11 Replies Latest reply on Jun 22, 2011 12:22 PM by Robert Dell'Immagine

    Qualys Community Spam?

    Chirag Desai Level 2

      Er...Irony at its best? Spam within the Qualys Community.

      Screen shot 2011-06-12 at 2.02.27 PM.png

        • Qualys Community Spam?
          randamw Level 1

          I received one of those too. From the same address.

          • Qualys Community Spam?
            qualyschris Level 3

            Hey guys,

             

            I got one too; we're looking into it.

             

            Thanks,

            :Chris

            • Qualys Community Spam?
              Arnold Murphy Lurker

              Could this be spear phishing for passwords, the login was a little rough through the link. I am resetting my password, and suggest everyone look for any non-authorized usage of their Qualys scanning accounts, this may be the objective, to gain access to other accounts through a spear phishing campaign looking for common passwords using a cross site script or a fake login.

              • Qualys Community Spam?
                Robert Dell'Immagine Level 5

                Thank you for reporting this.  I (the Qualys Community administrator) also received this spam this morning, and I immediately deleted the account that sent it (which also deleted the message).

                 

                Bob, you got the error because I deleted the user and the spam message. So if you (or anyone else) click the notification, you will get this error message because the spam message is no longer in the system.

                 

                Arnold, I do not believe this is a spearphishing attack. Here's what I believe happened.  An actual person (not an automated system) created a Qualys Community account in the exact same way as every Qualys Community member has done. This person then sent a private message to a large number of other accounts on the system, again using the same mechanism a legitimate member would use.  Well, I supposed if someone did reply to the message and sent their real email address, that could put them at risk, but presumably anyone but the most naive user would not reply to the email.

                 

                The best solution I can think of is to limit the number of addresses in a private message to some low number, say 5, and then it become more difficult for spammers to send this type of spam.  I have requested this feature (unfortunately it is currently possible to limit the number of recipients).

                 

                Again, thank you for reporting this.  And I apologize for any disruption or inconvenience this has caused.

                 

                Regards, Robert

                 

                Robert Dell'Immagine

                Director of Community, Qualys

                • Qualys Community Spam?
                  Robert Dell'Immagine Level 5

                  Hello All,

                   

                  I'm considering the following changes: limit the number of recipients on the distribution list to something low like 5, and limit the number of private messages that can be sent from new accounts (less than 1 week old, for example).

                   

                  The private message spam I have seen always comes from new accounts, and legitimate use of PMs generally doesn't include large distribution lists. So these two restrictions should impact the ability of spammers to send PM spam without inconveniencing community members.

                   

                  Other options considered included a captcha, but this inconveniences all community members and would not prevent spam sent by an actual person. A 'mark as spam' button won't prevent spam, and community members will still get the email notification, even if the link to the spam is disabled.

                   

                  Please feel free to comment here on this topic. In the meantime, we're starting work on the two above limits, and I hope to have them deployed by the end of June.

                   

                  Thanks, Robert