Unexplained subscription to a Linode forum
17 Replies
@Piki:
I haven't visited the forum in a few weeks
Really? Then someone must have been using your account to write all these posts. Very odd. Definitely suspicious.
Very funny…
Yeah, those are my posts, I thought those were a couple weeks ago. Been under a lot of stress lately, so I guess my judgement of time is getting jumbled.
But I know for a fact I'm not subscribing to any forums. I don't even know how to do that on phpBB or any other forum software, nor have I ever cared to.
If I did subscribe, it shouldn't be saying "Hello kcarahan!" or "Hello !" on the first line of the email. I've already confirmed it isn't my desktop email client -- I just signed into webmail to confirm it, and it shows the strange oddity there too.
As I already mentioned, I've saved the latest batch of the emails in case they're needed. They seem to have stopped coming in.
From forums-admin@linode.com Mon Nov 14 12:03:39 2011
Delivered-To: xyz@gmail.com
Received: by 10.52.116.35 with SMTP id jt3cs12956vdb;
Thu, 17 Nov 2011 16:52:14 -0800 (PST)
Received: by 10.52.72.104 with SMTP id c8mr967535vdv.105.1321577533424;
Thu, 17 Nov 2011 16:52:13 -0800 (PST)
Return-Path: forums-admin@linode.com
Received: from www.youdolinux.com (linuxjutsu.com. [66.228.33.45])
by mx.google.com with ESMTP id z14si7705416vcv.101.2011.11.17.16.52.13;
Thu, 17 Nov 2011 16:52:13 -0800 (PST)
Received-SPF: neutral (google.com: 66.228.33.45 is neither permitted nor denied by best guess record for domain of forums-admin@linode.com) client-ip=66.228.33.45;
Authentication-Results: mx.google.com; spf=neutral (google.com: 66.228.33.45 is neither permitted nor denied by best guess record for domain of forums-admin@linode.com) smtp.mail=forums-admin@linode.com
Received: from www.linode.com (mail.linode.com [67.18.92.99])
by www.youdolinux.com (Postfix) with ESMTP id 8D49B40FF3
for xyz@youdolinux.com; Mon, 14 Nov 2011 12:03:41 -0500 (EST)
Received: from mail.linode.com (li20-140.members.linode.com [67.18.187.140])
by www.linode.com (8.13.6/8.9.1) with SMTP id pAEH3dvT008881;
Mon, 14 Nov 2011 12:03:39 -0500
Subject: Topic Reply Notification for forum "Linux Networking" - constant IO
To: Undisclosed-recipients:;
Reply-to: forums-admin@linode.com
From: forums-admin@linode.com
Message-ID: 623d61344230eeb49316d1781521e76b@forum.linode.com
MIME-Version: 1.0
Content-type: text/plain;
charset=iso-8859-1
Content-transfer-encoding: 8bit
Date: Mon, 14 Nov 2011 12:03:39 -0500
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-UID: 595
X-Length: 2246
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:
Hello !
Ericson578 has posted a new reply to "constant IO" in the "Linux Networking" forum. You can use the following link to view the replies made:
http://forum.linode.com/viewtopic.php?p=45830#45830
You are receiving this email because you are watching the forum, "Linux Networking" at Linode Forum. If you no longer wish to watch this forum you can either click the "Stop watching this forum link" found at the bottom of the "Linux Networking" forum, or by clicking the following link:
http://forum.linode.com/viewforum.php?f=19&unwatch=forum
--
Thanks, The Linode.com Team
Both linuxjutsu.com and youdolinux.com are owned by me and hosted on my Linode. I have a mail server for youdolinux.com hosted on my Linode, and I have it setup to forward to my Gmail. I think that should explain the references to Google/youdolinux, though I don't know why it's pulling in linuxjutsu because the only reference to it on my entire Linode is in nginx. No references at all in postfix/dovecot, the linuxjutsu DNS records are with my domain registrar, and my Linode's hostname is set to its default. Also, my iptables only allow ssh through an alternate port, http, ftp (outbound requests only for apt-get), and secure imap/smtp. Unless I've got someone telnet'ing into port 587 and tricking my server into sending via linuxjutsu.com, I doubt that would be my problem.
EDIT: I forgot to mention, I masked my gmail and youdolinux email addresses, they are the
Perhaps you accidentally got subscribed to a thread (it's not that hard to accidentally check the box), and even though you eventually unsubscribed there was already a bunch of messages sitting in a queue on your youdolinux system from each of a number of prior posts to the thread. So the stuff you kept getting today had been already sent several days ago.
– David
Just to be thorough, here's a paste of an email that mentions "kcarahan" (including the headers), since the other email was a no-name one:
From forums-admin@linode.com Sat Nov 12 21:13:42 2011
Delivered-To: xyz@gmail.com
Received: by 10.52.116.35 with SMTP id jt3cs12885vdb;
Thu, 17 Nov 2011 16:42:14 -0800 (PST)
Received: by 10.52.19.177 with SMTP id g17mr987222vde.107.1321576933889;
Thu, 17 Nov 2011 16:42:13 -0800 (PST)
Return-Path: <forums-admin@linode.com>
Received: from www.youdolinux.com (linuxjutsu.com. [66.228.33.45])
by mx.google.com with ESMTP id z14si7692921vcv.205.2011.11.17.16.42.13;
Thu, 17 Nov 2011 16:42:13 -0800 (PST)
Received-SPF: neutral (google.com: 66.228.33.45 is neither permitted nor denied by best guess record for domain of forums-admin@linode.com) client-ip=66.228.33.45;
Authentication-Results: mx.google.com; spf=neutral (google.com: 66.228.33.45 is neither permitted nor denied by best guess record for domain of forums-admin@linode.com) smtp.mail=forums-admin@linode.com
Received: from www.linode.com (mail.linode.com [67.18.92.99])
by www.youdolinux.com (Postfix) with ESMTP id D71C540FE4
for <xyz@youdolinux.com>; Sat, 12 Nov 2011 21:13:46 -0500 (EST)
Received: from mail.linode.com (li20-140.members.linode.com [67.18.187.140])
by www.linode.com (8.13.6/8.9.1) with SMTP id pAD2Dg3P012864;
Sat, 12 Nov 2011 21:13:42 -0500
Subject: New Topic Notification for forum "Linux Networking" - netstat output question
To: Undisclosed-recipients:;
Reply-to: forums-admin@linode.com
From: forums-admin@linode.com
Message-ID: <635db1ac5f395e9166c64fdefefe4fc2@forum.linode.com>
MIME-Version: 1.0
Content-type: text/plain;
charset=iso-8859-1
Content-transfer-encoding: 8bit
Date: Sat, 12 Nov 2011 21:13:42 -0500
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-UID: 591
X-Length: 2290
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:
Hello kcarahan!
Ericson578 has posted a new topic called "netstat output question" in the "Linux Networking" forum at Linode Forum. You can use the following link to view the topic:
http://forum.linode.com/viewtopic.php?p=45784#45784
You are receiving this email because you are watching the forum, "Linux Networking" at Linode Forum. If you no longer wish to watch this forum you can either click the "Stop watching this forum link" found at the bottom of the "Linux Networking" forum, or by clicking the following link:
http://forum.linode.com/viewforum.php?f=19&unwatch=forum
--
Thanks, The Linode.com Team
Just at a quick glance, it appears only the dates and message IDs changed.
@Piki:
I have a mail server for youdolinux.com hosted on my Linode, and I have it setup to forward to my Gmail. I think that should explain the references to Google/youdolinux, though I don't know why it's pulling in linuxjutsu because the only reference to it on my entire Linode is in nginx.
Reverse DNS.
[root@server:~] host youdolinux.com
youdolinux.com has address 66.228.33.45
[root@server:~] host 66.228.33.45
45.33.228.66.in-addr.arpa domain name pointer linuxjutsu.com.
Can't necessarily address the kcarahan bit, but I'd assume if anyone else was getting a lot of unsolicited notifications that they'd have posted by now. I hesitate to even wonder, since I presume you wouldn't have brought it up otherwise, but is there no chance you had "kcarahan" at any point involved with your forum registration, even if you later edited it out, say at some point after 11/12?
Otherwise, I'm probably out of ideas, but hopefully if anyone else encounters anything similar they'll post here.
– David
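As an added example (not part of any post in this thread): a Python sketch that walks the Received chain of the second pasted notification and reports which host held the message, which is how the "sitting in a queue" reading of these headers can be checked. The function names `hops` and `slow_hops` and the one-hour threshold are assumptions of this example, and it trusts each host's clock.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received chain copied from the "Hello kcarahan!" notification pasted above
# (markup stripped); the body and other headers are not needed for timing.
SAMPLE = """\
Received: by 10.52.19.177 with SMTP id g17mr987222vde.107.1321576933889;
 Thu, 17 Nov 2011 16:42:13 -0800 (PST)
Received: from www.youdolinux.com (linuxjutsu.com. [66.228.33.45])
 by mx.google.com with ESMTP id z14si7692921vcv.205.2011.11.17.16.42.13;
 Thu, 17 Nov 2011 16:42:13 -0800 (PST)
Received: from www.linode.com (mail.linode.com [67.18.92.99])
 by www.youdolinux.com (Postfix) with ESMTP id D71C540FE4
 for <xyz@youdolinux.com>; Sat, 12 Nov 2011 21:13:46 -0500 (EST)
Received: from mail.linode.com (li20-140.members.linode.com [67.18.187.140])
 by www.linode.com (8.13.6/8.9.1) with SMTP id pAD2Dg3P012864;
 Sat, 12 Nov 2011 21:13:42 -0500
Subject: New Topic Notification

body
"""

def hops(raw):
    """Return [(receiving_host, timestamp)] with the oldest hop first."""
    msg = message_from_string(raw)
    chain = []
    # Each relay prepends its own Received header, so the list is newest first.
    for value in reversed(msg.get_all("Received", [])):
        info, _, stamp = value.rpartition(";")   # timestamp follows the last ';'
        words = info.split()
        host = words[words.index("by") + 1] if "by" in words else "?"
        chain.append((host, parsedate_to_datetime(stamp.strip())))
    return chain

def slow_hops(raw, threshold=timedelta(hours=1)):
    """Return (held_on, handed_to, delay) for every gap above the threshold."""
    chain = hops(raw)
    return [(a[0], b[0], b[1] - a[1])
            for a, b in zip(chain, chain[1:]) if b[1] - a[1] > threshold]

if __name__ == "__main__":
    for held_on, handed_to, delay in slow_hops(SAMPLE):
        print(f"{held_on} held the message for {delay} before {handed_to} got it")
```

Timestamps are compared as timezone-aware values, so the -0500 and -0800 offsets in the chain do not distort the gap.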
@sleddog:
@Piki:I have a mail server for youdolinux.com hosted on my Linode, and I have it setup to forward to my Gmail. I think that should explain the references to Google/youdolinux, though I don't know why it's pulling in linuxjutsu because the only reference to it on my entire Linode is in nginx.
Reverse DNS.
[root@server:~] host youdolinux.com
youdolinux.com has address 66.228.33.45
[root@server:~] host 66.228.33.45
45.33.228.66.in-addr.arpa domain name pointer linuxjutsu.com.
Ah, right… I changed it to linuxjutsu awhile back, completely forgot about that one.
@db3l:
Well, accidentally following a forum isn't that hard either (it's just a link near the bottom of the page when viewing the forum). Similar to the last, this message was stuck for a while on your system (even longer at almost 5 days this time), so again you could have a whole slew of pent up notifications that you didn't know about before you finally unsubscribed. My guess is something got fixed recently that ended up flushing out your outgoing queue.
I didn't even notice the link at the bottom.
No reboots recently or dist-upgrades at least since I was here last (unless my Linode crashed recently and got rebooted by the Lassie thing).
@db3l:
Can't necessarily address the kcarahan bit, but I'd assume if anyone else was getting a lot of unsolicited notifications that they'd have posted by now. I hesitate to even wonder, since I presume you wouldn't have brought it up otherwise, but is there no chance you had "kcarahan" at any point involved with your forum registration, even if you later edited it out, say at some point after 11/12?
Otherwise, I'm probably out of ideas, but hopefully if anyone else encounters anything similar they'll post here.
"kcarahan" doesn't look remotely familiar. Plus, I didn't have my youdolinux.com email until after I was already registered, I setup postfix after and then changed my email address on the forum.
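Both notices seem to have been generated when Ericson578 posted in the Networking forum. Did other emails also mention the same username? If so, that could be one clue in this detective game…
It could also be a bug in phpBB. Ever tried clicking "Memberlist" in this forum and attempt to sort by any column? The code that deals with the user database is completely bonkers. I wouldn't be surprised if this made notifications to go to the wrong user. Apparently, there have been instances in another site where PMs went to the wrong user.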
@hybinet:
Both notices seem to have been generated when Ericson578 posted in the Networking forum. Did other emails also mention the same username? If so, that could be one clue in this detective game…
Some of them were from him, not all of them.
> It could also be a bug in phpBB. Ever tried clicking "Memberlist" in this forum and attempt to sort by any column? The code that deals with the user database is completely bonkers. I wouldn't be surprised if this made notifications to go to the wrong user. Apparently, there have been instances in another site where PMs went to the wrong user.
Possible. It's very likely that phpBB was modified by Linode. I used to run phpBB2 on a forum awhile back, before phpBB3 was released, never had the memberlist bug.
@Piki:
Yeah, those are my posts, I thought those were a couple weeks ago. Been under a lot of stress lately, so I guess my judgement of time is getting jumbled.
@Piki:
Ah, right… I changed it to linuxjutsu awhile back, completely forgot about that one.
Dude, you ok? I'm half-joking, half-serious, but did you hit your head or something and just…. forgot stuff? Checked your Id or driver's license? Maybe YOU are the kcarahan?
@Azathoth:
@Piki:Yeah, those are my posts, I thought those were a couple weeks ago. Been under a lot of stress lately, so I guess my judgement of time is getting jumbled.
@Piki:Ah, right… I changed it to linuxjutsu awhile back, completely forgot about that one.
Dude, you ok? I'm half-joking, half-serious, but did you hit your head or something and just…. forgot stuff? Checked your Id or driver's license? Maybe YOU are the kcarahan?
:mrgreen:
I know for a fact I have nothing to do with kcarahan. If I was having that much trouble registering kcarahan, I'd have probably emailed Linode about it, and I would have registered another email address since I had already expected an activation email (remember, my youdolinux mail server didn't exist until after I had registered).
I have a habit of forgetting the smaller stuff, even in the best of times. Hence it would be easy for me to forget doing the rDNS if I did it in a hurry at some point.
When I'm highly stressed, my memory gets much worse. Right now, I am highly stressed; sometimes I'm in a big hurry, other times I'm sitting around for several with hardly anything to do. Combine that with my increasing real life worries and trouble sleeping, and you've got yourself a great recipe for high stress levels.
I'm certainly not asking for any sympathy. I just came on to post in case there was some sort of security exploitation. Getting all those emails at once was completely unexpected, and with them coming through over a period of roughly 20 minutes, it was rather annoying. With all the security hackings that have been happening with my friends, and the ones that happened to me several months before I discovered Linode, I'm a bit paranoid about my digital security.
@Piki:
I'm certainly not asking for any sympathy. I just came on to post in case there was some sort of security exploitation. Getting all those emails at once was completely unexpected, and with them coming through over a period of roughly 20 minutes, it was rather annoying. With all the security hackings that have been happening with my friends, and the ones that happened to me several months before I discovered Linode, I'm a bit paranoid about my digital security.
Completely understood. You can't be too paranoid about security 8)
But I'm still suspecting that it was just another bug with the already bug-riddled member database code, rather than the result of malicious activity. Bugs like this can stay hidden for years, suddenly show up when there's a rare coincidence of user IDs, thread IDs, and the current phase of the moon, and then disappear again until the next time. Even as we speak, somebody somewhere might be wondering why he's not getting notification e-mails for threads he subscribed to. But that's a lot less noticeable than getting spammed, hence it doesn't get reported.
Since you posted the full headers including Message IDs, Linode staff may be able to track them down – or at least change their settings so that any future incidence of this bug goes on the record. While they're doing so, just change your passwords and relax. If you get any more e-mails, please post those Message IDs, too.
Take it easy, life's too short to get all stressed up.
And yes, all my passwords are changed. I also changed the email address I have on my forum profile.