Avoid getting your affiliate/member emails getting spammed. Promote programs using MPA3.
 

Many years ago we found that leaving emails in Affiliate Programs un-encrypted to be a real hazard. A program using MPA3 was hacked via another script placed on the MPA3 server of the client, and as a result their db got accessed.

The hackers wanted the email lists of both the affiliates as well as the members who had joined their paysites ? and the result was obvious.

To avoid such abuse, in case of a potential hacking incident, we have a firm belief that your email lists inside of the program/db MUST be encrypted. It is only in this way you can protect both your affiliates as well as your members from being exploited. As an affiliate you should check to see if the program you are promoting is using MPA3.
This is not always obvious, as MPA3 programs have the ability to look different from program to program, so be sure to ask the affiliate rep. if they are using MPA3. And if not ? tell them that they should do it to protect yourself and the members you send the programs way. Anyone/program owners that wants the strongest encryption possible can request private/public key encryption for the emails. We highly recommend it.

It is not just you, the affiliate, that is affected ? it is also the members you have worked so hard to get to sign up for the program you are promoting. If the hard earned members you get to sign up for a program is spammed after signing up ? rest assured that they will be even harder to get to sign up for another site again later.

So to summarize ? MPA3 has for many years encrypted the emails stored within an affiliate program to best protect the program owners from loss in the event of a security breach.

:2 cents: :thumbsup

lol, very timely!

Timely? I would say it has always been timely, and necessary. :)

I see what you did here :)

well wheres the list of programs?

I was just waiting for this.

x2 :winkwink:

x3
http://i173.photobucket.com/albums/w...-did-there.png

x3

.

If You are a program owner OR an affiliate - Email me to get first looks at the all new MPA3 V5 demo.

Demo will otherwise be publicly available shortly :-)

Very Nicely done.

Definitely an important feature.

Vultures. Fucking vultures, I tell you. :)

wow,justy wow! :)

striking while the iron is hot

everyone is now safe

OY is no fucking joke.

Is there a confirmed security issue inside NATS?

or is this the work of some rogue employee(s)?

i think nats4 encrypts emails, old nats i don't think does. the servers who's emails were compromised were probably hacked through 1 of 1000 different ways and there's many others that have probably been hacked and dont even know it and encrypting emails doesn't mean anything

Bingo. Best thing is to set up your firewall to only allow certain IP's access to the SQL file. Basic security fixes like that can go a long way.

My guess would be that WTF didn't hack anything. They probably just bought an email list. I get offers to buy different program's email list at least a couple of times a month.

EVERYTHING is for sale. :(

But anyway...a good hosting company would have already made sure your NATS database is secure. A few simple steps to lock it down against "average" hacking. (nothing will stop a good hacker of course...nothing)

firewall wont do anything in this case because they probably already get local access, but firewall in general is a good idea

you typically can't rely on hosts but some do a better job than others, but when there's a will there's a way

Oh yeah...if somebody good wants in...they can find a way for sure. But most GOOD hosting companies have guys who make sure your shit is as secure as possible (not talking about shit hosting).

Nobody wants a box hacked inside their network. It opens up the whole network to a possible problem.

Bottom line is it's up to you to get in touch with your hosting company and do everything you can to tighten up security and close any backdoors that might be open.

But again...most email lists are for sale by the program owners anyway. That used to be kinda valuable.
These days? Not so much. Everybody knows the handful of affiliates left with any traffic and ability to send sales. The tens of thousands of others are practically useless. lol

Hell, I used to be able to send a lot of traffic and sales. Spam me these days and get my info and I sign up...it ain't a big deal. :( You probably won't get shit for sales from me. And whatever company did it probably already has their content stolen and on every pirate site in the world for free anyway, making my job as an affiliate even harder. :( :(

Who really knows what the real story is. As I said, why go to the trouble of hacking when you can just buy the damn list for cheap. And even then, it isn't worth much.

Is Freeones an affiliate? Check.
Are you working social networks? Check.
Viral marketing. Check.

That pretty much covers it in 2012 unfortunately for paysite owners. :(

Security is really a specialized field and hosts can only do so much but if someone hacks a server they are also getting your members and other stuff. Emails are extra perk I think but all kinds of data is sold to all kinds of different people

The guys at Swiftwill are supposed to be pretty good.

I've had tons of discussions with Bill at Phantom Frog, my own guy who works for me, and the guys at Choopa (where I host). And we've implemented many, many security things that are helpful.

I've never been offered any other kind of data for sale other than emails. There isn't any credit card info that you can get (because it is never in your database to begin with).

