Mailing List Archive

Wikimedia Spam
Hey all,

There have recently been a high number of complaints to OTRS about emails
received, supposedly from Wikipedia. I believe these to be spam, but I just
wanted to double check on the very small chance it is something gone wrong
somewhere :) The emails relate to account details and appear to be phishing
(I think).

Here's an example:

Wikipedia
Someone (probably you, from IP address <IP REMOVED>) requested a reminder
of your
account details for Wikipedia. The following user account is associated
with this e-mail
address: <Address Removed>
This reminder will expire in 7 days.
If you didn't initiate the request on Wikipedia, feel free to cancel this
message and
uncheck the "Reminder" checkbox in your account.
Thanks, and once again Welcome!

Can someone just confirm this isn't a problem on our end.

Cheers,
Tom
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: Wikimedia Spam
Can you include the header of email? That could be much more of use to
check if it was sent from a wikimedia server.

On Mon, Apr 23, 2012 at 2:12 PM, Thomas Morton
<morton.thomas@googlemail.com> wrote:
> Hey all,
>
> There have recently been a high number of complaints to OTRS about emails
> received, supposedly from Wikipedia. I believe these to be spam, but I just
> wanted to double check on the very small chance it is something gone wrong
> somewhere :) The emails relate to account details and appear to be phishing
> (I think).
>
> Here's an example:
>
> Wikipedia
> Someone (probably you, from IP address <IP REMOVED>) requested a reminder
> of your
> account details for Wikipedia. The following user account is associated
> with this e-mail
> address: <Address Removed>
> This reminder will expire in 7 days.
> If you didn't initiate the request on Wikipedia, feel free to cancel this
> message and
> uncheck the "Reminder" checkbox in your account.
> Thanks, and once again Welcome!
>
> Can someone just confirm this isn't a problem on our end.
>
> Cheers,
> Tom

Re: Wikimedia Spam
That looks like the standard password reset request email.

Re: Wikimedia Spam
Indeed, unless there are some spam links inside; for example, if it was an
HTML mail, the reset token could in fact be a spam link leading to
another site (like <a href=http://somespam.com>http://en.wikiped...
reset token</a>).

On Mon, Apr 23, 2012 at 2:21 PM, K. Peachey <p858snake@gmail.com> wrote:
> That looks like the standard password reset request email.
>

Re: Wikimedia Spam
I've never seen a message that mentions a 'remind me checkbox' before on my account - looks more like spam to me.

Thehelpfulone

On 23 Apr 2012, at 13:23, Petr Bena <benapetr@gmail.com> wrote:

> Indeed, unless there are some spam links inside, for example if it was
> html mail, the reset token could be in fact a spam link leading to
> another site. (like <a href=http://somespam.com>http://en.wikiped...
> reset token</a>)
>
> On Mon, Apr 23, 2012 at 2:21 PM, K. Peachey <p858snake@gmail.com> wrote:
>> That looks like the standard password reset request email.
>>

Re: Wikimedia Spam
On 23 April 2012 13:23, Petr Bena <benapetr@gmail.com> wrote:

> Indeed, unless there are some spam links inside, for example if it was
> html mail, the reset token could be in fact a spam link leading to
> another site. (like <a href=http://somespam.com>http://en.wikiped...
> reset token</a>)
>
> On Mon, Apr 23, 2012 at 2:21 PM, K. Peachey <p858snake@gmail.com> wrote:
> > That looks like the standard password reset request email.
>

I may have gotten to the bottom of it - as a spam email...

The OTRS system renders emails weirdly so the actual links weren't showing.
Downloading the HTML version shows the "cancel this message" text being a
link pointed at carewelhealth[dot]com - a site apparently running MediaWiki.

Is the mail system part of MediaWiki? That could be the origin; they're
misusing the system to spam people, in a very weird way.

Tom
Re: Wikimedia Spam
Yes, this is a template used by MediaWiki from Special:PasswordReset,
and exactly this template, in plain text, is used in production on the
Wikimedia servers. Unless you can retrieve the header of the original
message, it's not possible to verify whether it's a scam or a system message.
On the other hand, anyone who knows the email address could trigger it. In
case OTRS is using a Wikimedia SUL account with the OTRS email address,
anyone filling it in on PasswordReset could trigger the system to send you
this message. There is no protection from this so far.

On Mon, Apr 23, 2012 at 2:30 PM, Thomas Morton
<morton.thomas@googlemail.com> wrote:
> On 23 April 2012 13:23, Petr Bena <benapetr@gmail.com> wrote:
>
>> Indeed, unless there are some spam links inside, for example if it was
>> html mail, the reset token could be in fact a spam link leading to
>> another site. (like <a href=http://somespam.com>http://en.wikiped...
>> reset token</a>)
>>
>> On Mon, Apr 23, 2012 at 2:21 PM, K. Peachey <p858snake@gmail.com> wrote:
>> > That looks like the standard password reset request email.
>>
> I may have gotten to the bottom of it - as a spam email...
>
> The OTRS system renders emails weirdly so the actual links weren't showing.
> Downloading the HTML version shows the "cancel this message" text being a
> link pointed at carewelhealth[dot]com - a site apparently running MediaWiki.
>
> Is the mail system part of MediaWiki? That could be the origin; they're
> misusing the system to spam people, in a very weird way.
>
> Tom

Re: Wikimedia Spam
On 23 April 2012 13:34, Petr Bena <benapetr@gmail.com> wrote:

> Yes this is a template used by mediawiki from Special:PasswordReset,
> and exactly this template, plain text is used on production of
> wikimedia servers. Unless you can't retrieve the header of original
> message, it's not possible to verify if it's scam or system message.
> On other hand anyone who knows the email could trigger it. In case
> that OTRS is using wikimedia SUL account with OTRS email account,
> anyone filling it in PasswordReset could trigger system to send you
> this message. There is no protection from this so far.


Ah, sorry my message might not have been clear :)

There are several emails in OTRS from *other people* asking about these
emails, having received them themselves (some claiming never to have had an
account on WP).

After research, and comments here, I'm certain this is a spam issue
originating from somewhere else, rather than something associated with us.

Cheers all.
Tom
Re: Wikimedia Spam
Here you go dudes,

| Return-Path: <miss@inanir.com>
| X-Spam-Checker-Version: SpamAssassin 3.4.0-r1197259-1907 (2011-11-03) on
| ps11007.dreamhostps.com
| X-Spam-Flag: YES
| X-Spam-Level: ***********
| X-Spam-Report:
| * 1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
| * [URIs: carewelhealth.com]
| * 0.0 FSL_HELO_NON_FQDN_1 FSL_HELO_NON_FQDN_1
| * 3.6 HELO_LOCALHOST HELO_LOCALHOST
| * -10 J_MEDIAWIKI_MAILER J_MEDIAWIKI_MAILER
| * 2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL
| * [202.129.216.60 listed in psbl.surriel.com]
| * 1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
| * https://senderscore.org/blacklistlookup/
| * [202.129.216.60 listed in bl.score.senderscore.com]
| * 0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server
| * [202.129.216.60 listed in dnsbl.sorbs.net]
| * 0.0 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
| * 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
| * domains are different
| * 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
| * [Blocked - see <http://www.spamcop.net/bl.shtml?202.129.216.60>]
| * 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
| * [202.129.216.60 listed in bb.barracudacentral.org]
| * 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
| * [URIs: carewelhealth.com]
| * 1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
| * [URIs: carewelhealth.com]
| * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
| * [URIs: carewelhealth.com]
| * 0.0 HTML_MESSAGE BODY: HTML included in message
| * 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
| * 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
| * [URIs: carewelhealth.com]
| * 0.0 URIBL_SBL_A Contains URL's A record listed in the SBL blocklist
| * [URIs: carewelhealth.com]
| * 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
| X-Spam-Status: Yes, score=11.2 required=1.9 tests=DATE_IN_FUTURE_06_12,
| FSL_HELO_NON_FQDN_1,HELO_LOCALHOST,HTML_MESSAGE,J_MEDIAWIKI_MAILER,
| MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PSBL,
| RCVD_IN_RP_RNBL,RCVD_IN_SORBS_WEB,RDNS_NONE,T_HEADER_FROM_DIFFERENT_DOMAINS,
| URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_SBL,URIBL_SBL_A,URIBL_WS_SURBL
| X-Spam-Languages: en
| X-Original-To: jidanni1@ps11007.dreamhostps.com
| Delivered-To: jidanni1@ps11007.dreamhostps.com
| Received: from homiemail-mx1.g.dreamhost.com (caiajhbdcbhh.dreamhost.com [208.97.132.177])
| by ps11007.dreamhostps.com (Postfix) with ESMTP id 2F6A49C6002F
| for <jidanni1@ps11007.dreamhostps.com>; Sun, 22 Apr 2012 16:44:42 -0700 (PDT)
| Received: from localhost (unknown [202.129.216.60])
| by homiemail-mx1.g.dreamhost.com (Postfix) with SMTP id A30E876827C
| for <jidanni@jidanni.org>; Sun, 22 Apr 2012 16:44:41 -0700 (PDT)
| To: jidanni@jidanni.org <jidanni@jidanni.org>
| Subject: Wikipedia e-mail address confirmation
| From: MediaWiki Mail <wiki@wikimedia.org>
| Date: Mon, 23 Apr 2012 07:58:52 +0000
| MIME-Version: 1.0
| Content-type: text/html; charset=UTF-8
| Content-transfer-encoding: 7bit
| Message-ID: <enwiki.86eed1069d1ba7.22719869@en.wikipedia.org>
| X-Mailer: MediaWiki mailer
|
| <html>
| <body >
|
| <table border="0" width="540" cellpadding="0" cellspacing="0" style="max-width:540px; border-top:1px solid #000; font: 12px arial, sans-serif; margin: 0 auto;"><tr><td>
| <h1 style="color: #000; font: bold 20px arial; margin:4px 0;" >Wikipedia</h1>
| <p>Someone (probably you, from IP address 221.233.139.102) requested a reminder of your account details for Wikipedia. The following user account is associated with this e-mail address: jidanni@jidanni.org</p>
|
| <p>This reminder will expire in 7 days.<br>
| If you didn't initiate the request on Wikipedia, feel free to <strong><a href="http://carewelhealth.com/">cancel this message</a></strong> and uncheck the "Reminder" checkbox in your account.</p>
|
| <p>Thanks, and once again Welcome!<br>
| <a href="http://en.wikipedia.org">http://en.wikipedia.org</a></p>
|
| </body>
| </html>

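Petr's point that only the full headers can settle where a message came from, and Tom's finding that the "cancel this message" text hides an off-domain link, can both be checked mechanically. The following is an added example, not code from the thread, from MediaWiki or from the OTRS setup: it reassembles the headers and body quoted above into a constructed sample message and runs the checks a triager would run by hand, namely the oldest Received: hop (the host that handed the mail to the receiving network), From: versus Return-Path: domain alignment, the Date: skew that SpamAssassin scored as DATE_IN_FUTURE_06_12, and anchors whose href points outside the domains the purported sender would use. The trusted-domain list is an assumption.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the headers and HTML body quoted in the thread, trimmed and
# reassembled into one RFC 5322 message so the checks below run offline.
RAW = """Return-Path: <miss@inanir.com>
Received: from homiemail-mx1.g.dreamhost.com (caiajhbdcbhh.dreamhost.com [208.97.132.177])
\tby ps11007.dreamhostps.com (Postfix) with ESMTP id 2F6A49C6002F
\tfor <jidanni1@ps11007.dreamhostps.com>; Sun, 22 Apr 2012 16:44:42 -0700 (PDT)
Received: from localhost (unknown [202.129.216.60])
\tby homiemail-mx1.g.dreamhost.com (Postfix) with SMTP id A30E876827C
\tfor <jidanni@jidanni.org>; Sun, 22 Apr 2012 16:44:41 -0700 (PDT)
From: MediaWiki Mail <wiki@wikimedia.org>
Date: Mon, 23 Apr 2012 07:58:52 +0000
Content-type: text/html; charset=UTF-8

<html><body><p>If you didn't initiate the request on Wikipedia, feel free to
<strong><a href="http://carewelhealth.com/">cancel this message</a></strong>.</p>
<p><a href="http://en.wikipedia.org">http://en.wikipedia.org</a></p></body></html>
"""
SAMPLE = email.message_from_string(RAW, policy=policy.default)

# Assumed: the domains a genuine Wikimedia notification would link to.
TRUSTED_DOMAINS = ("wikimedia.org", "wikipedia.org")
RECEIVED_FROM = re.compile(r"from\s+(\S+)")
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(msg):
    """(HELO name, IP) per Received: header, newest first, as MTAs prepended them."""
    hops = []
    for hdr in msg.get_all("Received", []):
        name, ip = RECEIVED_FROM.search(str(hdr)), BRACKET_IP.search(str(hdr))
        hops.append((name.group(1) if name else None, ip.group(1) if ip else None))
    return hops


def address_domain(value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    addr = email.utils.parseaddr(str(value or ""))[1]
    return addr.rpartition("@")[2].lower()


def date_skew_hours(msg):
    """Hours the Date: header is ahead of the newest Received: timestamp."""
    sent = email.utils.parsedate_to_datetime(str(msg["Date"]))
    newest = str(msg.get_all("Received")[0]).rsplit(";", 1)[-1].strip()
    return (sent - email.utils.parsedate_to_datetime(newest)).total_seconds() / 3600


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def off_domain_links(msg, trusted=TRUSTED_DOMAINS):
    """Links whose host lies outside the domains the claimed sender would use."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkCollector()
    parser.feed(body.get_content())
    bad = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in trusted):
            bad.append((href, text))
    return bad


def triage(msg):
    """Reasons this message should not be trusted as a Wikimedia system mail."""
    findings = []
    name, ip = received_hops(msg)[-1]          # oldest hop: the injecting host
    if name and "." not in name:               # e.g. HELO localhost from a public IP
        findings.append(f"unqualified HELO '{name}' from {ip}")
    frm, rp = address_domain(msg["From"]), address_domain(msg["Return-Path"])
    if frm != rp:
        findings.append(f"From domain {frm} differs from Return-Path domain {rp}")
    if date_skew_hours(msg) > 6:
        findings.append("Date: header is more than 6 hours ahead of delivery")
    for href, text in off_domain_links(msg):
        findings.append(f"link '{text}' points off-domain to {href}")
    return findings
```

Read the Received: chain from the bottom up. Only the hops written by your own MTAs can be trusted; here both were written by the recipient's provider, so the "localhost [202.129.216.60]" entry is the client that actually connected, and the X-Mailer and Message-ID claiming en.wikipedia.org are just text the sender chose. The off-domain link check is what Tom found by downloading the HTML: the visible anchor text is innocuous while the href leads elsewhere.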
Re: Wikimedia Spam
Yes, it is not sent by any of the WM servers; probably some phishing or the like.
On Apr 24, 2012 5:15 AM, <jidanni@jidanni.org> wrote:

> Here you go dudes,
>
> | Return-Path: <miss@inanir.com>
> | X-Spam-Checker-Version: SpamAssassin 3.4.0-r1197259-1907 (2011-11-03) on
> | ps11007.dreamhostps.com
> | X-Spam-Flag: YES
> | X-Spam-Level: ***********
> | X-Spam-Report:
> | * 1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> | * [URIs: carewelhealth.com]
> | * 0.0 FSL_HELO_NON_FQDN_1 FSL_HELO_NON_FQDN_1
> | * 3.6 HELO_LOCALHOST HELO_LOCALHOST
> | * -10 J_MEDIAWIKI_MAILER J_MEDIAWIKI_MAILER
> | * 2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL
> | * [202.129.216.60 listed in psbl.surriel.com]
> | * 1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
> | * https://senderscore.org/blacklistlookup/
> | * [202.129.216.60 listed in bl.score.senderscore.com]
> | * 0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web
> server
> | * [202.129.216.60 listed in dnsbl.sorbs.net]
> | * 0.0 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received:
> date
> | * 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd
> level mail
> | * domains are different
> | * 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
> bl.spamcop.net
> | * [Blocked - see <
> http://www.spamcop.net/bl.shtml?202.129.216.60>]
> | * 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
> | * [202.129.216.60 listed in bb.barracudacentral.org]
> | * 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL
> blocklist
> | * [URIs: carewelhealth.com]
> | * 1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
> blocklist
> | * [URIs: carewelhealth.com]
> | * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
> | * [URIs: carewelhealth.com]
> | * 0.0 HTML_MESSAGE BODY: HTML included in message
> | * 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> | * 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
> | * [URIs: carewelhealth.com]
> | * 0.0 URIBL_SBL_A Contains URL's A record listed in the SBL
> blocklist
> | * [URIs: carewelhealth.com]
> | * 1.3 RDNS_NONE Delivered to internal network by a host with no
> rDNS
> | X-Spam-Status: Yes, score=11.2 required=1.9 tests=DATE_IN_FUTURE_06_12,
> | FSL_HELO_NON_FQDN_1,HELO_LOCALHOST,HTML_MESSAGE,J_MEDIAWIKI_MAILER,
> |
> MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PSBL,
> |
> RCVD_IN_RP_RNBL,RCVD_IN_SORBS_WEB,RDNS_NONE,T_HEADER_FROM_DIFFERENT_DOMAINS,
> |
> URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_SBL,URIBL_SBL_A,URIBL_WS_SURBL
> | X-Spam-Languages: en
> | X-Original-To: jidanni1@ps11007.dreamhostps.com
> | Delivered-To: jidanni1@ps11007.dreamhostps.com
> | Received: from homiemail-mx1.g.dreamhost.com (caiajhbdcbhh.dreamhost.com[208.97.132.177])
> | by ps11007.dreamhostps.com (Postfix) with ESMTP id 2F6A49C6002F
> | for <jidanni1@ps11007.dreamhostps.com>; Sun, 22 Apr 2012 16:44:42
> -0700 (PDT)
> | Received: from localhost (unknown [202.129.216.60])
> | by homiemail-mx1.g.dreamhost.com (Postfix) with SMTP id
> A30E876827C
> | for <jidanni@jidanni.org>; Sun, 22 Apr 2012 16:44:41 -0700 (PDT)
> | To: jidanni@jidanni.org <jidanni@jidanni.org>
> | Subject: Wikipedia e-mail address confirmation
> | From: MediaWiki Mail <wiki@wikimedia.org>
> | Date: Mon, 23 Apr 2012 07:58:52 +0000
> | MIME-Version: 1.0
> | Content-type: text/html; charset=UTF-8
> | Content-transfer-encoding: 7bit
> | Message-ID: <enwiki.86eed1069d1ba7.22719869@en.wikipedia.org>
> | X-Mailer: MediaWiki mailer
> |
> | <html>
> | <body >
> |
> | <table border="0" width="540" cellpadding="0" cellspacing="0"
> style="max-width:540px; border-top:1px solid #000; font: 12px arial,
> sans-serif; margin: 0 auto;"><tr><td>
> | <h1 style="color: #000; font: bold 20px arial; margin:4px 0;"
> >Wikipedia</h1>
> | <p>Someone (probably you, from IP address 221.233.139.102) requested a
> reminder of your account details for Wikipedia. The following user account
> is associated with this e-mail address: jidanni@jidanni.org</p>
> |
> | <p>This reminder will expire in 7 days.<br>
> | If you didn't initiate the request on Wikipedia, feel free to <strong><a
> href="http://carewelhealth.com/">cancel this message</a></strong> and
> uncheck the "Reminder" checkbox in your account.</p>
> |
> | <p>Thanks, and once again Welcome!<br>
> | <a href="http://en.wikipedia.org">http://en.wikipedia.org</a></p>
> |
> | </body>
> | </html>
>