Could this be spear phishing for passwords, the login was a little rough through the link. I am resetting my password, and suggest everyone look for any non-authorized usage of their Qualys scanning accounts, this may be the objective, to gain access to other accounts through a spear phishing campaign looking for common passwords using a cross site script or a fake login.
Thank you for reporting this. I (the Qualys Community administrator) also received this spam this morning, and I immediately deleted the account that sent it (which also deleted the message).
Bob, you got the error because I deleted the user and the spam message. So if you (or anyone else) click the notification, you will get this error message because the spam message is no longer in the system.
Arnold, I do not believe this is a spearphishing attack. Here's what I believe happened. An actual person (not an automated system) created a Qualys Community account in the exact same way as every Qualys Community member has done. This person then sent a private message to a large number of other accounts on the system, again using the same mechanism a legitimate member would use. Well, I supposed if someone did reply to the message and sent their real email address, that could put them at risk, but presumably anyone but the most naive user would not reply to the email.
The best solution I can think of is to limit the number of addresses in a private message to some low number, say 5, and then it become more difficult for spammers to send this type of spam. I have requested this feature (unfortunately it is currently possible to limit the number of recipients).
Again, thank you for reporting this. And I apologize for any disruption or inconvenience this has caused.
Director of Community, Qualys
I'm considering the following changes: limit the number of recipients on the distribution list to something low like 5, and limit the number of private messages that can be sent from new accounts (less than 1 week old, for example).
The private message spam I have seen always comes from new accounts, and legitimate use of PMs generally doesn't include large distribution lists. So these two restrictions should impact the ability of spammers to send PM spam without inconveniencing community members.
Other options considered included a captcha, but this inconveniences all community members and would not prevent spam sent by an actual person. A 'mark as spam' button won't prevent spam, and community members will still get the email notification, even if the link to the spam is disabled.
Please feel free to comment here on this topic. In the meantime, we're starting work on the two above limits, and I hope to have them deployed by the end of June.