Forums

BEGIN MODERATOR NOTE

I'd like to apologize to Smiles for hi-jacking his post, but this is the only way I can get a notice in-line here. I've tried to make it clear where my note ends and his post begins.

I'd also like to give you a summary of events, but encourage you to read through the thread if that summary leaves you with more questions about the history of what took place. This topic is closed for discussion because, quite frankly, it degraded from "pertinent and useful inquiry" into "cyclical, annoying bickering". So, without any further delay, the summary of events is as follows:

MacHeist previously used the services of a company called iContact who provided bulk emailing management. At some point, they decided to handle that problem "in-house" and discontinued those services. However (and this is where the nefarious bits begin) a couple of untoward things happened:

1) iContact did not remove MacHeist customer information from their servers.
2) iContact experienced a "data leak" (ostensibly, they were hacked and customer data was stolen).

At this point, you might be asking what can be done to reverse this. Unfortunately, not much. The information (namely, email addresses) is out, and as they say, "You can't un-ring a bell." There isn't really a way for MacHeist or even iContact to stop the spam from coming. My personal advice would be to employ spam filters and/or contact your ISP to report spam. Essentially, the typical means for doing so.

I wish I had a better answer to all of this. We understand it's a terribly inconvenience and apologize on the behalf of that company for their negligence. If I have any further updates to add, I'll do so here - but I hope, at the very least, this explains the problem more clearly.

Regards,
Josh (aka "JPDyson").

END MODERATOR NOTE

This morning, I received seven (7!) targeted spams to seven e-mail addresses that I've used solely through MacHeist (starting with MH1).  They were all Apple-related, but all came from some botnet.

I believe MacHeist's address lists have been purloined.  It's possible that all the separate e-mail addresses (for separate companies) were listed through some middleman; I can't say for sure.  But the one thing they all had in common was MacHeist.

Sources: 1Password, Ambrosia Software, AppZapper, Boinx, CoverSutra, Delicious Monster, and Embraceware.
Now also: FotoMagico, Freeverse, Macromates, MidnightApps, RealMacSoftware, and MacHeist.

Total: 13, minimum.

Orange you glad you read this?

Quite possibly you elected to receive offers and email updates from those developers. At http://www.macheist.com/order ther is the option to change it for each developer for each bundle.

iOS developer and student

Can you provide more info on these emails, please? I'm subscribed to all mailings from our participating developers and I didn't receive any opt-in emails today.

This may be related to the iContact breach, but I'd like to be sure of what's going on. The likelihood of all of those developers sending emails on the same day to purchasers seems pretty low.

John Casasanta
MacHeist Director
tap tap tap chief

Yes, I expect to receive some e-mails at those addresses (the ones I opted into).  However, these are clearly not those; no legitimate organization needs to fake-up From and To addresses.

I was wondering the same thing about iContact, but I don't know what MacHeist (or these vendors) are/have used.

I would be happy to forward any of the spam e-mails to you, John, or do you just want to see the content?

Some relevant headers from one of the first "batch":
---------
From: huntsville Donovan <huntsvilleDonovanokf@hotmail.com>
Sender: <huntsvilledonovanokf@hotmail.com>
To: <1password@parkerbennett.com>
Subject: Apple | PC | Licensed software. Need good price? Pixologic ZBrush 3
MAC & other...
Date: Thu, 15 Apr 2010 04:54:00 -0500
---------

My address is not 1password@parkerbennett.com; the real address is in the Envelope-to and I won't be disclosing that except to Directorate if requested.

Second batch example:
---------
From: evanescent Terrell <TerrellcFxevanescent@hotmail.com>
Sender: <terrellcfxevanescent@hotmail.com>
To: <covertka@muohio.edu>
Subject: Apple and PC Licensed software. Need good price? Microsoft Office
OneNote 2003
Date: Thu, 15 Apr 2010 06:03:26 -0500
---------

The latest batch:
---------
From: Dena Rau <denarau259@hotmail.com>
To: <freeverse@silanus.de>
Subject: Need good price? Adobe Photoshop CS4 Extended
Date: Thu, 15 Apr 2010 15:46:37 -0400
---------

Orange you glad you read this?

