RP: SR Security Not Compromised

My best guess as to why a small group of people here are receiving the messages is this: Years ago, when HBO first started back on the old website, we used to allow commenters to include their email addresses with their comment signatures. This was entirely optional, and provided so that commenters could offer a way for other commenters to contact them if they wanted to. Several years ago, we removed that option, and entirely quit displaying commenters’ email address. We collected them for verification purposes, and so Dave would have a way to contact people, but we did not display email addresses anywhere. We didn’t want anyone to inadvertently give the wrong people — be it a spammer or anyone else — their personal email address/ Blogmeister Ryan . Full post below . Second thread here (including explanation of the attack on Hotmail by an inside techie).

@Cabbage Boy, etc. - There has been no security compromise here.

When Dave first described the problem to me yesterday, it was over the phone as I was driving into work. It sounded to me like he might have picked up a virus that was abusing his email address book, and resending itself to the people in it. Clearly that wasn’t the case, however, as *many* people that are in Dave’s email address book are not getting spammed, from HBO readers to his coworkers at the Spokesman-Review. So Dave’s email was not compromised.

My second concern was that the old blog database had been broken into. But we would have seen signs of that in our server logs, and again, MANY more readers here would be getting these emails. There are thousands of email addresses in that database table. A couple of my email addresses are in there, for example, and I haven’t gotten even one spam message.

My best guess as to why a small group of people here are receiving the messages is this: Years ago, when HBO first started back on the old website, we used to allow commenters to include their email addresses with their comment signatures. This was entirely optional, and provided so that commenters could offer a way for other commenters to contact them if they wanted to.

Several years ago, we removed that option, and entirely quit displaying commenters’ email address. We collected them for verification purposes, and so Dave would have a way to contact people, but we did not display email addresses anywhere. We didn’t want anyone to inadvertently give the wrong people — be it a spammer or anyone else — their personal email address.

When we made this switch, I changed all the blog templates so that even old pages, with comments entered under the previous system, would stop displaying email addresses. However, it is *possible* (and even probable) that somewhere in the backwaters of the internet, there’s a cached version of some of those old pages. Stored by Google or someone else, there’s a snapshot of an old page with those email addresses embedded in it.

I suspect that’s exactly what’s happened here - a spammer has harvested email addresses from an old, old, cached HBO page that’s not even on our server. That would explain why only a limited number of people here have been affected, and why it’s old email addresses being hit.

There’s not a security issue with Dave’s email, and our database wasn’t hacked. This is just spam. And yes, it sucks! But this isn’t targeting just HBO, it’s part of a widespread attack that involved multiple servers and IP addresses, affecting thousands and thousands of users whose email addresses were harvested from who knows where. I understand the people responsible were even bragging about it this morning on a hack site, and that the target was actually Hotmail, by routing such a flood of email through its servers at once.