MyBB Community Forums

MyBB Community Forums > MyBB Project > MyBB Project & Site Issues > SPAM - email address sourced from this forum
Full Version: SPAM - email address sourced from this forum
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2

peterr

2008-05-29, 05:42 AM
Hi,

I got some spam today, which is no big deal, EXCEPT I have been able to verify HOW the spammer got my email address.

The email address they used, is ONLY stored on this forum, so somehow, a person/s have been able to get to the database (maybe SQL injection weakness ?? ) and retrieve my email address.

I can supply the script they used, as it is shown in the email headers. I won't post it publically, but if a moderator or 'admin' person PM's me, I will supply all the details.

HTH

Chris Boulton

2008-05-29, 06:17 AM
Hi peterr,

Can you please send a copy of the email, with full headers, to myself via Private Message?

Thanks

peterr

2008-05-29, 06:29 AM
Thanks Chris, the PM has now been sent.

Peter

peterr

2008-05-31, 05:44 AM
Chris,

How are your investigations proceeding ? I sent you several other PM's, with additional information, about how my email address could have been 'harvested' from this site.

Whether it was unauthorised or authorised access, somehow the email address was either viewable through my profile (exploit found ??), or the database (sql injection possibly ??).

Peter

Ryan Gordon

2008-05-31, 05:54 AM
Hi peterr,

There are no exploits or sql injections that have been reported to us that haven't already been fixed and released.

peterr

2008-05-31, 06:08 AM
Hi Tikitiki,

There is a resource site, that shows all the exploits, etc, try:

http://www.milw0rm.com/search.php?dong=Mybb

No doubt these have all been addressed though.

Peter

Ryan Gordon

2008-05-31, 06:38 AM
I am well aware of sites like that and I am well aware that there have been no reported vulnerabilities that have not been fixed already.

Anything else?

Eegee

2008-05-31, 09:08 PM
I too have received spam (yesterday) on addresses used only on this forum. I use two addresses (one general and one for mods) and on both I received the same spam.

User 2877

2008-06-01, 12:37 AM
Spam can occur even if you NEVER publish the email address. Have you considered that?

Chris Boulton

2008-06-01, 12:45 AM
Hi,

There are no known issues (as has been mentioned) n MyBB which allows sourcing of email addresses. (SQL injection or otherwise) I've also scoured the log files (we have an intrusion detection system that logs all suspicious looking requests) for anything that looks like an SQL injection.

Because you registered such a long time ago, there may have been an issue a while ago that allowed something like this.
Pages: 1 2
MyBB Community Forums > MyBB Project > MyBB Project & Site Issues > SPAM - email address sourced from this forum