URGENT: Spam Through our vBulletin Forums!
Hi,
Just last night a spam email was sent out through our vBulletin forums. Here's the message and header information, provided by a fellow member: This email form was sent to the address of lancerforums AT ptooi DOT com:
Message Headers:
Code:
Received: from smtp-in4.blueyonder.co.uk ([172.23.146.15]) by cluster6 with Microsoft SMTPSVC(5.0.2195.5329); Sun, 28 Dec 2003 08:07:04 +0000
Received: from exim15.blueyonder.co.uk ([195.188.213.50]) by smtp-in4.blueyonder.co.uk with Microsoft SMTPSVC(5.0.2195.5600); Sun, 28 Dec 2003 08:07:04 +0000
Received: from [212.4.208.118] (helo=ultra18.uk2net.com) by exim15.blueyonder.co.uk with esmtp (Exim 4.14) id 1AaVwo-00007R-HW for gm011f6418@blueyonder.co.uk; Sun, 28 Dec 2003 08:06:50 +0000
Received: from [64.246.58.99] (helo=evom.evolutionm.net) by ultra18.uk2net.com with esmtp (Exim 4.22) id 1AaVwo-00024T-5r for lancerforums AT ptooi DOT com; Sun, 28 Dec 2003 08:06:50 +0000
Received: (from apache@localhost) by evom.evolutionm.net (8.11.6/8.11.6) id hBS8KYN31808; Sun, 28 Dec 2003 02:20:34 -0600
Date: Sun, 28 Dec 2003 02:20:34 -0600
Message-Id: <200312280820.hBS8KYN31808@evom.evolutionm.net>
To: lancerforums AT ptooi DOT com
From: "davidz" <davidz04@yahoo.com>
X-SA-Exim-Mail-From: apache@evom.evolutionm.net
Subject: Re: (no subject)
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on ultra18.uk2net.com
X-Spam-Level: *****
X-Spam-Status: No, hits=5.9 required=99.0 tests=FORGED_YAHOO_RCVD, FROM_ENDS_IN_NUMS,MAILTO_TO_SPAM_ADDR,MORTGAGE_PITCH,MORTGAGE_RATES autolearn=no version=2.61
X-SA-Exim-Version: 3.0 (built Tue May 27 21:41:10 CEST 2003)
X-SA-Exim-Scanned: Yes
X-Sent-To: gm011f6418@blueyonder.co.uk
Return-Path: apache@evom.evolutionm.net
X-OriginalArrivalTime: 28 Dec 2003 08:07:04.0287 (UTC) FILETIME=[94534EF0:01C3CD19]
This is a message from davidz at evolutionm.net ( http://forums.evolutionm.net/index.php ). The evolutionm.net owners cannot accept any responsibility for the contents of the email.
To email davidz, you can use this online form:
http://forums.evolutionm.net/member....m&userid=17350
OR, by email:
mailto:davidz04@yahoo.com
This is the message:
MORTGAGE RATES DROPPED AGAIN 2 HOURS AGO! You can refinance, consolidate debt, lower your monthly payments and much more by filling out our FREE online form which only takes 2 minutes! Take action now and stop delaying! Visit the following link to get started! http://www.itsyourtimetosave.com/ind....php?a=htothez
----------------------------------------------------------
/
/ REGISTER YOUR LANCER ON OUR SITE
/
----------------------------------------------------------
- Upload multiple images of your vehicle.
- List each modification you have completed, along with prices, ratings, and pics.
- Vote and comment on other member's vehicles.
To add your car to the registry, please visit:
http://registry.evolutionm.net
------------------------------ END MESSAGE ------------------------------
We run a RH7.3 server w/ vB 2.2.5, heavily modified. Apparently this came through our email-a-user form, which is only available to registered members. If you read the message, it shows that it came from a member named davidz. Here's the member info that I pulled up on this person:
Username: davidz
Email: davidz04@yahoo.com
Date Registered: 2003-12-28 01:03:43
IP Address: 209.178.146.208
The person who first notified me of the spam (after I received it) was named david2z4 who has an email address of david2z4 AT hotmail DOT com. He's been a member for a while, but I thought maybe he has a new trojan or something that could be doing this?
I think a bot or something of that nature did this since the user was registered AND sent an email through a form to every member on the forums.
I was hoping for some suggestions on how to prevent this in the future. I have banned the user account and I can IP block through the forum control panel. I guess that's about all I can do, huh?
Thanks,
Mark
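Added example, not part of the original post: a short Python triage of the headers quoted above. It reads the oldest Received line to see whether the message was handed to the local MTA by a web-server account rather than arriving over SMTP, and compares the envelope sender with the From address. The `triage` helper and the `WEB_USERS` list are assumptions made for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the post above, trimmed to the fields this check reads.
RAW = """\
Received: from [64.246.58.99] (helo=evom.evolutionm.net)
\tby ultra18.uk2net.com with esmtp (Exim 4.22) id 1AaVwo-00024T-5r
\tfor lancerforums AT ptooi DOT com; Sun, 28 Dec 2003 08:06:50 +0000
Received: (from apache@localhost)
\tby evom.evolutionm.net (8.11.6/8.11.6) id hBS8KYN31808;
\tSun, 28 Dec 2003 02:20:34 -0600
From: "davidz" <davidz04@yahoo.com>
X-SA-Exim-Mail-From: apache@evom.evolutionm.net
Return-Path: apache@evom.evolutionm.net
Subject: Re: (no subject)

"""

# sendmail records a local (non-SMTP) submission as "(from user@localhost) by host",
# with no "from <peer>" clause, because a local process queued the message.
LOCAL_SUBMIT = re.compile(r"^\(from (?P<user>[^@\s]+)@localhost\)\s+by\s+(?P<host>\S+)")
# Assumed list of account names that web servers commonly run as.
WEB_USERS = {"apache", "www-data", "httpd", "nobody"}

def triage(raw):
    """Summarise where a message entered the mail system, from its headers."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    m = LOCAL_SUBMIT.match(hops[-1]) if hops else None  # last header = first hop
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    return {
        "hops": len(hops),
        "local_user": m.group("user") if m else None,
        "origin_host": m.group("host") if m else None,
        "web_originated": bool(m) and m.group("user") in WEB_USERS,
        "envelope_sender": envelope,
        "header_from": header_from,
        # From holds the address the member registered with; the envelope
        # sender shows which host and account really submitted the mail.
        "from_mismatch": envelope.rpartition("@")[2].lower()
                         != header_from.rpartition("@")[2].lower(),
    }

if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key}: {value}")
```

For this message the result shows the mail was queued by the `apache` account on evom.evolutionm.net, which is consistent with it being generated by a script on the forum's web server, such as the email-a-user form, rather than relayed from an outside host.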