I'm also getting them,  and they most definitely are not legitimate mails.   Its someone pretending to be Apple Australia but sending the email via Hotmail 

This first one was to an address I used for Macheist3
-----
From:     Emmy Thomasson <emmythomass248@hotmail.com>
    Subject:     Need good price? DAZ Bryce 6.1 MAC
    Date:     15 April 2010 21:58:52 GMT+01:00
    To:     ####
    Return-Path:     <emmythomass248@hotmail.com>
    X-Original-To:     ####
    Delivered-To:     ####
    Received:     from mailsa1.servage.net (unknown [10.253.0.11]) by mailstor4.servage.net (Postfix) with ESMTP id 07AF837B28 for #### ; Thu, 15 Apr 2010 21:00:04 +0000 (UTC)
    Received:     from localhost (localhost [127.0.0.1]) by mailsa1.servage.net (Postfix) with ESMTP id F2F121F3073 for <####>; Thu, 15 Apr 2010 21:00:03 +0000 (UTC)
    Received:     from mailsa1.servage.net ([127.0.0.1]) by localhost (servage.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id wTLyVpjCpkYV for <####k>; Thu, 15 Apr 2010 21:00:03 +0000 (UTC)
    Received:     from snt0-omc1-s36.snt0.hotmail.com (snt0-omc1-s36.snt0.hotmail.com [65.55.90.47]) by mailsa1.servage.net (Postfix) with ESMTP id 6415E1F3068 for <####>; Thu, 15 Apr 2010 21:00:02 +0000 (UTC)
    Received:     from SNT127-W18 ([65.55.90.9]) by snt0-omc1-s36.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 15 Apr 2010 13:58:52 -0700
    X-Greylist:     domain auto-whitelisted by SQLgrey-1.6.8
    Message-Id:     <SNT127-W18504DD378B565BE5C550D920F0@phx.gbl>
    Content-Type:     multipart/alternative; boundary="_a47ba506-790f-447c-a46f-26c6811af6ec_"
    X-Originating-Ip:     [220.255.7.169]
    Importance:     Normal
    Mime-Version:     1.0
    X-Originalarrivaltime:     15 Apr 2010 20:58:52.0679 (UTC) FILETIME=[74602970:01CADCDE]
-----

This one was to an address I used for a gifted licence to my daughter not sure if it was Macheist 2 or 3 though
----
    From:     dissociable Mercado <MercadodissociableQt@hotmail.com>
    Subject:     Apple and PC Licensed software. Need good price? Adobe Creative Suite 4 Master Collection
    Date:     15 April 2010 12:10:04 GMT+01:00
    To:    
    Return-Path:     <mercadodissociableqt@hotmail.com>
    X-Original-To:     ####
    Delivered-To:     ####
    Received:     from mailsa1.servage.net (unknown [10.253.0.11]) by mailstor4.servage.net (Postfix) with ESMTP id 1FA7937996; Thu, 15 Apr 2010 11:10:07 +0000 (UTC)
    Received:     from localhost (localhost [127.0.0.1]) by mailsa1.servage.net (Postfix) with ESMTP id 192E41F3085; Thu, 15 Apr 2010 11:10:07 +0000 (UTC)
    Received:     from mailsa1.servage.net ([127.0.0.1]) by localhost (servage.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id XfrlnaTxufjK; Thu, 15 Apr 2010 11:10:07 +0000 (UTC)
    Received:     from snt0-omc3-s13.snt0.hotmail.com (snt0-omc3-s13.snt0.hotmail.com [65.55.90.152]) by mailsa1.servage.net (Postfix) with ESMTP id 7CF551F30B6 for <####>; Thu, 15 Apr 2010 11:10:05 +0000 (UTC)
    Received:     from SNT112-W47 ([65.55.90.137]) by snt0-omc3-s13.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 15 Apr 2010 04:10:05 -0700
    X-Greylist:     domain auto-whitelisted by SQLgrey-1.6.8
    Message-Id:     <SNT112-W47D4F5532B8FD07524B4C2DB0F0@phx.gbl>
    Content-Type:     multipart/alternative; boundary="_40f65c87-5e1a-4beb-abbf-4723ab3f0199_"
    X-Originating-Ip:     [95.0.133.76]
    Sender:     <mercadodissociableqt@hotmail.com>
    Importance:     Normal
    Mime-Version:     1.0
    X-Originalarrivaltime:     15 Apr 2010 11:10:05.0194 (UTC) FILETIME=[338DBEA0:01CADC8C]
----

#### is where I have blanked out my email addresses

Here's an image of the mail

Thankfully I have my own domain and use unique addresses everytime so I quickly knew it was addresses harvested from Macheist.  This allows me to easily blocked both addresses and so I will no longer allow mail to be sent to either of them. Unfortunately this will now mean legitimate mail to these address will no longer get through either.

