[DentArthurDent]

I was wondering if any other BBO users have encountered this problem and if BBO is aware of it going on.

Back on November 22nd, 2005 my email inbox started getting flooded with emails that had a virus attached. I was getting over 100 emails a day all with the same Virus attachment (avast signature: Win32:Sober-AB2). The emails had a variety of subjects (about 8 or 9 different ones) and senders were a wide variety.

Then one day while IMing with a friend, I happened to mention this to her and she indicated having the same problem and that it was BBO.

So, I changed my BBO profile and removed my email address and voila, the virus emails stopped flooding my inbox the next day.

I recently asked my friend how she had known and she indicated that she had deduced it from the fact that the email address she had in her profile was only used in association with BBO and that the senders were all variations of existing bbo ids.

Is anyone else experiencing this problem? Is BBO aware of it? Is or has anything been done about it?


Stoned in Stony

[inquiry]

so you think someone checked, saw you removed your address from the bbo profile and then went and removed your email from their email servers. I doubt that is why. It would be particularily tricky to harvest email addresses from BBO profiles. But, i get hundreds of virus emails a day at accounts without good spam filters.

[DentArthurDent]

I am only reporting an observed behaviour and asking if others have observed the same thing. My email inbox rarely gets viruses, but this occurrence started on the specified day and was over 100 emails a day, all with the same virus. Then it stopped the day after I took my email address out of my profile on BBO.

This observed behaviour for me and my friend both should be an alarm that is worthy of investigating. The attitude of saying it cannot be is absurd.

As to whether or not BBO IDs can have email addresses harvested, I am not familiar with the inner workings of BBO or their servers. But it seems to me that the problem might be rooted in the servers being hacked into.

Also, being a programmer myself, I can say that I could easily write a program that traps the stream of data thats comes into my machine from BBO and harvest email addresses off that stream (assuming it is not encrypted). Alternately, there are many ways to trap system calls from a running copy of BBO and indeed emulate BBO to the end of trying to harvest email addresses from the IDs.

But a far more likely cause is that the BBO servers have been hacked into and are having the email addresses automatically and regularily harvested.

But this is not the main point of this discussion. I am wondering of others who have legitimate email addresses in their profile are being flooded with emails.

[inquiry]

I didn't mean to suggest it would be impossible for emails to be captured from bbo... because i am not computer literate enough to know how it might or might not be done.

What i suggested was once the virus senders GOT your mail address, they were not going to go in and remove just because you removed it from you BBO account name. It is the stopping of your receiving such emails that makes it seem senseless.

However, to test your theory i created a new user name and a new email address, and posted it on that user name. Let's see if I get a lot spam/virus emails.

Ben

[cherdano]

I suppose the email flood stopped either because it was coming from just one infected computer, where it got removed, or (more likely) your email provider added a filter for this Sober-variant. That's what made it stop in my case at least.

As for where the virus got your e-mail address: it certainly didn't get it directly from logging in to BBO. Such a virus always gets analyzed in detail by security specialists, and this behavior would be quite unusual.

The most likely explanation is that someone whose PC got infected by this virus had your e-mail in his/her addressbook. It could well have been the same person for both of you, actually.

Arend

[FrancesHinden]

I gave BBO a real email address, and have not had any problems with it (that email address only gets viruses thanks to a Quebecois hotel I corresponded with once).

I also suggest that the removal of your address from BBO and the stopping of the virus was a coincidence.

By the way, I've had spam and/or virus emails at work from systems that (I think) make up 'obvious sounding' email addresses and see if they work or not.... I bet JohnSmith@hotmail.com gets a lot more spam than I do.

[DentArthurDent]

Arend: Yes, I had figured it was possible for my email provider to be blocking the viruses as it seems that they do that for me. I am not 100% positive about this though. The reason is that this went on for a month and a half. In the past, when new viruses were released 'in the wild', I would occasionally get an email or two which my anti-virus software would not initially catch. Then a new signature file would be released and it would trap them. Then I would not even see them anymore (supporting your premise that my provider is filtering them). The timing on this one doesn't make any sense as I had to put up with the flood for so long.

As to the source being an infected computer that a) has both me and my friend in their address book and was fixed just when I happened to remove my email address from my BBO profile. This doesn't seem very likely. I may have to ask my friend when exactly she removed her email address from her profile as this might shed further light on it.

