Firewall Wizards mailing list archives

Re: appropriate response for mail break-in

From: "Ryan M. Ferris" <rferris () rmfdevelopment com>
Date: Sun, 27 Oct 2002 21:10:14 -0800

Sorry to have dashed out the message about my mail messages so quickly. Thanks for all the help. Comparing two headers 
(real) and (faked), it looks like the Message ID has been spoofed by IP address 172.195.75.206  using my mail server IP 
161.58.164.17.

I guess this counts as a trivial spoof best handled with the delete key.

Ryan


(Real)
Received: from honor.trusecure.com (honor.trusecure.com [65.202.253.137]) by 161.58.164.17 (8.11.6) id g9S12i251039; 
Sun, 27 Oct 2002 18:02:44 -0700 (MST)
Received: from honor.trusecure.com (localhost.localdomain [127.0.0.1])
 by honor.trusecure.com (Postfix) with ESMTP
 id 4D039730A; Sun, 27 Oct 2002 19:45:11 -0500 (EST)
Delivered-To: firewall-wizards () honor icsalabs com
Received: from 161.58.164.17 (rmfdevelopment.com [161.58.164.17])
 by honor.trusecure.com (Postfix) with ESMTP id B229D733A
 for <firewall-wizards () honor icsalabs com>; Sun, 27 Oct 2002 13:50:53 -0500 (EST)
Received: from RMFLaptop ([207.149.220.199]) by 161.58.164.17 (8.11.6) id g9RJ6aX71546; Sun, 27 Oct 2002 12:06:37 -0700 
(MST)
Message-ID: <001101c27deb$f1f3d2b0$c7dc95cf@RMFLaptop>
From: "Ryan M. Ferris" <rferris () rmfdevelopment com>
To: <firewall-wizards () honor icsalabs com>
References: <Pine.LNX.4.33.0210270936360.5826-100000 () gargoyle users patriot net>

(faked)
Received: from Key (ACC34BCE.ipt.aol.com [172.195.75.206]) by 161.58.164.17 (8.11.6) id g9QNTlo89547; Sat, 26 Oct 2002 
17:29:47 -0600 (MDT)
Date: Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
Message-Id: <200210262329.g9QNTlo89547@161.58.164.17>
From: rferris <rferris () rmfdevelopment com>
To: rferris () rmfdevelopment com
Subject: End ImageReady Slices 120 
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=P76X3G980M54iLT488z3s
X-UIDL: M@G!!395!!K=`!!-n`!!





----- Original Message ----- 
From: "Paul D. Robertson" <proberts () patriot net>
To: "Ryan M. Ferris" <rferris () rmfdevelopment com>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Sunday, October 27, 2002 5:06 PM
Subject: Re: [fw-wiz] appropriate response for mail break-in

On Sun, 27 Oct 2002, Ryan M. Ferris wrote:

This is off topic. Someone is using my account to send me mail with binary
attachments.  I have contacted my provider and  asked to change my mail
password. I have sent on the message header to them. What is the next best
step?  Do I file a report with CERT? Any thoughts?


When you say "Using my account," are you saying "the mail looks like it 
comes from me," "the mail path is exactly the same and the message IDs 
look like mine,"  "same path, different message IDs," or "heck if I know 
what the deal is here?"

If you post the full headers, we might have something to work with.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessmnet TruSecure Corporation

Current thread:

IDS or Intrusion Prevention Systems Walter Ludwig (Oct 27)
- Re: IDS or Intrusion Prevention Systems Paul D. Robertson (Oct 27)
  - appropriate response for mail break-in Ryan M. Ferris (Oct 27)
    - Re: appropriate response for mail break-in Paul D. Robertson (Oct 27)
    - Re: appropriate response for mail break-in Ryan M. Ferris (Oct 28)
    - Re: appropriate response for mail break-in R. DuFresne (Oct 28)