Is Parallels spamming me???

FYI, I'm an admin on a vBulletin forum on a different website and we've been getting this exact same issue -- same IP even -- for a couple days now. I thought it was a very strange coincidence that I got this same email from Parallels when we are having the same issue.

Based on the IP the ISP appears to be ThePlanet.com:

OrgName:
ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110

City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange:
74.52.0.0 - 74.54.255.255
CIDR: 74.52.0.0/15, 74.54.0.0/16

I called them and emailed their abuse address with this info, but I haven't gotten much in the way of a response -- basically they'll look into it but cannot even guarantee a response or any action. Pretty lame -- not sure what else can be done. Maybe if someone from Parallels can also contact them they'll take a look.

 

barryw, The email is an automated response sent by the parallels server to the address that you provided, your email address is still private (until your password is hacked).

 

ariell - take a good look above at the source listing of the email and see what is mentioned about the domain name parallelZ.com - note the closeness of the spelling. This doesn't appear to be a software error. The second thing I did was to remove the capability of anyone but an admin to send me email. I had that turned on when I was trying to help someone privately quite a while back. I had not been on the forum since 5/31/2007 when I received the email this evening.

If people are still getting them, and they have the option checked to receive email from other members, I wonder if turning this off has an effect. It still would not explain the fact that some people are getting locked out. Unless the person doing this tries to log into an account, gets it locked, then sends the mail. Who the hell knows. I work in security all day, and get really tired of looking at email headers, attempts to gain access to networks, etc.

 

Read the facts. Also the post that was just made in reference to tracking this to theplanet.com - I got to the same information right off and sent that back to Parallels via email. I then found this thread and posted to it.

So - let's not make guesses at this. Let's get an answer with the facts.

 

Just wanted to chime in on this, i have gotten several.

Could be PHISHING
or
and attempt by an disgruntle customer trying to get people to inadvertently block parallels emails

if more of us chime in then hopefully this will get a faster response from support

 

I've received several of these emails, but my account was set up from the start to only receive emails from admins.

So to answer your question, apparently not.

 

Hello!

We are working hard on this problem.
Please, do not submit any information about Parallels e-mails, personnel names and ip's.
I have covered it with asterisks in the previous posts.
We will try to solve this problem ASAP.

Thanks.

 

Hey,

I just checked this out and it looks like a legit e-mail from parallels.com, saying someone is trying to hack our forum accounts. I got one too.

In the sent mail headers, mine says:

now, if i go to 66.197.12.178 (the sender IP address recorded by my mail server - this can't be spoofed easily), it gives me the parallels forum. If i ping forum.parallels.com, it says it is 66.197.12.178.

An extra problem here is that parallels have configured the software running their forum server to think it is called "forum.parallelz.com", so it is sending mail and claiming to be forum.parallelz.com, when it is in fact forum.parallels.com

The main problem is probably that some script-kiddie is/was trying to get our passwords.

Cheers,
Josh

 

I'm seeing the same from the same IP (74.53.243.34). It would seem that everyone else who has had an attempt at a brute-force attack has a user name which starts with an 'a' or a 'b', which would suggest a systematic dictionary attack on usernames followed by passwords.

 

Well, what is the problem?

Should it be of any real cause of concern.?

I don't like receiving Mails like this.

 

To me it looks like someone has just tried brute force on each user name they can find.

The forum software then kicked in to let the user know of the failed attempts and offered them the remember password link incase it was a genuine forgotten password.

This means that the email addresses are safe as it is the forum software which sent the emails and nothing to do with whoever was trying to get in.

I would think you would only have been at risk if you had used an insecure password which would have allowed them to log in as you and then get your email address from the account settings page.

Unfortunately this kind of thing goes on all the time with forums on the internet.

 

Everyone please check your profile. You have the option of not making your e-mail address visible to other users.

Go into Edit Profile / Edit Options. Uncheck the option to allow other users to send you e-mail.

 

Go one too.

 

Disabling this option didn't stop me from getting the notices, since the lock-out messages came from the admins and I've kept that option enabled.

 

Just got one of these, also from 74.53.243.34. Just for fun, I tried to Google the IP address, and look what I found. It seems that Parallels isn't the only forum being attacked.

Three things to be done here: first, complain to abuse@theplanet.com, being sure to specify the IP address of the attacker. Second, the forum can block this IP address. Third, make sure you have a password with at least letters and numbers that's not trivial to guess.

I doubt any email addresses were exposed; the email, after all, is just coming from the Parallels forum indicating someone is trying to hack your account, and that's a useful thing to know (thanks, Parallels!). Of course, if the attacker manages to guess your password, all bets are off...

If 74.53.243.34 isn't a compromised machine itself and this attack can actually be traced back to an individual, someone is going to have a very bad day.

 

I got one of these e-mails this morning also with the same IP address. I got the e-mail around 5 AM EST.

It looks like Parallels' member list is publicly accessable and not locked just to members. The user names and public profile information are shown; shouldn't Parallels lock this so only members can see these lists?

 

Good. I thought it was just me that was getting this. I also looked up the IP address and found the same source. Please make sure to write to abuse@theplanet.com noting these violations.

 

We have fixed this attack.
If you'll have strange mails from now - please contact me directly through PM.

 

Sorry, I thought I caught all of the 'sensitive' data. My mistake.

 

At first I thought the attacker was getting the names from messages that had been posted, but today I got a warning message also sent to a login name (and e-mail address) I have registered with but have not posted with.

Does this mean the member list is publicly viewable (I can't find it) or that the attacker somehow got access to it?

Also, I changed my password but don't see the options to allow admin e-mails, etc.

David