A more likely possibility would be the BBO server being infected with a spam-bot and it was regularily harvesting and re-harvesting email addresses sending out the virus emails. This fits well with the assertions and evidence (timing and the fact that my friend said the senders were all BBO IDs). This was why I posed the question to the forum to see if others had experienced the problem. Note that the BBO server may have been fixed and the BBO powers didnt make it public.

I think I will reinsert my email address into my profile and see if this causes a recurrence. While it doesn't eliminate BBO being the culprit (or, more appropriately, victim) if it doesn't recur. It certainly will clarify it if it does.

I will post an update in a couple of days.

[uday]

Quote

A more likely possibility would be the BBO server being infected with a spam-bot and it was regularily harvesting and re-harvesting email addresses

As likely as the Pope fasting for Yom Kippur. I can explain why this is an extremely unlikely scenario ( the infected server, not the Pope) if you care.

Profiles are indeed cached on each PC. It is possible that an infected customer PC scans all files on the hard drive looking for email addresses to harvest. It is extremely unlikely that a BBO user is manually culling email addresses from profiles (think of the work required, when it is so easy to get these in other ways).

If you have ever used the email address in question (sent email with it, or received email with it) then it is possible that the other side of this transaction was infected.

It is also possible that you have made an enemy of a crazy customer who is spamming you with viruses.

Regards - uday

[cherdano]

uday, on Jan 27 2006, 06:07 PM, said:

Profiles are indeed cached on each PC. It is possible that an infected customer PC scans all files on the hard drive looking for email addresses to harvest.

Maybe this is a bit unfortunate. This indeed means that if someone puts his email address in his BBO profile, it gets duplicated on tens of thousands of PCs around the world. Not something desirable given how many spam bots are running on infected private PCs.

In my humble opinion, you should either recommend people not to put cleartext e-mail addresses in their profile, or obfuscate them in the profile caching.

Arend

[uday]

Agree. I intend to eliminate the email in the profiles at some point. ie, set it up so that emails in profiles are only visible to the system, not to casual users.

[FrancesHinden]

FrancesHinden, on Jan 27 2006, 02:09 PM, said:

I gave BBO a real email address, and have not had any problems with it.

Sorry, ignore that.
I gave BBO forums my email address; it's not in my BBO profile.

[barmar]

I think the time frame you refer to is around when the last outbreak of the Sober worm was going around. What probably happened is that your ISP updated their filters to block this worm, and it's just a coincidence that it was at the same time as you changed your forum profile.

Once a spammer harvests an address, it's in their list, so removing it from a web site should not slow down the spam. It won't even prevent you from getting onto other spammers' lists, because they sell them to each other.

[csdenmark]

barmar, on Jan 28 2006, 12:04 AM, said:

I think the time frame you refer to is around when the last outbreak of the Sober worm was going around.  What probably happened is that your ISP updated their filters to block this worm, and it's just a coincidence that it was at the same time as you changed your forum profile.

Once a spammer harvests an address, it's in their list, so removing it from a web site should not slow down the spam.  It won't even prevent you from getting onto other spammers' lists, because they sell them to each other.

Sounds right. I received I think 6 phising mails pretending to come from BBO. After Ben informed they were likely to come from Sober Virus they have stopped. All other phising mails seems to have stopped too. I have wondered - but likely Microsoft has updated their filter to catch them.

I have not my Email adress on ID but instead my web-address. There my Email is public and I think I am not especially hurted from spamming(3-4 a day normally). I doubt it has anything to do with BBO.

[doc_jo]

I got many mails with the Sober Virus, but I have never put the e-mail address on my profile.When i changed all my passwords, it stopped.
Jo

[Rain]

I was thinking maybe these scammers use programs that are sophisticated enough to scan your computer first and disguise subject lines with subjects that you often get, or disguise their email addresses with emails of people you would expect to get emails from.

I've been getting these emails for a while, but antivirus/filters are able to filter them out so far.

These are crimes! People who do this should be punished severely.

[yoder]

When I first joined BBO, I gave an email address that had never been used or seen anywhere else before, and within one day, I was receiving huge amounts of spam, some of it viruses, most of it just you-know-what enhancements and the like.

I emailed support@bbo and told them about it. I got a reply assuring me that this couldn't happen, but the problem continued. I changed my email address in my profile to the same email but with a space in it, and slowly the spam died out.

I am 100% convinced that someone is able to access the email addresses from the BBO server. It has to be electronically, because if it were someone just copying addresses from profiles, they would still be able to get mine. As long as I keep a space in the address (xxxx@ yyyy.com <---- note the space after the @), I don't get the spam/viruses anymore.