{edit}
The links in the email point here BTW 
http:// valgapk.edu.ee / fr/includes/js/tabs/index.php  (I've added spaces to prevent it showing as a link)

I got this one too, but the links point to an entirely different domain.
(loshalcones.edu.co)

EDIT: Full header
    Da:     Dixie Hollinger <dixieholli466@hotmail.com>
    Oggetto:     Need good price? Corel Painter X MAC
    Data:     15 aprile 2010 22.05.49 GMT+02.00
    A:     idario@mac.com (not my real address)
    X-Apparently-To:     <my actual address> via 217.12.10.241; Thu, 15 Apr 2010 13:08:01 -0700
    X-Yahoofilteredbulk:     65.55.34.205
    X-Ymailisg:     OOagz9IWLDuKxDzAyPTzSb6q1PysgalT8yHt.l9R95v1pSKm6BRgQlaktI4yhag.VgjoCwMpn4KZEzB5va1i4g8co3FaKfJcm0.3MNrHR_kXUXk508LE52lvxONwU.dRZjU80gVH5suKtaKs6Bnt7XpGfQHh43xxF8KV2NVIkZ_P3AbHkogO2Ldn6MhL_M8OD5kFMCrmsvNYl.Lf4W5Ef4B.aFSDY0OkZO5JEBD3BsC8NWhHxVtaCncZddNDoP9__IK8RIw4EDqq3_iJUqO8kNxKQGG3_Dml5uuImyAxgAmo4421HbcT8s75fAUTs.RCRVnb78VnfEW1alwLGSc72_hfUNWtpTETWJPYO1AU2dOfhbomOoL.qzok9bnO55fgq1v.ZCgIPCpuyEzyZIT1LhBQi6B7oafgElsSuJcg_ye.sQFjy31.X6TycHH.83ygj2ddS_iQ
    X-Originating-Ip:     [65.55.34.205]
    X-Originating-Ip:     [201.223.165.29]
    Authentication-Results:     mta1082.mail.mud.yahoo.com  from=hotmail.com; domainkeys=neutral (no sig);  from=hotmail.com; dkim=neutral (no sig)
    Received:     from 127.0.0.1  (EHLO col0-omc4-s3.col0.hotmail.com) (65.55.34.205) by mta1082.mail.mud.yahoo.com with SMTP; Thu, 15 Apr 2010 13:08:01 -0700
    Received:     from COL111-W48 ([65.55.34.200]) by col0-omc4-s3.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 15 Apr 2010 13:05:49 -0700
    Message-Id:     <COL111-W48BE223F3233BFACD4465CEC0F0@phx.gbl>
    Content-Type:     multipart/alternative; boundary="_5f81c19a-d69f-4749-abb8-709187f6ef5b_"
    Importance:     Normal
    Mime-Version:     1.0
    X-Originalarrivaltime:     15 Apr 2010 20:05:49.0349 (UTC) FILETIME=[0AF68D50:01CADCD7]

Right, and that's the problem.  I can immediately dispose of each violated address, but legitimate e-mails from those vendors (or, say, license key retrievals) will be more complicated or, more likely, be forgotten about.

Orange you glad you read this?

I got one of these too. It's my university account so I can't just stop using it either.

He attacked everything in life with a mix of extraordinary genius and naive incompetence, and it was often difficult to tell which was which. ~Douglas Adams

Yes, not a good situation really but at least its only a few people being blocked.  It would be better if the vendors allowed us to change addresses so each could be unique rather than grouped under the single address.

Yup, add me to the list too. Received the same email as shown by cypher. Different headers/source:

Return-Path:     <emmamcgough385-at-hotmail.com>
Received:     from murder ([unix socket]) by myserver.net (Cyrus v2.2.13-Debian-2.2.13-10) with LMTPA; Fri, 16 Apr 2010 07:31:59 +1000
Received:     from localhost (localhost [127.0.0.1]) by myserver.net (Postfix) with ESMTP id C2736C7383 for <jay-at-myserver.net>; Fri, 16 Apr 2010 07:31:58 +1000 (EST)
Received:     from myserver.net ([127.0.0.1]) by localhost (myserver.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E8gZMnsy-r0j for <jay-at-myserver.net>; Fri, 16 Apr 2010 07:31:50 +1000 (EST)
Received:     from col0-omc4-s4.col0.hotmail.com (col0-omc4-s4.col0.hotmail.com [65.55.34.206]) by myserver.net (Postfix) with ESMTP id 8516EC7382 for <macheist.com-at-myserver.com>; Fri, 16 Apr 2010 07:31:49 +1000 (EST)
Received:     from COL104-W18 ([65.55.34.199]) by col0-omc4-s4.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 15 Apr 2010 13:58:41 -0700

I'm happy to kill this address, but am concerned about how it will affect the licensing of my apps?

