Firewall Wizards mailing list archives
Re: appropriate response for mail break-in
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 28 Oct 2002 08:24:51 -0500 (EST)
Or, in this case, a trivial drop via procmail, afterall, I'm guessing you seldom send yourself e-mails, though, you might now and then, but, you can still apply some filtering via procmail to limit this. Thanks, Ron DuFresne On Sun, 27 Oct 2002, Ryan M. Ferris wrote:
Sorry to have dashed out the message about my mail messages so quickly. Thanks for all the help. Comparing two headers (real) and (faked), it looks like the Message ID has been spoofed by IP address 172.195.75.206 using my mail server IP 161.58.164.17. I guess this counts as a trivial spoof best handled with the delete key. Ryan (Real) Received: from honor.trusecure.com (honor.trusecure.com [65.202.253.137]) by 161.58.164.17 (8.11.6) id g9S12i251039; Sun, 27 Oct 2002 18:02:44 -0700 (MST) Received: from honor.trusecure.com (localhost.localdomain [127.0.0.1]) by honor.trusecure.com (Postfix) with ESMTP id 4D039730A; Sun, 27 Oct 2002 19:45:11 -0500 (EST) Delivered-To: firewall-wizards () honor icsalabs com Received: from 161.58.164.17 (rmfdevelopment.com [161.58.164.17]) by honor.trusecure.com (Postfix) with ESMTP id B229D733A for <firewall-wizards () honor icsalabs com>; Sun, 27 Oct 2002 13:50:53 -0500 (EST) Received: from RMFLaptop ([207.149.220.199]) by 161.58.164.17 (8.11.6) id g9RJ6aX71546; Sun, 27 Oct 2002 12:06:37 -0700 (MST) Message-ID: <001101c27deb$f1f3d2b0$c7dc95cf@RMFLaptop> From: "Ryan M. Ferris" <rferris () rmfdevelopment com> To: <firewall-wizards () honor icsalabs com> References: <Pine.LNX.4.33.0210270936360.5826-100000 () gargoyle users patriot net> (faked) Received: from Key (ACC34BCE.ipt.aol.com [172.195.75.206]) by 161.58.164.17 (8.11.6) id g9QNTlo89547; Sat, 26 Oct 2002 17:29:47 -0600 (MDT) Date: Sat, 26 Oct 2002 17:29:47 -0600 (MDT) Message-Id: <200210262329.g9QNTlo89547@161.58.164.17> From: rferris <rferris () rmfdevelopment com> To: rferris () rmfdevelopment com Subject: End ImageReady Slices 120 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=P76X3G980M54iLT488z3s X-UIDL: M@G!!395!!K=`!!-n`!! ----- Original Message ----- From: "Paul D. Robertson" <proberts () patriot net> To: "Ryan M. Ferris" <rferris () rmfdevelopment com> Cc: <firewall-wizards () honor icsalabs com> Sent: Sunday, October 27, 2002 5:06 PM Subject: Re: [fw-wiz] appropriate response for mail break-inOn Sun, 27 Oct 2002, Ryan M. Ferris wrote:This is off topic. Someone is using my account to send me mail with binary attachments. I have contacted my provider and asked to change my mail password. I have sent on the message header to them. What is the next best step? Do I file a report with CERT? Any thoughts?When you say "Using my account," are you saying "the mail looks like it comes from me," "the mail path is exactly the same and the message IDs look like mine," "same path, different message IDs," or "heck if I know what the deal is here?" If you post the full headers, we might have something to work with. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessmnet TruSecure Corporation
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- IDS or Intrusion Prevention Systems Walter Ludwig (Oct 27)
- Re: IDS or Intrusion Prevention Systems Paul D. Robertson (Oct 27)
- appropriate response for mail break-in Ryan M. Ferris (Oct 27)
- Re: appropriate response for mail break-in Paul D. Robertson (Oct 27)
- Re: appropriate response for mail break-in Ryan M. Ferris (Oct 28)
- Re: appropriate response for mail break-in R. DuFresne (Oct 28)
- appropriate response for mail break-in Ryan M. Ferris (Oct 27)
- Re: IDS or Intrusion Prevention Systems Paul D. Robertson (Oct 27)