Is Parallels spamming me???

Discussion in 'Parallels Website and Forum' started by ATXP, Aug 8, 2007.

  1. bmoeskau

    FYI, I'm an admin on a vBulletin forum on a different website and we've been getting this exact same issue -- same IP even -- for a couple days now. I thought it was a very strange coincidence that I got this same email from Parallels when we are having the same issue.

    Based on the IP the ISP appears to be ThePlanet.com:

    OrgName: ThePlanet.com Internet Services, Inc.
    OrgID: TPCM
    Address: 1333 North Stemmons Freeway
    Address: Suite 110

    City: Dallas
    StateProv: TX
    PostalCode: 75207
    Country: US

    ReferralServer: rwhois://rwhois.theplanet.com:4321

    NetRange: 74.52.0.0 - 74.54.255.255
    CIDR: 74.52.0.0/15, 74.54.0.0/16

    I called them and emailed their abuse address with this info, but I haven't gotten much in the way of a response -- basically they'll look into it but cannot even guarantee a response or any action. Pretty lame -- not sure what else can be done. Maybe if someone from Parallels can also contact them they'll take a look.
     
  2. bayz

    barryw, the email is an automated response sent by the Parallels server to the address that you provided; your email address is still private (until your password is hacked).
     
  3. barryw

    ariell - take a good look above at the source listing of the email and see what is mentioned about the domain name parallelZ.com - note the closeness of the spelling. This doesn't appear to be a software error. The second thing I did was to remove the capability of anyone but an admin to send me email. I had that turned on when I was trying to help someone privately quite a while back. I had not been on the forum since 5/31/2007 when I received the email this evening.

    If people are still getting them, and they have the option checked to receive email from other members, I wonder if turning this off has an effect. It still would not explain the fact that some people are getting locked out. Unless the person doing this tries to log into an account, gets it locked, then sends the mail. Who the hell knows. I work in security all day, and get really tired of looking at email headers, attempts to gain access to networks, etc.
     
    Last edited: Aug 8, 2007
  4. barryw

    Read the facts. Also the post that was just made in reference to tracking this to theplanet.com - I got to the same information right off and sent that back to Parallels via email. I then found this thread and posted to it.

    So - let's not make guesses at this. Let's get an answer with the facts.
     
  5. BenInBlack

    Just wanted to chime in on this, I have gotten several.

    Could be PHISHING
    or
    an attempt by a disgruntled customer trying to get people to inadvertently block Parallels emails

    If more of us chime in then hopefully this will get a faster response from support
     
  6. am3n3

    I've received several of these emails, but my account was set up from the start to only receive emails from admins.

    So to answer your question, apparently not.
     
  7. ialubimii

    Hello!

    We are working hard on this problem.
    Please do not submit any information about Parallels e-mails, personnel names and IPs.
    I have covered it with asterisks in the previous posts.
    We will try to solve this problem ASAP.

    Thanks.
     
  8. bob_nugget


    Hey,

    I just checked this out and it looks like a legit e-mail from parallels.com, saying someone is trying to hack our forum accounts. I got one too.

    In the sent mail headers, mine says:

    Now, if I go to 66.197.12.178 (the sender IP address recorded by my mail server - this can't be spoofed easily), it gives me the Parallels forum. If I ping forum.parallels.com, it says it is 66.197.12.178.

    An extra problem here is that Parallels have configured the software running their forum server to think it is called "forum.parallelz.com", so it is sending mail and claiming to be forum.parallelz.com, when it is in fact forum.parallels.com

    The main problem is probably that some script-kiddie is/was trying to get our passwords.

    Cheers,
    Josh
     
  9. andyeb

    I'm seeing the same from the same IP (74.53.243.34). It would seem that everyone else who has had an attempt at a brute-force attack has a user name which starts with an 'a' or a 'b', which would suggest a systematic dictionary attack on usernames followed by passwords.
     
  10. chrisj303

    Well, what is the problem?

    Should it be any real cause for concern?

    I don't like receiving Mails like this.
     
  11. BeyondCloister

    To me it looks like someone has just tried brute force on each user name they can find.

    The forum software then kicked in to let the user know of the failed attempts and offered them the remember password link in case it was a genuine forgotten password.

    This means that the email addresses are safe as it is the forum software which sent the emails and nothing to do with whoever was trying to get in.

    I would think you would only have been at risk if you had used an insecure password which would have allowed them to log in as you and then get your email address from the account settings page.

    Unfortunately this kind of thing goes on all the time with forums on the internet.
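
Added example, not part of the thread or of the forum's own software: a Python check a forum operator could run over failed-login records to spot the pattern posts 9 and 11 describe, one source address failing against many different usernames in alphabetical order. The log format, the threshold and all sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log. Assumed format: "<time> <source IP> <username> <FAIL|OK>".
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
2007-08-08T09:00:01 203.0.113.7 aaron FAIL
2007-08-08T09:00:02 203.0.113.7 aaron FAIL
2007-08-08T09:00:03 203.0.113.7 aaron FAIL
2007-08-08T09:00:04 203.0.113.7 abby FAIL
2007-08-08T09:00:05 203.0.113.7 abby FAIL
2007-08-08T09:00:06 203.0.113.7 adam FAIL
2007-08-08T09:00:07 203.0.113.7 barb FAIL
2007-08-08T09:00:08 203.0.113.7 barb FAIL
2007-08-08T09:00:09 203.0.113.7 ben FAIL
2007-08-08T09:03:10 198.51.100.20 carol FAIL
2007-08-08T09:03:25 198.51.100.20 carol FAIL
2007-08-08T09:03:40 198.51.100.20 carol OK
"""

def parse(log):
    """Yield (time, ip, username, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, ip, user, result = parts
            yield ts, ip, user.lower(), result

def find_enumeration(log, min_accounts=4):
    """Report source IPs whose failed logins span many distinct accounts."""
    failed = defaultdict(list)  # ip -> usernames, in order of first failure
    for _ts, ip, user, result in parse(log):
        if result == "FAIL" and user not in failed[ip]:
            failed[ip].append(user)
    reports = {}
    for ip, users in failed.items():
        if len(users) < min_accounts:
            continue  # a user mistyping their own password stays below this
        reports[ip] = {
            "accounts": len(users),
            # Walking a member list top to bottom shows up as sorted targets.
            "alphabetical": users == sorted(users),
            "first_letters": sorted({u[0] for u in users}),
        }
    return reports

if __name__ == "__main__":
    for ip, report in find_enumeration(SAMPLE_LOG).items():
        print(ip, report)
```

A per-account lockout alone notifies each victim separately, as happened here; grouping failures by source address is what lets the operator block the one IP.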
     
  12. Purplish

    Everyone please check your profile. You have the option of not making your e-mail address visible to other users.

    Go into Edit Profile / Edit Options. Uncheck the option to allow other users to send you e-mail.
     
  13. cometmac

    Got one too.
     
  14. am3n3

    Disabling this option didn't stop me from getting the notices, since the lock-out messages came from the admins and I've kept that option enabled.
     
  15. Dave Ruske

    Just got one of these, also from 74.53.243.34. Just for fun, I tried to Google the IP address, and look what I found. It seems that Parallels isn't the only forum being attacked.

    Three things to be done here: first, complain to abuse@theplanet.com, being sure to specify the IP address of the attacker. Second, the forum can block this IP address. Third, make sure you have a password with at least letters and numbers that's not trivial to guess.

    I doubt any email addresses were exposed; the email, after all, is just coming from the Parallels forum indicating someone is trying to hack your account, and that's a useful thing to know (thanks, Parallels!). Of course, if the attacker manages to guess your password, all bets are off...

    If 74.53.243.34 isn't a compromised machine itself and this attack can actually be traced back to an individual, someone is going to have a very bad day.
     
  16. czenzel

    I got one of these e-mails this morning also with the same IP address. I got the e-mail around 5 AM EST.

    It looks like Parallels' member list is publicly accessible and not locked just to members. The user names and public profile information are shown; shouldn't Parallels lock this so only members can see these lists?
     
  17. Ambival

    Good. I thought it was just me that was getting this. I also looked up the IP address and found the same source. Please make sure to write to abuse@theplanet.com noting these violations.
     
  18. ialubimii

    We have fixed this attack.
    If you get strange mails from now on, please contact me directly through PM.
     
  19. aldango

    Sorry, I thought I caught all of the 'sensitive' data. My mistake.
     
  20. David5000

    At first I thought the attacker was getting the names from messages that had been posted, but today I got a warning message also sent to a login name (and e-mail address) I have registered with but have not posted with.

    Does this mean the member list is publicly viewable (I can't find it) or that the attacker somehow got access to it?

    Also, I changed my password but don't see the options to allow admin e-mails, etc.

    David
     