I think it should be pretty easy to test this -- if BBO admin wants my help to do so, I'll be happy to give it. I can set up emails that have never been used or seen anywhere except BBO, and see how quickly they become spam targets.

[fred]

Well if you are 100% convinced, there is no point in me trying to change your mind, but in an attempt to prevent other of our members from becoming hysterical about this, I suggest you reread Uday's post earlier in this thread.

If someone was breaking into our server we would know about it.

You might be thinking "maybe BBO does know about this and won't admit it". Well you can choose to believe that if you want, but those of you who have been BBO members for a long time know that our company is unusually open about sharing sensitive information with our members. You can choose to believe me or not, but we would admit this if it was happening. Of course we would also stop it.

As Uday explained, user profile information is stored in a file on your hard disk. This is done to speed up log ins (and this method is extremely effective in that regard).

I can (barely) believe that spammers scan these files in order to extract e-mail addresses (however anyone smart enough to do this is likely smart enough to know that there are much much more effective ways to harvest vastly greater numbers of e-mail addresses).

However, I cannot believe that our server's security is being compromised.

I actually know something about the steps we take to prevent this from happening as well as what we do to try to detect breaches in security. Uday knows a lot more about this. This is not a matter we take lightly. If some of the information that was stored on our server was made public, it would be the end of the world for us.

I do not have a certain explanation for what happened to you, but I am 100% confident that I know what did not happen to you. Someone might have got your e-mail address from the database file on their hard disk. They did NOT get it by breaking in to our server.

Fred Gitelman
Bridge Base Inc.
www.bridgebase.com

[Trumpace]

yoder, on Jan 29 2006, 10:44 PM, said:

When I first joined BBO, I gave an email address that had never been used or seen anywhere else before, and within one day, I was receiving huge amounts of spam, some of it viruses, most of it just you-know-what enhancements and the like.

I emailed support@bbo and told them about it.  I got a reply assuring me that this couldn't happen, but the problem continued.  I changed my email address in my profile to the same email but with a space in it, and slowly the spam died out.

I am 100% convinced that someone is able to access the email addresses from the BBO server.  It has to be electronically, because if it were someone just copying addresses from profiles, they would still be able to get mine.  As long as I keep a space in the address (xxxx@ yyyy.com <---- note the space after the @), I don't get the spam/viruses anymore.

I think it should be pretty easy to test this -- if BBO admin wants my help to do so, I'll be happy to give it.  I can set up emails that have never been used or seen anywhere except BBO, and see how quickly they become spam targets.

The spam mailers are pretty smart these days.

For instance I had a very old yahoo account JohnSmith@yahoo.com (actual name changed). Now when I created a gmail account with the same name, i.e JohnSmith@gmail.com, I started receiving spam the very next hour! AND I hadn't given that email address to _anyone_.

Did you use an email alias name which could possibly have been used before, but with a different email provider? In that case, I don't think you can claim it is 100% because of BBO. Circumstantial evidence.

Some spam mailers even try different combinations of well known names... like JohnSmith007 etc.

btw, I have an email address which I have given only to BBO. Haven't yet received spam on that account.

[yoder]

Fred, I understand your concern and your sincerity. It would be easy enough to test out. I can make a new BBO account, with an email address that has never been seen before in the history of the world, and won't be visible anywhere in the universe except on BBO. Then we can see if spam starts arriving.

[fred]

yoder, on Feb 2 2006, 01:15 AM, said:

Fred, I understand your concern and your sincerity. It would be easy enough to test out. I can make a new BBO account, with an email address that has never been seen before in the history of the world, and won't be visible anywhere in the universe except on BBO. Then we can see if spam starts arriving.

And I appreciate your willingness to help, but this test won't prove anything about the method that is being used to harvest e-mail addresses from our members (presuming someone is really doing this).

As soon as you log in to BBO, the info in your new profile will appear on the hard disk of the cache files of everyone who is currently logged in. Similarly, if you modify an existing profile to include an new e-mail address, the cache file of every person who is logged in at the time will be updated to contain this information.

If someone was really intent on spamming our members, reading these cache files would be by far the easiest and by far the least risky way to do this.

The reason this is relevant is because people should know that they put personal information in their profiles at their own risk and that we cannot protect this information. However, there is other information about our members that is stored only on our servers and it is important that our members trust us to keep this information secure.

This is a responsibility we take very seriously. It would be bad for BBO if rumors started to spread that our servers were not secure.

Fred Gitelman
Bridge Base Inc.
www.bridgebase.com