Firewall Wizards mailing list archives
Re: appropriate response for mail break-in
From: "Ryan M. Ferris" <rferris () rmfdevelopment com>
Date: Sun, 27 Oct 2002 21:10:14 -0800
Sorry to have dashed out the message about my mail messages so quickly. Thanks for all the help. Comparing two headers (real) and (faked), it looks like the Message ID has been spoofed by IP address 172.195.75.206 using my mail server IP 161.58.164.17. I guess this counts as a trivial spoof best handled with the delete key. Ryan (Real) Received: from honor.trusecure.com (honor.trusecure.com [65.202.253.137]) by 161.58.164.17 (8.11.6) id g9S12i251039; Sun, 27 Oct 2002 18:02:44 -0700 (MST) Received: from honor.trusecure.com (localhost.localdomain [127.0.0.1]) by honor.trusecure.com (Postfix) with ESMTP id 4D039730A; Sun, 27 Oct 2002 19:45:11 -0500 (EST) Delivered-To: firewall-wizards () honor icsalabs com Received: from 161.58.164.17 (rmfdevelopment.com [161.58.164.17]) by honor.trusecure.com (Postfix) with ESMTP id B229D733A for <firewall-wizards () honor icsalabs com>; Sun, 27 Oct 2002 13:50:53 -0500 (EST) Received: from RMFLaptop ([207.149.220.199]) by 161.58.164.17 (8.11.6) id g9RJ6aX71546; Sun, 27 Oct 2002 12:06:37 -0700 (MST) Message-ID: <001101c27deb$f1f3d2b0$c7dc95cf@RMFLaptop> From: "Ryan M. Ferris" <rferris () rmfdevelopment com> To: <firewall-wizards () honor icsalabs com> References: <Pine.LNX.4.33.0210270936360.5826-100000 () gargoyle users patriot net> (faked) Received: from Key (ACC34BCE.ipt.aol.com [172.195.75.206]) by 161.58.164.17 (8.11.6) id g9QNTlo89547; Sat, 26 Oct 2002 17:29:47 -0600 (MDT) Date: Sat, 26 Oct 2002 17:29:47 -0600 (MDT) Message-Id: <200210262329.g9QNTlo89547@161.58.164.17> From: rferris <rferris () rmfdevelopment com> To: rferris () rmfdevelopment com Subject: End ImageReady Slices 120 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=P76X3G980M54iLT488z3s X-UIDL: M@G!!395!!K=`!!-n`!! ----- Original Message ----- From: "Paul D. Robertson" <proberts () patriot net> To: "Ryan M. Ferris" <rferris () rmfdevelopment com> Cc: <firewall-wizards () honor icsalabs com> Sent: Sunday, October 27, 2002 5:06 PM Subject: Re: [fw-wiz] appropriate response for mail break-in
On Sun, 27 Oct 2002, Ryan M. Ferris wrote:This is off topic. Someone is using my account to send me mail with binary attachments. I have contacted my provider and asked to change my mail password. I have sent on the message header to them. What is the next best step? Do I file a report with CERT? Any thoughts?When you say "Using my account," are you saying "the mail looks like it comes from me," "the mail path is exactly the same and the message IDs look like mine," "same path, different message IDs," or "heck if I know what the deal is here?" If you post the full headers, we might have something to work with. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessmnet TruSecure Corporation
Current thread:
- IDS or Intrusion Prevention Systems Walter Ludwig (Oct 27)
- Re: IDS or Intrusion Prevention Systems Paul D. Robertson (Oct 27)
- appropriate response for mail break-in Ryan M. Ferris (Oct 27)
- Re: appropriate response for mail break-in Paul D. Robertson (Oct 27)
- Re: appropriate response for mail break-in Ryan M. Ferris (Oct 28)
- Re: appropriate response for mail break-in R. DuFresne (Oct 28)
- appropriate response for mail break-in Ryan M. Ferris (Oct 27)
- Re: IDS or Intrusion Prevention Systems Paul D. Robertson (Oct 27)