Re: Email Security question: Hijacked email !!! was: [opensuse] Vista
Happens all the time.
I agree. As we say in Dutch: "een storm in een glas water"
It's easy to say if it's not your email id which has been spoofed/cracked. Also if you didn't happen to live in a city where just mere weeks back there had been 9 bomb blasts, 4 of which had been in your surrounding areas. Not mentioning another 16 blasts in another city of your country just the next day, killing around 45 people, about which a warning was sent by terrorists 5 minutes before the first blast by a "cracked email account". I am not asking to discuss this matter in this forum; also the world hasn't come to an end. I'll search for more info in appropriate places, just want this matter not to be taken that lightly.
--
Regards, Ashish
"There are 10 types of people: those who understand binary, and those who don't"
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Also if you didn't happen to live in a city where just mere weeks back there had been 9 bomb blasts, 4 of which had been in your surrounding areas.
Yes, and which city/country is it?
--
-Alexey Eromenko "Technologov"
Yes, and which city/country is it ?
Bangalore, India
Ahmedabad, India
--
Regards, Ashish
"There are 10 types of people: those who understand binary, and those who don't"
On Fri, August 8, 2008 13:32, Ashish Yadav wrote:
Yes, and which city/country is it ?
Bangalore, India Ahmedabad, India
IIRC it wasn't a cracked email account but a cracked wireless network. Or not cracked at all, just with a password known by the terrorists.
On 08/08/2008 07:16 PM, Ashish Yadav wrote:
I am not asking to discuss this matter in this forum, also world hasn't come to an end. I'll search for more info in appropriate places, just want this matter not to be taken that lightly.
A quick look at the OP has this as the origination in the header:

Received: from adsl87.254.75.83.manx.net (EHLO Siouxsie) ([87.254.75.83])
  by manxnetsf02.manx.net (MOS 3.8.7a FastPath queued)
  with ESMTP id CTZ40378; Fri, 08 Aug 2008 08:31:53 +0100 (BST)

So the originating IP is 87.254.75.83, which looks like a DSL account in the manx.net network. The computer's name is Siouxsie. But, dig says:

joe@jmorris:~> dig manx.net

; <<>> DiG 9.4.1-P1 <<>> manx.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5467
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;manx.net. IN A

;; ANSWER SECTION:
manx.net. 3600 IN A 195.10.113.51

;; AUTHORITY SECTION:
. 511878 IN NS J.ROOT-SERVERS.net.
. 511878 IN NS E.ROOT-SERVERS.net.
. 511878 IN NS M.ROOT-SERVERS.net.
. 511878 IN NS A.ROOT-SERVERS.net.
. 511878 IN NS I.ROOT-SERVERS.net.
. 511878 IN NS K.ROOT-SERVERS.net.
. 511878 IN NS G.ROOT-SERVERS.net.
. 511878 IN NS B.ROOT-SERVERS.net.
. 511878 IN NS H.ROOT-SERVERS.net.
. 511878 IN NS L.ROOT-SERVERS.net.
. 511878 IN NS F.ROOT-SERVERS.net.
. 511878 IN NS D.ROOT-SERVERS.net.
. 511878 IN NS C.ROOT-SERVERS.net.

;; Query time: 360 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 8 19:28:33 2008
;; MSG SIZE rcvd: 250

joe@jmorris:~> host 195.10.113.51
Host 51.113.10.195.in-addr.arpa not found: 3(NXDOMAIN)

So it looks like it may also be spoofed or at least does not resolve. Also,

joe@jmorris:~> host manxnetsf02.manx.net
manxnetsf02.manx.net has address 195.10.115.230
joe@jmorris:~> host 195.10.115.230
Host 230.115.10.195.in-addr.arpa not found: 3(NXDOMAIN)

Also of interest is the mail server appears to be +1:00 GMT, in the BST time zone. The supposed mail server it relayed through, manxnetsf02.manx.net, also does not have a reverse lookup, probably meaning it is either misconfigured, or is not a legitimate internet SMTP server.
Since manx.net seems like a bogus network, there is probably little you could do. You could try to email postmaster@manx.net and complain, or abuse@manx.net, in hopes my analysis is way off. ;-)
--
Joe Morris
Registered Linux user 231871 running openSUSE 10.3 x86_64
On Fri, August 8, 2008 13:40, Joe Morris wrote:
On 08/08/2008 07:16 PM, Ashish Yadav wrote:
I am not asking to discuss this matter in this forum, also world hasn't come to an end. I'll search for more info in appropriate places, just want this matter not to be taken that lightly.
A quick look at the OP has this as the origination in the header:

Received: from adsl87.254.75.83.manx.net (EHLO Siouxsie) ([87.254.75.83])
  by manxnetsf02.manx.net (MOS 3.8.7a FastPath queued)
  with ESMTP id CTZ40378; Fri, 08 Aug 2008 08:31:53 +0100 (BST)

So the originating IP is 87.254.75.83, which looks like a DSL account in the manx.net network. The computer's name is Siouxsie. But, dig says:

joe@jmorris:~> dig manx.net

; <<>> DiG 9.4.1-P1 <<>> manx.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5467
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;manx.net. IN A

;; ANSWER SECTION:
manx.net. 3600 IN A 195.10.113.51

;; AUTHORITY SECTION:
. 511878 IN NS J.ROOT-SERVERS.net.
. 511878 IN NS E.ROOT-SERVERS.net.
. 511878 IN NS M.ROOT-SERVERS.net.
. 511878 IN NS A.ROOT-SERVERS.net.
. 511878 IN NS I.ROOT-SERVERS.net.
. 511878 IN NS K.ROOT-SERVERS.net.
. 511878 IN NS G.ROOT-SERVERS.net.
. 511878 IN NS B.ROOT-SERVERS.net.
. 511878 IN NS H.ROOT-SERVERS.net.
. 511878 IN NS L.ROOT-SERVERS.net.
. 511878 IN NS F.ROOT-SERVERS.net.
. 511878 IN NS D.ROOT-SERVERS.net.
. 511878 IN NS C.ROOT-SERVERS.net.

;; Query time: 360 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 8 19:28:33 2008
;; MSG SIZE rcvd: 250

joe@jmorris:~> host 195.10.113.51
Host 51.113.10.195.in-addr.arpa not found: 3(NXDOMAIN)

So it looks like it may also be spoofed or at least does not resolve. Also,

joe@jmorris:~> host manxnetsf02.manx.net
manxnetsf02.manx.net has address 195.10.115.230
joe@jmorris:~> host 195.10.115.230
Host 230.115.10.195.in-addr.arpa not found: 3(NXDOMAIN)

Also of interest is the mail server appears to be +1:00 GMT, in the BST time zone. The supposed mail server it relayed through, manxnetsf02.manx.net, also does not have a reverse lookup, probably meaning it is either misconfigured, or is not a legitimate internet SMTP server. Since manx.net seems like a bogus network, there is probably little you could do. You could try to email postmaster@manx.net and complain, or abuse@manx.net, in hopes my analysis is way off. ;-)
Your analysis is a bit off. The devil is in the details. ;-)

I looked up the mx for manx.net, because the mail servers seem to be running on a different ip than the webserver:

amedee@intrepid { ~ }$ dig manx.net mx

; <<>> DiG 9.3.4-P1.1 <<>> manx.net mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36255
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;manx.net. IN MX

;; ANSWER SECTION:
manx.net. 300 IN MX 10 manxnetsf01.manx.net.
manx.net. 300 IN MX 15 manxnetsf02.manx.net.

;; AUTHORITY SECTION:
manx.net. 172800 IN NS ns1.manx.net.
manx.net. 172800 IN NS ns0.manx.net.

;; ADDITIONAL SECTION:
manxnetsf01.manx.net. 300 IN A 195.10.115.229
manxnetsf02.manx.net. 300 IN A 195.10.115.230
ns0.manx.net. 27801 IN A 195.10.102.4
ns1.manx.net. 27801 IN A 195.10.102.5

;; Query time: 166 msec
;; SERVER: 10.2.9.4#53(10.2.9.4)
;; WHEN: Fri Aug 8 14:02:11 2008
;; MSG SIZE rcvd: 182

I agree on the misconfiguration, manxnetsf01 seems OK but manxnetsf02, their backup MX, isn't. All too often a backup MX is forgotten, and abused by spammers.

amedee@intrepid { ~ }$ host 195.10.115.229
229.115.10.195.in-addr.arpa domain name pointer manxnetsf01.manx.net.
amedee@intrepid { ~ }$ host manxnetsf01.manx.net
manxnetsf01.manx.net has address 195.10.115.229
amedee@intrepid { ~ }$ host 195.10.115.230
Host 230.115.10.195.in-addr.arpa not found: 3(NXDOMAIN)
amedee@intrepid { ~ }$ host manxnetsf02.manx.net
manxnetsf02.manx.net has address 195.10.115.230

He already got an answer from abuse@, they told him to add opensuse@opensuse.org to his spam list... This n00bish answer only confirms the misconfiguration issue on their backup MX.

Conclusion: if you live on the Isle of Man, you have a worthless ISP. One can only hope that there is more than one ISP over there.
--
Amedee
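A small Python check, added here as an illustration and not code posted in the thread, that parses the Received: line quoted above and applies the forward-confirmed reverse DNS test that Joe and Amedee ran by hand with dig and host. The DNS answers come from a constructed lookup table reproducing the results posted in the thread, not from live queries; a real tool would call socket.gethostbyaddr / gethostbyname instead.

```python
import re

# Received: header as quoted in the thread (split only for readability).
RECEIVED = ("Received: from adsl87.254.75.83.manx.net (EHLO Siouxsie) ([87.254.75.83]) "
            "by manxnetsf02.manx.net (MOS 3.8.7a FastPath queued) with ESMTP id CTZ40378; "
            "Fri, 08 Aug 2008 08:31:53 +0100 (BST)")

# Constructed stand-in for DNS, reproducing the lookups posted in the thread:
# .229 has a PTR back to manxnetsf01, .230 (the backup MX) returns NXDOMAIN.
PTR = {"195.10.115.229": "manxnetsf01.manx.net"}
A = {"manxnetsf01.manx.net": "195.10.115.229",
     "manxnetsf02.manx.net": "195.10.115.230"}

# from <rdns> (EHLO <helo>) ([<ip>]) by <relay> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\((?:EHLO|HELO)\s+(?P<helo>[^)]+)\)\s+"
    r"\(\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)")


def parse_received(header):
    """Pull the client rDNS name, HELO name, client IP and relay host out of one hop."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received: format")
    return m.groupdict()


def fcrdns(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: the PTR must exist and its A record must point back at ip."""
    name = ptr.get(ip)
    if name is None:
        return "no PTR (NXDOMAIN)"
    if a.get(name) != ip:
        return "PTR %s does not resolve back to %s" % (name, ip)
    return "ok (%s)" % name


def assess(header):
    """Summarise the hop the way the thread does: who connected, what it claimed, and whether the relay checks out."""
    hop = parse_received(header)
    relay_ip = A.get(hop["by"])
    return {
        "client_ip": hop["ip"],
        "helo": hop["helo"],
        "helo_is_fqdn": "." in hop["helo"],   # a bare name like Siouxsie is a workstation, not a mail server
        "relay": hop["by"],
        "relay_fcrdns": fcrdns(relay_ip) if relay_ip else "relay has no A record",
    }


if __name__ == "__main__":
    for k, v in assess(RECEIVED).items():
        print("%-14s %s" % (k, v))
```

On the thread's data this reports the relay manxnetsf02.manx.net as having no PTR, which is exactly the misconfiguration Amedee points at; the same check passes for manxnetsf01.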
Amedee Van Gasse wrote:
Conclusion: if you live on the Isle of Man, you have a worthless ISP. One can only hope that there is more than one ISP over there.
According to http://iom.localwebguide.co.uk/directory/disp_company.shtml?category=isp there are at least three to choose from :)

I imagine that forging the from address constitutes invasion of privacy / identity theft / some violation of data protection or another offence. The IoM is a fairly small place and the ADSL address is still responding to pings, so maybe plod could be persuaded to send a flatfoot and a dog for a walk ... generalenquiries.dha@gov.im :)

Cheers, Dave
On Fri, August 8, 2008 14:31, Dave Howorth wrote:
the ADSL address is still responding to pings
Still responding to pings? Let's see what metasploit tells us... >:-)
Do you think someone would notice if we all nmapped him at the same time?
DISCLAIMER: please don't! ;-)
--
Amedee
participants (5)
- Alexey Eremenko
- Amedee Van Gasse
- Ashish Yadav
- Dave Howorth
- Joe Morris