Received spam at my dedicated Flyertalk email address
Sep 6, 2010, 11:25 am
#1
Original Poster
Join Date: Oct 2002
Location: UK
Posts: 7,560
Received spam at my dedicated Flyertalk email address
I have a dedicated email address that I use for Flyertalk and Flyertalk only.
It is stored in my account preferences. It receives Talkmail and notifications about PMs and subscribed threads. It receives occasional emails from moderators (e.g., when I have reported a bad post).
It has never been used for any other purpose. It has never been used to send email.
I have today received a spam message at this unique dedicated address.
It was sent from a Hotmail account - almost definitely a hacked account.
It was one of those messages that are designed to lure the recipient to a web site with promises of cheap electronic gadgets. As I understand it anyone who goes that web site will end up downloading a Trojan (and their webmail accounts will be the next to send out these messages...)
My address must have, somehow, leaked out from Flyertalk - either direct (i.e., via an infected machine in Flyertalk's network) or, possibly more likely, via a moderator who was unfortunate enough to get infected.
Has anyone else received any spam/viruses/etc at dedicated Flyertalk email addresses?
BTW, the spam I received came from a Chinese IP address (222.88.234.61). The hacked Hotmail account was in a female name of Spanish/Portuguese origin.
It is stored in my account preferences. It receives Talkmail and notifications about PMs and subscribed threads. It receives occasional emails from moderators (e.g., when I have reported a bad post).
It has never been used for any other purpose. It has never been used to send email.
I have today received a spam message at this unique dedicated address.
It was sent from a Hotmail account - almost definitely a hacked account.
It was one of those messages that are designed to lure the recipient to a web site with promises of cheap electronic gadgets. As I understand it anyone who goes that web site will end up downloading a Trojan (and their webmail accounts will be the next to send out these messages...)
My address must have, somehow, leaked out from Flyertalk - either direct (i.e., via an infected machine in Flyertalk's network) or, possibly more likely, via a moderator who was unfortunate enough to get infected.
Has anyone else received any spam/viruses/etc at dedicated Flyertalk email addresses?
BTW, the spam I received came from a Chinese IP address (222.88.234.61). The hacked Hotmail account was in a female name of Spanish/Portuguese origin.
Sep 10, 2010, 3:32 pm
#2
Join Date: Feb 2009
Posts: 959
Aviatrix,
We have no reason to believe that Flyertalk's database of user emails has been compromised, and we just finished a security sweep of the site's servers that would have notified us of any infected machines on the network.
It's also worth noting that the only time any outside party has access to user email addresses is for the newsletter. Even moderators can't see your email addresses. The only exception to this is when you use the "email user" function of the site. Whenever you contact member through the "email member" option, you are giving them your forum email address. (which is why there is a warning on that page that reads "Note: By using this form, your email address will become available to the user who you are emailing.")
Other than that, I can't think of how this address ended up out in the ether.
We have no reason to believe that Flyertalk's database of user emails has been compromised, and we just finished a security sweep of the site's servers that would have notified us of any infected machines on the network.
It's also worth noting that the only time any outside party has access to user email addresses is for the newsletter. Even moderators can't see your email addresses. The only exception to this is when you use the "email user" function of the site. Whenever you contact member through the "email member" option, you are giving them your forum email address. (which is why there is a warning on that page that reads "Note: By using this form, your email address will become available to the user who you are emailing.")
Other than that, I can't think of how this address ended up out in the ether.
Sep 10, 2010, 3:35 pm
#3
Join Date: May 2008
Location: YYZ
Programs: AC*SE, SPG Gold, HH D
Posts: 1,130
Some spammers just try a dictionary of combinations looking for a hit.
Eg:
[email protected]
[email protected]
It's possible that this is how it got to you.
One of my favourite techniques is to use myemailaddress+<siteaddress>@domain.com. For example, [email protected] to sign up to sites. That one really lets you know who's selling, as most dictionary attacks won't use the + sign designation in their routines.
Just food for thought
Eg:
[email protected]
[email protected]
It's possible that this is how it got to you.
