1. Update: Likely Data Security Breach at iContact.com

    On the day I posted Suspected Data Security Breach at iContact.com I was contacted via Facebook by someone with an email address @icontact.com. I forwarded them the same information that I sent to their abuse team. I’ve not heard anything back since.

    Others have picked up on this likely breach at iContact.com:

    iContact have answered some concerns: they are looking into the problem.

    I have been contacted by one of the sites/services whose address-list has been breached, simply to ask to be kept in the loop with iContact.com’s response.

    I have done some further research into my mail folders. I have found one address which iContact.com have on record which has not yet received any spam. As a result, this address hasn’t been compromised and has been replaced by HIDDEN on this public website. iContact’s abuse team has been provided with the full details, however:

    Received: from smtp7.icpbounce.com ([::ffff:216.27.93.119])
     by faelix.net with esmtp; Tue, 01 Jan 2008 01:12:36 +0000
     id 000013C1.47799384.00003B72
    Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
           by smtp7.icpbounce.com (Postfix) with ESMTP id 43D6197750
           for <HIDDEN>; Mon, 31 Dec 2007 19:54:34 -0500 (EST)
    Date: Mon, 31 Dec 2007 19:54:34 -0500
    

    This address hasn’t received any emails this month:

    mail:~# ls -l /var/log/mail.log*
    -rw-r----- 1 root adm  9351785 2010-01-28 11:45 /var/log/mail.log
    -rw-r----- 1 root adm 13870643 2010-01-24 06:23 /var/log/mail.log.1
    -rw-r----- 1 root adm  1451508 2010-01-17 06:24 /var/log/mail.log.2.gz
    -rw-r----- 1 root adm  1257403 2010-01-10 06:24 /var/log/mail.log.3.gz
    -rw-r----- 1 root adm  1828195 2010-01-03 06:25 /var/log/mail.log.4.gz
    mail:~# zgrep HIDDEN /var/log/mail.log*
    mail:~# 
    

    The last email sent to this address was via iContact.com on 17th July 2009:

    Received: from smtp15.icpbounce.com ([::ffff:216.27.93.111])
     by faelix.net with esmtp; Fri, 17 Jul 2009 23:30:51 +0100
     id 000010FE.4A60FB9D.000039C9
    Received: from localhost.localdomain (localhost [127.0.0.1])
           by smtp15.icpbounce.com (Postfix) with ESMTP id D37AA6A0C98
           for <HIDDEN>; Fri, 17 Jul 2009 18:01:58 -0400 (EDT)
    Date: Fri, 17 Jul 2009 18:01:58 -0400
    

    Timeline

    March 2002: photonlight@maz.nu receives its first iContact.com mail
    1st January 2008: HIDDEN receives its first iContact.com mail
    7th Feb 2009: macheist.com@maz.nu receives its first iContact.com mail
    1st April 2009: macheist.com@maz.nu receives its last iContact.com mail (address now blacklisted)
    2nd April 2009: bloomsbury.com@maz.nu receives its first iContact.com mail
    14th May 2009: slimes@maz.nu receives its first iContact.com mail
    17th July 2009: HIDDEN receives its last iContact.com mail (address still valid)
    27th July 2009: bloomsbury.com@maz.nu receives its last iContact.com mail (address now blacklisted)
    30th December 2009: photonlight@maz.nu receives its last iContact.com mail (address now blacklisted)
    18th January 2010: slimes@maz.nu receives its last iContact.com mail (address now blacklisted)

    At first I wondered if the anomalous address, HIDDEN, was an indicator that perhaps only addresses recently sent a newsletter by iContact.com had been breached (i.e. those contacted after 17th July 2009). The counter-example is macheist.com@maz.nu which has been receiving emails only via Google’s mailers since April 1st 2009, so that theory doesn’t hold water. However, it would appear that not all of my addresses on file at iContact have been spammed yet, so perhaps this isn’t a total breach… or perhaps I’m still waiting for HIDDEN to be hit!

  2. Suspected Data Security Breach at iContact.com

    I suspect iContact.com has suffered a data security compromise.

    Summary

    I have received four nearly-identical spams to four different addresses known only to myself and four distinct websites. These four websites all use iContact.com for newsletter mailing. I have also received this spam to a spam-trap address, but importantly, to no other unique addresses that I use with other websites. The evidence points strongly to a data breach at iContact.com.

    Evidence

    Four addresses known only to four websites and myself have begun receiving spam today. Each address below links through to the spam in question.

    All four websites in question (photonlight, slimelight, macheist and bloomsbury) have sent me emails via iContact. Extracts of the beginning headers of legitimate emails are as follows:

    Received: from drone15.ral.icpbounce.com ([::ffff:66.192.165.135])
      by mx10.faelix.net with esmtp; Wed, 30 Dec 2009 19:16:37 +0000
      id 0000C014.4B3BA715.00001A1E
    Received: from localhost.localdomain (localhost [127.0.0.1])
    	by drone15.ral.icpbounce.com (Postfix) with ESMTP id CA9D776C0CC
    	for <photonlight@maz.nu>; Wed, 30 Dec 2009 14:16:36 -0500 (EST)
    Date: Wed, 30 Dec 2009 14:16:36 -0500
    To: photonlight@maz.nu
    
    Received: from drone5.rtp.icpbounce.com ([::ffff:74.202.227.45])
      by mx10.faelix.net with esmtp; Mon, 27 Jul 2009 10:17:55 +0000
      id 00006005.4A6D7ED3.000023ED
    Received: from localhost.localdomain (localhost [127.0.0.1])
    	by drone5.rtp.icpbounce.com (Postfix) with ESMTP id A13E6438A76
    	for <bloomsbury.com@maz.nu>; Mon, 27 Jul 2009 06:17:50 -0400 (EDT)
    Date: Mon, 27 Jul 2009 06:17:50 -0400
    To: bloomsbury.com@maz.nu
    
    Received: from smtp8.icpbounce.com ([::ffff:216.27.93.118])
      by faelix.net with esmtp; Sun, 15 Mar 2009 01:02:05 +0000
      id 000013D9.49BC538D.0000767F
    Received: from localhost.localdomain (localhost [127.0.0.1])
    	by smtp8.icpbounce.com (Postfix) with ESMTP id 6E1AF97161
    	for <macheist.com@maz.nu>; Sat, 14 Mar 2009 21:01:44 -0400 (EDT)
    Date: Sat, 14 Mar 2009 21:01:44 -0400
    To: macheist.com@maz.nu
    
    Received: from smtp3.icpbounce.com ([::ffff:216.27.93.123])
      by mx10.faelix.net with esmtp; Thu, 14 Jan 2010 17:59:02 +0000
      id 0000C00A.4B4F5B66.0000129A
    Received: from localhost.localdomain (localhost [127.0.0.1])
    	by smtp3.icpbounce.com (Postfix) with ESMTP id 4124C596396
    	for <slimes@maz.nu>; Thu, 14 Jan 2010 12:58:58 -0500 (EST)
    Date: Thu, 14 Jan 2010 12:58:58 -0500
    To: slimes@maz.nu
    

    The only other address to receive the junk-mail in question is a spam-trap, known to receive large amounts of spam: my Debian consultant email address. No other addresses I use (there are several hundred) have received this spam today. Therefore I do not feel that a virus on my laptop or a compromise of my mail servers has leaked these addresses.

    I feel it is highly unlikely that four different websites would all have their mailing list databases separately compromised. Applying Occam’s Razor, the simplest explanation is that the common element — iContact.com — is the source of these email addresses of mine.

    It is my belief, having read their website and spoken to customer services, that iContact do abide by their strict privacy and anti-spam policies. I do not believe they have sold their address database to spammers. I fear they have been victims of an attack against their database servers, or possibly a disgruntled insider has leaked their database.

    Their abuse team has been notified, and I await their feedback.

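    The reasoning in the Summary and Evidence sections above is a set intersection over sender histories: which operator has mailed every address that got the spam, and has that operator also mailed addresses that did not. As an added example (not the blog's own code), the script below automates it. For each unique address it takes the host named in the topmost Received: header of legitimate mail, collapses it to the operator's domain, intersects across the spammed addresses, and then counts un-spammed addresses the same operator has mailed. The sample data is constructed to mirror the headers quoted in these posts; the google.com and example-shop.net hosts, their 192.0.2.x addresses and the two control addresses are assumptions.

```python
import re

# Hostname named in a message's topmost "Received: from <host>" header,
# i.e. the machine that handed the message to our own MX.
RECEIVED_FROM = re.compile(r"^Received:\s+from\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def sending_host(headers: str) -> str:
    """Return the host in the first Received: header, lower-cased."""
    m = RECEIVED_FROM.search(headers)
    if not m:
        raise ValueError("no Received: header in message")
    return m.group(1).lower()


def provider(host: str) -> str:
    """Collapse a per-node name (smtp7.icpbounce.com, drone15.ral.icpbounce.com)
    to the operator's domain, taken as the last two DNS labels.  Right for
    .com/.net senders; under .co.uk and similar a public-suffix list is needed."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def providers_for(address: str, legit: dict) -> set:
    """All operators that have sent legitimate mail to one unique address."""
    return {provider(sending_host(h)) for h in legit[address]}


def suspect_providers(legit: dict, spammed: set) -> dict:
    """Operators that have mailed *every* spammed address, mapped to the number
    of un-spammed addresses they have also mailed.  An intersection of size one
    names the common element; a non-zero count against it means part of that
    operator's list has not (yet) been used by the spammer."""
    common = None
    for addr in spammed:
        ps = providers_for(addr, legit)
        common = ps if common is None else common & ps
    common = common or set()
    controls = [a for a in legit if a not in spammed]
    return {p: sum(1 for a in controls if p in providers_for(a, legit)) for p in common}


# Constructed sample: topmost Received: line of each legitimate mailing, per
# unique address.  The icpbounce.com entries mirror headers quoted in this post;
# the google.com and example-shop.net hosts, their 192.0.2.x addresses and the
# two control addresses are made up for the example.
LEGIT = {
    "photonlight@maz.nu": [
        "Received: from drone15.ral.icpbounce.com ([::ffff:66.192.165.135])\n"
        "  by mx10.faelix.net with esmtp; Wed, 30 Dec 2009 19:16:37 +0000",
    ],
    "bloomsbury.com@maz.nu": [
        "Received: from drone5.rtp.icpbounce.com ([::ffff:74.202.227.45])\n"
        "  by mx10.faelix.net with esmtp; Mon, 27 Jul 2009 10:17:55 +0000",
    ],
    "macheist.com@maz.nu": [
        "Received: from smtp8.icpbounce.com ([::ffff:216.27.93.118])\n"
        "  by faelix.net with esmtp; Sun, 15 Mar 2009 01:02:05 +0000",
        # macheist moved to Google's mailers in April 2009 (constructed host/IP)
        "Received: from mail-ew0-f219.google.com ([::ffff:192.0.2.19])\n"
        "  by mx10.faelix.net with esmtp; Wed, 01 Apr 2009 09:00:00 +0000",
    ],
    "slimes@maz.nu": [
        "Received: from smtp3.icpbounce.com ([::ffff:216.27.93.123])\n"
        "  by mx10.faelix.net with esmtp; Thu, 14 Jan 2010 17:59:02 +0000",
    ],
    # Control: an iContact-mailed address that has had no spam (the HIDDEN address).
    "hidden@maz.nu": [
        "Received: from smtp15.icpbounce.com ([::ffff:216.27.93.111])\n"
        "  by faelix.net with esmtp; Fri, 17 Jul 2009 23:30:51 +0100",
    ],
    # Control: an address mailed by an unrelated operator, also not spammed (constructed).
    "shop.example@maz.nu": [
        "Received: from mta.example-shop.net ([::ffff:192.0.2.10])\n"
        "  by mx10.faelix.net with esmtp; Mon, 18 Jan 2010 08:00:00 +0000",
    ],
}
SPAMMED = {"photonlight@maz.nu", "bloomsbury.com@maz.nu", "macheist.com@maz.nu", "slimes@maz.nu"}

if __name__ == "__main__":
    for p, n in suspect_providers(LEGIT, SPAMMED).items():
        print(f"{p}: mailed all {len(SPAMMED)} spammed addresses and {n} un-spammed address(es)")
```

    With the constructed data the intersection is exactly icpbounce.com, and the count of one un-spammed address it has mailed is the HIDDEN anomaly from the follow-up post: either the leak is partial or that address has not been hit yet.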
  3. Photonlight Email Leak

    I bought a product from Photonlight in 2002, and have been on their mailing list ever since. I last received something from them on 30th December 2009. Alas, now I’m also receiving spam to the address previously only known to them.

    Both Photonlight and Slimelight use iContact.com as mailing list providers. I spoke to iContact customer services via web-chat, and was told their privacy policy is to not share addresses with anybody.

  4. Slimelight Spam

    Another private address bites the dust. Slimelight’s webserver has MySQL open to the Internet.

  5. Identical Spam (including headers)

    This email was sent to an address I know the spammers have (it is listed on the Debian Consultants page). It is almost identical to several other spams I have been receiving to what I had considered to be private, unique addresses.

  6. Email Addresses Receiving Spam

    I give out different email addresses to different providers, mailing-lists and websites to see what gets leaked. It’s partly a check on privacy policies, and partly a way to ensure I can blacklist emails efficiently. I’ve run various schemes with email addresses on my domain maz.nu over the last eleven years. Here is what I have found.

    iana

    Registered with IANA for a private enterprise number for OIDs, iana is listed on a public website. It gets a lot of junk. There are a number of variations, however, which also receive spam:

    3aiana
    3eiana
    iana
    ianan
    ianann
    ianar
    

    I see the appending of “n” and “nn” and prepending of “3a”, “3e”, et cetera for other addresses in my block list. “3a” and “3e” might correspond to ASCII characters “:” and “>”. The “n”s and “r” might be C-style “\n” and “\r”.

    kinterbasdb

    Listed somewhere on SourceForge, kinterbasdb was an address I used for a software project I contributed to back in 2001/2002.

    kinterbasdb
    kinterbasdbd
    kinterbasdbdd
    kinterbasdbi
    

    I’m not sure how these corruptions could have occurred, but they’re clearly on some spammers’ databases now.

    Weird

    And here is a list of addresses which don’t fit any of my schemes for addressing but have received a huge amount of spam in their time:

    4m3yseg
    5ln
    amymc-rus
    begoxo
    cuoya
    hy953j0tr
    ln4kc6xvpt
    nuxero-geoy
    pmb
    wmware2003
    

    A million monkeys must have generated these and had them included into the spammers’ lists.

  7. Macheist Privacy Failure

    Sorry, macheist.com, but if you can’t keep my email address private, I don’t want to hear from you any more.

    Received: from zulaa ([::ffff:124.158.125.66])
      by mx10.faelix.net with esmtp; Mon, 25 Jan 2010 12:54:44 +0000
      id 0000C007.4B5D9494.00004E67
    Received: from localhost (127.0.0.1) by mail.zulaa
     (124.158.125.66) with Microsoft SMTP Server id 8.0.685.24; Mon, 25 Jan 2010 21:08:09 -0800
    From: "Percocet.Vicodin.Adderall"

  8. Bloomsbury Privacy Failure

    I give unique addresses to each web site or service I sign up to. Bloomsbury became the latest in a long string to pass on or leak my email address to spammers:

    • a local bathrooms/plumbing supplies business
    • an old alternative scene website (now defunct)
    • a South Manchester estate agent

    Received: from pc-233-137-45-190.cm.vtr.net ([::ffff:190.45.137.233])
      by mx10.faelix.net with esmtp; Mon, 25 Jan 2010 12:19:04 +0000
      id 0000C007.4B5D8C39.00004B4D
    Received: from localhost (127.0.0.1) by mail.pc-233-137-45-190.cm.vtr.net
     (190.45.137.233) with Microsoft SMTP Server id 8.0.685.24; Mon, 25 Jan 2010 09:22:20 +0100
    From: "Percocet.Vicodin.Adderall"
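    The two spams quoted in the Macheist and Bloomsbury posts arrive from different IP addresses, yet the inner hop (a forged "from localhost" received by a "Microsoft SMTP Server id 8.0.685.24") and the From: display name are the same in both. As an added example, not part of the original posts, the script below reduces a header block to a template in which the fields a bot varies per message (peer address, hostnames, timestamps, queue ids, recipient) are blanked while the software banners and header order are kept, hashes the template, and clusters messages by it. The sample headers are the ones quoted above (From addresses absent, as on the page), with the Photonlight newsletter headers as a non-spam control.

```python
import hashlib
import re

# Fields a spam engine changes per message, to be blanked before header blocks
# are compared.  MAPPED_IP is how this site's MX writes IPv4 peers.
MAPPED_IP = re.compile(r"\[::ffff:[0-9.]+\]")
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = re.compile(rf"(?<![\w.]){OCTET}(?:\.{OCTET}){{3}}(?![\w.])")  # dotted quads only, not "8.0.685.24"
DATE = re.compile(r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{1,2} [A-Z][a-z]{2} \d{4} \d\d:\d\d:\d\d [+-]\d{4}")
QUEUE_ID = re.compile(r"\bid (?:[0-9A-Fa-f]{8}(?:\.[0-9A-Fa-f]{8}){2}|[0-9A-Fa-f]{10,})\b")  # this MX's and Postfix's ids
RCPT = re.compile(r"for <[^>]*>")
HOP = re.compile(r"\b(from|by) (\S+)")


def unfold(raw: str) -> list:
    """Join RFC 5322 continuation lines (leading whitespace) onto their header
    and collapse whitespace runs, so one list entry is one header."""
    headers = []
    for line in raw.strip("\n").splitlines():
        if not line.strip():
            continue
        if line[:1] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.strip())
    return [" ".join(h.split()) for h in headers]


def skeleton(raw: str) -> list:
    """Template of the Received: chain plus the From: display name.  Hostnames
    are blanked except a claimed 'localhost', which is itself a template feature."""
    out = []
    for header in unfold(raw):
        name, _, value = header.partition(":")
        name = name.lower()
        if name == "received":
            v = MAPPED_IP.sub("<IP>", value)
            v = IPV4.sub("<IP>", v)
            v = DATE.sub("<DATE>", v)
            v = QUEUE_ID.sub("id <QUEUE>", v)
            v = RCPT.sub("for <RCPT>", v)
            v = HOP.sub(lambda m: m.group(1) + " " +
                        ("localhost" if m.group(2).startswith("localhost") else "<HOST>"), v)
            out.append("Received:" + v)
        elif name == "from":
            m = re.search(r'"([^"]*)"', value)
            out.append("From: " + (m.group(1) if m else value.strip()))
    return out


def fingerprint(raw: str) -> str:
    return hashlib.sha256("\n".join(skeleton(raw)).encode()).hexdigest()[:16]


def peer_ip(raw: str) -> str:
    """IPv4 address of the host that connected to our MX (topmost Received:)."""
    m = re.search(r"\[::ffff:([0-9.]+)\]", unfold(raw)[0])
    return m.group(1) if m else ""


def cluster(messages: dict) -> dict:
    """Group messages by template: fingerprint -> sorted [(name, peer_ip)]."""
    groups = {}
    for name, raw in messages.items():
        groups.setdefault(fingerprint(raw), []).append((name, peer_ip(raw)))
    return {fp: sorted(v) for fp, v in groups.items()}


# Headers as quoted in the posts above (tabs replaced by spaces).
SPAM_MACHEIST = """
Received: from zulaa ([::ffff:124.158.125.66])
  by mx10.faelix.net with esmtp; Mon, 25 Jan 2010 12:54:44 +0000
  id 0000C007.4B5D9494.00004E67
Received: from localhost (127.0.0.1) by mail.zulaa
 (124.158.125.66) with Microsoft SMTP Server id 8.0.685.24; Mon, 25 Jan 2010 21:08:09 -0800
From: "Percocet.Vicodin.Adderall"
"""
SPAM_BLOOMSBURY = """
Received: from pc-233-137-45-190.cm.vtr.net ([::ffff:190.45.137.233])
  by mx10.faelix.net with esmtp; Mon, 25 Jan 2010 12:19:04 +0000
  id 0000C007.4B5D8C39.00004B4D
Received: from localhost (127.0.0.1) by mail.pc-233-137-45-190.cm.vtr.net
 (190.45.137.233) with Microsoft SMTP Server id 8.0.685.24; Mon, 25 Jan 2010 09:22:20 +0100
From: "Percocet.Vicodin.Adderall"
"""
LEGIT_PHOTONLIGHT = """
Received: from drone15.ral.icpbounce.com ([::ffff:66.192.165.135])
  by mx10.faelix.net with esmtp; Wed, 30 Dec 2009 19:16:37 +0000
  id 0000C014.4B3BA715.00001A1E
Received: from localhost.localdomain (localhost [127.0.0.1])
  by drone15.ral.icpbounce.com (Postfix) with ESMTP id CA9D776C0CC
  for <photonlight@maz.nu>; Wed, 30 Dec 2009 14:16:36 -0500 (EST)
Date: Wed, 30 Dec 2009 14:16:36 -0500
To: photonlight@maz.nu
"""
MESSAGES = {"macheist_spam": SPAM_MACHEIST, "bloomsbury_spam": SPAM_BLOOMSBURY,
            "photonlight_newsletter": LEGIT_PHOTONLIGHT}

if __name__ == "__main__":
    for fp, members in cluster(MESSAGES).items():
        print(fp, members)
```

    The two spams hash to one template from two unrelated peer addresses, the newsletter to another; the same template check run across a mailbox groups a spam run regardless of which bot delivered each copy.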