Hey all,
There have recently been a high number of complaints to OTRS about emails received, supposedly from Wikipedia. I believe these to be spam, but I just wanted to double check on the very small chance it is something gone wrong somewhere :) The emails relate to account details and appear to be phishing (I think).
Here's an example:
Wikipedia Someone (probably you, from IP address <IP REMOVED>) requested a reminder of your account details for Wikipedia. The following user account is associated with this e-mail address: <Address Removed> This reminder will expire in 7 days. If you didn't initiate the request on Wikipedia, feel free to cancel this message and uncheck the "Reminder" checkbox in your account. Thanks, and once again Welcome!
Can someone just confirm this isn't a problem our end.
Cheers, Tom
Can you include the header of the email? That could be of much more use to check if it was sent from a Wikimedia server.
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Indeed, unless there are some spam links inside, for example if it was html mail, the reset token could be in fact a spam link leading to another site. (like <a href=http://somespam.com>http://en.wikiped... reset token</a>)
On Mon, Apr 23, 2012 at 2:21 PM, K. Peachey p858snake@gmail.com wrote:
That looks like the standard password reset request email.
I've never seen a message that mentions a 'remind me checkbox' before on my account - looks more like spam to me.
Thehelpfulone
I may have gotten to the bottom of it - as a spam email...
The OTRS system renders emails weirdly so the actual links weren't showing. Downloading the HTML version shows the "cancel this message" text being a link pointed at carewelhealth[dot]com - a site apparently running MediaWiki.
Is the mail system part of MediaWiki? That could be the origin; they're misusing the system to spam people, in a very weird way.
Tom
Yes, this is a template used by MediaWiki from Special:PasswordReset, and exactly this template, plain text, is used on production of Wikimedia servers. Unless you can't retrieve the header of the original message, it's not possible to verify if it's a scam or a system message. On the other hand, anyone who knows the email could trigger it. In case OTRS is using a Wikimedia SUL account with the OTRS email account, anyone filling it in PasswordReset could trigger the system to send you this message. There is no protection from this so far.
Ah, sorry my message might not have been clear :)
There are several emails in OTRS from *other people* asking about these emails, having received them themselves (some claiming never to have had an account on WP).
After research, and comments here, I'm certain this is a spam issue originating from somewhere else, rather than something associated with us.
Cheers all. Tom
Here you go dudes,
| Return-Path: miss@inanir.com
| X-Spam-Checker-Version: SpamAssassin 3.4.0-r1197259-1907 (2011-11-03) on
| ps11007.dreamhostps.com
| X-Spam-Flag: YES
| X-Spam-Level: ***********
| X-Spam-Report:
| * 1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
| * [URIs: carewelhealth.com]
| * 0.0 FSL_HELO_NON_FQDN_1 FSL_HELO_NON_FQDN_1
| * 3.6 HELO_LOCALHOST HELO_LOCALHOST
| * -10 J_MEDIAWIKI_MAILER J_MEDIAWIKI_MAILER
| * 2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL
| * [202.129.216.60 listed in psbl.surriel.com]
| * 1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
| * https://senderscore.org/blacklistlookup/
| * [202.129.216.60 listed in bl.score.senderscore.com]
| * 0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server
| * [202.129.216.60 listed in dnsbl.sorbs.net]
| * 0.0 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
| * 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
| * domains are different
| * 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
| * [Blocked - see http://www.spamcop.net/bl.shtml?202.129.216.60]
| * 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
| * [202.129.216.60 listed in bb.barracudacentral.org]
| * 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
| * [URIs: carewelhealth.com]
| * 1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
| * [URIs: carewelhealth.com]
| * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
| * [URIs: carewelhealth.com]
| * 0.0 HTML_MESSAGE BODY: HTML included in message
| * 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
| * 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
| * [URIs: carewelhealth.com]
| * 0.0 URIBL_SBL_A Contains URL's A record listed in the SBL blocklist
| * [URIs: carewelhealth.com]
| * 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
| X-Spam-Status: Yes, score=11.2 required=1.9 tests=DATE_IN_FUTURE_06_12,
| FSL_HELO_NON_FQDN_1,HELO_LOCALHOST,HTML_MESSAGE,J_MEDIAWIKI_MAILER,
| MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PSBL,
| RCVD_IN_RP_RNBL,RCVD_IN_SORBS_WEB,RDNS_NONE,T_HEADER_FROM_DIFFERENT_DOMAINS,
| URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_SBL,URIBL_SBL_A,URIBL_WS_SURBL
| X-Spam-Languages: en
| X-Original-To: jidanni1@ps11007.dreamhostps.com
| Delivered-To: jidanni1@ps11007.dreamhostps.com
| Received: from homiemail-mx1.g.dreamhost.com (caiajhbdcbhh.dreamhost.com [208.97.132.177])
| by ps11007.dreamhostps.com (Postfix) with ESMTP id 2F6A49C6002F
| for jidanni1@ps11007.dreamhostps.com; Sun, 22 Apr 2012 16:44:42 -0700 (PDT)
| Received: from localhost (unknown [202.129.216.60])
| by homiemail-mx1.g.dreamhost.com (Postfix) with SMTP id A30E876827C
| for jidanni@jidanni.org; Sun, 22 Apr 2012 16:44:41 -0700 (PDT)
| To: jidanni@jidanni.org jidanni@jidanni.org
| Subject: Wikipedia e-mail address confirmation
| From: MediaWiki Mail wiki@wikimedia.org
| Date: Mon, 23 Apr 2012 07:58:52 +0000
| MIME-Version: 1.0
| Content-type: text/html; charset=UTF-8
| Content-transfer-encoding: 7bit
| Message-ID: enwiki.86eed1069d1ba7.22719869@en.wikipedia.org
| X-Mailer: MediaWiki mailer
|
| <html>
| <body >
|
| <table border="0" width="540" cellpadding="0" cellspacing="0" style="max-width:540px; border-top:1px solid #000; font: 12px arial, sans-serif; margin: 0 auto;"><tr><td>
| <h1 style="color: #000; font: bold 20px arial; margin:4px 0;" >Wikipedia</h1>
| <p>Someone (probably you, from IP address 221.233.139.102) requested a reminder of your account details for Wikipedia. The following user account is associated with this e-mail address: jidanni@jidanni.org</p>
|
| <p>This reminder will expire in 7 days.<br>
| If you didn't initiate the request on Wikipedia, feel free to <strong><a href="http://carewelhealth.com/">cancel this message</a></strong> and uncheck the "Reminder" checkbox in your account.</p>
|
| <p>Thanks, and once again Welcome!<br>
| <a href="http://en.wikipedia.org">http://en.wikipedia.org</a></p>
|
| </body>
| </html>
Yes, it is not sent by any of the wm servers; probably some phishing or that.
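The checks the thread converges on (envelope sender versus From, the hand-off recorded by the recipient's own mail server, and where each HTML link really points) can be scripted. This is an added example, not part of any poster's message and not MediaWiki or SpamAssassin code; `audit`, `Links` and the `trusted` allow-list are hypothetical names, and the sample is constructed from the message posted above with the address brackets restored.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the headers and HTML body posted in the thread.
RAW = """\
Return-Path: <miss@inanir.com>
Received: from homiemail-mx1.g.dreamhost.com (caiajhbdcbhh.dreamhost.com [208.97.132.177])
Received: from localhost (unknown [202.129.216.60])
From: MediaWiki Mail <wiki@wikimedia.org>

<p>feel free to <a href="http://carewelhealth.com/">cancel this message</a></p>
<p><a href="http://en.wikipedia.org">http://en.wikipedia.org</a></p>
"""

class Links(HTMLParser):  # collects (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._text.strip(), self._href))
            self._href = None

def audit(raw, trusted=("wikipedia.org", "wikimedia.org")):
    """Return findings; `trusted` is an assumed allow-list of link domains."""
    msg, out = message_from_string(raw), []
    frm, env = (parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
                for h in ("From", "Return-Path"))
    if frm != env:
        out.append(f"envelope sender {env} != From {frm}")
    # Bottom Received header = hand-off recorded by the recipient's own MX.
    hop = (msg.get_all("Received") or [""])[-1]
    m = re.match(r"from (\S+) \((\S+) \[([\d.]+)\]", hop)
    if m and (m[1] == "localhost" or m[2] == "unknown"):
        out.append(f"relay {m[3]}: HELO={m[1]} rDNS={m[2]}")
    parser = Links()
    parser.feed(msg.get_payload())
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in trusted):
            out.append(f"link '{text}' -> {host}")
    return out
```

`audit(RAW)` returns three findings for this sample. A From/Return-Path mismatch on its own is common in legitimate bulk mail, so it is a signal to weigh together with the relay and link findings rather than proof by itself.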