Educause Security Discussion mailing list archives

Re: EDUCAUSE Statement on Server Breach


From: "Lorenz, Eva" <evalorenz () UNC EDU>
Date: Wed, 20 Feb 2013 21:00:24 +0000

I actually just ignored all reset links in the email and went directly to the Educause site. Only to then still be 
prompted via email to follow a link to reset my password since you could not use your old password or get a 
verification code via phone. *grumble* 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Tuesday, February 19, 2013 7:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] EDUCAUSE Statement on Server Breach

On Tue, 19 Feb 2013 19:34:32 +0000, Bob Bayn said:

We, too, were scurrying around and called the Denver office for reassurance before that message arrived from Valerie.

You mean that mail *purporting* to be from Valerie.  Just some phishes are more intricate and well-played than others. 
:)

I mean, look at these headers on the way to the listserv box:

Received: from [64.18.1.35] by LISTSERV.EDUCAUSE.EDU (SMTPL release 1.0w) with TCP; Tue, 19 Feb 2013 12:16:50 -0700
Received: from mail.educause.edu ([208.42.249.152]) (using TLSv1) by exprod6ob115.postini.com ([64.18.5.12]) with SMTP ID DSNKUSPPog9AED1pIQwc6t0R2TWGyDwEE/iG () postini com; Tue, 19 Feb 2013 11:16:50 PST
Received: from MAIL.educause.edu ([::1]) by MAIL.educause.edu ([::1]) with mapi id 14.01.0421.002; Tue, 19 Feb 2013 12:16:05 -0700

Listserv got it from a Postini box 64.18.1.35.  Then there's a break, due to either poor header forging or a Postini 
server failing to add a Received line.

And the Postini box says it got it from a machine claiming to be mail.educause.edu in the EHLO.  But...

% host 208.42.249.152
152.249.42.208.in-addr.arpa domain name pointer 208-42-249-152.static.data393.net.

So that EHLO is just a tad suspect, because everybody knows that actual mail servers should have DNS PTRs that look like 
mailservers and not generic addresses. :)

Or am I just using waaay too much tinfoil lately? :)

(For that matter, what reason do you have to believe this e-mail is actually from me?  Your only realistic options are 
to check and maybe trust the PGP signature, or call our CISO, who'd tell you "Yeah, Val would totally write that mail" 
:)


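The header walk Valdis describes, as an added example that is not code from anyone on the thread: it parses a constructed copy of the three Received lines, flags the hop where the chain breaks (Listserv got the mail from 64.18.1.35, but the next hop says it was received by exprod6ob115.postini.com), and compares each EHLO name against a reverse-DNS table built offline from the `host` result quoted above rather than doing live lookups.

```python
import re

# Constructed sample modelled on the Received lines quoted in the thread, outermost hop first.
RECEIVED = [
    "from [64.18.1.35] by LISTSERV.EDUCAUSE.EDU (SMTPL release 1.0w) with TCP; Tue, 19 Feb 2013 12:16:50 -0700",
    "from mail.educause.edu ([208.42.249.152]) (using TLSv1) by exprod6ob115.postini.com ([64.18.5.12]) with SMTP; Tue, 19 Feb 2013 11:16:50 PST",
    "from MAIL.educause.edu ([::1]) by MAIL.educause.edu ([::1]) with mapi id 14.01.0421.002; Tue, 19 Feb 2013 12:16:05 -0700",
]

# Constructed stand-in for reverse DNS: the one PTR answer quoted in the thread.
PTR = {"208.42.249.152": "208-42-249-152.static.data393.net"}

# "from NAME ([IP]) ... by NAME ([IP])"; the bracketed IP after each name is optional.
HOP_RE = re.compile(r"^from\s+(?P<from>\S+)(?:\s+\(\[(?P<from_ip>[^\]]+)\]\))?"
                    r".*?\bby\s+(?P<by>\S+)(?:\s+\(\[(?P<by_ip>[^\]]+)\]\))?")


def parse_hop(header):
    """Split one Received line into from/by names and IPs; a bare [IP] has no name."""
    m = HOP_RE.match(header)
    if not m:
        return None
    d = m.groupdict()
    for side in ("from", "by"):
        if d[side].startswith("[") and d[side].endswith("]"):
            d[side + "_ip"], d[side] = d[side].strip("[]"), None
    return d


def _same_host(outer, inner):
    """Does the host the outer hop received from match the host the inner hop was received by?"""
    names = {outer["from_ip"], (outer["from"] or "").lower()} - {None, ""}
    return inner["by_ip"] in names or (inner["by"] or "").lower() in names


def audit(received, ptr):
    """Return (hop_index, finding) pairs: EHLO/PTR mismatches and breaks in the hop chain."""
    hops = [parse_hop(h) for h in received]
    findings = []
    for i, hop in enumerate(hops):
        ip, name = hop["from_ip"], hop["from"]
        if ip and name and ip not in ("::1", "127.0.0.1"):   # loopback hops carry no EHLO worth checking
            rdns = ptr.get(ip)
            if rdns is None:
                findings.append((i, f"no PTR for {ip} (EHLO {name})"))
            elif rdns.lower() != name.lower():
                findings.append((i, f"EHLO {name} but PTR of {ip} is {rdns}"))
        if i + 1 < len(hops) and not _same_host(hop, hops[i + 1]):
            findings.append((i, f"gap: got from {name or ip} but next hop received by {hops[i + 1]['by']}"))
    return findings


if __name__ == "__main__":
    for idx, text in audit(RECEIVED, PTR):
        print(f"hop {idx}: {text}")
```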