Mailinglist Archive: opensuse (2112 mails)

Re: Email Security question: Hijacked email !!! was: [opensuse] Vista
  • From: "Amedee Van Gasse" <amedee@xxxxxxxxx>
  • Date: Fri, 8 Aug 2008 14:15:30 +0200 (CEST)
  • Message-id: <11201.193.121.250.194.1218197730.squirrel@xxxxxxxxxxxxxxxx>
On Fri, August 8, 2008 13:40, Joe Morris wrote:
On 08/08/2008 07:16 PM, Ashish Yadav wrote:
I am not asking to discuss this matter in this forum, also world
hasn't come to an end. I'll search for more info in appropriate
places, just want this matter not to be taken that lightly.


A quick look at the OP has this as the origination in the header:

Received: from adsl87.254.75.83.manx.net (EHLO Siouxsie) ([87.254.75.83])
by manxnetsf02.manx.net (MOS 3.8.7a FastPath queued) with ESMTP id
CTZ40378; Fri, 08 Aug 2008 08:31:53 +0100 (BST)

So the originating IP is 87.254.75.83, which looks like a DSL account in
the manx.net network. The computer's name is Siouxsie.
But, dig says:
joe@jmorris:~> dig manx.net

; <<>> DiG 9.4.1-P1 <<>> manx.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5467
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;manx.net. IN A

;; ANSWER SECTION:
manx.net. 3600 IN A 195.10.113.51

;; AUTHORITY SECTION:
. 511878 IN NS J.ROOT-SERVERS.net.
. 511878 IN NS E.ROOT-SERVERS.net.
. 511878 IN NS M.ROOT-SERVERS.net.
. 511878 IN NS A.ROOT-SERVERS.net.
. 511878 IN NS I.ROOT-SERVERS.net.
. 511878 IN NS K.ROOT-SERVERS.net.
. 511878 IN NS G.ROOT-SERVERS.net.
. 511878 IN NS B.ROOT-SERVERS.net.
. 511878 IN NS H.ROOT-SERVERS.net.
. 511878 IN NS L.ROOT-SERVERS.net.
. 511878 IN NS F.ROOT-SERVERS.net.
. 511878 IN NS D.ROOT-SERVERS.net.
. 511878 IN NS C.ROOT-SERVERS.net.

;; Query time: 360 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 8 19:28:33 2008
;; MSG SIZE rcvd: 250

joe@jmorris:~> host 195.10.113.51
Host 51.113.10.195.in-addr.arpa not found: 3(NXDOMAIN)

So it looks like it may also be spoofed or at least does not resolve.
Also,
joe@jmorris:~> host manxnetsf02.manx.net
manxnetsf02.manx.net has address 195.10.115.230
joe@jmorris:~> host 195.10.115.230
Host 230.115.10.195.in-addr.arpa not found: 3(NXDOMAIN)

Also of interest is the mail server appears to be +1:00 GMT, in the BST
time zone.
The supposed mail server it relayed through, manxnetsf02.manx.net also
does not have a reverse lookup, probably meaning it is either
misconfigured, or is not a legitimate internet SMTP server. Since
manx.net seems like a bogus network, there is probably little you could
do. You could try to email postmaster@xxxxxxxx and complain, or
abuse@xxxxxxxx, in hopes my analysis is way off. ;-)


Your analysis is a bit off. The devil is in the details. ;-)

I looked up the mx for manx.net, because the mail servers seem to be
running on a different ip than the webserver:

amedee@intrepid { ~ }$ dig manx.net mx

; <<>> DiG 9.3.4-P1.1 <<>> manx.net mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36255
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;manx.net. IN MX

;; ANSWER SECTION:
manx.net. 300 IN MX 10 manxnetsf01.manx.net.
manx.net. 300 IN MX 15 manxnetsf02.manx.net.

;; AUTHORITY SECTION:
manx.net. 172800 IN NS ns1.manx.net.
manx.net. 172800 IN NS ns0.manx.net.

;; ADDITIONAL SECTION:
manxnetsf01.manx.net. 300 IN A 195.10.115.229
manxnetsf02.manx.net. 300 IN A 195.10.115.230
ns0.manx.net. 27801 IN A 195.10.102.4
ns1.manx.net. 27801 IN A 195.10.102.5

;; Query time: 166 msec
;; SERVER: 10.2.9.4#53(10.2.9.4)
;; WHEN: Fri Aug 8 14:02:11 2008
;; MSG SIZE rcvd: 182

I agree on the misconfiguration, manxnetsf01 seems OK but manxnetsf02,
their backup MX, isn't. All too often a backup MX is forgotten, and abused
by spammers.

amedee@intrepid { ~ }$ host 195.10.115.229
229.115.10.195.in-addr.arpa domain name pointer manxnetsf01.manx.net.
amedee@intrepid { ~ }$ host manxnetsf01.manx.net
manxnetsf01.manx.net has address 195.10.115.229
amedee@intrepid { ~ }$ host 195.10.115.230
Host 230.115.10.195.in-addr.arpa not found: 3(NXDOMAIN)
amedee@intrepid { ~ }$ host manxnetsf02.manx.net
manxnetsf02.manx.net has address 195.10.115.230

He already got an answer from abuse@, they told him to add
opensuse@xxxxxxxxxxxx to his spam list...
This n00bish answer only confirms the misconfiguration issue on their
backup MX.

Conclusion: if you live on the Isle of Man, you have a worthless ISP. One
can only hope that there is more than one ISP over there.

--
Amedee
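The lookups Joe and Amedee ran by hand (name to address, address back to name, for the relay named in the Received header) amount to a forward-confirmed reverse DNS check. Below is an added example, not code from the thread or from openSUSE, that parses the Received line quoted above and runs that check against pluggable resolver functions. The lookup tables are constructed from the dig and host output quoted in the thread so the script runs offline; `live_forward` and `live_reverse` are the hypothetical swap-ins that perform real lookups.

```python
import re
import socket
from typing import Callable, Dict, Optional, Tuple

# The Received line quoted in the thread, joined onto one line.
RECEIVED = (
    "Received: from adsl87.254.75.83.manx.net (EHLO Siouxsie) ([87.254.75.83]) "
    "by manxnetsf02.manx.net (MOS 3.8.7a FastPath queued) with ESMTP id "
    "CTZ40378; Fri, 08 Aug 2008 08:31:53 +0100 (BST)"
)

# Constructed lookup tables reproducing the dig/host answers quoted in the
# thread. Addresses that returned NXDOMAIN there are simply absent.
FORWARD: Dict[str, str] = {
    "manx.net": "195.10.113.51",
    "manxnetsf01.manx.net": "195.10.115.229",
    "manxnetsf02.manx.net": "195.10.115.230",
}
REVERSE: Dict[str, str] = {
    "195.10.115.229": "manxnetsf01.manx.net",
}

# A resolver maps a name (or address) to its answer, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(EHLO\s+(?P<helo>[^)]+)\)\s+\(\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(header: str) -> Dict[str, str]:
    """Pull the rDNS name, EHLO argument, client IP and relay host out of a
    Received header in the 'from X (EHLO Y) ([IP]) by Z' layout seen here."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("Received header not in the expected layout")
    return m.groupdict()


def check_host(name: str, forward: Resolver, reverse: Resolver) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS for a host name: name -> A -> PTR must
    round-trip back to the same name. This is what running 'host' on both
    the name and the address checks by hand."""
    ip = forward(name)
    if ip is None:
        return False, f"{name} has no A record"
    ptr = reverse(ip)
    if ptr is None:
        return False, f"{name} -> {ip} has no PTR record (NXDOMAIN)"
    if ptr.rstrip(".").lower() != name.rstrip(".").lower():
        return False, f"{name} -> {ip} -> {ptr} does not round-trip"
    return True, f"{name} <-> {ip} round-trips"


def assess_hop(header: str, forward: Resolver, reverse: Resolver) -> Dict[str, object]:
    """Score one Received hop: does the relay that stamped it have consistent
    DNS, and does the client's EHLO name agree with its rDNS name? An EHLO
    mismatch alone is weak evidence (DSL clients rarely match), so it is
    reported rather than treated as proof of forgery."""
    hop = parse_received(header)
    relay_ok, relay_detail = check_host(hop["by"], forward, reverse)
    helo_matches = hop["helo"].lower() == hop["rdns"].lower()
    return {
        "client_ip": hop["ip"],
        "relay": hop["by"],
        "relay_ok": relay_ok,
        "relay_detail": relay_detail,
        "helo_matches_rdns": helo_matches,
    }


# Hypothetical live resolvers: same signature as the table lookups, but they
# query the network.
def live_forward(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def live_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


if __name__ == "__main__":
    # Offline run against the constructed tables; pass live_forward and
    # live_reverse instead to repeat the thread's lookups for real.
    for host in ("manxnetsf01.manx.net", "manxnetsf02.manx.net"):
        print(check_host(host, FORWARD.get, REVERSE.get))
    print(assess_hop(RECEIVED, FORWARD.get, REVERSE.get))
```

Against the constructed tables the primary MX round-trips and the backup MX fails for want of a PTR record, which is exactly the asymmetry Amedee found; the same check run over every hop of a suspect message, with the live resolvers, gives a quick first pass before anyone writes to abuse@.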