By the way, I'd just like to say that I got that same exact "Top Mac and Win Software" email today. So, I'm thinking that it may be the iContact Breach... Oh and the email looks like the nanoBundle page

Purple Team Rules!
My Portfolio (New-ish!)

I received it as well.  Looks like someone did their homework to make it look heisty.  It would be truly great if this was the beginning heist.

Referrals for your consideration:
Dropbox:  https://www.dropbox.com/referrals/NTE1N … src=global

Got it on different addresses as well, including one used only for the Squeeze nanobundle teaser - which we didn't get until a month after the iContact breach.

Edit: Just to make sure it doesn't look like I blame LateNiteSoft, I'd better tell that I also got the spammail on other MH addresses that LateNiteSoft has never seen.

⎈⎈⎈   What is it... that makes life a little greener?   ⎈⎈⎈

Please respond in this thread if you've received any of these emails. A simple "I have" will do for now. Thanks in advance.

John Casasanta
MacHeist Director
tap tap tap chief

I actually did not receive any of these new emails at my MacHeist address, though I did get the last spam emails when it happened last.

Also, the icon shown for Parallels was version 3, and it states version 4. Just one more problem with it looking real. But it is the best looking spam email I have ever seen

Find deals on Mac apps at Mac App Deals

I have as well, sent to the filter I use for spam.

It's pretty funny that they're trying to spam Macheist users. Most, if not all of the people who are active on the forum aren't going to be tricked by something like this. I guess Macheist has many emails for people who aren't active, but it still seems like an unlikely target to me.

EDIT: Per phillyru's request, yes that is the spam message I received.

If I was helpful, consider signing up for Dropbox on my referral by clicking here.

I have.

Edited to add info per Phillryu's post on Ars:

"It'd also be nice if you could let us know if the spam was sent to an email address set up specifically for a particular developer or us, and when you first participated in a MacHeist thing, even if it was buying a bundle without or before you created an account."

It was my standard email address for what I consider "solid" companies.  No special address for either MacHeist or any developers affiliated with MacHeist.  I purchased the MacHeist 1 bundle and have not purchase any of the bundles since then.

I received the one with 'Top Mac & Win Software' looking a lot like the nano bundle.

I have.

I got it too, but it went to my spam filter.

I'm Such a Twit | My Blog | My Chi.mp
Swanny14 On IRC
Come Visit Us in #Macheist !

I have.

Proud member of Team Green
My DropBox referral

I didn't notice any increase in spam...  But my spam box generally holds around 10,000 messages (30 days worth) so unless its a huge increase its hard for me to tell...

-Bobby
Dropbox - 2.25 GB of online space that auto syncs with all your computers!

Gmail filtered it correctly into my spam folder, but I did receive it.

Gorange!

I got the mail as well

EDIT: Per phillyru's request, yes that is the spam message I received.

I got it as well

There is NO signature, do you see a signature?

I received this email as well. But, I got my first spam to my MacHeist-specific email address a month ago, on March 15.
I'll post that email in a new message, since the forum won't let me post it yet

Okay, well I don't have enough posts in the forum to post content containing email addresses. Here's a pastebin of the first MacHeist-derived spam I received, on March 15, 2010:

pastebin.com/PguLNJHf

Yup me too. This is my first spam on this account since I set it up three years ago and i'm understandably annoyed.

Me too

▛▞▞▟ Proud Member of the BLUE Team™ ▙▚▚▜
Use my DROPBOX link and we both get an extra 250mb free!
https://www.getdropbox.com/referrals/NTYxNTMzNDk

I have also got it

EDIT
It was the one phillryu show in post 40

Got it to the email address I used for buying bundles - not the one I have in my forum profile.

In my spam mail all links went to the columbian edu site and was redirected to the "apple-shop" (can't remeber the name but the same as other reported

Get DropBox - 2 GB + 250 MB for free

I got it. Though I'm uncertain how since it's To: header is not me :S Could just be gmails wonky aliasing though I guess. Oh and it came from a hotmail address.

EDIT.
Its the one posted in the picture below.

