Forums

Hey guys,

I'm wondering if there is some kind of a security issue with the registration data here.

I'm starting to get spam (Subject: "<<<<<<<<<<<Love Love Best Pill>>>>>>>>>>> !!") on the email address I used to sign up.
I always use "service/website related" email addresses for everything, so the address in question would be prefix.macheist@mydomain.....
That way I can track where the spam is coming from... (rather: where the spammers got my address from).

Is anyone else having that problem (I assume there are a few others out there who are as paranoid as I am.... ;-)

Cheers,
Sebastian

Any errors in spelling, tact or fact are transmission errors!

Yep, same story here. I registered with macheist (at) mydomain (dot) com and received a spam mail with Subject "<<<<<<<VicodinPharma The best Discount>>>>>> !!!" a minute ago. I used this alias for macheist ONLY so there has to be a leak somewhere.

Interesting, I just got that exact email as well. Did it come from "noreply at usearchlocal.com" ?

Find deals on Mac apps at Mac App Deals

Sometimes spammers use common or likely prefixes on domains - thus some of my NovaStorm domains begin to receive spam even though the address is located in a PHP form.  It could be someone's decided to add macheist@ to their list.  Hard to say though.

NovaStorm Software || @NovaStormSW || @jfm429 || Dropbox + Extra Storage

"I invented the term Object-Oriented, and I can tell you I did not have C++ in mind."
- Alan Kay, inventor of Object-Oriented programming

Hmm, I'm pretty sure we don't have your email addresses publicly visible anywhere on this site. (Correct me if I'm wrong, but if you click someone's profile you don't see their email address right? Asking cause I do see your emails as admin, but I assume that's just me. )

I did just search for similar emails in my inbox/spam and didn't find anything... so I'm thinking this is some kind of a coincidence that we might deal with having so many members, but keep sleuthing around guys. I'll check in with Karl to see if he can look around behind the scenes as well.

Co-Creator of MacHeist, Clear, Partner at tap tap tap | follow me on twitter

Macsebi, theome and izdale, can you report back here with the following:

did you participate in the MH3 referral program, and if so, did you claim Pop-Pop and Koingo Bundle?

Edit: Nevermind, we can look into that ourselves. However, to others reading this thread, please take the time to quickly check for the above spam, and if you DO find it, report back here and we can hunt for a pattern.

Co-Creator of MacHeist, Clear, Partner at tap tap tap | follow me on twitter

Yes to all of the above. But unlike the others, I use the same email for a lot of things including MacHeist, so I can't say that MacHeist is the only possible source. I only brought it up because I got an email exactly like Theome, who does have an email only for MH.

Find deals on Mac apps at Mac App Deals

I'm pretty sure that my email address isn't just a coincidental match.

@phillryu: I'm not blaming you guys here directly.
I know that all of the participating developers also have the data. But maybe it's worth looking into it. Can't be in anyone's interest (incl. the developers), if data gets lost/stolen/harvested.

BTW: Today's spams subject is: "Re: VicodinPharma The best Discount !!!" from noreply@usearchlocal.com to "myprefix.macheist@mydomain"

Thanks for your help.
Macsebi

Any errors in spelling, tact or fact are transmission errors!

We are definitely really concerned and taking this seriously / investigating. What we could use right now is a larger sample size, so anyone else who has the time to quickly check their inbox, please let us know what you find.

To note we transitioned to a centralized mailing system for promotional mailings by developers starting with the free bundle, in large part to prevent potential issues like this, so at the very least... things like this should never happen in the future. But yah, to start let's figure out exactly what's going on here.

Perhaps if I framed this sleuthing as a heist and offered a freebie as a reward we'd get more people chiming in.

Co-Creator of MacHeist, Clear, Partner at tap tap tap | follow me on twitter

Same problem here - e-mail address used only for MacHeist, got spam with subject     <<<<<<<Mdedical  Discount>>>>>> !!!

Received at 18:21 (GMT)

From:     noreply - at - message - dot - myspace - dot - com

In my account used for MacHeist I have email that came today that is similar.

I do use this account elsewhere so you won't find me carrying a pitchfork just yet.

Here are the ip address portion of the headers if that helps for each listed above.

For all I know I might have had similar looking email titles in the past and could have been from somewhere else.  I let gmail handle all of that and if anything sneaks by, Mail typically gets it.

