08034016
Hallo lisa Aus Amerika

[Southeast] ATT Security Breach..

AT&T had a major security breach in their system; they stole, you name it. I am getting my sister's emails by the minute from the hacker. She has BellSouth, which is now known as AT&T...

I contacted AT&T; at first he denied the issue, then technical support admitted, "Yes, we did." I am with Cox.net and am dealing with their customers spamming me because some so-called IT person got his/her degree out of a cereal box.

So far, 60 customers.
--
Holocaust survivors and their families, fill this out.
»online.ushmm.org/registry/update···form.php


NetFixer
Bah Humbug
While it is possible that the problem was an AT&T breach, it was more likely a Yahoo! breach (Yahoo! handles AT&T customer email, not AT&T). Yahoo! security breaches have happened numerous times in the past, and will no doubt continue to happen. Welcome to the Internet.

Only 60 customers? That sounds like a specific attack, not a general ISP or email host database breach. Perhaps your sister (or some other family member) pissed someone off?
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


08034016
Hallo lisa Aus Amerika
said by NetFixer:

While it is possible that the problem was an AT&T breach, it was more likely a Yahoo! breach (Yahoo! handles AT&T customer email, not AT&T). Yahoo! security breaches have happened numerous times in the past, and will no doubt continue to happen. Welcome to the Internet.

Only 60 customers? That sounds like a specific attack, not a general ISP or email host database breach. Perhaps your sister (or some other family member) pissed someone off?

No one pissed anyone off; 60 in one day. I won't have this mess go on. Secure your network or get out of the business, AT&T.


NormanS
I gave her time to steal my mind away
said by 08034016:

No one pissed anyone off; 60 in one day. I won't have this mess go on. Secure your network or get out of the business, AT&T.

Tell it to Yahoo!.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


NetFixer
Bah Humbug
reply to 08034016
said by 08034016:

No one pissed anyone off; 60 in one day.

It's called collateral damage (if I am interpreting your misinterpretation correctly). And your sister could have also been just collateral damage (or a way to piss off someone else).

said by 08034016:

I won't have this mess go on. Secure your network or get out of the business, AT&T.

You are going to need some very, very deep pockets if you plan to put AT&T out of business.


NetFixer
Bah Humbug
reply to NormanS
said by NormanS:

said by 08034016:

No one pissed anyone off; 60 in one day. I won't have this mess go on. Secure your network or get out of the business, AT&T.

Tell it to Yahoo!.

Or perhaps tell the sister who fell for some phish and compromised her own ATT/Yahoo! account; and now her account is being used to "Joe job" everyone in her address book. For that matter, the sister could also be a Joe job victim herself.


NormanS
I gave her time to steal my mind away
Could also be an easily guessed password. A relative's MSNIA account fell to that:
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MDtTQ0w9NA==
X-Message-Status: n
X-SID-PRA: Aunty <********@msn.com>
X-SID-Result: Pass
X-AUTH-Result: PASS
X-Message-Info: m2DhXBI/dWmnvCUeMwzdANPllG7jTe9yKB4KzzCCN0q8QK9IBfkcSo3Oi2Yc0VvPlRyYS+
  CwAaD1FBcEgEhKyKYu+k7DU7uSbUrvw8KXgtdWQS52pOulsg==
Received: from col0-omc4-s15.col0.hotmail.com ([65.55.34.217])
         by col0-hmmc2-f4.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
 Mon, 30 May 2011 03:26:19 -0700
Received: from COL109-W47 ([65.55.34.199])
         by col0-omc4-s15.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
 Mon, 30 May 2011 03:26:19 -0700
Message-ID: <col109-w47EEDF3751818B4D535ADDD27B0@phx.gbl>
Return-Path: ********@msn.com
Content-Type: multipart/alternative;
boundary="_e4f76282-094d-4c10-bb61-5dc852ee18dc_"
X-Originating-IP: [96.8.113.226]
From: Aunty <********@msn.com>
Subject: Pls kindly get back
Date: Mon, 30 May 2011 03:26:19 -0700
Importance: Normal
In-Reply-To: <20090909.232020.8885.0@webmail03.vgs.untd.com>
References: <20090909.232020.8885.0@webmail03.vgs.untd.com>
MIME-Version: 1.0
Bcc:
X-OriginalArrivalTime: 30 May 2011 10:26:19.0484 (UTC) FILETIME=[03DFB1C0:01CC1EB4]
 

The originating IP is near Chicago, but the MSNIA localization, on login, was someplace in India. The Chicago IP address likely harbored a spam 'bot.

So not just Yahoo! ...

Although the spammer did not include a "Return-Path:", my own 'msn.com' address was in the RCPT-TO: list; else I would not have received it.



08034016
Hallo lisa Aus Amerika
reply to NormanS
said by NormanS:

said by 08034016:

No one pissed anyone off; 60 in one day. I won't have this mess go on. Secure your network or get out of the business, AT&T.

Tell it to Yahoo!.

To my understanding, from what AT&T told me, they use them; you would think a multi-billion-dollar company would know better and use their own system. AT&T told me they were hacked; I wonder why this wasn't put on this site or the news. I talked with the person for an hour about this; he stated they had a MAJOR SECURITY BREACH, but yet nothing was said about this until I posted about it?

Norman, I know one of the scammers' emails; it's out of New Orleans.

Six months later, nothing changed on AT&T's side...