For the record, I have not.

Man is a genius when he is dreaming.
- Akira Kurosawa

And me. Spam received yesterday (15th).

Edited 18th April: Confirming spam was same as that shown in phillryu's post below.

I have received the very email pictured in the first page.

And yes, it is the one PhillRyu has pictured below.

Got it as well - to an address ONLY used to receive the free nanoBundle. Never bought a heist prior to that one.

And yes, it is the one PhillRyu has pictured below

I didn't receive the first round of spam, but I did get this one.

Sometimes I feel so blue
It makes me twitter.

I've just got spam from Tap Tap Tap or something... about a game and asking for me to verify my email address to get free coins???

I don't have an iphone, and I haven't subscribed to anything, and this seems to be coming from MacHeist too....

Might be from John Reds company, but looks a bit strange....

▛▞▞▟ Proud Member of the BLUE Team™ ▙▚▚▜
Use my DROPBOX link and we both get an extra 250mb free!
https://www.getdropbox.com/referrals/NTYxNTMzNDk

Received the spam shown in the image posted by cypher above at both emails I've used at MacHeist (filtered properly as spam).

"I merely took the energy it takes to pout and wrote some blues." -- Duke Ellington

I found one in my spam folder. Dated Apr 16th.

links in the e-mail redirect to:
http:// www.loshalcones.edu.co /website/images/stories/headers/programasenhome/index.php

then to:
apple-magazine.net

FISHY!!!

EDIT: This was the same type of email as the one phillryu posted below.

Hey, one request to you guys reporting in: can you edit your posts to confirm that the email you found is this one? And if not, can note that as well?

We have set up a backend tool now to help keep track of reports / make it easier for us to find any patterns, so I'll be entering you guys in, but I'd also like to keep track of who's received this particular spam email in particular as it seems to be the most recent one and very targeted.

Thanks everyone for the reports so far…

Co-Creator of MacHeist, Clear, Partner at tap tap tap | follow me on twitter

I got the same 15 April but the links was to

http://www.acen. edu.au/libraries/ pattemplate/ patTemplate/ TemplateCache/index.php
(I put in some space to not making it as a link)

This link worked then and was redirected to the shop but gives 404-page now

I got it to an address I only use here. Started to use it, I think, a year ago
It was sent to me as bcc. If you want the address it was sent to - do tell me where to send it as I don't want to put it here if it belongs to a member.

Dropbox - up to 11 GB free (students get more)
Start today -  use this link and sign up for a free account, incl bonus.
Then put on another 1 GB by go here and continue here

I received the April 15th spam e-mail specifically mentioned in phil's post. Given what I've read in this thread, Macheist and its affiliated developers are most probable source(s) where they could have obtained this e-mail address. The bogus sender e-mail is befogkyVGomes [at]hotmail.com The recipient e-mail listed when mousing over does not match mine and this mail was caught by my spam filter. I do not use iContact. Even though I'd never posted prior to today, I've been a registered Macheist member for more than a year. (I mention this because I'm not sure if the registry for bundle purchasers and community members is one and the same or kept separate.) I have not tried clicking on any links.

I received a couple of spam emails with the nanoBundle-esque graphic.

Interestingly, one was sent to the dedicated address I'd set up for MyDreamApp (which is different than the one I have for MacHeist).

I can't seem to find the other email at the moment.

Day Late & Dollar Short Software for Mac | tricochet for iPhone

i got that as well and today i got one from a bank asking me to verify my password ! I dont even have an account with that bank

I got that one.

received it too as posted in the "Is Macheist save" thread

Get Dropbox through my referral link (you get 250MB more than usually): https://www.dropbox.com/referrals/NTY0NDU4MzQ5
Many thanks!

The mail in my post above was indeed the one from the screenshot in cypher and Phil's posts. As was a couple of other mails to different addresses. One might be of interest, as the Envelope-to part of the headers contains two email addresses - both the one I used for MH2 and the one I used for MH3 and nanoBunddle1.

⎈⎈⎈   What is it... that makes life a little greener?   ⎈⎈⎈

Reconfirming that I got this specific email on Thursday, April 15, 2010 at 5:29 PM from "Florrie Commander" <florriecom635@hotmail.com>, sent to newsfire@endeweb.de...which is not my email address by the way. I can't determine what's spoofed and what's real, but it's all spam.

Sometimes I feel so blue
It makes me twitter.

Can you post more info on this?

John Casasanta
MacHeist Director
tap tap tap chief

I have.