RE: [fw-wiz] appropriate response for mail break-in

From: Bill Royds (broyds@rogers.com)
Date: 10/27/02


From: "Bill Royds" <broyds@rogers.com>
To: <rferris@rmfdevelopment.com>, <firewall-wizards@honor.icsalabs.com>
Date: Sun Oct 27 21:52:01 2002

On Sept. 25 and 26 a spammer forged my email address as the From address for a "joe job" spam run. I have received over 8000 bounce messages since then (and I am still receiving them as of a minute ago).

There is only one unforgeable thing in an email header: the immediately preceding IP number that connected to your SMTP server to deliver the mail (the first Received line found in the headers).

What a firewall can do is ensure that the SMTP connection is correct and that the sender is on the outside of the firewall and comes from the sending MTA (the sender domain has that MTA as an MX, or the host is in the same domain) and the receiver is on the inside, or vice versa. This is actually a stricter policy than most users want, but it can cut down on spam and spoofing.
-----Original Message-----

From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Behm,
Jeffrey L.
Sent: Sun October 27 2002 20:43
To: 'firewall-wizards@honor.icsalabs.com '
Subject: RE: [fw-wiz] appropriate response for mail break-in

Are they actually using your account, or just spoofing the MAIL-FROM entry
in the header (Trivial to do).

I guess the question is, What leads you to believe they have "hacked" your
email account?

If it is of the trivial email header spoof, then reporting it to CERT would
not be fruitful, nor would changing your email password.

I personally have received email addressed to me, from me (with the header
spoofed). The delete function is typically how I deal with that.

-----Original Message-----
From: Ryan M. Ferris
To: firewall-wizards@honor.icsalabs.com

This is off topic. Someone is using my account to send me mail with binary
attachments. I have contacted my provider and asked to change my mail
password. I have sent on the message header to them. What is the next best
step? Do I file a report with CERT? Any thoughts?

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
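The header check Bill describes, as an added example that is not part of the original thread: a small Python script that trusts only the topmost Received: line (the one your own MTA wrote from the connection it actually accepted) and applies his proposed policy, accepting the mail only if the connecting host belongs to an MX host of the claimed sender domain. The two sample messages and the MX_NETWORKS table are constructed for the example; a real deployment would resolve MX records through DNS instead of a static table.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed stand-in for an MX lookup (assumption): sender domain -> the
# networks its MX hosts live in. A real check would resolve MX records via DNS.
MX_NETWORKS = {
    "rogers.com": [ipaddress.ip_network("198.51.100.0/24")],
    "example.com": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed sample: a "joe job" message. The topmost Received: line was
# written by our own MTA and shows the real connecting host (192.0.2.10).
# The second Received: line and the From: were supplied by the spammer and
# would pass any check that trusted them.
FORGED_MSG = """\
Return-Path: <broyds@rogers.com>
Received: from relay.example.org (relay.example.org [192.0.2.10])
    by mx.rogers.com with ESMTP id abc123
    for <broyds@rogers.com>; Sun, 27 Oct 2002 21:40:00 -0500
Received: from mail.rogers.com (mail.rogers.com [198.51.100.5])
    by relay.example.org with SMTP id xyz
From: Bill Royds <broyds@rogers.com>
To: victim@example.net
Subject: make money fast

body
"""

# Constructed sample: the same sender, but delivered by a host inside the
# sender domain's MX range.
GENUINE_MSG = """\
Return-Path: <broyds@rogers.com>
Received: from mail.rogers.com (mail.rogers.com [198.51.100.5])
    by mx.example.com with ESMTP id def456
    for <someone@example.com>; Sun, 27 Oct 2002 21:52:01 -0500
From: Bill Royds <broyds@rogers.com>
To: someone@example.com
Subject: Re: appropriate response for mail break-in

body
"""

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message: str):
    """Return the peer IP recorded in the topmost Received: line, or None.

    Only that line is trustworthy: the receiving MTA prepends it from the
    TCP connection it actually accepted. Every Received: line below it was
    handed over as part of the message and may have been fabricated.
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = _BRACKETED_IP.search(received[0])
    return ipaddress.ip_address(match.group(1)) if match else None


def claimed_sender_domain(raw_message: str):
    """Domain of the envelope sender (Return-Path), falling back to From:."""
    msg = email.message_from_string(raw_message)
    addr = parseaddr(msg.get("Return-Path") or msg.get("From") or "")[1]
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def sender_matches_mx(raw_message: str, mx_table=MX_NETWORKS) -> bool:
    """The policy from the post: accept only when the host that actually
    connected belongs to the claimed sender domain's MX hosts."""
    ip = connecting_ip(raw_message)
    domain = claimed_sender_domain(raw_message)
    if ip is None or domain is None:
        return False
    return any(ip in net for net in mx_table.get(domain, []))


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_MSG), ("genuine", GENUINE_MSG)):
        print(label, connecting_ip(raw), claimed_sender_domain(raw),
              "accept" if sender_matches_mx(raw) else "reject")
```

The forged sample shows why the check must stop at the first Received: line: the second one claims a hop from a host inside rogers.com's MX range and would satisfy the policy if it were believed. The policy is also as strict as Bill warns: mail legitimately relayed through a third-party host or a forwarding service is rejected too, so it suits a boundary MTA with a known set of peers better than a general-purpose inbound gateway.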
