Email Security question: Hijacked email !!! was: [opensuse] Vista
Hi All, openSUSErs!
Help us - someone is hijacking an email account, and we have no idea how to protect ourselves!
Someone is sending spam emails using the accounts of members of this mailing list (namely, someone hijacked Ashish's email account).
How do we deal with this, and how can this happen?
Ashish:
It seems strange, but I believe you.
Simple reason: You have a gmail account, and *every* GMail user sees
your name and email, like "from Ashish Yadav
On Fri, August 8, 2008 10:58, Alexey Eremenko wrote:
Hi All, openSUSErs! Help us - someone is hijacking an email account, and we have no idea how to protect ourselves!
Someone is sending spam emails using account of the members of this mailing list. (namely someone hijacked Ashish's email account).
How to deal with this and how this can happen ?
Not hacked, spoofed. A trivial abuse of the SMTP protocol, commonly used by spammers.
-- Amedee
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Now: a question to our dear Open-Source community - how is this possible?
1. How is it possible for hijackers to hijack the mail source address?
*OK, you say SMTP spoof, but with the GMail web interface it is impossible to access the email RAW code, to see exactly what was changed.
2. How is it possible for GMail to distinguish between a real and a hijacked email? At which fields is GMail looking?
-- -Alexey Eromenko "Technologov"
Alexey Eremenko wrote:
Now: a question to our dear Open-Source community - how is this possible?
1. How is it possible for hijackers to hijack the mail source address?
*OK, you say SMTP spoof, but with the GMail web interface it is impossible to access the email RAW code, to see exactly what was changed.
2. How is it possible for GMail to distinguish between a real and a hijacked email?
At which fields is GMail looking?
Gmail and Yahoo pop/smtp mail have very nice headers.
Regards
Dave P
From - Fri Aug 8 11:09:51 2008
X-Account-Key: account2
X-UIDL: ABy9ktkAABHMSJwNEgbj+g9R6a0
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: dave.plater@yahoo.co.uk via 217.146.189.28; Fri, 08 Aug 2008 09:08:34 +0000
X-Originating-IP: [195.135.221.135]
Authentication-Results: mta145.mail.ukl.yahoo.com from=gmail.com; domainkeys=fail (bad sig)
Received: from 195.135.221.135 (EHLO lists4.suse.de) (195.135.221.135)
by mta145.mail.ukl.yahoo.com with SMTP; Fri, 08 Aug 2008 09:08:32 +0000
Received: from lists4.suse.de (localhost [127.0.0.1])
by lists4.suse.de (Postfix) with SMTP id CE4D55A2A19;
Fri, 8 Aug 2008 09:05:56 +0000 (GMT)
X-Original-To: opensuse@lists4.opensuse.org
Delivered-To: opensuse@lists4.opensuse.org
Received: from Relay2.suse.de (relay2.suse.de [149.44.160.89])
by lists4.suse.de (Postfix) with ESMTP id D1E835A2A13
for
Alexey Eremenko wrote:
Now: a question to our dear Open-Source community - how is this possible?
1. How is it possible for hijackers to hijack the mail source address?
*OK, you say SMTP spoof, but with the GMail web interface it is impossible to access the email RAW code, to see exactly what was changed.
2. How is it possible for GMail to distinguish between a real and a hijacked email?
At which fields is GMail looking?
Sheesh, why do you assume that the mail was sent via Gmail at all? Just look at the Received lines in the header and you will see that the mail was NOT sent via Google. That is exactly the crux of the problem. No account was hacked, just a mail address being used for a joe job. Happens all the time.
-- Sandy
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
On Fri, August 8, 2008 11:16, Sandy Drobic wrote:
Alexey Eremenko wrote:
Now: a question to our dear Open-Source community - how is this possible?
1. How is it possible for hijackers to hijack the mail source address?
*OK, you say SMTP spoof, but with the GMail web interface it is impossible to access the email RAW code, to see exactly what was changed.
2. How is it possible for GMail to distinguish between a real and a hijacked email?
At which fields is GMail looking?
Sheesh, why do you assume that the mail was sent via Gmail at all?
He's not assuming the email was sent via Gmail. He just wrote that the FROM-address was hijacked.
That is exactly the crux of the problem. No account was hacked, just a mail address being used for a joe job.
He's not claiming that a GMail account was hacked (I prefer "cracked").
Happens all the time.
I agree. As we say in Dutch: "een storm in een glas water"
-- Amedee
Amedee Van Gasse wrote:
I agree. As we say in Dutch: "een storm in een glas water"
The English is more colourful: "a storm in a teacup" :)
Cheers, Dave
"a storm in a teacup" You mean that I make too much noise out of nothing? he-he. right.
Maybe we can firewall the openSUSE mailing lists - check all incoming emails somehow? At least emails from GMail have some validation codes on them, unlike the spoofed emails.
-- -Alexey Eromenko "Technologov"
Alexey Eremenko wrote:
"a storm in a teacup" You mean that I make too much noise out of nothing? he-he. right.
Maybe we can firewall the openSUSE mailing lists - check all incoming emails somehow?
That is a problem that persists to frustrate a lot of postmasters. Basically you can sign all mails leaving a server and verify the signature on the receiving server. Unfortunately only very few servers have already implemented such a system like DKIM or even the older domain keys. Also questions like what should happen with forwarded emails are still not entirely solved.
In short words: unless signing all mails becomes mandatory nothing will be done.
-- Sandy
On 8/8/08, Sandy Drobic
Alexey Eremenko wrote:
"a storm in a teacup" You mean that I make too much noise out of nothing? he-he. right.
Maybe we can firewall the openSUSE mailing lists - check all incoming emails somehow?
That is a problem that persists to frustrate a lot of postmasters. Basically you can sign all mails leaving a server and verify the signature on the receiving server. Unfortunately only very few servers have already implemented such a system like DKIM or even the older domain keys. Also questions like what should happen with forwarded emails are still not entirely solved.
In short words: unless signing all mails becomes mandatory nothing will be done.
-- Sandy
All, I have not followed the details on this particular email, but ...
Google supports SPF and at least makes an attempt to ensure all sent email from their systems has an authorized from address. The problem here is that the recipient (i.e. the opensuse mailing list) is apparently not supporting SPF.
If the mailing list supported SPF, it would have gotten the list of authorized SMTP originators for gmail.com from the DNS server, then it would have seen that the spoofed email originated elsewhere and simply trashed it.
SPF is not perfect, but it's a big step up, and if we all used it then spoofing email would be much harder.
Greg
-- Greg Freemyer
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
First 99 Days Litigation White Paper - http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
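As an added illustration of the two checks discussed in this thread (Sandy's advice to read the Received chain, and Greg's description of how an SPF-aware receiver would reject the spoofed mail), here is a small Python example that is not from the thread or from any list software: it unfolds a header sample built from the lines Dave quoted, walks the relay chain oldest hop first, and evaluates a constructed SPF record against the connecting IP. The From: address and the DNS table are assumptions (documentation address ranges, not Google's real records).

```python
import ipaddress
import re

# Constructed sample built from the header lines quoted earlier in this thread;
# the From: address is a placeholder, not a real account.
RAW_HEADERS = """\
Received: from 195.135.221.135 (EHLO lists4.suse.de) (195.135.221.135)
 by mta145.mail.ukl.yahoo.com with SMTP; Fri, 08 Aug 2008 09:08:32 +0000
Received: from lists4.suse.de (localhost [127.0.0.1])
 by lists4.suse.de (Postfix) with SMTP id CE4D55A2A19;
 Fri, 8 Aug 2008 09:05:56 +0000 (GMT)
Received: from Relay2.suse.de (relay2.suse.de [149.44.160.89])
 by lists4.suse.de (Postfix) with ESMTP id D1E835A2A13
From: Ashish Yadav <placeholder-user@gmail.com>
"""
# Constructed SPF records using documentation address space; real records differ.
FAKE_DNS_TXT = {
    "gmail.com": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/25 ~all",
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def received_chain(raw):
    """Return (from_host, by_host) pairs, oldest hop first, after unfolding."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)   # join RFC 5322 continuation lines
    hops = []
    for line in unfolded.splitlines():
        m = re.match(r"Received: from (\S+).*?\bby (\S+)", line)
        if m:
            hops.append((m.group(1), m.group(2)))
    return list(reversed(hops))   # headers are prepended, so the last one is the oldest

def spf_check(domain, client_ip, dns, depth=0):
    """Minimal SPF evaluator (ip4 and include only): pass/fail/softfail/neutral/none."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUAL[qual]
        if term.startswith("include:") and spf_check(term[8:], client_ip, dns, depth + 1) == "pass":
            return "pass"
        if term == "all":
            return QUAL[qual]
    return "neutral"
```

The relay chain for the sample never touches a Google host, and the SPF evaluation of the oldest external hop against the gmail.com record returns softfail, which is what an SPF-checking list server would have acted on.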
On Fri, August 8, 2008 11:08, Alexey Eremenko wrote:
Now: a question to our dear Open-Source community - how is this possible?
1. How is it possible for hijackers to hijack the mail source address?
*OK, you say SMTP spoof, but with the GMail web interface it is impossible to access the email RAW code, to see exactly what was changed.
It is possible. I just checked. I use the Dutch interface of GMail so excuse me if I don't get all of the words right. Open the email. Next to the reply link is a drop-down menu. The second from the bottom is "Origineel weergeven" (display source?) This pops open a new window with the RAW email message.
2. How is it possible for GMail to distinguish between a real and a hijacked email?
At which fields is GMail looking?
My guess, based on the email headers from previous mails: SPF records. http://en.wikipedia.org/wiki/Sender_Policy_Framework
-- Amedee
Open the email. Next to the reply link is a drop-down menu. The second from the bottom is "Origineel weergeven" (display source?) This pops open a new window with the RAW email message.
You are correct, GMail allows that. It is called "Show original".
-- -Alexey Eromenko "Technologov"
participants (6): Alexey Eremenko, Amedee Van Gasse, Dave Howorth, Dave Plater, greg.freemyer@gmail.com, Sandy Drobic