<insert out-dated referral link here>

BTW, folks it really doesn't matter what the name and address is in the from field as that can be very easily spoofed. The ip addresses, to my knowledge, cannot be spoofed.

<insert out-dated referral link here>

Received the spam as well, two messages from noreplyATusearchlocalDOTcom and one from noreplyATsinglesnetDOTcom.

Interestingly enough, I have one coming in on the macheist-specific email address and the other two coming in on my paypal-specific address. This could possibly mean that the addresses were leaked/stolen from a developer who contributed to a previous MacHeist, but has since sold me an update to their app (for which I used my paypal-address). Either that, or MacHeist is the source of the leak (which I don't really believe).

Update: I looked up my old MacHeist receipts, turned out I used a different email address for the bundle of MH3, which means the leak could be amongst the developers in MH1&2 (or the free apps of MH3)?

Return-path: <noreply@singlesnet.com>
Received: from smtpin129.mac.com ([unknown] [10.150.68.129])
by ms233.mac.com (Sun Java(tm) System Messaging Server 7u3-12.01 64bit (built
Oct 15 2009)) with ESMTP id <0KWV008U8248ZX00@ms233.mac.com> for
ib4tun8@me.com; Tue, 26 Jan 2010 07:38:32 -0800 (PST)
Original-recipient: rfc822;@me.com
Received: from laxo-purwokerto.net ([119.2.45.58])
by smtpin129.mac.com (Sun Java(tm) System Messaging Server 7u3-14.01 64bit
(built Dec 27 2009)) with SMTP id <0KWV00B4423UCZ50@smtpin129.mac.com> for
@me.com (ORCPT @me.com); Tue, 26 Jan 2010 07:38:31 -0800 (PST)
X-Proofpoint-Virus-Version: vendor=fsecure
engine=1.12.8161:2.4.5,1.2.40,4.0.166
definitions=2010-01-26_10:2010-01-20,2010-01-26,2010-01-26 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
ipscore=0 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0
reason=mlx engine=5.0.0-0908210000 definitions=main-1001260090
Message-id: <0KWV00B4E23ZCZ50@smtpin129.mac.com>
From: noreply@singlesnet.com
To: @me.com
Subject: <<<<<<<VicodinPharma The best Discount>>>>>> !!!
Date: Tue, 26 Jan 2010 22:38:25 +0700
MIME-version: 1.0
Content-type: text/html
Content-transfer-encoding: 7bit

Proud member of Team Green
My DropBox referral

Here are 3 more

Status:  U
Return-Path: <noreply@singlesnet.com>
Received: from mx-bracke.atl.sa.earthlink.net ([127.0.0.1])
    by mx-bracke.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1nzoST4Nc3Nl34i0; Mon, 25 Jan 2010 08:21:39 -0500 (EST)
Received: from al-83ab5bda32a6 ([109.82.105.70])
    by mx-bracke.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1nzoSQ3MK3Nl34i0
    for <@earthlink.net>; Mon, 25 Jan 2010 08:21:37 -0500 (EST)
Received: from localhost (127.0.0.1) by mail.al-83ab5bda32a6
(109.82.105.70) with Microsoft SMTP Server id 8.0.685.24; Fri, 25 Jan 2002 16:22:38 +0300
From: "Percocet.Vicodin.Adderall" <noreply@singlesnet.com>
To: @earthlink.net
Subject: <<<<<<<<<<<Love Love Best Pill>>>>>>>>>>> !!
Date: Fri, 25 Jan 2002 16:22:38 +0300
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <201001250821.1nzoSQ3MK3Nl34i0@mx-bracke.atl.sa.earthlink.net>
X-ELNK-Received-Info: spv=0;
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=0b; sbw=000;

