martin_wynne (RMweb Premium), posted June 16, 2015:

For those missing email notifications at present, you can find your followed topics using this link:

http://www.rmweb.co.uk/community/index.php?app=core&module=search&do=followed

Martin.
Kenton, posted June 16, 2015:

Martin, an incomplete list (might be just me) but doesn't show all topics that have changed (according to the "view new topics"); in fact it contains a list of quite old (topics), some of which I am the last to post on and others I have also posted on but haven't looked at for ages.

Top of my list is a topic I haven't looked at and isn't on the first 4 pages of "view new topics" but does have new posts on - I really ought to read. Also none of the topics I have posted on today, recently are on that list! There are also locked topics on the first page of that list (locked more than 24hrs ago!)

So that list is less useful (possibly broken/misleading) than just scanning the pages of "view new topics" ... anyway I'm also interested in the "new" cries for help or just interesting subjects.

I do wonder how RMWeb ended up on that black list and if there was any real evidence to support the allegation - or if it was just a malicious attack? Being as paranoid as I evidently am, it is a potential worry about how many were infected by it before the mailserver was locked.
Andy Y, posted June 16, 2015:

We believe the issue has been isolated now but it may take a while before that filters through to such blocking services. It looks like a security loophole in the software allowed a file to be uploaded but it only appears to be emails spoofed to appear as though they're from RMweb and to sundry email addresses unrelated to forum membership and the volume appears to be very low.

I believe any such attack is malicious irrespective of whether it's anyone with a grudge.
martin_wynne (RMweb Premium), posted June 16, 2015:

> I do wonder how RMWeb ended up on that black list and if there was any real evidence to support the allegation - or if it was just a malicious attack? Being as paranoid as I evidently am, it is a potential worry about how many were infected by it before the mailserver was locked.

Hi Kenton,

It was most likely a security loophole in the CMS system which runs the portal page:

http://www.rmweb.co.uk/community/index.php?/page/home.html

rather than anything on the RMweb forum itself.

A detailed look at the infection is here:

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf

It's quite possible there never was any infection. Spam detection systems are notorious for false positives, but once an IP is black-listed it can take quite an effort to get it removed. Many of the blacklists are simply a compilation of other blacklists, and not always kept up to date. Most ISPs will block anything on a blacklist, regardless.

I doubt you need worry about receiving dodgy emails -- the malicious code was using the RMweb server to relay spam to its own targets, rather than accessing the IPB email database.

Martin.
martin_wynne (RMweb Premium), posted June 16, 2015:

Emails now working. Many thanks Andy.
Alister_G (RMweb Gold), posted June 16, 2015:

> Emails now working. Many thanks Andy.

Seconded
bigherb, posted June 16, 2015:

Thirded

Ta muchly top Bowana.
emt_911, posted June 16, 2015:

Fourthed.

Excellent work Boss
Kenton, posted June 17, 2015:

Help I'm drowning!

Thanks, Andy. Next item on the list ...
emt_911, posted July 23, 2015:

It's happened to me again tonight. I haven't received any since 20:20
Alister_G (RMweb Gold), posted July 24, 2015:

> It's happened to me again tonight. I haven't received any since 20:20

Yep, agreed, last email notification I had was yesterday at 20:30
emt_911, posted July 24, 2015:

> Yep, agreed, last email notification I had was yesterday at 20:30

I was starting to think that I was on my own with this problem
Andy Y, posted July 24, 2015:

The problem should resolve soon.
martin_wynne (RMweb Premium), posted July 26, 2015:

Any news?

IP 109.104.118.213 is still showing blocked at: http://cbl.abuseat.org/lookup.cgi

No emails since Thursday.

Martin.
emt_911, posted July 28, 2015:

I've still not received any emails since Thursday
martin_wynne (RMweb Premium), posted July 28, 2015:

Working fine again. Block lifted 2 hours 30 minutes ago.

Many thanks.
emt_911, posted July 28, 2015:

Now receiving them. Many thanks Andy
martin_wynne (RMweb Premium), posted August 5, 2015:

It's blocked again. No emails today.

See: http://cbl.abuseat.org/lookup.cgi

Enter IP address: 109.104.118.213

Martin.
martin_wynne (RMweb Premium), posted August 5, 2015:

Block cleared 3 minutes ago: http://cbl.abuseat.org/lookup.cgi

Thanks.
emt_911, posted September 7, 2015:

Unfortunately I've not been receiving emails since 19:2- today

It's blocked again.

See: http://cbl.abuseat.org/lookup.cgi

Enter IP address: 109.104.118.213
martin_wynne (RMweb Premium), posted September 8, 2015:

It was unblocked last night but is blocked again today: http://cbl.abuseat.org/lookup.cgi?ip=109.104.118.213

From which:

"It was last detected at 2015-09-08 05:00 GMT (+/- 30 minutes), approximately 5 hours ago. It has been relisted following a previous removal at 2015-09-07 21:37 GMT (11 hours, 56 minutes ago) Perhaps the person who previously removed it didn't actually fix the problem."

If the IT folks at Warners/Dediserve are simply requesting unblocking each time without doing something to fix the problem, sooner or later CBL will refuse to unblock it.

Martin.
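Added example, not part of any post in this thread: a sketch of how a server operator could watch for the listing and relisting described above rather than learning of it from users. It assumes the list answers standard DNSBL queries (RFC 5782) under the zone `cbl.abuseat.org`, named after the lookup site in the thread; the function names and the 19:30 observation are constructed.

```python
import ipaddress
import socket

ZONE = "cbl.abuseat.org"  # assumption: DNS zone of the list, after the lookup site

def dnsbl_name(ip, zone=ZONE):
    """RFC 5782 query name: IPv4 octets reversed, followed by the list zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """A record for name, or None when the lookup fails.
    Caveat: a resolver outage also yields None, so alert on outages separately."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip, resolver=system_resolver, zone=ZONE):
    """Listed means the query name resolves to an address in 127.0.0.0/8."""
    answer = resolver(dnsbl_name(ip, zone))
    if answer is None:
        return False
    if ipaddress.IPv4Address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        # A wildcarding or hijacking resolver, not a genuine list answer.
        raise ValueError(f"unexpected DNSBL answer {answer!r}")
    return True

def transitions(observations):
    """Turn [(timestamp, listed)] polls into 'listed'/'delisted'/'relisted' events."""
    events, previous, removed_before = [], None, False
    for when, listed in observations:
        if listed and previous is not True:
            events.append((when, "relisted" if removed_before else "listed"))
        elif not listed and previous is True:
            events.append((when, "delisted"))
            removed_before = True
        previous = listed
    return events

# Constructed poll results; the last two timestamps are the ones CBL reported above.
OBSERVED = [
    ("2015-09-07 19:30", True),
    ("2015-09-07 21:37", False),
    ("2015-09-08 05:00", True),
]

if __name__ == "__main__":
    for when, event in transitions(OBSERVED):
        print(when, event)
```

A "relisted" event is the signal that a removal request went in without the cause being fixed.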
martin_wynne (RMweb Premium), posted September 8, 2015:

Any news on this? No emails today.

Martin.
Alister_G (RMweb Gold), posted September 8, 2015:

> If the IT folks at Warners/Dediserve are simply requesting unblocking each time without doing something to fix the problem, sooner or later CBL will refuse to unblock it.

Have to agree with Martin, the hosting company don't seem to be addressing the root of the problem.

If (to be generous) it's the case that they are removing the malicious software, and it is immediately being re-installed, then there is obviously an attack vector which they haven't blocked - either another user on the same box, if it's a shared environment - or a vulnerability in some existing piece of software, the Invision forum software itself, or something else on the server. It might be something as daft as an anonymous FTP server running unnoticed.

Whatever, it's about time they cleaned it up properly, or the forum email will be banned permanently, and you'll have to change IPs.

Al.
Andy Y, posted September 8, 2015:

The recurrence of the issue tends toward a software loophole being exploited which is like herding cats trying to get answers. I am aware and looking for answers.
martin_wynne (RMweb Premium), posted September 8, 2015:

> The recurrence of the issue tends toward a software loophole being exploited which is like herding cats trying to get answers. I am aware and looking for answers.

Hi Andy,

There is a lot of info and advice on this page (scroll down): http://cbl.abuseat.org/lookup.cgi?ip=109.104.118.213

(It is mainly for Dediserve to deal with.)

regards,

Martin.
Archived
This topic is now archived and is closed to further replies.