
NormanS
join:2001-02-14
San Jose, CA
reply to mmainprize

Re: DynDNS Hacked?

said by mmainprize:

Well, I have seen where I get an e-mail but I cannot find my mailbox address in the header anywhere, but I still get the message. The name it was sent to always starts with the same letter as my e-mail address, but it is not my e-mail address.

SMTP doesn't require the "Receipt-To:" email address to be stamped in the headers. Most email services do not, but some do. Yahoo! Mail is one which does. From a test:
X-Apparently-To: x*@yahoo.com via 98.138.212.28; Sun, 28 Oct 2012 11:32:21 -0700
To: <x*@sonic.net>
 
In full:
X-Apparently-To: x*@yahoo.com via 98.138.212.28; Sun, 28 Oct 2012 11:32:21 -0700
Return-Path: <x*@hotmail.com>
Received-SPF: pass (domain of hotmail.com designates 65.55.34.210 as permitted sender)
X-Originating-IP: [65.55.34.210]
Authentication-Results: mta1130.mail.mud.yahoo.com  from=hotmail.com; domainkeys=neutral (no sig);  from=hotmail.com; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO col0-omc4-s8.col0.hotmail.com) (65.55.34.210)
  by mta1130.mail.mud.yahoo.com with SMTP; Sun, 28 Oct 2012 11:32:21 -0700
Received: from COL103-DS13 ([65.55.34.200]) by col0-omc4-s8.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
 Sun, 28 Oct 2012 11:32:02 -0700
X-Originating-IP: [173.22x.xxx.xxx]
X-EIP: [28GTtiZXl1wq2gQE9eoAgJl+wwAiwTKG]
X-Originating-Email: [x*@hotmail.com]
Message-ID: <COL103-DS1314D5780149C4D08D6733E77C0@phx.gbl>
Return-Path: x*@hotmail.com
From: S* L* <x*@hotmail.com>
To: <x*@sonic.net>
Subject: [TEST] Will this work?
Date: Sun, 28 Oct 2012 11:32:00 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0010_01CDB4FF.D887C8D0"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3505.912
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3505.912
X-OriginalArrivalTime: 28 Oct 2012 18:32:02.0709 (UTC) FILETIME=[8627AC50:01CDB53A]
Content-Length: 628
 
Once the email has been placed in the mailbox, the "Receipt-To" data is no longer needed, so it is normally discarded.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


mmainprize

join:2001-12-06
Houghton Lake, MI

said by NormanS:
SMTP doesn't require the "Receipt-To:" email address to be stamped in the headers. Most email services do not, but some do. Yahoo! Mail is one which does. From a test:

Once the email has been placed in the mailbox, the "Receipt-To" data is no longer needed, so it is normally discarded.

That's interesting. The only e-mails like those I get are in my Hotmail inbox (I get those in Outlook; I don't use the web interface).
So did that e-mail you sent with a wild-card in the address work, or was it rejected as an invalid address?

I do not know how they do it, but I get e-mails with one or more addresses in the To: line, and my address is not listed. Like you stated, it doesn't have to be there or was removed, and maybe it is a blind copy of some sort.


NormanS
join:2001-02-14
San Jose, CA
said by mmainprize:

That's interesting. The only e-mails like those I get are in my Hotmail inbox (I get those in Outlook; I don't use the web interface).
So did that e-mail you sent with a wild-card in the address work, or was it rejected as an invalid address?

I did not use a 'wildcard' in the send. TTBMK, the '*' is not a valid symbol for an SMTP transaction. Perhaps I should just have used a line of dots? I just wanted to redact the complete user name to avoid some spammer scraping the email addresses. The two user names in the example share a common initial letter, but are otherwise different; as in 'xact' and 'xtra'.

I do not know how they do it, but I get e-mails with one or more addresses in the To: line, and my address is not listed. Like you stated, it doesn't have to be there or was removed, and maybe it is a blind copy of some sort.

Indeed, it is. The spammer has suppressed the list of recipients. Yahoo! Mail, and I believe the German service GMX Mail, include the actual RCPT email addresses; most others do not.

But SMTP is very "literal"; if an email is delivered to your mailbox, the SMTP "RCPT TO:" command included that mailbox email address.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


Archi

@superkabel.de
+1 on that. I am getting spam on my dyndns@mailhell.[...].[...] mail alias. The domain has a catch-all defined, but I only get spam on aliases I used online, so we can be close to 100% sure there was a breach of some kind. I noticed this just today as the USPS spam made it past SpamAssassin into my inbox, but there might be more spam in my junk box from the past week (i.e. since the first report here).

On second thought, maybe an attacker used an exploit on home routers and got our DynDNS passwords from there. Those could be used to get the email address.
But I think that's rather improbable - there are more lucrative things one can do when messing around with routers than selling the email addresses for a few cents.

Sebastian


NormanS
join:2001-02-14
San Jose, CA
reply to mmainprize
said by mmainprize:

I do not know how they do it, but I get e-mails with one or more addresses in the To: line, and my address is not listed. Like you stated, it doesn't have to be there or was removed, and maybe it is a blind copy of some sort.

It is too late to edit my post, but add Google Mail to the list of very few providers including the SMTP envelope recipient ("RCPT TO:") email address in the headers.

Yahoo Mail:
X-Apparently-To: %me%@yahoo.com via 98.138.213.251; Thu, 01 Nov 2012 10:39:36 -0700
 

Google Mail:
Delivered-To: %me%@gmail.com
 

GMX Mail (.com is English, .net is German; both have the same header stamp):
Delivered-To: GMX delivery to %me%@gmx.com
...
Delivered-To: GMX delivery to %me%@gmx.net
 

None of my other ESPs do this. If your ESP doesn't stamp its email headers this way, you might request it. However, given the nature of SMTP, if it is in your mailbox, there was an SMTP "RCPT TO: <%your_email_address%>" command. SMTP servers don't "guess"; they are as literal as any computer.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
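The envelope-versus-header distinction NormanS describes in the two posts above, as an added example that is not code from the thread: given a raw message, it recovers the RCPT TO mailbox from the provider stamps he lists (Yahoo's X-Apparently-To, Gmail's bare Delivered-To, GMX's "GMX delivery to" Delivered-To) and checks whether that mailbox appears in To:/Cc:, which is how a suppressed-recipient spam run shows up. The sample messages, addresses and the 192.0.2.1 relay IP are constructed placeholders.

```python
import email
from email.utils import getaddresses

# Constructed sample messages (not from the thread); the stamp headers mimic the
# three formats quoted above. Addresses and the relay IP are placeholders.
YAHOO_SAMPLE = """\
X-Apparently-To: xact@yahoo.com via 192.0.2.1; Thu, 01 Nov 2012 10:39:36 -0700
From: Sender <sender@example.com>
To: <xtra@example.net>

body
"""
GMX_SAMPLE = "Delivered-To: GMX delivery to xact@gmx.net\nTo: <xtra@example.net>\n\nbody\n"
UNSTAMPED_SAMPLE = "From: Sender <sender@example.com>\nTo: <xtra@example.net>\n\nbody\n"

GMX_PREFIX = "GMX delivery to "


def envelope_recipient(raw):
    """Return the RCPT TO mailbox the receiving MTA stamped into the headers,
    or None when the provider adds no such stamp (most do not)."""
    msg = email.message_from_string(raw)
    # The first (topmost) stamp is the final delivery hop; earlier ones are forwards.
    for name in ("X-Apparently-To", "Delivered-To"):
        value = msg.get(name)
        if not value:
            continue
        value = value.split(" via ", 1)[0]       # Yahoo: "addr via IP; date"
        if value.startswith(GMX_PREFIX):
            value = value[len(GMX_PREFIX):]      # GMX: "GMX delivery to addr"
        return value.strip().lower()
    return None


def visible_recipients(raw):
    """Addresses the sender chose to show in To:/Cc: (what the mail client displays)."""
    msg = email.message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def undisclosed_recipient(raw, mailbox):
    """True when `mailbox` got the message via the envelope but is absent from
    To:/Cc: (BCC-style delivery); None if the provider did not stamp the
    envelope recipient, because then the headers alone cannot tell."""
    env = envelope_recipient(raw)
    if env is None:
        return None
    return env == mailbox.lower() and mailbox.lower() not in visible_recipients(raw)
```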