Return-path: <noreply@message.myspace.com>
Received: from smtpin125-bge351000 ([unknown] [10.150.68.125])
by ms233.mac.com (Sun Java(tm) System Messaging Server 7u3-12.01 64bit (built
Oct 15 2009)) with ESMTP id <0KWL002RJXZ8D2J0@ms233.mac.com> for
@mac.com; Thu, 21 Jan 2010 09:30:44 -0800 (PST)
Original-recipient: rfc822;@mac.com
Received: from maq01 ([unknown] [201.200.149.245])
by smtpin125.mac.com (Sun Java(tm) System Messaging Server 7u2-7.04 32bit
(built Jul  2 2009)) with SMTP id <0KWL004G6XZ6IN00@smtpin125.mac.com> for
@mac.com (ORCPT @mac.com); Thu, 21 Jan 2010 09:30:44 -0800 (PST)
X-Proofpoint-Virus-Version: vendor=fsecure
engine=1.12.8161:2.4.5,1.2.40,4.0.166
definitions=2010-01-21_09:2010-01-20,2010-01-21,2010-01-21 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=9 spamscore=9
ipscore=0 phishscore=1 bulkscore=0 adultscore=0 classifier=spam adjust=0
reason=mlx engine=5.0.0-0908210000 definitions=main-1001210140
Date-warning: Date header was inserted by smtpin125.mac.com
Date: Thu, 21 Jan 2010 09:30:44 -0800 (PST)
Received: from maq01 (201.200.149.245) by maq01 with SMTP;
Message-id: <43679917819.oxopd@maq01>
From: noreply@message.myspace.com
To: @mac.com
Subject: Best Online Drug!!!
MIME-version: 1.0
Content-type: text/html
Content-transfer-encoding: 8bit
Return-path: <noreply@message.myspace.com>

Return-path: <monstn@googlemail.com>
Received: from smtpin136-bge351000 ([unknown] [10.150.68.136])
by ms233.mac.com (Sun Java(tm) System Messaging Server 7u3-12.01 64bit (built
Oct 15 2009)) with ESMTP id <0KWI0080JN3HSLM0@ms233.mac.com> for
@mac.com; Tue, 19 Jan 2010 14:42:53 -0800 (PST)
Original-recipient: rfc822;@mac.com
Received: from wimax-cpe-189-213-80-134 ([unknown] [189.213.80.134])
by smtpin136.mac.com
(Sun Java(tm) System Messaging Server 7u2-7.04 32bit (built Jul  2 2009))
with SMTP id <0KWI00CKXN3G9Q70@smtpin136.mac.com> for @mac.com
(ORCPT @mac.com); Tue, 19 Jan 2010 14:42:53 -0800 (PST)
X-Proofpoint-Virus-Version: vendor=fsecure
engine=1.12.8161:2.4.5,1.2.40,4.0.166
definitions=2010-01-19_17:2010-01-05,2010-01-19,2010-01-19 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=40 spamscore=40
ipscore=0 phishscore=0 bulkscore=3 adultscore=0 classifier=spam adjust=0
reason=mlx engine=5.0.0-0908210000 definitions=main-1001190203
Message-id: <0KWI00CL3N3G9Q70@smtpin136.mac.com>
Received: from localhost (127.0.0.1) by mail.wimax-cpe-189-213-80-134
(189.213.80.134) with Microsoft SMTP Server id 8.0.685.24; Tue,
19 Jan 2010 16:42:53 -0600
From: monstn@googlemail.com
To: @mac.com
Subject: <<<<< Medical Online >>>>
Date: Tue, 19 Jan 2010 16:42:53 -0600
MIME-version: 1.0
Content-type: text/html
Content-transfer-encoding: 8bit

Proud member of Team Green
My DropBox referral

Well.... I got the same spam but not on the account that I use on macheist.... BUT I used that email to sign up for the NanoBundle...

DropBox Referral: 2.25GB FreeSpace

Okay, well I did an arin whois lookup of the ip addresses, and they both seem to be registered in Amsterdam and everything else is the same.

And we're back!

I got the same spam on two of my macheist test accounts (two out of 49), the email I used to sign up for nowrepublic.com and the email I used to register JW Player.

Everything is my fault

Luckily, I still have yet to get one.... No spam here!

And we're back!

I gifted someone AppZapper from the second MacHeist bundle, and they've received the spam as well, maybe a clue?

I did a search through all of my email and there was not any subject lines with "<<<<<<<"  in it.

Go Orange

Get an extra 250MB for both of us by signing up with my Dropbox referral link!

Same here: spam on a specific Macheist email address that is not very likely to have been randomly created: macheist at submain.domain.tld. Don't recall if I signed up for any nanobundle, but surely did never participate in any referral thing.