One of my favourite techniques is to use myemailaddress+<siteaddress>@domain.com. For example, [email protected] to sign up to sites. That one really lets you know who's selling, as most dictionary attacks won't use the + sign designation in their routines.
Just food for thought
Sep 10, 2010, 5:00 pm
#4
Join Date: Feb 1999
Location: San Jose, California, USA
Programs: AS 100K, UA MM, AA MM, IC Plat Amb, Marriott Gold, Hilton Gold, Hyatt Explorist
Posts: 3,146
I always provide a dedicated email address to each Web site. Many times I've received spam at these addresses, but not yet at my FlyerTalk email address.
The one disturbing trend is that whenever I report what seems like a breach, the issue has always been dismissed for the reasons stated above.
But in most of these cases, none of those reasons apply: The email addresses were given only to one site, were never used to send mail, and were not subject to a dictionary attack (or else my catch-all address would have evidence of that).
My only conclusion is there is a breach somewhere (perhaps even on my side), but IME, nobody seems to want to take it seriously enough to investigate. I always end up disabling the dedicated email address, updating the site with a new dedicated one, and crossing my fingers that it was a fluke.
The one disturbing trend is that whenever I report what seems like a breach, the issue has always been dismissed for the reasons stated above.
But in most of these cases, none of those reasons apply: The email addresses were given only to one site, were never used to send mail, and were not subject to a dictionary attack (or else my catch-all address would have evidence of that).
My only conclusion is there is a breach somewhere (perhaps even on my side), but IME, nobody seems to want to take it seriously enough to investigate. I always end up disabling the dedicated email address, updating the site with a new dedicated one, and crossing my fingers that it was a fluke.
Sep 11, 2010, 1:09 pm
#5
Join Date: Feb 2009
Posts: 959
I always provide a dedicated email address to each Web site. Many times I've received spam at these addresses, but not yet at my FlyerTalk email address.
The one disturbing trend is that whenever I report what seems like a breach, the issue has always been dismissed for the reasons stated above.
But in most of these cases, none of those reasons apply: The email addresses were given only to one site, were never used to send mail, and were not subject to a dictionary attack (or else my catch-all address would have evidence of that).
My only conclusion is there is a breach somewhere (perhaps even on my side), but IME, nobody seems to want to take it seriously enough to investigate. I always end up disabling the dedicated email address, updating the site with a new dedicated one, and crossing my fingers that it was a fluke.
The one disturbing trend is that whenever I report what seems like a breach, the issue has always been dismissed for the reasons stated above.
But in most of these cases, none of those reasons apply: The email addresses were given only to one site, were never used to send mail, and were not subject to a dictionary attack (or else my catch-all address would have evidence of that).
My only conclusion is there is a breach somewhere (perhaps even on my side), but IME, nobody seems to want to take it seriously enough to investigate. I always end up disabling the dedicated email address, updating the site with a new dedicated one, and crossing my fingers that it was a fluke.
I can think of one other time when someone posted that their private flyertalk-only email address was receiving spam "from internet brands" and that was disproved.
I want to ensure all Flyertalkers that we do make sure to keep your private information secure.
Sep 11, 2010, 4:56 pm
#6
Join Date: Feb 1999
Location: San Jose, California, USA
Programs: AS 100K, UA MM, AA MM, IC Plat Amb, Marriott Gold, Hilton Gold, Hyatt Explorist
Posts: 3,146
Two sites where it's happened include Dell and Priceline (twice!). Glad to see that you take these reports seriously and investigate. ^
Mar 9, 2011, 4:40 pm
#7
Join Date: Nov 2006
Programs: AA PLT/2MM, SWA A+, SPG Titanium, Avis Chairman
Posts: 1,024
I just stopped by to post a similar thread. My isolated, FT only email just received its first ever spam, strangely enough claiming to be from a quilting message board. This email has never been posted anywhere, nor used for anything else. Hopefully it is isolated, and more people don't start getting it too.
