Security Incidents mailing list archives
RE: Dubious e-mail: [Fwd: Dell.com (Password Request)]
From: "John McCracken" <john () mccrackenassociates com>
Date: Tue, 3 Jun 2003 17:19:37 -0500
No, nothing that I see would exclude that possibility, similar to what Bill Pennington pointed out; however, Jeff Neithercutt's scenario is also likely because you can't determine the root source from this email header, which is why I made the comment that I hope it was an isolated incident, meaning a scenario such as yours and/or Bill's, e.g., forgotten and/or mistyped password vs. a generator or farmed list. Unfortunately, I don't see how we can tell from the information at hand. I suspect if the root cause is/was illicit use and perpetrated in volume, we would see similar posts to either this or other lists, given Dell's industry market share (not a scientific conclusion I realize) and Dell would most likely have been alerted from either other users experiencing the same and/or an automated detection flagged by volume differentials, if such is in place, and would take appropriate mitigating action. However, this too could be an erroneous deduction since a perpetrator could slow their illicit activity below detection levels, which is not without merit and often the case in well organized attacks. I guess it all boils down to which assumption you most likely believe, since we lack the data to make an intelligent scientific conclusion. In any event, I believe it is more likely to be an isolated incident or illicit probe, as Jeff points out, than it is someone that obtained Dell's customer list.

Thanks!
John McCracken

-----Original Message-----
From: Kevin Holmquist [mailto:kevinh () netronin org]
Sent: Monday, June 02, 2003 6:04 PM
To: incidents () securityfocus com
Subject: RE: Dubious e-mail: [Fwd: Dell.com (Password Request)]

I've been watching this thread with interest, but I have a question: My first thought was that maybe someone forgot their password for Dell's web site and fudged their email address on the 'retrieve your password' page. Is there something in the original email that excludes this possibility?

Jeff:

You're right; I understand this is what you get when you forget your Dell "my account" password. Hopefully, it's an isolated incident and not illicit use of a generator or farmed list.

Thanks!
John McCracken

-----Original Message-----
From: neitherj () WellsFargo COM [mailto:neitherj () WellsFargo COM]
Sent: Monday, June 02, 2003 1:51 PM
To: john () mccrackenassociates com; houyachi () mindspring com
Cc: incidents () securityfocus com
Subject: RE: Dubious e-mail: [Fwd: Dell.com (Password Request)]

This actually looks like something different. It isn't actually a password request, it is a password response. You usually get an email like this from a company you have an account with if you click on the "forgot my password" link in their signon page. They could be sniffing passwords this way, however, as if they were successful in placing a sniffer in or near Dell, then ran a script that randomly generated user names, or farmed user names from another list somehow, they could generate a rash of emails, to legit Dell customers, with their unencrypted and legitimate dell.com passwords contained in the emails........Kind of scary actually.....

Jeff Neithercutt GSEC GCIH
Information Security Analyst
1836 Sierra Gardens Ste. 150
MAC A0783-011
Roseville, CA. 95611
(916) 787-3853
Fax (916) 772-5514
Security Operations Center
Corporate Information Protection
"Securing your network, one machine at a time!"

This email message is for the sole use of the intended recipient[s] and may contain privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by phone or reply email and destroy all copies of the original message.

-----Original Message-----
From: John McCracken [mailto:john () mccrackenassociates com]
Sent: Saturday, May 31, 2003 1:26 PM
To: houyachi () mindspring com
Cc: incidents () securityfocus com
Subject: RE: Dubious e-mail: [Fwd: Dell.com (Password Request)]

Hamid:

I doubt this is due to "someone who got hold of a DELL customer listing," although the routing is a bit odd, i.e., (ausoladperft05.development.online.dell.com [10.32.4.239]). I have found Dell's "Support Webmaster" at: http://support.dell.com/us/en/emaildell/webmaster.asp helpful and very responsive in the past. Nonetheless, I forwarded this to some internal contacts at Dell and I'm sure someone will contact you regarding your concerns.

Thanks!
John McCracken

-----Original Message-----
From: houyachi () mindspring com [mailto:houyachi () mindspring com]
Sent: Friday, May 30, 2003 11:46 AM
To: incidents () securityfocus com
Subject: Dubious e-mail: [Fwd: Dell.com (Password Request)]

I received the inline e-mail from what claims to be DELL Online service. A quick SAMSPADE search shows that smtp9.us.dell.com has an IP of 143.166.148.136 and is registered to DELL Computers. I have an uneasy feeling about this and my call to DELL went unanswered. I spoke to customer service asking to speak to someone who can look into this but I was sent back to the belly of the phone system and was given the runaround. This could be somebody trolling for passwords by spamming anyone, or someone who got hold of a DELL customer listing and is fishing for passwords. I did not want to check the link below from my workstation for that would amount to a partial verification of the e-mail address. By the time I got to check it via SamSpade it gave a 404 error. Any thoughts of a recourse of action here, if any at all?

Thanks
Hamid Ouyachi

-------- Original Message --------
From: - Thu May 29 12:58:30 2003
X-UIDL: 19lede2U83Nl3rE0
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Status: U
Return-Path: <listmaster () dell com>
Received: from saltmine.radix.net ([207.192.128.40]) by bissell.mail.mindspring.net (Earthlink Mail Service) with ESMTP id 19lede2U83Nl3rE0 for <houyachi () mindspring com>; Wed, 28 May 2003 23:36:20 -0400 (EDT)
Received: from mail1.radix.net (mail1.radix.net [207.192.128.31]) by saltmine.radix.net (8.12.2/8.12.2) with ESMTP id h4T3aI1o028383 for <houyachi () saltmail radix net>; Wed, 28 May 2003 23:36:19 -0400 (EDT)
Received: from smtp9.us.dell.com (smtp9.us.dell.com [143.166.148.136]) by mail1.radix.net (8.12.2/8.12.2) with ESMTP id h4T3aHps024172 for <houyachi () radix net>; Wed, 28 May 2003 23:36:17 -0400 (EDT)
Received: from AUSOLADPERFT05 (ausoladperft05.development.online.dell.com [10.32.4.239]) by smtp9.us.dell.com (8.12.9/8.12.7) with SMTP id h4T3WDq5006521 for <houyachi () radix net>; Wed, 28 May 2003 22:32:13 -0500
From: listmaster () dell com
thread-index: AcMlk2Ne/6yJtEMaQGGgaVv1s0P3qg=
Thread-Topic: Dell.com (Password Request)
To: <houyachi () radix net>
Subject: Dell.com (Password Request)
Date: Wed, 28 May 2003 22:35:45 -0500
Message-ID: <096001c32593$635e98f0$ef04200a () development online dell com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0961_01C32569.7A8890F0"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
X-Scanned-By: MIMEDefang 2.31

We recently received a request to e-mail your password to you. Your Dell.com My Account password is 'password'. You may use the following URL http://membership.dell.com/dellportal/signin.aspx?c=us&l=en&s=gen <http://membership.dell.com/dellportal/signin.aspx?s=gen> to return to your account page.

We look forward to providing continued world class support for your computing needs.

Dell Online
http://www.dell.com <Dell.Storm.UI.Atoms.SimpleLink>
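The thread turns on what the quoted Received chain does and does not establish. As an added illustration (not code from any poster in the thread), the script below walks the chain earliest hop first, flags hops whose client address is private, and reports the earliest publicly verifiable hop; the header lines are copied from the quoted message, with the archive's address obfuscation left in place.

```python
import ipaddress
import re
from email import message_from_string

# Received headers copied from the message quoted in this thread (the list
# archive's address obfuscation, "user () host", is left as on the page).
RAW_HEADERS = """\
Received: from saltmine.radix.net ([207.192.128.40]) by bissell.mail.mindspring.net (Earthlink Mail Service) with ESMTP id 19lede2U83Nl3rE0 for <houyachi () mindspring com>; Wed, 28 May 2003 23:36:20 -0400 (EDT)
Received: from mail1.radix.net (mail1.radix.net [207.192.128.31]) by saltmine.radix.net (8.12.2/8.12.2) with ESMTP id h4T3aI1o028383 for <houyachi () saltmail radix net>; Wed, 28 May 2003 23:36:19 -0400 (EDT)
Received: from smtp9.us.dell.com (smtp9.us.dell.com [143.166.148.136]) by mail1.radix.net (8.12.2/8.12.2) with ESMTP id h4T3aHps024172 for <houyachi () radix net>; Wed, 28 May 2003 23:36:17 -0400 (EDT)
Received: from AUSOLADPERFT05 (ausoladperft05.development.online.dell.com [10.32.4.239]) by smtp9.us.dell.com (8.12.9/8.12.7) with SMTP id h4T3WDq5006521 for <houyachi () radix net>; Wed, 28 May 2003 22:32:13 -0500
Subject: Dell.com (Password Request)

"""

# "from <helo> (<rdns> [<ip>]) by <receiving MTA>"; rdns is absent when the
# receiving MTA could not reverse-resolve the client (the saltmine hop).
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)

def trace_hops(raw_headers):
    """Delivery path, earliest hop first; each entry is what the receiving
    MTA ('by') recorded about the client that connected to it."""
    msg = message_from_string(raw_headers)
    hops = []
    # Received headers are prepended, so the top one is the final hop.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"]) if m["ip"] else None
        hops.append({"helo": m["helo"], "rdns": m["rdns"], "by": m["by"],
                     "ip": str(ip) if ip else None,
                     "private": bool(ip and ip.is_private)})
    return hops

def earliest_public_hop(hops):
    """First hop whose client address is publicly routable. Hops before it
    were recorded inside someone else's network (here 10.32.4.239 behind
    smtp9.us.dell.com), so the originating host is not identifiable here."""
    for hop in hops:
        if hop["ip"] and not hop["private"]:
            return hop
    return None
```

Only the hops recorded by your own provider's MTAs (mail1.radix.net and above) are attested by a party you can check; the innermost hop was written by smtp9.us.dell.com itself, which is why the chain confirms the public relay but not the root source.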