Educause Security Discussion mailing list archives

Re: EDUCAUSE Statement on Server Breach


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 19 Feb 2013 19:49:05 -0500

On Tue, 19 Feb 2013 19:34:32 +0000, Bob Bayn said:

We, too, were scurrying around and called the Denver office for reassurance before that message arrived from Valerie.

You mean that mail *purporting* to be from Valerie.  Just some phishes
are more intricate and well-played than others. :)

I mean, look at these headers on the way to the listserv box:

Received: from [64.18.1.35] by LISTSERV.EDUCAUSE.EDU (SMTPL release 1.0w) with TCP; Tue, 19 Feb 2013 12:16:50 -0700
Received: from mail.educause.edu ([208.42.249.152]) (using TLSv1) by exprod6ob115.postini.com ([64.18.5.12]) with SMTP ID DSNKUSPPog9AED1pIQwc6t0R2TWGyDwEE/iG () postini com; Tue, 19 Feb 2013 11:16:50 PST
Received: from MAIL.educause.edu ([::1]) by MAIL.educause.edu ([::1]) with mapi id 14.01.0421.002; Tue, 19 Feb 2013 12:16:05 -0700

Listserv got it from a Postini box 64.18.1.35.  Then there's a break, due to
either poor header forging or a Postini server failing to add a Received line.

And the Postini box says it got it from a machine claiming to be mail.educause.edu
in the EHLO.  But...

% host 208.42.249.152
152.249.42.208.in-addr.arpa domain name pointer 208-42-249-152.static.data393.net.

So that EHLO is just a tad suspect, because everybody knows that actual mail servers
should have DNS PTR that look like mailservers and not generic addresses. :)

Or am I just using waaay too much tinfoil lately? :)

(For that matter, what reason do you have to believe this e-mail is actually from
me?  Your only realistic options are to check and maybe trust the PGP signature, or
call our CISO, who'd tell you "Yeah, Val would totally write that mail" :)

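An added example, not part of the thread: a small Python check that parses the three Received headers quoted above, compares each hop's EHLO name against a reverse-DNS table and looks for the break in the hop chain that the message points out. The function names, the regex and the offline PTR_TABLE stand-in (seeded only with the PTR quoted in the message) are my own assumptions; a live check would call socket.gethostbyaddr instead.

```python
import re

# The three Received headers quoted in the message, newest first, with the
# archive's line wrapping undone ("() postini com" is as the archive prints it).
RECEIVED = [
    "from [64.18.1.35] by LISTSERV.EDUCAUSE.EDU (SMTPL release 1.0w) with TCP; "
    "Tue, 19 Feb 2013 12:16:50 -0700",
    "from mail.educause.edu ([208.42.249.152]) (using TLSv1) by "
    "exprod6ob115.postini.com ([64.18.5.12]) with SMTP ID "
    "DSNKUSPPog9AED1pIQwc6t0R2TWGyDwEE/iG () postini com; Tue, 19 Feb 2013 11:16:50 PST",
    "from MAIL.educause.edu ([::1]) by MAIL.educause.edu ([::1]) with mapi id "
    "14.01.0421.002; Tue, 19 Feb 2013 12:16:05 -0700",
]
# Constructed stand-in for reverse DNS so this runs offline; the one entry is
# the PTR quoted in the message. A live check would call socket.gethostbyaddr.
PTR_TABLE = {"208.42.249.152": "208-42-249-152.static.data393.net"}

HOP_RE = re.compile(
    r"from\s+(?P<helo>\[?[^\s\]]+\]?)(?:\s+\(\[?(?P<ip>[^\s\]\)]+)\]?\))?"
    r".*?\bby\s+(?P<by>\S+)(?:\s+\(\[?(?P<by_ip>[^\s\]\)]+)\]?\))?"
)

def parse_hop(header):
    """Return (ehlo_name, from_ip, by_name, by_ip) for one Received header."""
    m = HOP_RE.match(header)
    if not m:
        raise ValueError("unparsable Received header: " + header)
    helo, ip = m.group("helo"), m.group("ip")
    if helo.startswith("["):  # "from [1.2.3.4]": IP only, no EHLO name recorded
        helo, ip = None, helo.strip("[]")
    return helo, ip, m.group("by"), m.group("by_ip")

def audit_chain(received, ptr_table):
    """List EHLO-vs-PTR mismatches and gaps between consecutive hops."""
    hops = [parse_hop(h) for h in received]
    findings = []
    for helo, ip, _, _ in hops:
        if helo and ip and ip not in ("::1", "127.0.0.1"):
            ptr = ptr_table.get(ip)
            if ptr is None or ptr.lower() != helo.lower():
                findings.append(f"EHLO {helo} from {ip} but PTR is {ptr}")
    # Each header's "by" host should reappear as the "from" of the header above it.
    for later, earlier in zip(hops, hops[1:]):
        l_helo, l_ip, _, _ = later
        _, _, e_by, e_by_ip = earlier
        name_ok = l_helo is not None and e_by.lower() == l_helo.lower()
        if not (name_ok or (l_ip is not None and e_by_ip == l_ip)):
            findings.append(f"gap: {e_by} ({e_by_ip}) passed it on, next hop came from {l_ip}")
    return findings
```

Run against the quoted headers it reports exactly the two oddities in the message: the EHLO name whose PTR is a generic data393.net address, and the hop from 64.18.1.35 that no earlier header accounts for.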