Firewall Wizards mailing list archives

Re: appropriate response for mail break-in


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 28 Oct 2002 08:24:51 -0500 (EST)


Or, in this case, a trivial drop via procmail. After all, I'm guessing you
seldom send yourself e-mails, though you might now and then, but you can
still apply some filtering via procmail to limit this.

Thanks,

Ron DuFresne


On Sun, 27 Oct 2002, Ryan M. Ferris wrote:

Sorry to have dashed out the message about my mail messages so quickly. Thanks for all the help. Comparing two headers (real) and (faked), it looks like the Message ID has been spoofed by IP address 172.195.75.206 using my mail server IP 161.58.164.17.

I guess this counts as a trivial spoof best handled with the delete key.

Ryan


(Real)
Received: from honor.trusecure.com (honor.trusecure.com [65.202.253.137]) by 161.58.164.17 (8.11.6) id g9S12i251039; Sun, 27 Oct 2002 18:02:44 -0700 (MST)
Received: from honor.trusecure.com (localhost.localdomain [127.0.0.1])
 by honor.trusecure.com (Postfix) with ESMTP
 id 4D039730A; Sun, 27 Oct 2002 19:45:11 -0500 (EST)
Delivered-To: firewall-wizards () honor icsalabs com
Received: from 161.58.164.17 (rmfdevelopment.com [161.58.164.17])
 by honor.trusecure.com (Postfix) with ESMTP id B229D733A
 for <firewall-wizards () honor icsalabs com>; Sun, 27 Oct 2002 13:50:53 -0500 (EST)
Received: from RMFLaptop ([207.149.220.199]) by 161.58.164.17 (8.11.6) id g9RJ6aX71546; Sun, 27 Oct 2002 12:06:37 -0700 (MST)
Message-ID: <001101c27deb$f1f3d2b0$c7dc95cf@RMFLaptop>
From: "Ryan M. Ferris" <rferris () rmfdevelopment com>
To: <firewall-wizards () honor icsalabs com>
References: <Pine.LNX.4.33.0210270936360.5826-100000 () gargoyle users patriot net>

(faked)
Received: from Key (ACC34BCE.ipt.aol.com [172.195.75.206]) by 161.58.164.17 (8.11.6) id g9QNTlo89547; Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
Date: Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
Message-Id: <200210262329.g9QNTlo89547@161.58.164.17>
From: rferris <rferris () rmfdevelopment com>
To: rferris () rmfdevelopment com
Subject: End ImageReady Slices 120 
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=P76X3G980M54iLT488z3s
X-UIDL: M@G!!395!!K=`!!-n`!!
----- Original Message ----- 
From: "Paul D. Robertson" <proberts () patriot net>
To: "Ryan M. Ferris" <rferris () rmfdevelopment com>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Sunday, October 27, 2002 5:06 PM
Subject: Re: [fw-wiz] appropriate response for mail break-in


On Sun, 27 Oct 2002, Ryan M. Ferris wrote:

This is off topic. Someone is using my account to send me mail with binary
attachments.  I have contacted my provider and  asked to change my mail
password. I have sent on the message header to them. What is the next best
step?  Do I file a report with CERT? Any thoughts?

When you say "Using my account," are you saying "the mail looks like it 
comes from me," "the mail path is exactly the same and the message IDs 
look like mine,"  "same path, different message IDs," or "heck if I know 
what the deal is here?"

If you post the full headers, we might have something to work with.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation




-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
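The self-addressed-mail drop Ron suggests for procmail, written out in Python as an added example (not code from the thread): it checks the Received: hop that the user's own server stamped against a list of hosts the user really sends from, using the two header sets Ryan posted as constructed samples. The TRUSTED_ORIGINS set is an assumption for the example.

```python
"""Header check modelled on the procmail drop suggested in the thread: mail
claiming to be From: me is rejected unless the hop my own server recorded
(the Received: line 'by 161.58.164.17') names a host I actually send from."""
import email
import email.utils
import re

MY_ADDR = "rferris@rmfdevelopment.com"
MY_SERVER = "161.58.164.17"
# Hosts I legitimately submit mail from (assumption for this example).
TRUSTED_ORIGINS = {"RMFLaptop", "207.149.220.199"}

# Constructed from the (Real) headers quoted above; list relay hop kept to
# show that hops recorded by other servers are skipped.
REAL = """\
Received: from 161.58.164.17 (rmfdevelopment.com [161.58.164.17]) by honor.trusecure.com (Postfix) with ESMTP id B229D733A
Received: from RMFLaptop ([207.149.220.199]) by 161.58.164.17 (8.11.6) id g9RJ6aX71546; Sun, 27 Oct 2002 12:06:37 -0700 (MST)
From: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
To: <firewall-wizards@honor.icsalabs.com>
"""

# Constructed from the (faked) headers quoted above.
FAKED = """\
Received: from Key (ACC34BCE.ipt.aol.com [172.195.75.206]) by 161.58.164.17 (8.11.6) id g9QNTlo89547; Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
From: rferris <rferris@rmfdevelopment.com>
To: rferris@rmfdevelopment.com
"""

HOP = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")

def origin_of(msg):
    """Return (name, ip) of the host that handed the message to MY_SERVER."""
    for hop in msg.get_all("Received", []):
        m = HOP.match(hop.strip())
        if m and m.group(3) == MY_SERVER:
            ip = re.search(r"\[([\d.]+)\]", m.group(2) or "")
            return m.group(1), (ip.group(1) if ip else None)
    return None, None

def check(raw):
    """Return None if the message passes, else a reason string to log or drop on."""
    msg = email.message_from_string(raw)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender != MY_ADDR:
        return None  # not claiming to be me; this rule does not apply
    name, ip = origin_of(msg)
    if name in TRUSTED_ORIGINS or ip in TRUSTED_ORIGINS:
        return None
    return f"forged From: {sender}; injected at {MY_SERVER} from {name} [{ip}]"
```

Only the hop written by the user's own server is trusted for this decision, since the `from` name in any hop is whatever the connecting client claimed; the bracketed IP is what the server itself observed.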
