Re: [fw-wiz] appropriate response for mail break-in

From: R. DuFresne (dufresne@sysinfo.com)
Date: 10/28/02


From: "R. DuFresne" <dufresne@sysinfo.com>
To: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
Date: Mon Oct 28 08:18:02 2002

Or, in this case, a trivial drop via procmail. After all, I'm guessing you
seldom send yourself e-mails; you might now and then, but you can
still apply some filtering via procmail to limit this.

Thanks,

Ron DuFresne

On Sun, 27 Oct 2002, Ryan M. Ferris wrote:

> Sorry to have dashed out the message about my mail messages so quickly. Thanks for all the help. Comparing two headers (real) and (faked), it looks like the Message ID has been spoofed by IP address 172.195.75.206 using my mail server IP 161.58.164.17.
>
> I guess this counts as a trivial spoof best handled with the delete key.
>
> Ryan
>
>
> (Real)
> Received: from honor.trusecure.com (honor.trusecure.com [65.202.253.137]) by 161.58.164.17 (8.11.6) id g9S12i251039; Sun, 27 Oct 2002 18:02:44 -0700 (MST)
> Received: from honor.trusecure.com (localhost.localdomain [127.0.0.1])
> by honor.trusecure.com (Postfix) with ESMTP
> id 4D039730A; Sun, 27 Oct 2002 19:45:11 -0500 (EST)
> Delivered-To: firewall-wizards@honor.icsalabs.com
> Received: from 161.58.164.17 (rmfdevelopment.com [161.58.164.17])
> by honor.trusecure.com (Postfix) with ESMTP id B229D733A
> for <firewall-wizards@honor.icsalabs.com>; Sun, 27 Oct 2002 13:50:53 -0500 (EST)
> Received: from RMFLaptop ([207.149.220.199]) by 161.58.164.17 (8.11.6) id g9RJ6aX71546; Sun, 27 Oct 2002 12:06:37 -0700 (MST)
> Message-ID: <001101c27deb$f1f3d2b0$c7dc95cf@RMFLaptop>
> From: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
> To: <firewall-wizards@honor.icsalabs.com>
> References: <Pine.LNX.4.33.0210270936360.5826-100000@gargoyle.users.patriot.net>
>
> (faked)
> Received: from Key (ACC34BCE.ipt.aol.com [172.195.75.206]) by 161.58.164.17 (8.11.6) id g9QNTlo89547; Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
> Date: Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
> Message-Id: <200210262329.g9QNTlo89547@161.58.164.17>
> From: rferris <rferris@rmfdevelopment.com>
> To: rferris@rmfdevelopment.com
> Subject: End ImageReady Slices 120
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary=P76X3G980M54iLT488z3s
> X-UIDL: M@G!!395!!K=`!!-n`!!
>
>
>
>
>
> ----- Original Message -----
> From: "Paul D. Robertson" <proberts@patriot.net>
> To: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
> Cc: <firewall-wizards@honor.icsalabs.com>
> Sent: Sunday, October 27, 2002 5:06 PM
> Subject: Re: [fw-wiz] appropriate response for mail break-in
>
>
> > On Sun, 27 Oct 2002, Ryan M. Ferris wrote:
> >
> > > This is off topic. Someone is using my account to send me mail with binary
> > > attachments. I have contacted my provider and asked to change my mail
> > > password. I have sent on the message header to them. What is the next best
> > > step? Do I file a report with CERT? Any thoughts?
> >
> > When you say "Using my account," are you saying "the mail looks like it
> > comes from me," "the mail path is exactly the same and the message IDs
> > look like mine," "same path, different message IDs," or "heck if I know
> > what the deal is here?"
> >
> > If you post the full headers, we might have something to work with.
> >
> > Paul
> > -----------------------------------------------------------------------------
> > Paul D. Robertson "My statements in this message are personal opinions
> > proberts@patriot.net which may have no basis whatsoever in fact."
> > probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
> >
> >
>

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!
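Ron's procmail suggestion and Ryan's side-by-side header comparison rest on the same observations about the quoted headers: the "faked" message is addressed from the local user to the local user, its first hop into 161.58.164.17 came from an unrelated dial-up client rather than from the laptop seen in the real message, and its Message-Id was stamped by the MTA itself (the injecting client supplied none), whereas the real one carries an ID from RMFLaptop. The script below is an added illustration, not code from this thread or from any of its participants: it parses the two header blocks as quoted above (trimmed to the lines the check needs) and reports those indicators. The function names and the choice of 207.149.220.199 as the one trusted client address are assumptions made for the example.

```python
import email
import re
from email.utils import parseaddr

# Header blocks constructed from the two messages quoted in the thread,
# trimmed to the lines this check uses. Each ends with a blank line so
# the email parser sees an empty body.
REAL_HEADERS = """\
Received: from honor.trusecure.com (honor.trusecure.com [65.202.253.137]) by 161.58.164.17 (8.11.6) id g9S12i251039; Sun, 27 Oct 2002 18:02:44 -0700 (MST)
Received: from 161.58.164.17 (rmfdevelopment.com [161.58.164.17]) by honor.trusecure.com (Postfix) with ESMTP id B229D733A for <firewall-wizards@honor.icsalabs.com>; Sun, 27 Oct 2002 13:50:53 -0500 (EST)
Received: from RMFLaptop ([207.149.220.199]) by 161.58.164.17 (8.11.6) id g9RJ6aX71546; Sun, 27 Oct 2002 12:06:37 -0700 (MST)
Message-ID: <001101c27deb$f1f3d2b0$c7dc95cf@RMFLaptop>
From: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
To: <firewall-wizards@honor.icsalabs.com>

"""

FAKED_HEADERS = """\
Received: from Key (ACC34BCE.ipt.aol.com [172.195.75.206]) by 161.58.164.17 (8.11.6) id g9QNTlo89547; Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
Date: Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
Message-Id: <200210262329.g9QNTlo89547@161.58.164.17>
From: rferris <rferris@rmfdevelopment.com>
To: rferris@rmfdevelopment.com
Subject: End ImageReady Slices 120

"""

# Bracketed client address and the "by <relay>" token in a Received line.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([^\s(;]+)")


def origin_hop(msg):
    """Return (client_ip, relay) for the oldest hop. MTAs prepend Received
    headers, so the last one in the list is where the message entered."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    first = received[-1]
    ip = IP_RE.search(first)
    relay = BY_RE.search(first)
    return (ip.group(1) if ip else None, relay.group(1) if relay else None)


def spoof_indicators(raw, self_addr, local_mta, trusted_clients):
    """Return the list of spoofing indicators found in a raw message.

    self_addr:       the local user's address (the one being impersonated)
    local_mta:       the hostname/IP that appears as the relay for that user
    trusted_clients: IPs the user's own mail client is known to submit from
                     (assumed for this example; a dial-up laptop will drift)
    """
    msg = email.message_from_string(raw)
    self_addr = self_addr.lower()
    local_mta = local_mta.lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    findings = []

    # 1. Mail from the user to the user: the condition a procmail drop keys on.
    if sender == self_addr and recipient == self_addr:
        findings.append("sender and recipient are both the local user")

    # 2. Claims to be the user, entered the user's MTA from an unknown client.
    client_ip, relay = origin_hop(msg)
    if (sender == self_addr and relay and relay.lower() == local_mta
            and client_ip not in trusted_clients):
        findings.append(f"first hop into {relay} came from untrusted client {client_ip}")

    # 3. Message-Id host is the MTA: the client sent none, so sendmail made one.
    mid = msg.get("Message-ID", "")
    m = re.search(r"@([^>\s]+)>?\s*$", mid.strip())
    if m and m.group(1).lower() == local_mta:
        findings.append("Message-Id was generated by the MTA; the injecting client supplied none")

    return findings


if __name__ == "__main__":
    args = ("rferris@rmfdevelopment.com", "161.58.164.17", {"207.149.220.199"})
    for label, raw in (("real", REAL_HEADERS), ("faked", FAKED_HEADERS)):
        found = spoof_indicators(raw, *args)
        print(f"{label}: {len(found)} indicator(s)")
        for f in found:
            print("  -", f)
```

Run as-is it reports no indicators for the real message and all three for the faked one. The first indicator is the only one a plain procmail recipe can express directly (match on From: and To: both being your own address), which is why Ron's advice comes with the caveat about the occasional legitimate self-addressed mail; the Received and Message-Id checks are what you would look at before deciding whether a given match is worth anything more than the delete key.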