And as I was saying earlier...the emails just aren't valuable anymore (affiliate emails that is...member emails are still valuable of course). Hell, 99.9% of the people getting spammed on GFY can't send any sales or traffic anymore if they wanted to thanks to what piracy has done to the business of selling paysite memberships. :(

But buying and selling data has always been done anyway.

I remember about 10 years ago I had first bought my subscription to "Spam Arrest" because I was getting thousands of emails a day to sell me viagra and diamonds, etc.

I was at the Sands Expo Center for Internext that year and told a program owner that I had just gotten Spam Arrest and how good it worked. He laughed and told me that his company had been offered their mailing list and the ability to be put on a permanent "safe" list so that their spam mails would always go through to everybody irregardless of their Spam Arrest settings. lol

I had no idea that kind of thing happened. But it was educational to me for sure.

"Anyone/program owners that wants the strongest encryption possible can request private/public key encryption for the emails. We highly recommend it."

I'll just quote myself here...

I guess emails are really only valuable thing to webmasters, maybe competitor information also, depending on the business

Clearly the affiliate information about who the best/traffic-wise/conversion ratios/links/adwords etc. are very valuable as well. That is why we take so much pride in ensuring the security of our MPA3 installs. And working together with the hosts is of the uttermost importance. :2 cents:

xxxx100:error

Happy we changed over to MPA 4months ago :)

Nice to have you guys. Always good to have companies like yours who are are doing serious business.

I have to add my input being a security guy. Using a key on the same server which is hacked to encrypt anything still doesn't solve a thing. A knowledgeable attacker will still be able to get access. There is no such thing as full encryption using a single server. :2 cents:

People eat spam in Hawaii. I think it tastes good

+1

If a field needs to be de-encrypted for use "in the clear" on say a profile form or for mailing out a sales notification, there's going to be some code which does the decryption, along with a key, located on the server. May make it a little harder to retrieve the emails, but certainly not impossible.

That's very true.

Plus, as I said earlier...why bother hacking when most of that data is up for sale by a lot of program owners for the last 15 years or more?

The only problem is:

1) too few use MPA
2) the ones that do that I've tried convert for shit.

I'd trade spam for cash any day of the week. I blocked wtfbucks.com in SpamArrest and haven't seen an email since.

You are right, the key needs to reside on another server than the one the program is hosted on. Now you have weeded out most every hacker on the planet. No key at all, or un-encrypted information is destined to be a hackers target. I am sure we can agree to that.

Use a 2 razor on sides and back and a 4 on the top. I'll shave at home thank you.

NATS already released a security patch for Nats 3 today, and they told their clients to patch asap and to enable encryption

Epitome - Tons of programs use MPA3, but you might not even know about is as it does not contain a "mpa3" tag in the linking codes, and you can choose to use any type of linking code you prefer. Secondly, I have no idea who you are and what you do - but your arbitrarily misleading and without proof comment about ratios, is laughable at best. Please stick to facts and not to gossip.

Wrong.
Wrong.

Have met only 1 hosting where that was the case, all other dont care about anything other then you hosting with them, and start to supposedly care when shit hits the fan and becomes public (eventho they knew about it prior to shit hitting the fan). Hypocrisy at it's finest.

Good to hear that. Years too late, but good that it is happening now.

Question, is it an option in Nats4 or obligatory?

I have a question...a couple of years back we encrypted the emails on our SQL database.
We use PhantomFrog for password protection...it immediately could no longer work.

Since it authenticates against the data base and checks for username and email in order to work...it fucked everything up.

So we unencrypted it again (we only encrypted it at the urging of the NATS techs to begin with).

Here is my question: How do you get around something like that if you have the emails encrypted?
We do a lot of other things in our members area at Claudia Marie (member profiles, etc.) that also depend on username/email to authenticate (not to mention two different members areas, one for affiliate joins and one for type ins that also require that info).

If a persons setup NEEDED to have the emails unencrypted...does MPA3 give them that option?

I got that too. That leads be to believe WTF was able to hack NATS3 for the data. Or it is one hell of a coincidence.

If a client requests that the emails are not encrypted - no problem.
But there is no need for that. Our integration with PhantomFrog is set
so that they contact an MPA3 script to change the member's password, and
MPA3 sends an email to the members notifying them that their password has
changed, and providing them the new password.

If public/private keys encryption is used, MPA3 can send a request to a
server where the private key is, and this other server can send the
email.

Or we can queue the emails that need to be sent in the MPA3 db, and
the server that has the private key can connect to the MPA3 db,
decrypt the addresses, and send the queued emails.

I feel much better now ...

That's a very nice set up! Thanks for the info. :)

Thanks Robbie.

I will hit you up this week to show you the all new MPA3 V5 demo - I am sure you will like what you see. :thumbsup