
FTH Hacked?

Norm Thib (Topic Author, New Member)

FTH email spam?

2 years 2 months ago - 2 years 2 months ago
#91281
Hello FTH support folks and FTH community.
Note that I have not included FTH websites because this is a broader issue.
We have an active email scam problem going on in District 53 right now. It started with some district officers getting an email supposedly from our District Director requesting them to purchase some $100 gift cards for a "secret incentive program." A couple of our district officers fell for it and purchased gift cards, but the DAM (me) and Trio figured out it was a scam and warned everyone about it. Now it seems to have leaked down to the club level with some club officers getting an identical email supposedly from their club president via their FTH forwarders. We are still investigating, but so far it appears that only district and/or club officers are being impacted. We are working to communicate an urgent warning to all our members and also to determine the extent of the breach. We are seeking to inform the FTH support team and also wondering if any other districts are seeing any similar email scam activity. We'll update this post once more is known. Samples of the scam email and other info can be provided to the FTH support folks if wanted. It's important to note that, although many clubs in D53 use FTH, the district itself does not use it for our website. Feedback can be added to this post or sent to me directly at NormThibD53@comcast.net. Thanks all.
Last edit: 2 years 2 months ago by Brian.
The topic has been locked.
Brian (Administrator)

Re: FTH Hacked?

2 years 2 months ago
#91284
We will need all the email addresses involved.

Full internet headers will help us identify the source servers.
Thank you,

Brian McDonald DTM
Silver and Wiser Online Toastmasters Club #777940

Technical Support Consultant for FreeToastHost
Pam (Administrator)

Re: FTH Hacked?

2 years 2 months ago
#91293
The exact same thing is happening in D69 today.  It doesn't seem to originate with FTH here, but I have blacklisted the email address on FTH (livcg781@gmail.com).  

Here is the header: (I've replaced my username with xxx)
Return-Path: <livcg781@gmail.com>
Delivered-To: xxx@bigpond.com
Received: from exhprddir105 ([10.216.164.7])
    by claprdmst114 with LMTP
    id KJooOBZD+WRGJAAA7oXDsg:P1
    (envelope-from <livcg781@gmail.com>)
    for <xxx@bigpond.com>; Thu, 07 Sep 2023 13:27:18 +1000
Received: from exhprdmxe05 ([10.216.164.7])
    by exhprddir105 with LMTP
    id KJooOBZD+WRGJAAA7oXDsg
    (envelope-from <livcg781@gmail.com>)
    for <xxx@bigpond.com>; Thu, 07 Sep 2023 13:27:18 +1000
Received: from mail-lj1-f178.google.com ([209.85.208.178])
     by exhprdmxe05 with esmtp
    (envelope-from <livcg781@gmail.com>)
    id 1qe5fq-00073G-2Q
    for xxx@bigpond.com;
    Thu, 07 Sep 2023 13:27:18 +1000
Received: by mail-lj1-f178.google.com with SMTP id 38308e7fff4ca-2bd3f629c76so9127091fa.0
        for <xxx@bigpond.com>; Wed, 06 Sep 2023 20:27:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20221208; t=1694057235; x=1694662035; darn=bigpond.com;
        h=to:subject:message-id:date:from:references:in-reply-to:mime-version
         :from:to:cc:subject:date:message-id:reply-to;
        bh=q2+CThIs7Hit5vyfmUeu/KsNzEH7X1+pbiE1BsflLC4=;
        b=bP+Jd4ceSL9w6yDK6AC5UmVPPn2zEK5sZmsvIGCFP0UowUWELRVl9GFRrukgsYSL6B
         P/1G2wuePBB1AMjDfm9SsF+QzxjajGnblMr4IziMf4Ee7vntewtd79koE3io0mW+MNVw
         egvAKhYMHJrlJeUaFDZBv3UrnPOaJ9IuOZgw/7j+OHOZni+CHIjYV/xwOU//g6/0Lm3S
         1UFmU7YTgdnbEgfZWXs9jG+yLrz69rgbkIHDyri2kEpLlxahvy8C7zVrfBx5uZoxTPU4
         JBru/8w70oTRAG61vTAmNHBwNaG18Yvo1pIE/cHz6z/VpBvSt7aNOPMHVPTkEISMxKSn
         2gvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1694057235; x=1694662035;
        h=to:subject:message-id:date:from:references:in-reply-to:mime-version
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=q2+CThIs7Hit5vyfmUeu/KsNzEH7X1+pbiE1BsflLC4=;
        b=GehC+TemIXPdc3Sq6WW6tZaA+aGp8vyWzqdCj2SRqchfQhSfcoYXFGUABhsCjKkki4
         mmZYW1fAlJNT0Vfkszd9BxFxGnLcoUBHpKWb8PEcDZBZTs0GTuL7+Ye24j2j2P6ehO92
         9YgZ+IpyNLEfAXBU+TcbjWP+fgTLj93BpVL3Uw5382nPxdlDKYOyEJoJEyDzN+bkv/L9
         jvGgiivbFi5TxGKxDAHmODqiiO1X8mjWip6igd7017/2ZxFodW8k1XTdH0wVMf7FQe61
         eArh9xMsdYmfPH67r0NTMsQ6Wtjj/+1Vom/qQMiBHCytyG+sdA4o0if4T2Iz5r8GFsm5
         8f2w==
X-Gm-Message-State: AOJu0YwNZicAZ0/UaACvIRk1JC2Bgqa1lr7rXM/Og8l6n0ZJNhJ4WqoN
    xoaoU2ThbtV2om9Ml5nM+Gk0DaDhy+COfcp8CAHfgHsps6wJjQ==
X-Google-Smtp-Source: AGHT+IET/tsgsmcP1JjJcL8Fsv3TVyu7KZkW/S5caU4tMT3aQnzc6NSTJgvb/iimU5WvFM5QkieFuzjsVUO3RWi0Crc=
X-Received: by 2002:a2e:96d9:0:b0:2bc:c3c0:a997 with SMTP id
 d25-20020a2e96d9000000b002bcc3c0a997mr3702988ljj.38.1694057235347; Wed, 06
 Sep 2023 20:27:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a05:651c:1024:b0:2b9:bad6:66a with HTTP; Wed, 6 Sep 2023
 20:27:14 -0700 (PDT)
In-Reply-To: <004c01d9e124$583b16c0$08b14440$@bigpond.com>
References: <CAJ9bX9+L110cttGCZ6A4kTFBobE0r436Az+Eun9OLxHFZ-dPzQ@mail.gmail.com>
 <003601d9e11f$51652840$f42f78c0$@bigpond.com> <CAJ9bX9KRBNfYzzeWR5x0rsd6z5uBg4KwyRjDd0JbyeUmd6XhzA@mail.gmail.com>
 <004c01d9e124$583b16c0$08b14440$@bigpond.com>
From: Denise Buckby <livcg781@gmail.com>
Date: Wed, 6 Sep 2023 20:27:14 -0700
Message-ID: <CAJ9bX9JkFOQaPTKheO2OH8G7tH981pmDwkE2WkfC8Jd==0-KWw@mail.gmail.com>
Subject: Toastmasters D69
To: xxxxxx <xxx@bigpond.com>
Content-Type: multipart/alternative; boundary="000000000000bdfd3f0604bc6fbe"
X-tce-ares-id: i{a4d8dfd1-3630-43df-971b-9f5427960556}1
X-tce-spam-action: no action
X-tce-spam-score: 0.0
X-tce-spam-report: Action: no action
X-Cm-Analysis: v=2.4 cv=aKs265xm c=1 sm=1 tr=0 ts=64f94316 cx=a_idp_nop a=4Z7bLzRdO3NTdMHb7ZukIA==:117 a=zNV7Rl7Rt7sA:10 a=x7bEGLp0ZPQA:10 a=ixW7G_Bc7fEA:10 a=ljGsvmn9pW5otRe-nwUA:9 a=QEXdDO2ut3YA:10 a=zgiPjhLxNE0A:10 a=2p8w7ogSsuD7ky5XoeQA:9 a=wwAePvBONnjDQaqHVNx2:22 a=xktG2lVQBmeq-0Z_gg-f:22 a=OpbFwHzBB_NAIXhOV6bD:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22
X-Cm-Envelope: MS4xfK2xztNLj6TulLQHSg97M0cdup1JoBhjiDHPK0oA3wupsQO6EELqF7OLlVnOZXXXKnQXDcr5IZpaT0/RvFzb4OtJIcY6zWP9ZmXPjtpZ413SEl9O7ZVc P47tTyTwu2spD5E0XRESH3YYLhfgA5cJiq1MlhZYMGz8mmEfq16QA8LOr4mG9YR1zed8MKjqAPA3Dg==
X-tce-route: accept
FreeToastHost Ambassador
VPE HOT Toastmasters 2025-2026 hot.toastmastersclubs.org/
Webmaster Redlands Toastmasters 2025-2026 redlands.toastmastersclubs.org/
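Brian's request for full headers comes down to reading the Received chain from the bottom up. The following is an added example (not FreeToastHost code and not from anyone in this thread) that unfolds a raw header block, lists the hops in the order the message actually travelled, reports the first relay whose address is outside the recipient's own network, and pulls the DKIM verdict from Authentication-Results. The header block inside it is constructed from RFC 5737/RFC 3849 documentation addresses and example.com/example.net names, shaped like the headers posted above; the list of networks treated as "internal" is this example's own choice.

```python
"""Walk an email's Received chain and report where the message entered.

Added example, not FreeToastHost code. SAMPLE_HEADERS is a constructed header
block (RFC 5737/RFC 3849 documentation addresses, example.com/.net names) that
mirrors the shape of the headers posted in this thread; INTERNAL_NETS is this
example's own choice of what counts as the recipient's internal network.
"""
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional, Tuple

# Constructed sample, newest hop first, as a mail client displays it.
SAMPLE_HEADERS = """\
Return-Path: <sender@example.com>
Received: from mx-internal.example.net ([10.0.0.5])
    by mailstore.example.net with LMTP
    id abc123
    (envelope-from <sender@example.com>)
    for <victim@example.net>; Wed, 30 Aug 2023 16:26:16 +0000
Received: from mail-relay.example.com ([IPv6:2001:db8::25])
    by mx-edge.example.net with ESMTP id xyz789;
    Wed, 30 Aug 2023 16:26:15 +0000
Received: by mail-relay.example.com with SMTP id 1234
        for <victim@example.net>; Wed, 30 Aug 2023 09:26:14 -0700 (PDT)
Authentication-Results: mx-edge.example.net;
    dkim=pass header.d=example.com header.b=AbCdEf12
From: "District Director" <sender@example.com>
Subject: Re: Toastmasters D53

"""

# RFC 1918, loopback, link-local and ULA ranges. Python's is_global/is_private
# would also flag documentation ranges, so the check is spelled out here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"(?:^|\s)by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")
DKIM_RE = re.compile(r"dkim=(\w+)(?:\s+header\.d=([^\s;]+))?")


@dataclass
class Hop:
    from_host: Optional[str]  # host that handed the message over (None for a local submission)
    ip: Optional[str]         # address the receiving server actually saw in the [brackets]
    by_host: Optional[str]    # server that added this Received line
    date: Optional[str]       # timestamp after the final ';'


@dataclass
class Trace:
    hops: List[Hop]                        # chronological: oldest hop first
    origin: Optional[Hop]                  # first hop with an address outside INTERNAL_NETS
    dkim: List[Tuple[str, Optional[str]]]  # (result, signing domain) per Authentication-Results


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_hop(value: str) -> Hop:
    text = " ".join(value.split())  # unfold continuation lines
    m_from = FROM_RE.search(text)
    m_by = BY_RE.search(text)
    m_ip = IP_RE.search(text)
    date = text.rsplit(";", 1)[1].strip() if ";" in text else None
    return Hop(m_from.group(1) if m_from else None,
               m_ip.group(1) if m_ip else None,
               m_by.group(1) if m_by else None, date)


def trace(raw_headers: str) -> Trace:
    msg = message_from_string(raw_headers)
    # Each relay prepends its own Received line, so reversing gives the true order.
    hops = [parse_hop(v) for v in reversed(msg.get_all("Received") or [])]
    origin = next((h for h in hops if h.ip and not is_internal(h.ip)), None)
    dkim = []
    for ar in msg.get_all("Authentication-Results") or []:
        dkim.extend(DKIM_RE.findall(" ".join(ar.split())))
    return Trace(hops, origin, [(r, d or None) for r, d in dkim])


def report(t: Trace) -> List[str]:
    lines = [f"{i}: {h.from_host or '(local submission)'} [{h.ip or '-'}] -> {h.by_host} @ {h.date}"
             for i, h in enumerate(t.hops)]
    if t.origin:
        lines.append(f"entered from: {t.origin.from_host} [{t.origin.ip}]")
    for result, domain in t.dkim:
        lines.append(f"dkim={result} signed by {domain or '?'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(trace(SAMPLE_HEADERS))))
```

Read against the headers Pam and Norm posted, the same walk ends at a google.com relay handing the message to the recipient's provider, with dkim=pass for header.d=gmail.com. That is consistent with a Gmail account sending under a borrowed display name rather than with FTH's forwarders being involved, which is why blocking the sending address, as Pam did, is the relevant control here.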
Norm Thib (Topic Author, New Member)

Re: FTH Hacked?

2 years 2 months ago
#91296
Hi Brian. When you say, "We will need all the email addresses involved.", do you mean all the email addresses the messages went to, where they came from, or both? We are compiling that info, but it's still evolving. If you can tell me how to pull a full internet header from an email in Outlook, I can do that and post it here.
SteveTheTechie (Administrator)

Re: FTH Hacked?

2 years 2 months ago
#91297
Norm Thib (Topic Author, New Member)

Re: FTH Hacked?

2 years 2 months ago
#91298
Here's the email header for the copy of this scam email that I received.

Received: from resimta-c1p-044827.sys.comcast.net ([96.102.18.162])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by dovpxy-asa-07o.email.comcast.net with LMTPS
    id 2NnYEFZt72RuZQAA7yuOaA:T33
    (envelope-from <livcg781@gmail.com>)
    for <normthibd53@comcast.net>; Wed, 30 Aug 2023 16:26:16 +0000
Received: from dovpxy-asa-07o.email.comcast.net ([96.102.18.162])
    by dovdir1-asb-06o.email.comcast.net with LMTP
    id 2NnYEFZt72RuZQAA7yuOaA:T33:P1
    (envelope-from <livcg781@gmail.com>)
    for <normthibd53@comcast.net>; Wed, 30 Aug 2023 16:26:16 +0000
Received: by mail-oo1-xc36.google.com with SMTP id 006d021491bc7-573921661a6so1893172eaf.1
        for <NormThibD53@comcast.net>; Wed, 30 Aug 2023 09:26:16 -0700 (PDT)
Received: from mail-oo1-xc36.google.com ([IPv6:2607:f8b0:4864:20::c36])
    by resimta-c1p-044827.sys.comcast.net with ESMTP
    id bO0NqVY6JL2aUbO1IqoFI1; Wed, 30 Aug 2023 16:26:16 +0000
Received: from dovdir1-asb-06o.email.comcast.net ([96.102.18.162])
    by dovback1-asb-23o.email.comcast.net with LMTP
    id 2NnYEFZt72RuZQAA7yuOaA:T33:P1:P1
    (envelope-from <livcg781@gmail.com>)
    for <normthibd53@comcast.net>; Wed, 30 Aug 2023 16:26:16 +0000
From: "Patti Walter" <livcg781@gmail.com>
To: <NormThibD53@comcast.net>
References: <CAJ9bX9KC0WBEGi6925JKLQWTaCuAvMsYXM8xRGf9NAzXpQEkmA@mail.gmail.com> <6fe601d9db5d$f2775a90$d7660fb0$@comcast.net> <702b01d9db5e$8a959d50$9fc0d7f0$@comcast.net>
In-Reply-To: <702b01d9db5e$8a959d50$9fc0d7f0$@comcast.net>
Subject: Re: Toastmasters D53
Date: Wed, 30 Aug 2023 12:26:01 -0400
Message-ID: <CAJ9bX9KT1gseQtT5Gr31uBj2Q1-Od=4Wh9cOLP8LA7bW+=v_4A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_8F95_01D9DCAF.F43BAF40"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJQ4Lfx0tYLzCou/xBN8WUwqpCUTgJIo0KkAexSiTYCnVA+UAJWoYoV
X-CAA-SPAM: N00000
X-Xfinity-Message-Heuristics: IPv6:Y;TLS=1;SPF=1;DMARC=P
X-Comcast-SMTP-Spoor: gmail.com mail-oo1-xc36.google.com
Authentication-Results: resimta-c1p-044827.sys.comcast.net;
    dkim=pass header.d=gmail.com header.b=Ii7GrGt3
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1693412774; x=1694017574;
        h=to:subject:message-id:date:from:in-reply-to:references:mime-version
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=odMdQQUMg0dDK94H8XQSY7PAjUlTEyb4N09xkF3H0KI=;
        b=RS0CVH7IRXx9kZs/D1ge8zJCcLgetyNYY5d7ghnu4XVJdeVA7XCctUrC9MCCEKctv/
         4gH6r63zzCMFLABIzeKoPPkJt/8n7jGAOBuna3bo76ZRYS090UQhpL9+sqQME5iVeVaV
         PuzDwlM0pbeAndYOOl1rl+BVKLjcgmtNXdN9sTSFzpzwDr55Ej/WF+GLE+xpWkFyglY4
         k//jj3Q8sXs98Bj24EZKz2RNn9nmeI0rtd9x+Ah6hzhz1pz0wmnES69tKPakIwJf812w
         B1lrcmrosp132nAnHp3GpU50xw++z4OcPgM0vYEBDzEju0AuxTxUTt3AENh+UWBrE5d0
         j08A==
X-Gm-Message-State: AOJu0YzjaaTSKWWwg9Z9mSkTtRpsQhYhkCvEbxMsL8l0A3DOwtLo3zcb
    6cdyuuW10CjaPL/4NuUP9InTFrba7PUwtF/k/y1kYIk72UmjWHDe
X-Google-Smtp-Source: AGHT+IGt7U7yd7iRUZyI0Ys1paFVGwaXZLmuMKo12iQx6KAq7qUskPKU1TqEixrJUc45rRSBUJpWUI1jEWgyVJfDZQY=
X-Received: by 2002:a4a:3906:0:b0:573:2312:b3 with SMTP id m6-20020a4a3906000000b00573231200b3mr2490756ooa.4.1693412774509;
 Wed, 30 Aug 2023 09:26:14 -0700 (PDT)
X-Authority-Analysis: v=2.4 cv=aaFyIDkt c=1 sm=1 tr=0 ts=64ef6da8
 cx=a_idp_d:c_cmc a=apO4Jz+JpkGLDAx5XOUz4Q==:617 a=xqWC_Br6kY4A:10
 a=UttIx32zK-AA:10 a=x7bEGLp0ZPQA:10 a=ixW7G_Bc7fEA:10
 a=fkM0ParRM7wskk_-ks0A:9 a=QEXdDO2ut3YA:10 a=zgiPjhLxNE0A:10
 a=rOybSG12uDXcgM4SwsQA:9 a=wwAePvBONnjDQaqHVNx2:22 a=7PlhcU7xGnINJ2miruxK:22
 