There has been a spam wave today to the BAC members. This is not from compromised emails or sites, but somebody got a hold of the throwaway alias we use to send group emails for things like BACFire.


Short Version

The short explanation is that these people do not have your individual email, only the BAC alias. That alias has been fixed, so no more spam is coming.

For a little more detail: the alias normally changes once a month and was only used for the Survey and BACFire in the last week. Most of the spam messages reference majordomo.

I don’t need to see them; you can just delete them. The problem has been fixed, and after this email is processed we’ll close the group aliases completely for now. Sorry for the wave of spam, but it should be resolved.

If you replied or clicked links, no worries: unlike most spam, the links and reply address are valid and do in fact point to the California ARB server.

You can still do the survey, the link is still valid.

For now all group aliases other than the admin/help aliases have been disabled until further notice.


Long Version

This was not a typical spam attack. The spam came from a real, legitimate mail list server at the California Air Resources Board. These were “real” emails confirming subscription and then un-subscription to one of their email lists. They host almost 200 mail lists in total.

Their server is poorly configured in that it allows anyone to subscribe any email address. The address that was used was the current temporary alias used to send this month’s BACFire and the Survey Monkey invite. This alias is changed monthly and disabled most of the time, but it was active to send the Survey Monkey invite and a planned follow-up for today.

Each mail list has a unique code, but the site allows you to subscribe to everything in a single form submission. What is odd is that there is no value in this for traditional spam: they can’t send anything or get responses. This was pure digital vandalism. Whether it was aimed at the club or was a general “drive by” is hard to say. The alias in question was not distributed widely and was not known to the general membership. However, it would have been easy enough to guess for someone with access to current or former members’ emails, as variations of the alias were disclosed in some previous emails. A quick recheck (we check periodically) shows that these aliases are not listed on the site anywhere; they only exist in the email server configuration (which is not even reachable by the web server). So somebody either had a very lucky guess, had access at random, or intercepted one of the 2-3 emails to members over the last couple of years that was sent incorrectly with the alias visible and, using the similar format, made a successful guess.
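As an added illustration (not the club’s, the ARB’s or majordomo’s code), here is a toy model in Python of the two subscribe behaviours described above: the open form that mails the target once per list requested, beside a confirmed opt-in version that throttles on the target address and grants membership only when the token comes back. The list names, the victim address and the limits are constructed for the example.

```python
import secrets
import time
from collections import defaultdict

class ListServer:
    """Toy list-server front end, constructed for illustration (not majordomo's code).
    confirm=False: any address typed into the form is subscribed and mailed once per list.
    confirm=True: one confirmation mail per address, membership only on token return."""
    def __init__(self, lists, confirm, per_address_limit=1, window=3600):
        self.lists, self.confirm = list(lists), confirm
        self.limit, self.window = per_address_limit, window
        self.outbox = []                 # (recipient, subject) of every mail "sent"
        self.recent = defaultdict(list)  # address -> times a confirmation went out
        self.members = defaultdict(set)  # list name -> confirmed addresses
        self.pending = {}                # token -> (address, requested lists)

    def subscribe(self, address, requested, now=None):
        """Handle one form submission; return the number of mails sent to `address`."""
        now = time.time() if now is None else now
        if not self.confirm:
            for name in requested:
                self.members[name].add(address)
                self.outbox.append((address, f"Welcome to {name}"))
            return len(requested)
        # Throttle on the target address, not the requester: the target never asked.
        stamps = self.recent[address] = [t for t in self.recent[address] if now - t < self.window]
        if len(stamps) >= self.limit:
            return 0
        token = secrets.token_urlsafe(32)  # unguessable, single-use
        self.pending[token] = (address, set(requested))
        stamps.append(now)
        self.outbox.append((address, "Confirm your subscription"))
        return 1

    def confirm_token(self, token):
        entry = self.pending.pop(token, None)  # single use: pop, never get
        if entry is None:
            return False
        address, requested = entry
        for name in requested:
            self.members[name].add(address)
        return True

def simulate(confirm, n_lists=200, attempts=5):
    server = ListServer((f"list-{i}" for i in range(n_lists)), confirm)
    victim = "group-alias@example.org"  # constructed sample address, submitted by someone else
    for k in range(attempts):
        server.subscribe(victim, server.lists, now=1000.0 + k)
    return len(server.outbox)
```

With 200 lists and five form submissions, the open server mails the target 1000 times while the confirmed version sends a single confirmation and nothing more until the window expires.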

That being said, I’ve had some contact with the ARB, as their server was used to send about 50,000 emails to our members (we did stop maybe a third that were still queued on the site), and they are deciding whether to investigate further on their end.

For now all group aliases other than the admin/help aliases have been disabled until further notice.

Thank you for adding to the resources available for your Fellow BAC Members.