I got one too, so she does have some Common[wealth] sense. Sorry - royalist joke.
Not being in the market I thought I would leave her for some of the younger contributors.
I think the picture is pretty much painted that just about everybody got it (although strangely, I didn't).
I can't find any info on The Google about a VB e-mail exploit, Nick, at least not for this particular version or those after it, but please do let me know if you've found something I missed.
I did find a programming error in the main RP site that could have possibly exposed e-mail addresses to a phisher if they knew where to look. This bug would have been in place since the site was first coded, so it's surprising that it took this long to show its face. I've removed the bug, and hopefully this has corrected the vulnerability.
Apologies (I've been doing that a lot lately, so it would seem) for the unwanted inconvenience.
__________________
Chris Kilroy
Editor, RailPictures.Net
- View My Photos at RailPictures.Net!
- View My Photos at JetPhotos.Net!
The Hoe just emailed me... I suppose the whole "Remeber the distance or colour does not matter but love matters alot in life" really does apply to me in a sense. My guess is that this is Jully from Amtrak finally giving me a chance after calling her so much for updates!
It would be helpful if someone who got the e-mail could either forward it to me (chris.kilroy [ta] railpictures.net) or post the headers here so I could see where the e-mail actually originated.
__________________
Chris Kilroy
Editor, RailPictures.Net
- View My Photos at RailPictures.Net!
- View My Photos at JetPhotos.Net!
I can't find any info on The Google about a VB e-mail exploit, Nick, at least not for this particular version or those after it, but please do let me know if you've found something I missed.
I did find a programming error in the main RP site that could have possibly exposed e-mail addresses to a phisher if they knew where to look. This bug would have been in place since the site was first coded, so it's surprising that it took this long to show its face. I've removed the bug, and hopefully this has corrected the vulnerability.
If you Google ("Jully arnauld" "profile today"), a few miscellaneous websites pop up with copies of the same message, but with different websites listed (squidu.com, arrse.co.uk, etc.), all of which seem to have a forum that looks like vBulletin.
That said, it's also possible that the addresses were obtained via some sort of SQL injection - my buddy Dan Kwarciany reported getting a copy of the email, and, as far as he knows, he doesn't have an account on the forums... I did a member search for his name (dkwarc1751, Dan, Kwarciany, etc.) and wasn't able to find an account for him here on the forums, so, maybe it wasn't from the forum software.
If you can confirm that Dan doesn't have an account on the forums, then we know it's a problem with the RP.net code, rather than vBulletin. If he does, then we can't be sure either way.
It would be helpful if someone who got the e-mail could either forward it to me (chris.kilroy [ta] railpictures.net) or post the headers here so I could see where the e-mail actually originated.
PHP Code:
Delivered-To: ottergoose@gmail.com
Received: by 10.223.126.82 with SMTP id b18cs342728fas;
        Mon, 11 Jan 2010 12:36:14 -0800 (PST)
Received: by 10.100.35.6 with SMTP id i6mr6280757ani.178.1263242170433;
        Mon, 11 Jan 2010 12:36:10 -0800 (PST)
Return-Path: <jullyarnauld@yahoo.com>
Received: from web59302.mail.re1.yahoo.com (web59302.mail.re1.yahoo.com [66.196.101.43])
        by mx.google.com with SMTP id 3si146863929yxe.43.2010.01.11.12.36.08;
        Mon, 11 Jan 2010 12:36:09 -0800 (PST)
Received-SPF: pass (google.com: domain of jullyarnauld@yahoo.com designates 66.196.101.43 as permitted sender) client-ip=66.196.101.43;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of jullyarnauld@yahoo.com designates 66.196.101.43 as permitted sender) smtp.mail=jullyarnauld@yahoo.com; dkim=pass (test mode) header.i=@yahoo.com
Received: (qmail 96369 invoked by uid 60001); 11 Jan 2010 20:36:08 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1263242168; bh=A0OuUypcykEKyQXBI2TNi1CQ5l4spj7yKFtKzGTtN94=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=SO6uJYhvbbOPrVqbDwVmb+qeMvCpietxoaYRZFMN5fjKjDFQuqc75Y1+N7J9+RmZCzDuDP0cUN7CKq32USq8rZWns4Hj7G3o8rrE4dF1Yz1wqK8oNaCSvx/YBGxnO3szVnmBHH/IaaDyUIgi5+e+Y4SGOHCQPKqYKvCEAKWXUP0=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=JhULtB3LQNk+ld0qUc4AoKcB6O267pRlHsgxWFmLP/Q97J5+JLhbA8zR1eAo/jGnSCWaWOjx6thDjsgj/dPVxpuyW4t81vfSv2KXRHLBJ/AS0XRitcW/1ibymJbtmrh5oXj87xL5GvWqiNPZvtw1RIwp9zvfW5Af9agZxiyGZ3s=;
Message-ID: <623120.95017.qm@web59302.mail.re1.yahoo.com>
X-YMail-OSG: twmyvFQVM1nbQiPyN5S.4QqbtIoC9pFL5hOt_qJGLk3zpsMNjS2NoLaFy05OaRIeffPR4_.Wuri4wO8OCA4qry9HF.x.zKY0zUNKiBFlbSHuEOdLRcuN6TEEsIicyx3wO5r4t2uhsrXDcLWFoN1BX5uNbpbU6lIY_6jnGERJvD.XCHcz0xw8j3ILAS1qWDrMpngjEhWVJ3Kv40le0SJ9G4fvgjLwk6ZWrzY1sjJJW8w5wABIRVKrvUw3_h8GMA6YhLtWQVJTYFtYXX1AQUcEq2jPTmJKwFeOvLlL3aAsh21yU92jdMLLFd6TCJGZUCC1ExHBRpnYiqC_k9NS8RbdVEHCF6S9m0SM5lp5zjMTc_ByL2g5pt1oek9JCnAlK1m5FlJHh8VQqxXi90Rs50S5eXiwraE5EkWG__6vDog8zpk0zQjd1J9h5xQpRmtlJcet_pL7vfxJNicZuB5fxgb28mO.t_KFK1Wt4bmc5fwvqZY8V.rqjdtjai9KW9ojSzDke04SWu6MaSzLoJVx0ZvGoDzqCKzDICoLnohBQC8r_AUvJ7cj0Lxy1G4VmU0wDacSjvfzjveb6ImBXPIefeQK7KsZMJjdzOwb0LlKX_zRXEfxHK7hvvOo3lWOB1W9IjelsrzzYr3buwLGKuEfBJLxFD0NbPsm1Ztc8klqRJkUfQC55sFZIBwxrc2KN9nKDeVJw226EQ--
Received: from [196.207.194.120] by web59302.mail.re1.yahoo.com via HTTP; Mon, 11 Jan 2010 12:36:08 PST
X-Mailer: YahooMailClassic/9.0.20 YahooMailWebService/0.8.100.260964
Date: Mon, 11 Jan 2010 12:36:08 -0800 (PST)
From: Jully Arnauld <jullyarnauld@yahoo.com>
Subject: hi
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-2117887435-1263242168=:95017"
HI
=0A=0A=0A=0A=0A=0A=0A=0A=0A=0AMy name is Jully arnauld ,i saw your profile =
today in (
=0A=0A=0A=0A=0A=0A=0A=0A=0A=0Awww.railpictures.net) and i=A0 became intrest=
ed in you,i will also like=0Ato know you=A0 more,and i want you to send an =
email to my email address=0Aso i can give you my picture for you to know wh=
om i am.
=0A=0A=0A=0A=0A=0A=0A=0A=0A=0AHere is my email address (jullyarnauld@yahoo.=
com)
=0A=0A=0A=0A=0A=0A=0A=0A=0A=0AI believe we can move from here!
=0A=0A=0A=0A=0A=0A=0A=0A=0A=0AI am waiting for your mail to my email addres=
s above..
=0A=0A=0A=0A=0A=0A=0A=0A=0A=0A(Remeber the distance or colour does not matt=
er but love matters alot in life) yours
=0A=0A=0A=0A=0A=0A=0A=0A=0A=0Ain love Jully =0A=0A=0A
--0-2117887435-1263242168=:95017
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
<table cellspacing=3D"0" cellpadding=3D"0" border=3D"0" ><tr><td valign=3D"=
top" style=3D"font: inherit;">HI=0A=0A=0A=0A=0A=0A=0A=0A=0A=0AMy name i=
s Jully arnauld ,i saw your profile today in (=0A=0A=0A=0A=0A=0A=0A=0A=
=0A=0Awww.railpictures.net) and i became intrested in you,i will also=
like=0Ato know you more,and i want you to send an email to my email =
address=0Aso i can give you my picture for you to know whom i am.=0A=0A=
=0A=0A=0A=0A=0A=0A=0A=0AHere is my email address (jullyarnauld@yahoo.com)<b=
r>=0A=0A=0A=0A=0A=0A=0A=0A=0A=0AI believe we can move from here!=0A=0A=
=0A=0A=0A=0A=0A=0A=0A=0AI am waiting for your mail to my email address abov=
e..=0A=0A=0A=0A=0A=0A=0A=0A=0A=0A(Remeber the distance or colour does n=
ot matter but love matters alot in life) yours=0A=0A=0A=0A=0A=0A=0A=0A=
=0A=0Ain love Jully </td></tr></table>=0A=0A
--0-2117887435-1263242168=:95017--
I just realized that my forum account and website account each have a different email address associated with them (although both get forwarded to the same Gmail account). I just sent a pair of test emails from my Yahoo mail account (same as Jully) and was able to confirm that the email was sent to the address associated with my RP.net account, and not my forum account.
In other words, it's definitely a vulnerability from the RP.net code base, not vBulletin.
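An added example, not code from the thread: one way to read the routing headers posted above mechanically and see which server handed the message to the recipient's provider, what that provider's SPF/DKIM verdicts were, and which client address the webmail hop recorded. The sample is constructed from the posted headers (signature blobs omitted, recipient replaced by a placeholder); the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: routing headers from the post above, re-folded, with
# the signature blobs omitted and the recipient replaced by a placeholder.
RAW = """\
Delivered-To: recipient@example.com
Received: by 10.100.35.6 with SMTP id i6mr6280757ani.178.1263242170433;
        Mon, 11 Jan 2010 12:36:10 -0800 (PST)
Return-Path: <jullyarnauld@yahoo.com>
Received: from web59302.mail.re1.yahoo.com (web59302.mail.re1.yahoo.com [66.196.101.43])
        by mx.google.com with SMTP id 3si146863929yxe.43.2010.01.11.12.36.08;
        Mon, 11 Jan 2010 12:36:09 -0800 (PST)
Authentication-Results: mx.google.com; spf=pass (google.com: domain of jullyarnauld@yahoo.com designates 66.196.101.43 as permitted sender) smtp.mail=jullyarnauld@yahoo.com; dkim=pass (test mode) header.i=@yahoo.com
Received: (qmail 96369 invoked by uid 60001); 11 Jan 2010 20:36:08 -0000
Received: from [196.207.194.120] by web59302.mail.re1.yahoo.com via HTTP; Mon, 11 Jan 2010 12:36:08 PST
From: Jully Arnauld <jullyarnauld@yahoo.com>
Subject: hi

"""

IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hops(msg):
    """Received headers oldest-first (each relay prepends its own line)."""
    out = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        by, ip = re.search(r"\bby (\S+)", text), IP.search(text)
        out.append({"by": by and by.group(1), "ip": ip and ip.group(1),
                    "webmail": " via HTTP" in text})
    return out

def auth(msg, receiver):
    """Verdicts stamped by our own receiver only; others are sender-supplied."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        text = " ".join(value.split())
        if text.startswith(receiver + ";"):
            verdicts.update(re.findall(r"\b(spf|dkim)=(\w+)", text))
    return verdicts

def trace(raw, receiver="mx.google.com"):
    msg = message_from_string(raw)
    chain = hops(msg)
    handoff = next(h for h in chain if h["by"] == receiver)
    web = next((h for h in chain if h["webmail"]), None)
    # Hops older than the handoff are written by the sending side and are
    # only as trustworthy as the SPF/DKIM verdict on that sender.
    return {"handoff_ip": handoff["ip"],
            "client_ip": web["ip"] if web else None, **auth(msg, receiver)}
```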
Thanks, Nick, and also to the others who e-mailed me the headers for review.
I did see an instance of sendmail going crazy earlier today (which happens from time to time), so I wanted to make sure this wasn't connected. The headers seem to confirm that the e-mail came directly from Yahoo.
The vulnerability I found earlier was in the RP member contact script, where the form was invisibly echoing the intended recipient's e-mail address as a hidden form field. This was done by my "programming helper" back in 2002 when the site was first coded, and I never picked up on it. I would have probably never noticed it had this event not happened.
If someone were to have picked up on that vulnerability (which it appears they might've), it would be very easy to automate some sort of script to collect e-mail addresses simply by changing the userid in the URL, then use them later to e-mail from a Yahoo account.
I've e-mailed Yahoo's abuse department with the e-mail headers in the hopes that they can do something about this particular user, but of course, I won't be holding my breath to even hear back from them on it.
I hope this is simply a one time thing that's been resolved. Unfortunately, honesty compels me to admit that once an e-mail address has been compromised, there's no sure bet that spam won't continue to be delivered, since the spammer and all of their friends already have the e-mail address. I hope that doesn't turn out to be the case here.
Again, many apologies from our side for this unfortunate issue. I, and the rest of the team, are doing our level best to keep things like this from happening again in the future.
__________________
Chris Kilroy
Editor, RailPictures.Net
- View My Photos at RailPictures.Net!
- View My Photos at JetPhotos.Net!
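An added example, not the RailPictures.Net code: the hidden-field pattern described in the post above next to one way of fixing it, where the form carries only the member id and the address is looked up on the server when the message is sent. The member table, routes and function names are hypothetical, and the post does not say how the actual fix was made.

```python
import html
import re

# Constructed member table; names and addresses are made up.
MEMBERS = {101: {"name": "Alice", "email": "alice@example.org"},
           102: {"name": "Bob", "email": "bob@example.org"}}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def render_form_vulnerable(userid):
    """The pattern from the post: the recipient's address sits in a hidden
    field, so it is in the page source for anyone who requests the form."""
    m = MEMBERS[userid]
    return ('<form method="post" action="/contact">'
            f'<input type="hidden" name="to" value="{html.escape(m["email"])}">'
            f'<p>Message for {html.escape(m["name"])}</p>'
            '<textarea name="body"></textarea></form>')

def render_form_fixed(userid):
    """Only the member id reaches the browser; the address stays server-side."""
    m = MEMBERS[userid]
    return ('<form method="post" action="/contact">'
            f'<input type="hidden" name="userid" value="{int(userid)}">'
            f'<p>Message for {html.escape(m["name"])}</p>'
            '<textarea name="body"></textarea></form>')

def handle_submit(form, send):
    """Resolve the recipient at send time from the id; a client-supplied
    'to' field is never read, so it cannot redirect or reveal anything."""
    try:
        member = MEMBERS[int(form.get("userid", ""))]
    except (KeyError, ValueError):
        return False
    send(member["email"], form.get("body", "")[:5000])
    return True

def leaked_addresses(page):
    """Regression check for templates: any address in rendered output is a leak."""
    return EMAIL_RE.findall(page)
```

Running `leaked_addresses` over every rendered member-facing page in a test suite catches this class of bug if it is reintroduced in another template.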
I've e-mailed Yahoo's abuse department with the e-mail headers in the hopes that they can do something about this particular user, but of course, I won't be holding my breath to even hear back from them on it.
I have contacted Yahoo! Abuse previously and they were very quick to respond and extremely apologetic.