Spam bot got into Chiff's accounts??

Today I received a SPAM to an email address I use only here at Chiff. Actually, I took the habit of using a specific address for all sites I use my address on, so that I can pinpoint the source of spam… I’m not sure if you can qualify this email of SPAM, because maybe it was sent manually to many Chiff members… it’s from Mysterious Records, pointing to url http://WWW.Ke-Ju.COM. It’s music related, so maybe someone actually went through all members to send the email… but as far as I know, there is no way for a bot to ‘fetch’ email addresses automatically from phpBB, so I hope someone didn’t hack the accounts!

PS: I call SPAM any unsolicited mail that is sent in an automatic, bulk manner. I don’t care what the subject is.
PS2: Annoyingly enough, there is no way to get ‘removed’ from the company’s mailing list

Just checked my email, and I have not received this spam. Dunno if that’s due to good filters, or what.

I got that spam mail too, but wouldn’t be able to pinpoint the origin as I use this address for almost everything.

I got the same one, and did assume it had come via here, or that that’s where the spammers had got my e-mail. But I didn’t much care - I just deleted it.

I think that has happened before and it’s hard to know why. Bots are not supposed to be able to grab user data from the forum. But, email addresses held by Epsilon weren’t supposed to be breached either, but it happened.

they wouldn’t have to grab user data from the forum in the sense of ‘from the database’…
because email addresses are in the html of the page - the button labeled email at the bottom of each post has an email for the poster in plain text - not all posts have this button showing so it is probably some user setting.

Bill

edit: note that those saying they received the email have the email button in their posts (at least for now - does this change for old posts if their settings are updated) and the couple that posted that they did not get the email (which includes me) do not have the email button turned on

Yep, what highwood said. A web scraper can suck e-mail addresses from the HTML page. Thankfully, this has not been a widespread problem here.

I’ve noticed that the default is to show the email address.
Someone might want to change that.

Most of the new members have email address shown.
It is somewhat like begging.

I think we want to leave e-mail displayed by default. Individuals are welcome to turn it off. But we must have a valid e-mail addy in our database. We can change the default and/or tighten up bot access if scraping becomes a problem.

It would still be in the database (as mine is) but it wouldn’t be automatically displayed with the little button (like mine is not to all non Admin).

Oh, sorry … Yes, that’s right. I meant the “valid e-mail addy” comment as a separate (but related) issue.

I don’t feel that many of them are tech savvy enough understand the implications of leaving it shown.

Let’s put it this way: It’s been that way for 10 years. We’re not inclined to change it for now.

Well, I am shocked! I just checked the source of the HTML and yes, the email is there in plain text! The reason I am shocked is that there are many efficient ways to ‘hide’ or ‘scramble’ an email address in the source html code using javascript (those are called email obfuscators). As a web programmer, I’ve been doing this for years and the bots are never able to harvest displayed emails. I would have thought phpBB would be using such email scrambler, but it seems they don’t!!

I just checked and it seems there’s no obfuscator module available for phpBB. I guess I’m going to disable the email feature then…