Mar 9, 2011, 4:56 pm
#8
Join Date: Feb 2008
Location: EGPH
Posts: 18
Houston, we have a problem
I just stopped by to post a similar thread. My isolated, FT only email just received its first ever spam, strangely enough claiming to be from a quilting message board. This email has never been posted anywhere, nor used for anything else. Hopefully it is isolated, and more people don't start getting it too.
Headers (censored)
Received: from mta.travel.ibemail.com ([66.231.95.39]:39508)
by <my server> with esmtp (my server)
(envelope-from <bounce-87_TEXT-46339873-183580-1022693-0@bounce.travel.ibemail.com>)
id 1PxSri-00099o-En
for (my e-mail); Wed, 09 Mar 2011 18:32:30 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608; d=lifestyle.ibemail.com;
h=From:To:Subject
ate:List-Unsubscribe:MIME-Version:Reply-To:Message-ID:Content-Type:Content-Transfer-Encoding; [email protected];
bh=4ukm8rFM99VmObnxG9gv+//8eFQ=;
b=jbOof+bAzSS4tF19aqNBZkIcRtvWtznsjBK6dshG19iHHGTm VCc30ZkCLN9obvwqx6euDizLZJ9m
D0jVAEQFb34pBl4CmDoKbXMyBKCYiy0ZtvDuNsS35e8LBkkV2D DmEUApy0AWQYWbVgJZ81xkVrv2
hTUW2UIf4a5J9v9gLns=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=200608; d=lifestyle.ibemail.com;
b=E7m5pht6CH34GoRrMOYfmhnu/VYWi3+6WLiOVVCb8t50pOm0m5fMLkuY2k0RshxaD+1513WZd85 x
GWn2SS4gqcn813wsqhT8WUnYbwKUU8oBY31JIYB8xlfih4iKdi hXLPyYFPzHUixx+nBkTxDbD4X1
f0o/XglCYVjyU0JQ9HY=;
Received: by mta.travel.ibemail.com (PowerMTA(TM) v3.5r13) id hf18qc0ie1s0 for <my email>; Wed, 9 Mar 2011 22:19:52 -0600 (envelope-from <bounce-87_TEXT-46339873-183580-1022693-0@bounce.travel.ibemail.com>)
From: "Leisure" <[email protected]>
To: <my email>
Subject: Hello Valued Customer here is your March 9 Quilting Newsletter
Date: Wed, 09 Mar 2011 17:31:06 -0600
List-Unsubscribe: <mailto:leave-fd6c1c771a20513531-fe54107676670d757217-fec6157876610c7d-fe9815707766027476-ffcf14@leave.travel.ibemail.com>
MIME-Version: 1.0
Reply-To: "Quilted Paradise" <reply-fec6157876610c7d-87_TEXT-46339873-1022693-0@lifestyle.ibemail.com>
x-job: 1022693_183580
Message-ID: <[email protected]>
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
by <my server> with esmtp (my server)
(envelope-from <bounce-87_TEXT-46339873-183580-1022693-0@bounce.travel.ibemail.com>)
id 1PxSri-00099o-En
for (my e-mail); Wed, 09 Mar 2011 18:32:30 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608; d=lifestyle.ibemail.com;
h=From:To:Subject
ate:List-Unsubscribe:MIME-Version:Reply-To:Message-ID:Content-Type:Content-Transfer-Encoding; [email protected];bh=4ukm8rFM99VmObnxG9gv+//8eFQ=;
b=jbOof+bAzSS4tF19aqNBZkIcRtvWtznsjBK6dshG19iHHGTm VCc30ZkCLN9obvwqx6euDizLZJ9m
D0jVAEQFb34pBl4CmDoKbXMyBKCYiy0ZtvDuNsS35e8LBkkV2D DmEUApy0AWQYWbVgJZ81xkVrv2
hTUW2UIf4a5J9v9gLns=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=200608; d=lifestyle.ibemail.com;
b=E7m5pht6CH34GoRrMOYfmhnu/VYWi3+6WLiOVVCb8t50pOm0m5fMLkuY2k0RshxaD+1513WZd85 x
GWn2SS4gqcn813wsqhT8WUnYbwKUU8oBY31JIYB8xlfih4iKdi hXLPyYFPzHUixx+nBkTxDbD4X1
f0o/XglCYVjyU0JQ9HY=;
Received: by mta.travel.ibemail.com (PowerMTA(TM) v3.5r13) id hf18qc0ie1s0 for <my email>; Wed, 9 Mar 2011 22:19:52 -0600 (envelope-from <bounce-87_TEXT-46339873-183580-1022693-0@bounce.travel.ibemail.com>)
From: "Leisure" <[email protected]>
To: <my email>
Subject: Hello Valued Customer here is your March 9 Quilting Newsletter
Date: Wed, 09 Mar 2011 17:31:06 -0600