All are marked as spam so don't really come into my Inbox.

Pharmacy Best Product Vicodin.Viagra!!!
January 27, 2010 12:15:48 PM GMT+01:00
Received: from localhost (localhost [222.254.93.17] (may be forged))

<<<<<<<Mdedical  Discount>>>>>> !!!
January 26, 2010 7:12:27 PM GMT+01:00
Received: from c906dd7b.virtua.com.br (c906dd7b.virtua.com.br [201.6.221.123])

<<<<<<<<<<<Love Love Best Pill>>>>>>>>>>> !!
January 26, 2010 3:02:31 PM GMT+01:00
Received: from 190-48-139-176.speedy.com.ar (190-48-139-176.speedy.com.ar [190.48.139.176] (may be forged))

<<<<<<<<<<<Discount Sale>>>>>>>>>>>> !!
January 25, 2010 2:55:20 PM GMT+01:00
Received: from 218-215-22-235.people.net.au (218-215-22-235.people.net.au [218.215.22.235])

I'm getting these as well; I didn't use any special email address for MH3, but I'm getting messages like the one described above on an account where I almost never get spam.

PM me | Twitter

At first I thought there was a pattern here, but now it's falling apart. Somebody call Walter Bishop.

Co-Creator of MacHeist, Clear, Partner at tap tap tap | follow me on twitter

I see what you did there...

Well here's a possible hit for you then Phill. I'm an early adopter on the bundles so it would make sense if I got these spam messages. In April 2008, I changed my email address and domain for that address. That would have put it after MH2.

I sort of wish I kept the domain now. I could have looked into it a lot better, but it's still something that might affirm this:

To anyone with this spam, would you detail also if you have of have not purchased a bundle prior to MH3?

䷟䷽䷏䷁ — Dying of the Light.

For now it should suffice if members can report here simply saying whether they find the spam or not. We can look up member's purchased bundles, and picked up loot.

Co-Creator of MacHeist, Clear, Partner at tap tap tap | follow me on twitter

Fair enough, but keep this in mind if you think a pattern is decaying. If memory serves, we didn't need an account to purchase the MH1 or MH2 bundles. If you have a person that's claiming to have this spam and their email address doesn't show up in the past bundle database, the reason might be due to using a different email address.

Hm, that reminds me. Now I *really* wish I kept that domain. I didn't trust MH during the first season, so my MH1 bundle was (I think) macheist@domain.tld and MH2 was miah@domain.tld. And now some squatter has it, so I can't just snatch it up again.

䷟䷽䷏䷁ — Dying of the Light.

Good point, I guess if you can also list whether or not you've picked up the MacHeist 2, 3 or nanobundle in your post that would be appreciated.

Co-Creator of MacHeist, Clear, Partner at tap tap tap | follow me on twitter

Or his cow....

And we're back!

Googling for 'noreply@singlesnet.com" found some interesting stuff, including this unanswered thread in a Microsoft site:

http://social.technet.microsoft.com/For … 677c61e42d

Co-Creator of MacHeist, Clear, Partner at tap tap tap | follow me on twitter

Hi!

1.) I also receive spam mails since yesterday. I used that specific mail address in march 2009 for registration with the Overflow app from Stunt software. That's it.

I did register other email addresses for the main Macheist bundles, but there were no spam mails at all to date.

2.) The mail address contents 'macheist' before the at sign. The other mail addresses don't.

Greetings

I received spam today to a unique address I gave MacHeist as well (an OtherInbox.com address). I cannot put in my full email transcrpit because it includes URLs and email addresses ("New Members can not post links, images or email addresses until they become more active.", and had to substitute in the below addresses.

To: givingtree.macheist<dot>com-20081222<at>h.otherinbox.com
Subject: Elite World Casino: Bonus 3500$ USA Player Welcome!!!
URL in body: www<dot>3500-pastwin<dot>net (there was nothing else in the body)
Message source: 114-33-181-53<dot>HINET-IP<dot>hinet<dot>net [114.33.181.53]

Keep in mind that some isp's do some of their own spam filtering and might be catching this so some may not receive it.

<insert out-dated referral link here>

got three spams today to my macheist email address.  i figure the list was either sold or stolen by someone.

i use otherinbox so it's not a huge deal.  but i would like to change my email address with macheist.  anyone know how to do that?  I looked through the site and i didn't see a way to do it.

thanks

Shepherd.

