
Email list leak?

  • 1.  Email list leak?

    Posted Jul 16, 2007 01:57 PM

    I've noticed that I am receiving spam directed to an email address that I've only given to VMWare. There's been three so far, the first of which arrived this morning. It seems probable that someone has managed to obtain the list, I'm guessing the VMWare Fusion beta registration page is the source.

    Anyone else notice this today?



  • 2.  RE: Email list leak?

    Posted Jul 16, 2007 02:52 PM

    Yes, same here. I've received three stock spams this morning. I reported it to security@vmware.com.

    It's an address I've only ever used to sign up for the mac beta.



  • 3.  RE: Email list leak?

    Posted Jul 16, 2007 03:15 PM

    Are you sure it's not just a bot trying random usernames against known domains?

    Personally, no I haven't noticed any increase in the amount of spam I'm receiving.



  • 4.  RE: Email list leak?

    Posted Jul 16, 2007 03:21 PM

    Depends on the username chosen, right? I'd assume that if cjcoleman and bill_mcgonigle were savvy enough to set up a one-time-use address, they would've picked a good one with a randomized/unguessable component.

    Personally, I haven't noticed any increase, but then again I don't use a unique address for the forums and have spam filters on.



  • 5.  RE: Email list leak?

    Posted Jul 16, 2007 03:36 PM

    > Are you sure it's not just a bot trying random usernames against known domains?

    I give a unique email address to every relationship, this one had a 16 letter username. It is exceedingly unlikely that the email address was arrived at randomly. If bots could send 1 billion emails per second, it would average about half of 1.3 million years to arrive at this particular combination.



  • 6.  RE: Email list leak?

    Posted Jul 16, 2007 03:42 PM

    > I give a unique email address to every relationship, this one had a 16 letter username. It is exceedingly unlikely that the email address was arrived at randomly. If bots could send 1 billion emails per second, it would average about half of 1.3 million years to arrive at this particular combination.

    You haven't said how you derived the name - if it's a few words strung together, the entropy is a lot lower than if you randomly generated a 16-letter string. Spam bots probably tend to use dictionary attacks rather than randomly generating strings.



  • 7.  RE: Email list leak?

    Posted Jul 16, 2007 04:04 PM

    > You haven't said how you derived the name - if it's a few words strung together, the entropy is a lot lower than if you randomly generated a 16-letter string.

    True.

    > Spam bots probably tend to use dictionary attacks rather than randomly generating strings.

    I believe the majority of spam can be tracked to a point where an email address becomes public knowledge, and not to dictionary attacks.



  • 8.  RE: Email list leak?

    Posted Jul 16, 2007 04:27 PM

    > I believe the majority of spam can be tracked to a point where an email address becomes public knowledge, and not to dictionary attacks.

    It is quite common now. Botnets are using Dictionary attacks often.

    It is prevalent enough to have made the CAN-SPAM act. Search within the page below for "dictionary".

    http://uscode.house.gov/download/pls/15C103.txt



  • 9.  RE: Email list leak?

    Posted Jul 16, 2007 04:56 PM

    One good way of tracking this sort of thing is with 'plus' addressing. Many mail servers now support this.

    For example, with plus addressing, you could give the email address of:

    joe+vmwarelist@xyz.com

    and all mail still gets delivered to joe@xyz.com as normal. BUT if you get a suspected SPAM, you can look at the to address and if you see the + then you can figure out where it has come from if you give each subscription a unique identifier after the +.

    Just my 2 cents.

    Bryan
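
An added example, not part of the original posts: one way to use the tagged addresses described above is to read the recipient headers of each suspect message and attribute it to the party that was given that tag. The registry, tags other than `vmwarelist`, the `X-Original-To` header (recorded by some receiving mail servers) and the sample messages are assumptions constructed for illustration; messages whose tag is missing go into a separate bucket, since a tag can be stripped before sending.

```python
import email
from collections import defaultdict
from email.utils import getaddresses

# Hypothetical registry: the +tag handed to each party (names are assumptions).
ISSUED = {"vmwarelist": "VMware list", "gutterco": "gutter company"}
UNTAGGED = "untagged (tag stripped or never given)"
RECIPIENT_HEADERS = ("To", "Cc", "Delivered-To", "X-Original-To")

# Constructed sample messages, not real spam.
SAMPLES = [
    "Delivered-To: joe@xyz.com\nTo: joe+vmwarelist@xyz.com\n"
    "Subject: stock alert\n\nbody\n",
    "Delivered-To: joe@xyz.com\nTo: friends@lists.example\n"
    "X-Original-To: joe+vmwarelist@xyz.com\nSubject: e-card for you\n\nbody\n",
    "Delivered-To: joe@xyz.com\nTo: joe@xyz.com\n"
    "Subject: watch alert\n\nbody\n",
]


def recipient_tags(raw):
    """Return the set of +tags found in the recipient headers of one message."""
    msg = email.message_from_string(raw)
    fields = []
    for header in RECIPIENT_HEADERS:
        fields.extend(msg.get_all(header, []))
    tags = set()
    for _name, addr in getaddresses(fields):
        local, _, _domain = addr.rpartition("@")
        _base, plus, tag = local.partition("+")
        if plus and tag:
            tags.add(tag.lower())
    return tags


def attribute(messages):
    """Map each party (or the untagged bucket) to the subjects sent to its alias."""
    hits = defaultdict(list)
    for raw in messages:
        subject = email.message_from_string(raw)["Subject"]
        tags = recipient_tags(raw)
        if not tags:
            hits[UNTAGGED].append(subject)
        for tag in sorted(tags):
            hits[ISSUED.get(tag, "unknown tag: " + tag)].append(subject)
    return dict(hits)


if __name__ == "__main__":
    for party, subjects in attribute(SAMPLES).items():
        print(party, "->", subjects)
```

Several messages landing on one party's tag within a short window, as the posters above describe, is the pattern worth reporting along with the full headers.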



  • 10.  RE: Email list leak?

    Posted Jul 16, 2007 05:01 PM

    The + technique is well enough known that if I were writing a spambot, I'd just ignore a + and anything after it in any email addresses I harvested.

    Anyway, if you are receiving spam to addresses that you think are unlisted other than giving them to us, this is something we should take very seriously -- please forward any such complaints to security@vmware.com, including the spam email & headers if possible (so we can try to figure out who sent it and how they got the address).



  • 11.  RE: Email list leak?

    Posted Jul 16, 2007 05:15 PM

    > The + technique is well enough known that if I were writing a spambot, I'd just ignore a + and anything after it in any email addresses I harvested.

    Yahoo AddressGuard is good enough in the sense that you need to pick a basename and that basename@yahoo.com is not a valid email address. (is this avail to paid subscribers only?)

    http://help.yahoo.com/l/us/yahoo/mail/original/mailplus/addressguard/index.html

    i am not subjected to spams by this list, but maybe this is because my address receives enough spams that i don't tell when it's 10+ years old.

    ss



  • 12.  RE: Email list leak?

    Posted Jul 16, 2007 07:27 PM

    FWIW, the address I got spammed to had the vmware domain in it, and the words mac and beta also in it (with separators), and I'm not being massively dictionary attacked otherwise.

    It's possible somebody sniffed the SMTP traffic to harvest - the VMWare servers don't negotiate TLS even though I accept it, so the entire message goes clear-text.

    If the sniffing were on my end I'd expect to see a lot more than the vmware address being spammed. (Oh, I get plenty of spam, just not to vendor addresses on my whitelist). I'm also not getting the spams to my non-fusion vmware address.

    Since others are seeing the same thing at exactly the same time and we have no other relation other than being on the mac beta, the odds point in that direction. Nobody is suggesting malice - for all we know there's a new harvester worm out there that somebody at VMWare got without even knowing it. They _do_ have to support Windows too, after all.



  • 13.  RE: Email list leak?

    Posted Jul 17, 2007 07:35 PM

    FWIW, I never got a reply to the message I sent to security@ either. "You didn't get caught in the spam filter" would have been nice, esp. since I needed to forward in a spam's headers. Anyway, glad to hear they're on the case.

    I also received, yesterday and today, a couple more similar spams - an address a gutter company I used had, etc. Fun new harvester worms, it seems like.



  • 14.  RE: Email list leak?

    Posted Jul 17, 2007 10:19 PM

    Was it plsdontsendmespam@..... ?

    Oh wait, that's 17 characters. :-D



  • 15.  RE: Email list leak?

    Broadcom Employee
    Posted Jul 17, 2007 03:49 AM

    I got some spam that got past my filter on Friday for some stock.

    Almost seems too bad that I didn't buy it too since today it increased 24%. Even if someone wanted to dump their stock (Friday increased over Thursday about 24% as well) I could have made a profit.

    I don't think this email was related to this thread though since it was Friday. It is too bad I had a rule that permanently removes 99% of my spam.



  • 16.  RE: Email list leak?

    Posted Jul 17, 2007 02:24 PM

    Just chiming in, got some spam to an alias only used for vmware although it was vmware@X so of course it could be a dictionary attack thing. Reported to several @vmware.com addresses including security. No response this far. How surprising.



  • 17.  RE: Email list leak?

    Posted Jul 17, 2007 05:51 PM

    That is surprising. We should be responding to security@ at least.

    I can say for certain that this thread (and the several related postings we've received at security@vmware.com) have the attention of our security team.



  • 18.  RE: Email list leak?

    Posted Jul 18, 2007 03:17 AM

    I recently started receiving stock spam at an address that had never been spammed before. Then I got some fake greeting card spam, obviously a malware attempt. That address had nothing to do with VMware.

    My suspicion is that some spammers are upping their efforts, and that any spam your VMware specific address is getting is just a part of that.



  • 19.  RE: Email list leak?

    Posted Jul 18, 2007 03:27 AM

    How do you figure they got our vmware-specific addresses, nospamboz?



  • 20.  RE: Email list leak?

    Posted Jul 25, 2007 05:29 PM

    I have also received several spam emails to a VMware.com-only account.

    I'm forwarding the emails to VMWare's security team, but just for comparison with other users, these are the spam campaigns I received:

    * July 16, 2007: stock spam, with text:
      OTC-Advisors.com and bullishalrets.com Issue Watch Alert On SZSN
      Shandong Zhouyuan Seed and Nursery Co., Ltd (SZSN)
    * July 16, 2007: stock spam, with an image, again referencing ticker SZSN.
    * July 18, 2007: Greeting card spam purporting to be from riversong.com with a link to 70.244.238.38 which downloads an "ecard.exe" application.
    * July 18, 2007: Stock spam with text:
      Company: Latitude Industries Inc.
      Symbol: LTDI
    * July 20, 2007: Greeting card spam purporting to be from egreetings.com with a link to 69.249.178.254
    * July 22, 2007: Greeting card spam purporting to be from BlueMountain.com with a link to 74.102.178.124, which again downloaded an executable.
    * July 22, 2007: Stock spam with a PDF attachment with text for "Bell Buckle Holdings, Inc" (BLLB.PK)
    * July 22, 2007: Stock spam with a PDF attachment with text for "Maximum Awards, Inc" (MXRW)
    * July 23, 2007: Greeting card spam purporting to be from mypostcards.com with a link to 74.130.228.92, which again downloaded "ecard.exe"

    Any of these campaigns overlap with those received to VMWare-only addresses by other people?



  • 21.  RE: Email list leak?

    Posted Jul 25, 2007 06:48 PM

    Hi Folks,

    Thanks for bringing this to our attention. The fact that you are getting spam to email addresses that you've only shared with us is deeply concerning to us. We are investigating this on our end to figure out what happened and how we can prevent such incidents in the future. Rest assured we are taking this very seriously.

    I will update you as we figure this out. Our sincere apologies for this incident.

    Regards,

    Srinivas



  • 22.  RE: Email list leak?

    Posted Sep 18, 2007 09:06 PM

    Just curious if there was a follow-up on this.

    I continue to receive them, recent subjects include:

    oh, man you gotta see this video

    ERMX announces Dividend Plans

    The News Finally Hits!

    User Verification

    Oh, man this girl is a freak, lol. She was so wild. Check out the pics we took.

    I realize the cat is out of the bag; it would be interesting to know if others are seeing the same or different ones to know if we've been sold yet. If VMWare is investigating and wants headers or spam URL's let me know, I'll hold onto them for a bit, before I delete them and blacklist the address.



  • 23.  RE: Email list leak?

    Posted Dec 24, 2010 12:43 AM

    Heh, 3 years later VMWare sends me a newsletter with a link to this thread.  I check it for grins and am reminded that there was never any follow-up.  I'm spoiled by working with open source projects that take data breaches seriously.



  • 24.  RE: Email list leak?

    Broadcom Employee
    Posted Jul 25, 2007 11:05 PM

    I received the SZSN stock spam.

    Also 7/17 I received spam purporting to be from Hallmark.Com linking to an ecard.exe virus at 196.206.74.170

    Also 7/19 I received spam purporting to be from 2000Greetings.Com linking to an ecard.exe virus at 69.251.213.39

    Any others were likely caught by my spam filter but these were caught by my McAfee.



  • 25.  RE: Email list leak?

    Posted Jul 26, 2007 04:52 AM

    I too have received those spams, however I use this address for most correspondence. so there is no uniqueness for me.



  • 26.  RE: Email list leak?

    Posted Aug 03, 2007 12:10 PM

    I just (STOOPIDLY) opened a riversong download with an exe extension. i have a mac. how do i know if i have a virus or not???



  • 27.  RE: Email list leak?

    Posted Sep 19, 2007 04:12 PM

    You don't. Macs don't run exes.