List-Unsubscribe: <mailto:leave-fd6c1c771a20513531-fe54107676670d757217-fec6157876610c7d-fe9815707766027476-ffcf14@leave.travel.ibemail.com>
MIME-Version: 1.0
Reply-To: "Quilted Paradise" <reply-fec6157876610c7d-87_TEXT-46339873-1022693-0@lifestyle.ibemail.com>
x-job: 1022693_183580
Message-ID: <[email protected]>
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
P.S. sorry, the headers appear to have been mangled somehow, particularly the long DKIM lines
Last edited by scotty72; Mar 9, 2011 at 4:57 pm Reason: add P.S.
Mar 9, 2011, 5:04 pm
#9
Original Poster
Join Date: Oct 2002
Location: UK
Posts: 7,560
Got it too
I got the quilting spam too.
And I've just done a Whois on the sending domain (hostname mta.travel.ibemail.com) and it turns out that ibemail.com is registered to none other than Internet Brands.
In other words
We are being spammed by the people who run Flyertalk.
How dare they????
And I've just done a Whois on the sending domain (hostname mta.travel.ibemail.com) and it turns out that ibemail.com is registered to none other than Internet Brands.
In other words
We are being spammed by the people who run Flyertalk.
How dare they????
Mar 9, 2011, 5:17 pm
#11
Join Date: Aug 2009
Posts: 39
I got the quilting spam too.
And I've just done a Whois on the sending domain (hostname mta.travel.ibemail.com) and it turns out that ibemail.com is registered to none other than Internet Brands.
In other words
We are being spammed by the people who run Flyertalk.
How dare they????
And I've just done a Whois on the sending domain (hostname mta.travel.ibemail.com) and it turns out that ibemail.com is registered to none other than Internet Brands.
In other words
We are being spammed by the people who run Flyertalk.
How dare they????
- Tim
Mar 9, 2011, 5:23 pm
#12
Join Date: Feb 2008
Location: EGPH
Posts: 18
I suspect that someone at IB screwed up and sent the quilting message to the wrong group of users. However it is a mistake that should have been caught much much earlier in the process and there is automation that could have prevented this from happening in the first place.
Still, we need IB to step forward and admit the screw up and tell us what happened and what they're going to do to stop it from happening again, or my e-mail account will vanish and they won't be able to send me any more e-mail EVER AGAIN.
Still, we need IB to step forward and admit the screw up and tell us what happened and what they're going to do to stop it from happening again, or my e-mail account will vanish and they won't be able to send me any more e-mail EVER AGAIN.
Mar 9, 2011, 5:27 pm
#13
Join Date: Mar 2001
Location: AUS
Posts: 203
So will this new marketing push be confirmed by the powers that be? In a decade I have never received any message at this address other than Flyertalk communications, until I received this quilting spam today. I suppose it's marginally reassuring that it is not a security breach or a sale of our contact information to a third party.
Mar 9, 2011, 5:45 pm
#15
Join Date: May 2007
Location: SEA
Programs: Delta Platinum Medallion, Marriott Platinum
Posts: 624
So will this new marketing push be confirmed by the powers that be? In a decade I have never received any message at this address other than Flyertalk communications, until I received this quilting spam today. I suppose it's marginally reassuring that it is not a security breach or a sale of our contact information to a third party.