Anyone else get this Failed Login Notification message from vcforum ?

Ragooman

Experienced Member
Joined
Apr 27, 2005
Messages
162
Location
Pittsburgh,PA
Anyone else get this warning message from vcforum ?
Some kind of phishy business going on
The IP Addr belongs to this website---> Tor Project: Anonymity Online http://209.126.110.113/

Code:
Failed Login Notification

Someone has tried to log into your account on The Vintage Computer Forums with an incorrect password at least 5 times. 
This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 209.126.110.113

All the best,
The Vintage Computer Forums
 
It's SPAM for a program called TOR - professes to give you anonymity while on-line. Could be legit, don't know. Google their address (209.126.110.113) and check it out for yourself.
 
I sent a message directly to Erik Klein about this - waiting for his reply still
And you don't need to google that ip addr, it takes you straight to their website
Also, I wouldn't call it spam if Erik can confirm the login attempts

The email header sure does look like it originated from vcforum.
This is an example of the email header from the reply to this thread:
Code:
Delivered-To: ragooman@gmail.com
Received: by 10.96.189.72 with SMTP id gg8csp601227qdc;
        Sat, 11 Jul 2015 09:21:34 -0700 (PDT)
X-Received: by 10.60.178.33 with SMTP id cv1mr23369808oec.11.1436631694139;
        Sat, 11 Jul 2015 09:21:34 -0700 (PDT)
Return-Path: <webmaster@vintage-computer.com>
Received: from vintage-computer.com (static-162-208-84-225.d.awsrdns.net. [162.208.84.225])
        by mx.google.com with ESMTPS id u65si9289183oib.67.2015.07.11.09.21.33
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 11 Jul 2015 09:21:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of webmaster@vintage-computer.com designates 162.208.84.225 as permitted sender) client-ip=162.208.84.225;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of webmaster@vintage-computer.com designates 162.208.84.225 as permitted sender) smtp.mail=webmaster@vintage-computer.com;
       dkim=pass header.i=@vintage-computer.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=vintage-computer.com; s=default;
	h=Subject:Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:From:To:Date; bh=clgTfH9SZ32VwEFlPJzZ3s//TaJOtCsgfZ5Bjk/7ldE=;
	b=jnCvPcd+pni0HrQ/1HaXdx6JOzY2Fdzw6LQn1UL0yT3u9cl6jFbtxm/K0XuoIXeGCpIotbI6ULXKq/FEiQpIrbNwm698i5vjXD2B7sHr9HnKSm+ORDDEvcsHaKB2X94Okg1pibpClS/mItOVITRy5Jg5Xv6JTFn7X0EdqWccFbA=;
Received: from zeta.urljet.com ([162.208.84.200]:53917)
	by zeta.urljet.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.85)
	(envelope-from <webmaster@vintage-computer.com>)
	id 1ZDxWs-0001V7-9A
	for ragooman@gmail.com; Sat, 11 Jul 2015 11:21:30 -0500
Date: Sat, 11 Jul 2015 16:21:30 +0000
To: ragooman@gmail.com
From: "The Vintage Computer Forums" <webmaster@vintage-computer.com>
Auto-Submitted: auto-generated
Message-ID: <20150711161331.5bead4d98581@www.vintage-computer.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Subject: Reply to thread 'Anyone else get this Failed Login Notification message from vcforum ?'
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - zeta.urljet.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - vintage-computer.com
X-Get-Message-Sender-Via: zeta.urljet.com: authenticated_id: vcforum@vintage-computer.com

and this is the email header from that warning message
Code:
Delivered-To: ragooman@gmail.com
Received: by 10.96.189.72 with SMTP id gg8csp1045530qdc;
        Thu, 9 Jul 2015 19:53:08 -0700 (PDT)
X-Received: by 10.202.93.66 with SMTP id r63mr272972oib.5.1436496788113;
        Thu, 09 Jul 2015 19:53:08 -0700 (PDT)
Return-Path: <webmaster@vintage-computer.com>
Received: from vintage-computer.com (static-162-208-84-225.d.awsrdns.net. [162.208.84.225])
        by mx.google.com with ESMTPS id z9si5664375oey.5.2015.07.09.19.53.07
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 09 Jul 2015 19:53:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of webmaster@vintage-computer.com designates 162.208.84.225 as permitted sender) client-ip=162.208.84.225;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of webmaster@vintage-computer.com designates 162.208.84.225 as permitted sender) smtp.mail=webmaster@vintage-computer.com;
       dkim=fail header.i=@vintage-computer.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=vintage-computer.com; s=default;
	h=Subject:Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:From:To:Date; bh=hIQLnIgrvgO2xK+BE+cfTwAfEXJFswqjY4leQDt4z1Q=;
	b=THj1ZNTAD1js5C5SiUcrzqaYgkLUbOsYBcRX528fJYvoav/oxnCUTcvggM41LNrVc79sUp+uPn+y0ua713a62nezS2o+O72S9UEd2xryweEEIY3v8UWv5KPsAJx3VTWtYkD5DUH2WFkRguPjQl4umDq7MJufoX1Cf8tsLBzvmd0=;
Received: from zeta.urljet.com ([162.208.84.200]:52158)
	by zeta.urljet.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.85)
	(envelope-from <webmaster@vintage-computer.com>)
	id 1ZDOQx-0001nF-Jn
	for ragooman@gmail.com; Thu, 09 Jul 2015 21:53:03 -0500
Date: Fri, 10 Jul 2015 02:53:03 +0000
To: ragooman@gmail.com
From: "The Vintage Computer Forums" <webmaster@vintage-computer.com>
Auto-Submitted: auto-generated
Message-ID: <20150710025303.501e72408930@vintage-computer.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Subject: Failed Login Notification on The Vintage Computer Forums
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - zeta.urljet.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - vintage-computer.com
X-Get-Message-Sender-Via: zeta.urljet.com: authenticated_id: vcforum@vintage-computer.com
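
As an added example (not part of the original posts), the comparison these two header dumps invite can be done mechanically: the Python below reads the receiver-stamped Authentication-Results and the topmost Received header from abridged copies of both messages and reports which fields differ. The function names and the abridged header template are assumptions made for illustration.

```python
import re
from email import message_from_string

# Abridged from the two header dumps quoted in the post above. In this abridged
# form only the DKIM verdict and the Subject differ between the two messages.
TEMPLATE = """\
Received: from vintage-computer.com (static-162-208-84-225.d.awsrdns.net. [162.208.84.225])
        by mx.google.com with ESMTPS
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of webmaster@vintage-computer.com designates 162.208.84.225 as permitted sender) smtp.mail=webmaster@vintage-computer.com;
       dkim={dkim} header.i=@vintage-computer.com
Received: from zeta.urljet.com ([162.208.84.200])
        by zeta.urljet.com with esmtpsa (Exim 4.85)
X-Get-Message-Sender-Via: zeta.urljet.com: authenticated_id: vcforum@vintage-computer.com
Subject: {subject}

"""
REPLY_NOTICE = TEMPLATE.format(dkim="pass", subject="Reply to thread")
LOGIN_WARNING = TEMPLATE.format(dkim="fail", subject="Failed Login Notification")


def summarize(raw):
    """Pull the receiver's verdicts and the delivery path out of raw headers."""
    msg = message_from_string(raw)
    # Only read the Authentication-Results stamped by the receiving MTA itself.
    auth = next(h for h in msg.get_all("Authentication-Results", [])
                if h.strip().startswith("mx.google.com"))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    # The topmost Received header is the hop the receiver wrote; lower ones are sender-supplied.
    top_hop = msg.get_all("Received")[0]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top_hop)
    return {
        "spf": verdicts.get("spf"),
        "dkim": verdicts.get("dkim"),
        "connecting_ip": m.group(1) if m else None,
        "authenticated_id": (msg["X-Get-Message-Sender-Via"] or "").rsplit(": ", 1)[-1],
    }


def differing_fields(a, b):
    """Names of the summary fields on which two messages disagree."""
    sa, sb = summarize(a), summarize(b)
    return sorted(k for k in sa if sa[k] != sb[k])


if __name__ == "__main__":
    print(summarize(LOGIN_WARNING))
    print("differs on:", differing_fields(REPLY_NOTICE, LOGIN_WARNING))
```
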
 
I just did a google search using another angle
"209.126.110.113 fail login attempt"
And I see numerous reports of failed login attempts on various forums, servers, etc.

This post has some more insight about this
Apparently, that Tor server was used as a "gateway" to send the attacks - from where, who knows.
https://groups.google.com/forum/#!topic/comp.os.linux.advocacy/cTXTtY57SjM

Nothing new of course, just curious since it happened to me.
And this excludes the unknown amount of failed login attempts on our bank accts, insurance accts, etc.
 
Apparently, that Tor server was used as a "gateway" to send the attacks - from where, who knows.

And that's the idea of Tor--who knows where this came from--Tor proxies through at least two other servers, sometimes in Europe, sometimes elsewhere. Tor is legit, but some nogoodnik is using a Tor relay to try to attack you!

I would just make sure all my passwords were changed to something REAL tight&random--something NOBODY can guess... And hope they finally go away!
gwk
 
And that's the idea of Tor--who knows where this came from--Tor proxies through at least two other servers, sometimes in Europe, sometimes elsewhere. Tor is legit, but some nogoodnik is using a Tor relay to try to attack you!

I would just make sure all my passwords were changed to something REAL tight&random--something NOBODY can guess... And hope they finally go away!
gwk

I suspected as much, just wasn't sure.
Heard back from Erik Klein, he confirmed this too
 
I just got this today.

Dear dan951,

Someone has tried to log into your account on The Vintage Computer Forums with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 46.165.223.217

All the best,
The Vintage Computer Forums
 
I got one about an hour ago. At least the board is doing a good job of keeping the bot(s) or spammers out. All they probably wanna do is post BS URLs. It's not like anybody does their banking here. :) I guess if they get into your PMs they might be able to harvest a few valid email addys.
 
Bumping this back up. I just got 2 e-mails saying that someone tried to log in to my account, and the IP address listed in each e-mail was very different from one another.

Took the opportunity to change my PW to something MUCH longer and harder to crack.
 