STDCarriers.com Mail Server Hacked by Spammers

If you received an email that said it was from "John Wagner" at STDCarriers.com it did not come from us. Spammers hacked the STDCarriers.com mail server and used it to send tens of thousands of emails with the subject line "Attention Funds Beneficiary" on September 18, 2019 and continued until the vulnerability was fixed on September 20, 2019. The attack immediately followed an announcement sent to registered members of the website on September 18th. 



The timing of this attack leads us to believe that a member of a hacking group that had jacked the server in 2011 has an account with us and was most likely doing this to stop us from letting our members know that the site is back online. To their credit it worked. The site found itself on several anti-spam blacklists and is still blacklisted by some of the major email hosting providers including Microsoft and Google, so our sever cannot send email to addresses ending with Outlook.com, Hotmail.com, or Gmail.com. This not only keeps those people from finding out about the website. It also keeps people from sending messages to those members through the system and it keeps those members from being able to receive password reset emails. Time should correct this problem.



This problem was made possible due to a vulnerability in hMailServer that permits spoofed messages to be relayed if a box in hMailServer Administrator is not checked. Our administrator had never created a mail server using hMailServer before and did not know that not checking the box left the server vulnerable to this kind of thing. We apologize for this inconvenience but at the same time stress that hMailServer should do more to tell users that this could happen if that box is not checked. 



For more information see this report.









The body of the messages read something like: