System Sending Fake PMs

My users are receiving fake PM notifications. i'm trying to determine if this is someone fishing for the admin password or if the PMS has gone insane.

i had to turn off email notification of receiving PMs because so many of my users were complaining about receiving these fake notifications. When i turned off email notification... the fake messages stopped.

i'm calling them fake because:
- They don't refer to messages actually sent. For instance Alan receiving a notification of a message from Bob when Alan didn't send that message.
- REAL PMs bear a link to the home page and contain the entire message.

Is UddeIM creating these messages? Is this a hacker trying to trick someone into entering an admin password?

Please help!

Fake Messages look something like this:

Return-path: <fora@0-o.me>
Received: from gotrus1 by cl157.justhost.com

with local (Exim 4.69)
(envelope-from <fora@0-o.me>)
id 1RxPCR-0004ji-Tz
for gotrus1@gotr.us; Tue, 14 Feb 2012 14:42:07 -0600
To: gotrus1@gotr.us
Subject: A new private message has arrived from Ghosts of the Revolution
Date: Tue, 14 Feb 2012 14:42:07 -0600
From: Nihil <fora@0-o.me>
Reply-to: Nihil <fora@0-o.me>
Message-ID: <253609e75c6f3d38845051fd03be3233@gotr.us>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net

)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="utf-8"

Please log in to gotr.us/administrator/index.php?option=com_messages&view=message&message_id=426

to read your message.

Real messages look like this:

Hi Nihil,

shinything has sent you the following private message at Ghosts of the Revolution. Please log in to reply!

gotr.us


__________________
** contents of the PM **

Maybe your users get "forget me not" messages?

These are sent when unread messages are present in the inbox for a certain period of time.

slabbi wrote: Maybe your users get "forget me not" messages.

These are sent when unread messages are present in the inbox for a certain period of time.

Does the Forget Me Not notice link to the admin part of the site? Is that the text of a FMN notice? If so, i'd like to change it.

It seems unlikely, because the messages are coming "from" someone who never sent a PM to the receiver. i have FMN set for 14 days. i'll set it for 7 days and see what happens when i resume sending notifications. i can test this by sending a PM to a test account.

Sounds like you've never heard of hackers spoofing PMs to get admin passwords. So that's encouraging.

Thank you!

My users are getting these notices again. i'm pretty sure these are not "Forget Me Not" notifications. If they were, there would be a corresponding PM in the inbox.

It's looking more like phishing or the PM system has gone insane.

The install is up to date.

What should i do next?

The "from" address shouldn't be the email account of a user. i've changed the domain to "something". The user in question sent me a PM the day before, but i receive the usual notification and read the message before this email was generated. She didn't send me a PM after that.

Delivered-To: fora@0-o.me
Received: by 10.229.190.141 with SMTP id di13csp143997qcb;
Mon, 20 Feb 2012 20:06:49 -0800 (PST)
Received: by 10.50.34.202 with SMTP id b10mr13797232igj.2.1329797208633;
Mon, 20 Feb 2012 20:06:48 -0800 (PST)
Return-Path: <joant@something.org>
Received: from cl157.justhost.com (cl157.justhost.com. [173.236.37.218])
by mx.google.com with ESMTPS id ug6si244711icb.126.2012.02.20.20.06.48
(version=TLSv1/SSLv3 cipher=OTHER);
Mon, 20 Feb 2012 20:06:48 -0800 (PST)
Received-SPF: neutral (google.com: 173.236.37.218 is neither permitted nor denied by domain of joant@something.org) client-ip=173.236.37.218;
Authentication-Results: mx.google.com; spf=neutral (google.com: 173.236.37.218 is neither permitted nor denied by domain of joant@something.org) smtp.mail=joant@something.org
Received: from gotrus1 by cl157.justhost.com with local (Exim 4.69)
(envelope-from <joant@something.org>)
id 1Rzh04-0003Oy-7y
for fora@0-o.me; Mon, 20 Feb 2012 22:06:48 -0600
To: fora@0-o.me
Subject: A new private message has arrived from Ghosts of the Revolution
Date: Mon, 20 Feb 2012 22:06:48 -0600
From: Shiny Thing <joant@something.org>
Reply-to: Shiny Thing <joant@something.org>
Message-ID: <9fec185dc93d8cd86c8fdba69d2f7bac@gotr.us>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="utf-8"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cl157.justhost.com
X-AntiAbuse: Original Domain - 0-o.me
X-AntiAbuse: Originator/Caller UID/GID - [763 32003] / [47 12]
X-AntiAbuse: Sender Address Domain - something.org
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/gotrus1/public_html/index.php
X-Source-Dir: gotr.us:/public_html

Please log in to gotr.us/administrator/index.php?option=com_messages&view=message&message_id=486 to read your message.

After I checked your message again I saw that there is a PHPmailer and X-Priority line.

UddeIM does not add these header lines but
"Organization: "
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) Gecko/20070728 Thunderbird/2.0.0.6"

So it seems that really someone is sending fake messages. But it does not make sense to add "Please log in to gotr.us/administrator/index.php?option=c...e&message_id=426" since even when the user uses this link to log on he reaches the correct system (gotr.us) and not a fake page that tries to gather user credentials. And uddeIM does not use an Link to the administration page in its links.

Do you use a 3rd party component that also uses uddeIM to send messages? There are several (CB, Autowelcome, Kunena Forum, Autouserpoints and so on). Maybe this component is not configured correctly?

It is the first time I hear about this. Please keep me informed.

Yeah, it's pretty strange. i'd rather not switch PM systems or deactivate notifications.