Alright, I've just received more spam, this time on the MH3 address as well...

I can do it via the "Profile" .

Get 2.5GB for Dropbox for free. 1) Use this link to get you and me 250MB extra for Dropbox. 2) Then click  here and become a guru. Thank you.

Got another spam...

DropBox Referral: 2.25GB FreeSpace

I received this email, and although it was not from an address associated with MacHeist, they were sent to the addresses I used to sign up for a number of other mailing lists  (for which I also signed up using very unique and specific addresses).

What email service provider does MacHeist use to send out newsletters and/or other updates? Could there have been a leak there?

Was this list hosted by iContact? Josh Baer (founder of OtherInbox) mentioned in a FB update today that they believe iContact may have been breached; he's (OtherInbox has) been getting multiple complaints from lists they host. I can't post URLs or I'd post a link to his thread, but he's 'joshuabaer' on Twitter.

Bingo!

We used to use iContact, but right before we launched the nanoBundle, we rolled our own mailer.

Now my big question is why the hell did iContact retain our list after we cancelled?

http://twitter.com/joshuabaer/status/8285833622

John Casasanta
MacHeist Director
tap tap tap chief

My bet would either a flat database structure w/inexpensive hardware and an open source DBMS (resulting in expensive delete statements that they wouldn't execute until necessary) or lax business processes that forgets about your data once you stopped subscribing to their service.

In either case I'd check your contract to see what obligations they had regarding data retention. Luckily for you guys, 99.9% of all subscribers won't be able to tell where the 1 or 2 additional spam messages came from, and the rest of us can just block their old MacHeist email address.

It's still a hit to our own credability even if we weren't the reason for it.

I for one would love to pick through the contract to see what could be done about it. I take data privacy very very seriously.

䷟䷽䷏䷁ — Dying of the Light.

In case it matters, I can confirm that the other three unique email addresses I have (which were uniquely registered to receive mail on other mailing lists, and which all received the same spam more-or-less simultaneously) were sent from organizations that appear to use, or appear to have used in the past, iContact. So, it seems very, very likely that they are the source of this problem.

Interestingly, though, I registered with MacHeist some time ago and I did /not/ receive a message to that unique email address. Perhaps this was after MH stopped using iContact's services?

I went through my spam folder @ gmail, and found spam messages like the ones above. However not from my MacHeist address but another one. (I use +filter in Gmail, recommend it to everybody!) I talked to the guy running that site and he blamed AWeber for the security breach.

And I agree with Miah, this is something I take very seriously as well, and just to be clear in no way is accusing MH of any wrongdoing.

Think Purple.

Do you still need examples, or are you pretty sure it was a breach at iContact in some way or another?  I've got four in my gMail spam folder I can forward or quote if needed.

I don't want to build character, I want to buy it pre-fabricated -- Roy Jacobsen
Team Green

I think we have enough examples of the actual spam. I'm not going to say we're 'sure' of anything yet, but the supposed iContact breach does seem to fit in with everything here atm. (When I was complaining about the lack of a pattern earlier it had to do with overlapping developers/apps in our promotions that you guys had picked up, none of which matched up. But iContact as the source of the leak? Puzzle pieces fit together again.)

Here's a blog post at iContact from yesterday where they acknowledge a potential security leak: http://www.icontact.com/blog/index.php? … &tb=1&pb=1

And another blog post where someone (and a MacHeist member among other things) connects the dots and figures out the pattern:
http://blog.maz.nu/post/352842080/suspe … qus_thread

Co-Creator of MacHeist, Clear, Partner at tap tap tap | follow me on twitter

Me too.

Used a new email address on a newly registered domain… pretty much unguessable and I haven’t used it anywhere else.

All mine are coming from noreply [AT] message [DOT] myspace [DOT] com

I got a similar email except with <<<<<< PHARMA BEST LOVE !!!!>>>>>> in the subject and it was from "itunes@new-music.itunes.com". Hmmmm....

May the Mac be with you
Get free Dropbox space for both of us!

Alright, the iContact breach is a plausible explanation, but I would like to know how they received my paypal-email address? I make it a point to only use that for payments, never as a contact address. Is it possible that iContact got a hold of it through MacHeist?