Unexplained subscription to a Linode forum

I haven't visited the forum in a few weeks, and I never subscribed to any one of the Linux forums. But for some reason, just a few minutes ago, I got 8 messages about posts in the Linux Networking forum. I clicked the Unsubscribe link in the email and got the message that I am unsubscribed, AND I changed my forum password, but I've received an additional 13 messages since. Clicking the unsubscribe link in the new emails just takes me straight to the Linux Networking forum.

17 Replies

Now the emails are getting strange. Some refer to me as "kcarahan" while some have no name at all. The dates seem to be skewed (I know my laptop's time/date are correct, just verified), and they are all to "Undisclosed Recipients". I'm suspecting a forum hacking. If any of the admins want me to send in any of the messages, I've saved the most recent batch (20+).

Also, I'll add that I marked all forums read right before starting this thread, I've been receiving the emails since before marking the forums read, and I'm still getting the emails, all for Linux Networking, but there don't seem to be any new posts, or at least, the new posts are no longer new since I already marked them read.

@Piki:

I haven't visited the forum in a few weeks

Really? Then someone must have been using your account to write all these posts. Very odd. Definitely suspicious.

@hybinet:

@Piki:

I haven't visited the forum in a few weeks

Really? Then someone must have been using your account to write all these posts. Very odd. Definitely suspicious.

Very funny…

Yeah, those are my posts, I thought those were a couple weeks ago. Been under a lot of stress lately, so I guess my judgement of time is getting jumbled.

But I know for a fact I'm not subscribing to any forums. I don't even know how to do that on phpBB or any other forum software, nor have I ever cared to.

If I did subscribe, it shouldn't be saying "Hello kcarahan!" or "Hello !" on the first line of the email. I've already confirmed it isn't my desktop email client -- I just signed into webmail to confirm it, and it shows the strange oddity there too.

As I already mentioned, I've saved the latest batch of the emails in case they're needed. They seem to have stopped coming in.

What do the headers look like? That should indicate where they came from…

````
From forums-admin@linode.com Mon Nov 14 12:03:39 2011
Delivered-To: xyz@gmail.com
Received: by 10.52.116.35 with SMTP id jt3cs12956vdb;
Thu, 17 Nov 2011 16:52:14 -0800 (PST)
Received: by 10.52.72.104 with SMTP id c8mr967535vdv.105.1321577533424;
Thu, 17 Nov 2011 16:52:13 -0800 (PST)
Return-Path: forums-admin@linode.com
Received: from www.youdolinux.com (linuxjutsu.com. [66.228.33.45])
by mx.google.com with ESMTP id z14si7705416vcv.101.2011.11.17.16.52.13;
Thu, 17 Nov 2011 16:52:13 -0800 (PST)
Received-SPF: neutral (google.com: 66.228.33.45 is neither permitted nor denied by best guess record for domain of forums-admin@linode.com) client-ip=66.228.33.45;
Authentication-Results: mx.google.com; spf=neutral (google.com: 66.228.33.45 is neither permitted nor denied by best guess record for domain of forums-admin@linode.com) smtp.mail=forums-admin@linode.com
Received: from www.linode.com (mail.linode.com [67.18.92.99])
by www.youdolinux.com (Postfix) with ESMTP id 8D49B40FF3
for xyz@youdolinux.com; Mon, 14 Nov 2011 12:03:41 -0500 (EST)
Received: from mail.linode.com (li20-140.members.linode.com [67.18.187.140])
by www.linode.com (8.13.6/8.9.1) with SMTP id pAEH3dvT008881;
Mon, 14 Nov 2011 12:03:39 -0500
Subject: Topic Reply Notification for forum "Linux Networking" - constant IO
To: Undisclosed-recipients:;
Reply-to: forums-admin@linode.com
From: forums-admin@linode.com
Message-ID: 623d61344230eeb49316d1781521e76b@forum.linode.com
MIME-Version: 1.0
Content-type: text/plain;
charset=iso-8859-1
Content-transfer-encoding: 8bit
Date: Mon, 14 Nov 2011 12:03:39 -0500
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-UID: 595
X-Length: 2246
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:

Hello !

Ericson578 has posted a new reply to "constant IO" in the "Linux Networking" forum. You can use the following link to view the replies made:

http://forum.linode.com/viewtopic.php?p=45830#45830

You are receiving this email because you are watching the forum, "Linux Networking" at Linode Forum. If you no longer wish to watch this forum you can either click the "Stop watching this forum link" found at the bottom of the "Linux Networking" forum, or by clicking the following link:

http://forum.linode.com/viewforum.php?f=19&unwatch=forum

--
Thanks, The Linode.com Team
````

Both linuxjutsu.com and youdolinux.com are owned by me and hosted on my Linode. I have a mail server for youdolinux.com hosted on my Linode, and I have it set up to forward to my Gmail. I think that should explain the references to Google/youdolinux, though I don't know why it's pulling in linuxjutsu because the only reference to it on my entire Linode is in nginx. No references at all in postfix/dovecot, the linuxjutsu DNS records are with my domain registrar, and my Linode's hostname is set to its default. Also, my iptables only allow ssh through an alternate port, http, ftp (outbound requests only for apt-get), and secure imap/smtp. Unless I've got someone telnet'ing into port 587 and tricking my server into sending via linuxjutsu.com, I doubt that would be my problem.

EDIT: I forgot to mention, I masked my gmail and youdolinux email addresses, they are the xyz@gmail.com and xyz@youdolinux.com. Don't want anybody sending unsolicited emails, nor anybody mistaking them as someone else's addresses :-)

Note the ~3 day gap in time between when Linode generated the message and when it transitioned from www.youdolinux.com to Google's servers. Looks like it got stuck for several days on your system.

Perhaps you accidentally got subscribed to a thread (it's not that hard to accidentally check the box), and even though you eventually unsubscribed there was already a bunch of messages sitting in a queue on your youdolinux system from each of a number of prior posts to the thread. So the stuff you kept getting today had been already sent several days ago.

– David
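The hop-by-hop timing check described in the reply above, as an added example that is not part of the original thread: it reads the `Received` lines of the first posted message oldest-first and reports how long each relay held the mail. The function names (`hops`, `delays`, `slowest`) are made up for this illustration.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received/Date lines copied from the first notification posted in this thread
# (addresses masked as in the post). Topmost header = last hop.
RAW = """\
Received: by 10.52.116.35 with SMTP id jt3cs12956vdb;
        Thu, 17 Nov 2011 16:52:14 -0800 (PST)
Received: by 10.52.72.104 with SMTP id c8mr967535vdv.105.1321577533424;
        Thu, 17 Nov 2011 16:52:13 -0800 (PST)
Received: from www.youdolinux.com (linuxjutsu.com. [66.228.33.45])
        by mx.google.com with ESMTP id z14si7705416vcv.101.2011.11.17.16.52.13;
        Thu, 17 Nov 2011 16:52:13 -0800 (PST)
Received: from www.linode.com (mail.linode.com [67.18.92.99])
        by www.youdolinux.com (Postfix) with ESMTP id 8D49B40FF3
        for xyz@youdolinux.com; Mon, 14 Nov 2011 12:03:41 -0500 (EST)
Received: from mail.linode.com (li20-140.members.linode.com [67.18.187.140])
        by www.linode.com (8.13.6/8.9.1) with SMTP id pAEH3dvT008881;
        Mon, 14 Nov 2011 12:03:39 -0500
Date: Mon, 14 Nov 2011 12:03:39 -0500

(body omitted)
"""


def hops(raw):
    """Return [(receiving_host, timezone-aware datetime)], oldest hop first."""
    result = []
    # Every relay prepends its own Received line, so reverse for travel order.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = value.rpartition(";")   # timestamp follows the last ';'
        by = re.search(r"\bby\s+(\S+)", info)
        result.append((by.group(1) if by else "?", parsedate_to_datetime(stamp.strip())))
    return result


def delays(raw):
    """Return [(held_by, handed_to, timedelta)] for each consecutive pair of hops."""
    h = hops(raw)
    return [(a[0], b[0], b[1] - a[1]) for a, b in zip(h, h[1:])]


def slowest(raw):
    """The hop that held the message longest. Each relay stamps with its own
    clock, and only lines added by servers you trust are reliable evidence."""
    return max(delays(raw), key=lambda d: d[2])


if __name__ == "__main__":
    for held_by, handed_to, gap in delays(RAW):
        flag = "  <-- queued here" if gap > timedelta(hours=1) else ""
        print(f"{held_by} -> {handed_to}: {gap}{flag}")
```

On the sample, every hop takes a second or two except the hand-off from www.youdolinux.com to mx.google.com, which is where the multi-day gap sits.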

The details I've mentioned so far (strange or missing name, and pulling in my other domain when postfix/dovecot shouldn't know about it) seem way too suspicious for that. Plus, the checkbox on the post screen is only for a single thread, not for the entire forum to which the messages refer. It's possible the messages got hung up in my system, but that's

Just to be thorough, here's a paste of an email that mentions "kcarahan" (including the headers), since the other email was a no-name one:

````
From forums-admin@linode.com Sat Nov 12 21:13:42 2011
Delivered-To: xyz@gmail.com
Received: by 10.52.116.35 with SMTP id jt3cs12885vdb;
        Thu, 17 Nov 2011 16:42:14 -0800 (PST)
Received: by 10.52.19.177 with SMTP id g17mr987222vde.107.1321576933889;
        Thu, 17 Nov 2011 16:42:13 -0800 (PST)
Return-Path: <forums-admin@linode.com>
Received: from www.youdolinux.com (linuxjutsu.com. [66.228.33.45])
        by mx.google.com with ESMTP id z14si7692921vcv.205.2011.11.17.16.42.13;
        Thu, 17 Nov 2011 16:42:13 -0800 (PST)
Received-SPF: neutral (google.com: 66.228.33.45 is neither permitted nor denied by best guess record for domain of forums-admin@linode.com) client-ip=66.228.33.45;
Authentication-Results: mx.google.com; spf=neutral (google.com: 66.228.33.45 is neither permitted nor denied by best guess record for domain of forums-admin@linode.com) smtp.mail=forums-admin@linode.com
Received: from www.linode.com (mail.linode.com [67.18.92.99])
    by www.youdolinux.com (Postfix) with ESMTP id D71C540FE4
    for <xyz@youdolinux.com>; Sat, 12 Nov 2011 21:13:46 -0500 (EST)
Received: from mail.linode.com (li20-140.members.linode.com [67.18.187.140])
    by www.linode.com (8.13.6/8.9.1) with SMTP id pAD2Dg3P012864;
    Sat, 12 Nov 2011 21:13:42 -0500
Subject: New Topic Notification for forum "Linux Networking" - netstat output question
To: Undisclosed-recipients:;
Reply-to: forums-admin@linode.com
From: forums-admin@linode.com
Message-ID: <635db1ac5f395e9166c64fdefefe4fc2@forum.linode.com>
MIME-Version: 1.0
Content-type: text/plain;
  charset=iso-8859-1
Content-transfer-encoding: 8bit
Date: Sat, 12 Nov 2011 21:13:42 -0500
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-UID: 591
X-Length: 2290
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:

Hello kcarahan!

Ericson578 has posted a new topic called "netstat output question" in the "Linux Networking" forum at Linode Forum. You can use the following link to view the topic:

http://forum.linode.com/viewtopic.php?p=45784#45784

You are receiving this email because you are watching the forum, "Linux Networking" at Linode Forum. If you no longer wish to watch this forum you can either click the "Stop watching this forum link" found at the bottom of the "Linux Networking" forum, or by clicking the following link:

http://forum.linode.com/viewforum.php?f=19&unwatch=forum

--
Thanks, The Linode.com Team
````

Just at a quick glance, it appears only the dates and message IDs changed.

@Piki:

I have a mail server for youdolinux.com hosted on my Linode, and I have it set up to forward to my Gmail. I think that should explain the references to Google/youdolinux, though I don't know why it's pulling in linuxjutsu because the only reference to it on my entire Linode is in nginx.

Reverse DNS.

````
[root@server:~] host youdolinux.com
youdolinux.com has address 66.228.33.45
[root@server:~] host 66.228.33.45
45.33.228.66.in-addr.arpa domain name pointer linuxjutsu.com.
````

Well, accidentally following a forum isn't that hard either (it's just a link near the bottom of the page when viewing the forum). Similar to the last, this message was stuck for a while on your system (even longer at almost 5 days this time), so again you could have a whole slew of pent up notifications that you didn't know about before you finally unsubscribed. My guess is something got fixed recently that ended up flushing out your outgoing queue.

Can't necessarily address the kcarahan bit, but I'd assume if anyone else was getting a lot of unsolicited notifications that they'd have posted by now. I hesitate to even wonder, since I presume you wouldn't have brought it up otherwise, but is there no chance you had "kcarahan" at any point involved with your forum registration, even if you later edited it out, say at some point after 11/12?

Otherwise, I'm probably out of ideas, but hopefully if anyone else encounters anything similar they'll post here.

– David

@sleddog:

@Piki:

I have a mail server for youdolinux.com hosted on my Linode, and I have it set up to forward to my Gmail. I think that should explain the references to Google/youdolinux, though I don't know why it's pulling in linuxjutsu because the only reference to it on my entire Linode is in nginx.

Reverse DNS.

````
[root@server:~] host youdolinux.com
youdolinux.com has address 66.228.33.45
[root@server:~] host 66.228.33.45
45.33.228.66.in-addr.arpa domain name pointer linuxjutsu.com.
````

Ah, right… I changed it to linuxjutsu awhile back, completely forgot about that one.

@db3l:

Well, accidentally following a forum isn't that hard either (it's just a link near the bottom of the page when viewing the forum). Similar to the last, this message was stuck for a while on your system (even longer at almost 5 days this time), so again you could have a whole slew of pent up notifications that you didn't know about before you finally unsubscribed. My guess is something got fixed recently that ended up flushing out your outgoing queue.

I didn't even notice the link at the bottom.

No reboots recently or dist-upgrades at least since I was here last (unless my Linode crashed recently and got rebooted by the Lassie thing).

@db3l:

Can't necessarily address the kcarahan bit, but I'd assume if anyone else was getting a lot of unsolicited notifications that they'd have posted by now. I hesitate to even wonder, since I presume you wouldn't have brought it up otherwise, but is there no chance you had "kcarahan" at any point involved with your forum registration, even if you later edited it out, say at some point after 11/12?

Otherwise, I'm probably out of ideas, but hopefully if anyone else encounters anything similar they'll post here.

"kcarahan" doesn't look remotely familiar. Plus, I didn't have my youdolinux.com email until after I was already registered, I set up postfix after and then changed my email address on the forum.

The "undisclosed recipients" can be easily explained if forum notifications are sent with all recipients in the BCC field. This prevents recipients from seeing the e-mail address of others who are also subscribed to the same thread, which is good from a privacy point of view.

Both notices seem to have been generated when Ericson578 posted in the Networking forum. Did other emails also mention the same username? If so, that could be one clue in this detective game…

It could also be a bug in phpBB. Ever tried clicking "Memberlist" in this forum and attempt to sort by any column? The code that deals with the user database is completely bonkers. I wouldn't be surprised if this made notifications go to the wrong user. Apparently, there have been instances in another site where PMs went to the wrong user.

@hybinet:

Both notices seem to have been generated when Ericson578 posted in the Networking forum. Did other emails also mention the same username? If so, that could be one clue in this detective game…

Some of them were from him, not all of them.

> It could also be a bug in phpBB. Ever tried clicking "Memberlist" in this forum and attempt to sort by any column? The code that deals with the user database is completely bonkers. I wouldn't be surprised if this made notifications go to the wrong user. Apparently, there have been instances in another site where PMs went to the wrong user.

Possible. It's very likely that phpBB was modified by Linode. I used to run phpBB2 on a forum awhile back, before phpBB3 was released, never had the memberlist bug.

@Piki:

Yeah, those are my posts, I thought those were a couple weeks ago. Been under a lot of stress lately, so I guess my judgement of time is getting jumbled.

@Piki:

Ah, right… I changed it to linuxjutsu awhile back, completely forgot about that one.

Dude, you ok? I'm half-joking, half-serious, but did you hit your head or something and just…. forgot stuff? Checked your ID or driver's license? Maybe YOU are the kcarahan? :mrgreen:

@Azathoth:

@Piki:

Yeah, those are my posts, I thought those were a couple weeks ago. Been under a lot of stress lately, so I guess my judgement of time is getting jumbled.

@Piki:

Ah, right… I changed it to linuxjutsu awhile back, completely forgot about that one.

Dude, you ok? I'm half-joking, half-serious, but did you hit your head or something and just…. forgot stuff? Checked your ID or driver's license? Maybe YOU are the kcarahan? :mrgreen:

I know for a fact I have nothing to do with kcarahan. If I was having that much trouble registering kcarahan, I'd have probably emailed Linode about it, and I would have registered another email address since I had already expected an activation email (remember, my youdolinux mail server didn't exist until after I had registered).

I have a habit of forgetting the smaller stuff, even in the best of times. Hence it would be easy for me to forget doing the rDNS if I did it in a hurry at some point.

When I'm highly stressed, my memory gets much worse. Right now, I am highly stressed; sometimes I'm in a big hurry, other times I'm sitting around for several with hardly anything to do. Combine that with my increasing real life worries and trouble sleeping, and you've got yourself a great recipe for high stress levels.

I'm certainly not asking for any sympathy. I just came on to post in case there was some sort of security exploitation. Getting all those emails at once was completely unexpected, and with them coming through over a period of roughly 20 minutes, it was rather annoying. With all the security hackings that have been happening with my friends, and the ones that happened to me several months before I discovered Linode, I'm a bit paranoid about my digital security.

@Piki:

I'm certainly not asking for any sympathy. I just came on to post in case there was some sort of security exploitation. Getting all those emails at once was completely unexpected, and with them coming through over a period of roughly 20 minutes, it was rather annoying. With all the security hackings that have been happening with my friends, and the ones that happened to me several months before I discovered Linode, I'm a bit paranoid about my digital security.

Completely understood. You can't be too paranoid about security 8)

But I'm still suspecting that it was just another bug with the already bug-riddled member database code, rather than the result of malicious activity. Bugs like this can stay hidden for years, suddenly show up when there's a rare coincidence of user IDs, thread IDs, and the current phase of the moon, and then disappear again until the next time. Even as we speak, somebody somewhere might be wondering why he's not getting notification e-mails for threads he subscribed to. But that's a lot less noticeable than getting spammed, hence it doesn't get reported.

Since you posted the full headers including Message IDs, Linode staff may be able to track them down – or at least change their settings so that any future incidence of this bug goes on the record. While they're doing so, just change your passwords and relax. If you get any more e-mails, please post those Message IDs, too.

Take it easy, life's too short to get all stressed up.

I'm not discounting a potential bug, nor am I discounting a potential security flaw in an old unmaintained forum software. It could be either one. I'll let Linode check that out. In the meantime, I'll save all the emails to my hard disk, in case Linode asks for them. After looking at the headers, though, I don't think they were forged; I think they were actually sent by the forum, and that it's a matter of if there's a bug in the forum that needs fixed.

And yes, all my passwords are changed. I also changed the email address I have on my forum profile.
