address - though I can't really say I have a rational reason.

But this is a "throw-away" address that I use everywhere that is publicly viewable (i.e. here, Usenet, etc.)  I run all incoming mail through POPFile, which does a darn good job of separating out that spam/virii.  But I accept that I might miss some stuff - that's OK.

My concern here (which is significant) is that JRiver has my "e-mail for life" address - and not by my own volition.  I was once locked out of INTERACT and I was told to reregister.  Of course, the throw-away was already taken (INTERACT wouldn't let me use it again), so I used my "e-mail for life".  Now, if that account were to get ruined by spam/virii, I'd be quite upset.  In hindsight, I shouldn't have done that - but I got personal assurances from JimH that addresses were never released outside of JRiver.

By ruined...  I mean that the good/bad ratio gets so small that I can't expect to find the good stuff.  I was getting over 300 virii a day (the MS Update one) with my sbcglobal.net account for a while.  Imagine trying to make sure that urgent and important business is not lost under that mountain of junk!

Well, it's too early to tell if there's been any real damage done...

Scott-
Title: Re:Fake PayPal Spam Problem
Post by: PhatPhreddy on January 10, 2004, 12:36:42 am
Quote
Even if they were (and I like you sincerely hope not) it's not your problem.  It's the bank's problem provided you have not been reckless and have conformed with the terms and conditions of the card.
True if you have a credit card... Of course many people have VISA (or MC / AMEX) debit cards and in the UK a debit card does not have the same protections as a credit card and the money is out of your account before you have a chance to correct it.. Instead of the security of VISA withholding the merchant's money (usually 90 days with VISA merchants) the bank faces an actual money loss and is therefore MUCH tougher about paying back funds.  Moral is use a credit card instead of a debit card every time...

For those with SPAM issues I strongly recommend Cloudmark's Spamnet... I have my email public all over forums and get a >10:1 spam ratio but it's not a problem as spamnet gets 99% of it and cleans it all out for me to a SPAM folder... The community reporting method works great.
Title: Re:Fake PayPal Spam Problem
Post by: John Gateley on January 10, 2004, 01:14:50 am
Hi Y'all,

CCs are very safe. If there were any chance of compromise there, you would have heard from us already.

Thanks again for the patience and the calm tone!

j
Title: Re:Fake PayPal Spam Problem
Post by: RhinoBanga on January 10, 2004, 02:21:50 am
Hi Y'all,

CCs are very safe. If there were any chance of compromise there, you would have heard from us already.

Thanks again for the patience and the calm tone!

j



What information did they get?

Names and addresses?
Title: Re:Fake PayPal Spam Problem
Post by: graham131 on January 10, 2004, 07:41:31 am
Hi Guys,

Sorry only just read all of this.  I got 1 too, immediately reported it to spoof@paypal.com.

My domain is a uk one, @btconnect.com

Cheers

Graham
Title: Re:Fake PayPal Spam Problem
Post by: Chasoscar on January 10, 2004, 12:59:15 pm
I got it also thru hotmail account. I don't use the IRC chatroom.
Title: Re:Fake PayPal Spam Problem
Post by: John Gateley on January 10, 2004, 01:27:10 pm
Hi Y'all,

Thanks for the info, we've got enough now.

I saw a few people mention they don't have paypal accounts. The fraud spam is not directed at individuals, they just blast away to whatever e-mail addresses they have, and those who happen to have paypal will sometimes respond. JRiver doesn't have ANY info on your paypal account, we don't accept paypal.

j
Title: Re:Fake PayPal Spam Problem
Post by: RhinoBanga on January 10, 2004, 01:35:20 pm
John,

As I asked before ... what information did they get?

Just our email addresses or more?
Title: Re:Fake PayPal Spam Problem
Post by: jleerigby on January 10, 2004, 01:39:38 pm
Quote
Even if they were (and I like you sincerely hope not) it's not your problem.  It's the bank's problem provided you have not been reckless and have conformed with the terms and conditions of the card.
True if you have a credit card... Of course many people have VISA (or MC / AMEX) debit cards and in the UK a debit card does not have the same protections as a credit card and the money is out of your account before you have a chance to correct it.. Instead of the security of VISA withholding the merchant's money (usually 90 days with VISA merchants) the bank faces an actual money loss and is therefore MUCH tougher about paying back funds.  Moral is use a credit card instead of a debit card every time...

For those with SPAM issues I strongly recommend Cloudmark's Spamnet... I have my email public all over forums and get a >10:1 spam ratio but it's not a problem as spamnet gets 99% of it and cleans it all out for me to a SPAM folder... The community reporting method works great.

The principle remains the same whether it's credit or debit card.  If the retailer cannot provide your signature or other proof that you initiated the transaction for a purchase of goods/service and you have not done anything silly or fraudulent then you will get a refund.  I take your point though that the ease with which you get your refund will vary depending on the attitude of the representative of your bank.

(I work for a very large global bank based in the UK.)
Title: Re:Fake PayPal Spam Problem
Post by: JimH on January 10, 2004, 01:57:35 pm
email addresses were the only problem.

This was reported above.
Title: Re:Fake PayPal Spam Problem
Post by: sraymond on January 10, 2004, 02:06:07 pm
email addresses were the only problem.

This was reported above.

Is it possible to change the e-mail address associated with INTERACT?

I'm sure it'll never happen again, but I'd really like to keep my "e-mail for life" account safe-as-can-be.

Scott-
Title: Re:Fake PayPal Spam Problem
Post by: JimH on January 10, 2004, 02:07:53 pm
You can modify your profile.
Title: Re:Fake PayPal Spam Problem
Post by: RhinoBanga on January 10, 2004, 02:42:29 pm
email addresses were the only problem.

This was reported above.

Where?

On this page or on pages 1 or two?

I couldn't see it hence the question.
Title: Re:Fake PayPal Spam Problem
Post by: JimH on January 10, 2004, 02:56:44 pm
Jamie,
For security reasons, I would prefer to minimize discussion of any detail.  I hope you'll understand.

Jim

We now believe that the database was accessed from the outside.  It exists on a machine that is outside our firewall  (it has to be).  The only thing on it that would affect you is the e-mail address database.
Title: Re:Fake PayPal Spam Problem
Post by: dpbeatley on January 10, 2004, 08:21:01 pm
Got 2 emails from the fake PayPal scam. Headers were identical for both so I'm including only one: (personal info x'ed out)
========================

Status:  U
Return-Path: <verification@paypal.com>
Received: from mail.epost.de ([193.28.100.164])
   by james.mail.atl.earthlink.net (EarthLink SMTP Server) with ESMTP id 1aEEq4J83Nl3r10
   for <xxxxxxx@mindspring.com>; Thu, 8 Jan 2004 12:58:07 -0500 (EST)
Received: from [62.111.240.130] (62.111.240.130) by mail.epost.de (6.7.015) (authenticated as nathaly@epost.de)
        id 3FFBD47C0003A462 for xxxxxxxx@mindspring.com; Thu, 8 Jan 2004 18:58:07 +0100
Date: Thu, 8 Jan 2004 18:58:07 +0100 (added by postmaster@mail.epost.de)
Message-ID: <3FFBD47C0003A462@PPD27101.x.de> (added by postmaster@mail.epost.de)
From: "PayPal" <verification@paypal.com>
X-Mailer: PayPal Mailer
Reply-To: "PayPal" <verification@paypal.com>
To: xxxxxxx@mindspring.com
Subject: Verify your identity
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit<html>
=============================================

BTW all- prior to knowing that JRiver may be the source, I notified PayPal and sent them the headers as well.

Hang the bastard!
Dennis
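
Reading the header dumps posted in this thread from the bottom up, as an added example that is not part of any poster's message: the Python below takes the Received chain of several reports, pulls out the first relay to accept each message, and groups the reports by submitting IP and relay. The function names are this example's own; the header text is copied from the posts above and trimmed.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Header blocks copied from posts in this thread (recipients were x'ed out by
# the posters) and trimmed to the fields this example reads.
SAMPLES = {
    "Griff": """\
Received: from mail.epost.de ([193.28.100.164])
          by imf00aec.mail.bellsouth.net
          (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP
          for <xxxxxxxx@bellsouth.net>; Fri, 9 Jan 2004 00:30:17 -0500
Received: from [62.111.240.130] (62.111.240.130) by mail.epost.de (6.7.015) (authenticated as nathaly@epost.de)
        id 3FFDEAA50000FD05 for xxxxxxxx@bellsouth.net; Fri, 9 Jan 2004 06:30:17 +0100
From: "PayPal" <verification@paypal.com>
""",
    "Jaguu": """\
Received: from mail.epost.de (193.28.100.166) by mx1.xxxxx.ch (6.7.019)
        id 3FFAAC8700086E0F for xxxxxx@xxxxxi.ch; Fri, 9 Jan 2004 02:25:46 +0100
Received: from [62.111.240.130] (62.111.240.130) by mail.epost.de (6.7.015) (authenticated as barney@epost.de)
        id 3FF19CFB0012A262 for xxxxxx@xxxxxx.ch; Fri, 9 Jan 2004 02:25:46 +0100
From: "PayPal" <verification@paypal.com>
""",
    "KeystoneCop": """\
Received: (qmail 2041 invoked from network); 9 Jan 2004 04:23:32 -0000
Received: from unknown (HELO mail.epost.de) (193.28.100.187)
  by mx1.mc.surewest.net with SMTP; 9 Jan 2004 04:23:32 -0000
Received: from [62.111.240.130] (62.111.240.130) by mail.epost.de (6.7.015) (authenticated as barney@epost.de)
        id 3FEB54980020C6CA for xxxx@surewest.net; Fri, 9 Jan 2004 05:23:31 +0100
From: "PayPal" <verification@paypal.com>
""",
    "KingSparta": """\
Received: from localhost (conm200-58-214-227.epm.net.co [200.58.214.227])
   by vamx02.mgw.rr.com (8.12.10/8.12.8) with SMTP id i08GqcgG016208   for
 <xxxxxx@nc.rr.com>; Thu, 08 Jan 2004 11:52:48 -0500 (EST)
From: "PayPal.com" <Do_Not_Reply@paypal.com>
""",
}

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
AUTH_RE = re.compile(r"\(authenticated as ([^)\s]+)\)")


def parse_hop(received):
    """Split one Received value into submitting IP, receiving host, AUTH account."""
    flat = " ".join(received.split())            # undo header folding
    from_part, sep, _ = flat.partition(" by ")   # IPs after "by" are version strings
    ip = IP_RE.search(from_part) if sep else None
    by = BY_RE.search(flat)
    auth = AUTH_RE.search(flat)
    return {
        "ip": ip.group(0) if ip else None,
        "by": by.group(1) if by else None,
        "auth": auth.group(1) if auth else None,
    }


def origin_hop(raw_headers):
    """Return the bottom-most Received hop that names a submitting IP.

    Each relay prepends its own line, so the last one is the first server to
    take the message. Only the line written by your own MX is under your
    control; lower lines are what upstream relays reported.
    """
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received", [])
    hops = [h for h in map(parse_hop, received) if h["ip"]]
    if not hops:
        return None
    hop = dict(hops[-1])
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop["claimed_domain"] = claimed
    # Heuristic: a sender domain that never appears in the relay path is a
    # sign that the From line was simply typed in by the sender.
    hop["claimed_domain_in_path"] = any(claimed in r.lower() for r in received)
    return hop


def cluster(samples):
    """Group reports by (submitting IP, first relay) and collect AUTH accounts."""
    groups = defaultdict(lambda: {"reports": [], "accounts": set()})
    for poster, raw in samples.items():
        hop = origin_hop(raw)
        if hop is None:
            continue
        group = groups[(hop["ip"], hop["by"])]
        group["reports"].append(poster)
        if hop["auth"]:
            group["accounts"].add(hop["auth"])
    return dict(groups)


if __name__ == "__main__":
    for (ip, relay), group in cluster(SAMPLES).items():
        accounts = ", ".join(sorted(group["accounts"])) or "none recorded"
        print(f"{ip} via {relay}: {len(group['reports'])} report(s), accounts: {accounts}")
```

The three epost.de reports collapse to one submitting IP and two authenticated accounts, which is the detail an abuse report to the relay operator needs. KingSparta's message arrived by a different path (the one his scanner flagged as W32.Mimail.J), so it falls into a cluster of its own.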
Title: Re:Fake PayPal Spam Problem
Post by: Sam on January 10, 2004, 09:11:35 pm
After the PayPal email, I changed the email address in my profile and my megaskin (I think they're separate) to a new "temporary" address that I just created.  I just got a new PayPal email to that address today!
Title: Re:Fake PayPal Spam Problem
Post by: Griff on January 10, 2004, 09:23:21 pm
Well, when this stuff happened, I sent it to Ebay.

They were out of two people who had the private addr., the only other one  that I could assume their database was compromised.
Title: Re:Fake PayPal Spam Problem
Post by: pbreet on January 10, 2004, 10:27:56 pm
I've received two of the paypal emails, I was not sure till now they were spam, but I always delete stuff like that, so I simply deleted them.  My mother says I'm too paranoid....
Title: Re:Fake PayPal Spam Problem
Post by: antolod on January 10, 2004, 10:42:49 pm
I got one too.  But my email is used for several forums friends/family.  @insightbb.com and I've had relatively little spam, mostly junk email from manufacturers or vendors I have done business with.  I won't bother posting the header, since John said he has enough info, but it was the epost.de one.
Title: Re:Fake PayPal Spam Problem
Post by: paulr on January 10, 2004, 10:55:48 pm
I received one of these "paypal" scam emails as well just today.  In Outlook/IE it was almost impossible to tell it was faked.

I *just* paid for MC10 as well.

Email domain is sbcglobal.net

Header:

X-Apparently-To: xxxxx@sbcglobal.net via web80407.mail.yahoo.com; Sat, 10 Jan 2004 15:54:56 -0800
X-YahooFilteredBulk: 193.28.100.167
Return-Path: <verification@paypal.com>
Received: from vmb-ext.prodigy.net (207.115.63.87)
  by mta820.mail.sc5.yahoo.com with SMTP; Sat, 10 Jan 2004 15:54:55 -0800
X-Header-Overseas: Mail.from.Overseas.source.193.28.100.167
X-Originating-IP: [193.28.100.167]
Received: from mail.epost.de (mail.epost.de [193.28.100.167] (may be forged))
   by vmb-ext.prodigy.net (8.12.10/8.12.10) with ESMTP id i0ANssCE484674
   for <xxxxx@sbcglobal.net>; Sat, 10 Jan 2004 18:54:54 -0500
Received: from [62.111.240.130] (62.111.240.130) by mail.epost.de (6.7.015) (authenticated as nathaly@epost.de)
        id 40007E6E0000310A for xxxxx@sbcglobal.net; Sun, 11 Jan 2004 00:54:52 +0100
Date: Sun, 11 Jan 2004 00:54:52 +0100 (added by postmaster@mail.epost.de)
Message-ID: <40007E6E0000310A@PPD27104.x.de> (added by postmaster@mail.epost.de)
From: "PayPal" <verification@paypal.com>
X-Mailer: PayPal Mailer
Reply-To: "PayPal" <verification@paypal.com>
To: xxxxx@sbcglobal.net
Subject: Verify your identity
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit<html>
X-Text-Classification: personal
Title: Re:Fake PayPal Spam Problem
Post by: John Gateley on January 10, 2004, 11:15:00 pm
I *just* paid for MC10 as well.

It was sent to your forum address, not to the address you used for payment (even though they may be the same).

Again: purchase data is secure. It's not the same machine, it's not the same location, it's not the same data, and security is a lot tighter on that machine.

On a side note, one of the things that confused me was I had a couple of e-mail addresses in the forum that were unique, and I didn't receive the spam. It arrived today :(

j
Title: Re:Fake PayPal Spam Problem
Post by: Charlemagne 8 on January 10, 2004, 11:27:37 pm
It's not just Interact. I have several of those fakes on several different addresses, some of which are on neither Interact nor Ebay.
Title: Re:Fake PayPal Spam Problem
Post by: Griff on January 10, 2004, 11:43:45 pm
Quote
On a side note, one of the things that confused me was I had a couple of e-mail addresses in the forum that were unique, and I didn't receive the spam. It arrived today

Quote
It's not just Interact. I have several of those fakes on several different addresses, some of which are on neither Interact nor Ebay.

So what's in common here?
Title: Re:Fake PayPal Spam Problem
Post by: John Gateley on January 10, 2004, 11:45:17 pm
It's not just Interact. I have several of those fakes on several different addresses, some of which are on neither Interact nor Ebay.

Thanks for reminding me, I've been meaning to say this.

I've been getting the paypal fraud for over a month now, they will use whatever addresses they can find, attained in whatever way they can.

I'm sure they purchase e-mail addresses from other spammers, and now I know they resort to illicit means to get addresses as well. This is probably the "logical next step" to the recent news that spammers and hackers were joining forces to create viruses/trojans that invade computers and then use them to send spam.

If you get the paypal scam, it may or may not be from Interact.

j
Title: Re:Fake PayPal Spam Problem
Post by: scott_r on January 10, 2004, 11:47:13 pm
YAY! I finally got TWO PayPal emails! I was beginning to feel left out there!

The header is identical to all the others, so I won't bother posting it.

One of the addresses I used to sign up on Interact and purchase MC9, and the other I used to purchase MC10.

EDIT - Deleted a, on second thoughts, foolish comment.

Scott.
Title: Re:Fake PayPal Spam Problem
Post by: John Gateley on January 10, 2004, 11:50:26 pm
Quote
On a side note, one of the things that confused me was I had a couple of e-mail addresses in the forum that were unique, and I didn't receive the spam. It arrived today

Quote
It's not just Interact. I have several of those fakes on several different addresses, some of which are on neither Interact nor Ebay.

So what's in common here?

Nothing, really. I have been receiving the paypal scam for a while. But I didn't receive it at the addresses on the forum until today.

j
Title: Re:Fake PayPal Spam Problem
Post by: Griff on January 11, 2004, 12:52:22 am
Quote
But I didn't receive it at the addresses on the forum until today.

That's what bugs me.

I don't think it's this place.

But it might be some place we all frequent.

That's what I meant by in common.
Title: Re:Fake PayPal Spam Problem
Post by: John Gateley on January 11, 2004, 01:00:29 am
Hi Griff,

They are pulling addresses from multiple places using multiple techniques. They are sending millions of e-mails, not a few hundred or even a few thousand.

j
Title: Re:Fake PayPal Spam Problem
Post by: Omni on January 11, 2004, 01:06:44 am
Yeah, I finally got hit today as well.  :o  It's a good thing, too, because after three pages of this thread, I was starting to feel a little left out.  ;D
Title: Re:Fake PayPal Spam Problem
Post by: Zoner on January 11, 2004, 01:53:05 am
Shouldn't J River send out an email to all email addresses used to register for this forum, warning people about this scam?  I almost clicked on the link, and I'm far from a newbie.  Some forum users *will* lose money because of this scam, and they won't be happy to learn that J River knew about the problem but didn't inform them.
Title: Re:Fake PayPal Spam Problem
Post by: sraymond on January 11, 2004, 02:01:05 am
Shouldn't J River send out an email to all email addresses used to register for this forum, warning people about this scam?  I almost clicked on the link, and I'm far from a newbie.  Some forum users *will* lose money because of this scam, and they won't be happy to learn that J River knew about the problem but didn't inform them.

Agreed.  Though Darwin might not share our viewpoint!

Scott-
Title: Re:Fake PayPal Spam Problem
Post by: Uwe on January 11, 2004, 05:14:37 am
Ok, got two Spam Mails too. Just wondering why they wait so long ?
Uwe
Title: Re:Fake PayPal Spam Problem
Post by: ph_bradley on January 11, 2004, 07:27:58 am
I very much hope that jriver has reported this (as far as I'm concerned) MASSIVE security flaw to YaBB since from reading this forum it seems clear that somehow they have pooled our addresses for the board's database. I very much hope then, if they can get our addys, they can't / haven't already got our passwords. I'm sure several less paranoid users than myself will use the same password for more critical services than a message board.
Title: Re:Fake PayPal Spam Problem
Post by: JimH on January 11, 2004, 08:19:28 am
Quote
I very much hope that jriver has reported this (as far as I'm concerned) MASSIVE security flaw to YaBB since from reading this forum it seems clear that somehow they have pooled our addresses for the board's database. I very much hope then, if they can get our addys, they can't / haven't already got our passwords. I'm sure several less paranoid users than myself will use the same password for more critical services than a message board.

For security reasons, we are not yet saying much about what we know.  Please don't assume that you know.  It only adds to the confusion.

Changing passwords is always a good idea.
Title: Re:Fake PayPal Spam Problem
Post by: salsbst1 on January 11, 2004, 09:47:15 am
Please reconsider the reasons that you have your database outside the firewall.  If there are app servers outside your firewall that need access to it, give them static IPs and poke a hole in the firewall.
Title: Re:Fake PayPal Spam Problem
Post by: LisaRCT on January 11, 2004, 10:19:31 am
Hi Griff,

They are pulling addresses from multiple places using multiple techniques. They are sending millions of e-mails, not a few hundred or even a few thousand.

j


This scam is not new . . .  this has happened several times in the past, but with eBay letters instead of PayPal.
Title: Re:Fake PayPal Spam Problem
Post by: JimH on January 11, 2004, 11:01:30 am
I'm closing this thread now.  I think everything that can be said has been said several times.

As I've said above, we won't say more right now.