»www.fbi.gov/newark/press-release···-servers


08034016
Hallo lisa Aus Amerika
reply to NetFixer
said by NetFixer:

said by 08034016:

No one pissed anyone off; 60 in one day.

It's called collateral damage (if I am interpreting your misinterpretation correctly). And your sister could have also been just collateral damage (or a way to piss off someone else).

said by 08034016:

I won't have this mess go on. Secure your network or get out of the business, AT&T.

You are going to need some very, very deep pockets if you plan to put AT&T out of business.

You need to read that again: secure their network or get out of this business, because they sure aren't doing a damn thing about it.


NormanS
I gave her time to steal my mind away
reply to 08034016
said by 08034016:

I know one of the scammers' emails; it's out of New Orleans.

Six months later, nothing changed on AT&T's side...

»www.fbi.gov/newark/press-release···-servers

Okay. A breach of the 3G network, and the compromised email addresses were likely not all '@att.net'.

For the record, we who read the AT&T DSL forum usually deal with the legacy ADSL service. I, at least, am totally clueless about 3G iPads, because I don't have, or use it. My expertise is limited to the legacy AT&T ADSL service, which is the focus of this forum.


NetFixer
Bah Humbug
reply to 08034016
said by 08034016:

I won't have this mess go on. Secure your network or get out of the business, AT&T.

said by NetFixer:

You are going to need some very, very deep pockets if you plan to put AT&T out of business.

You need to read that again: secure their network or get out of this business, because they sure aren't doing a damn thing about it.

No matter how many times I read that quote (or anything else you have posted in this thread), it tells me nothing. How about posting some evidence? Post the full headers from some of these emails you are talking about that you are getting from your sister's (and other's) account(s). Mask the personal information part of the email addresses, but post the full headers other than that privacy edit. That will either prove that the accounts have been hacked, or show if you are simply seeing Joe job emails.

If this were a "major" security breach as you imply, others would be seeing an increase in AT&T/Yahoo! spam, and would probably be posting about it here (and/or in this forum's Security Forum). A small number of individuals who may have been taken in by a phishing scam and had their email accounts compromised does not constitute an ISP or email provider security breach; and that scenario is what you could easily be describing.

I have not seen any such increase. There is a phrase often used in Amerika: "Put your money where your mouth is".


NormanS
I gave her time to steal my mind away
08034016 has linked an AT&T 3G iPad database breach. As I read the linked news, the hacked email accounts need not be AT&T Yahoo! accounts; presumably even '@cox.net' accounts can be used to sign up for 3G iPad services.

This legacy AT&T Yahoo! HSI (AT&T DSL) forum would have squat to do with the 3G user data base.


NetFixer
Bah Humbug
reply to NormanS
said by NormanS:

said by 08034016:

I know one of the scammers' emails; it's out of New Orleans.

Six months later, nothing changed on AT&T's side...

»www.fbi.gov/newark/press-release···-servers

Okay. A breach of the 3G network, and the compromised email addresses were likely not all '@att.net'.

For the record, we who read the AT&T DSL forum usually deal with the legacy ADSL service. I, at least, am totally clueless about 3G iPads, because I don't have, or use it. My expertise is limited to the legacy AT&T ADSL service, which is the focus of this forum.

I have several legacy AT&T DSL email accounts, and I can use an AT&T cell phone to access that email. However, AT&T has not directly provided an email service for their cell phone customers since the new at&t assimilated Cingular (and those old Cingular email accounts were totally closed at that time). You can certainly use their cell phones to access your email, but if that email is an AT&T email account, it is just a coincidence that you have an AT&T email account to access.

The scam that the OP provided a link to had nothing to do with AT&T email other than that AT&T used an email address (which was not necessarily an AT&T email address) as an account name.

EDIT: Oops, slow stiff old fingers. I see that you just posted almost the same thing to me while I was typing.


08034016
Hallo lisa Aus Amerika
reply to NormanS
said by NormanS:

said by 08034016:

I know one of the scammers' emails; it's out of New Orleans.

Six months later, nothing changed on AT&T's side...

»www.fbi.gov/newark/press-release···-servers

Okay. A breach of the 3G network, and the compromised email addresses were likely not all '@att.net'.

First, this security breach that happened when I posted this was about their DSL service, not 3G; I just put that in here to show that AT&T doesn't know how to secure their system, period.

Google "ATT HACKED" all last year and this year....

Return-Path: ******@bellsouth.net>
Received: from fed1rmimpi312 ([68.230.241.31]) by fed1rmfepi106.cox.net
          (InterMail vM.8.01.05.09 201-2260-151-124-20120717) with ESMTP
          id <20130512231646.NDJR23600.fed1rmfepi106.cox.net@fed1rmimpi312>
          for ******cox.net>; Sun, 12 May 2013 19:16:46 -0400
Received: from nm25-vm5.bullet.mail.ird.yahoo.com ([212.82.109.206])
by fed1rmimpi312 with cox
id bCGj1l0074TDflQ01CGkMq; Sun, 12 May 2013 19:16:45 -0500
X-CT-Class: Clean
X-CT-Score: 0.00
X-CT-RefID: str=0001.0A020204.519022DE.0065,ss=1,re=0.000,fgs=0
X-CT-Spam: 0
X-Authority-Analysis: v=2.0 cv=ae6/a2Ut c=1 sm=1 a=DvSzqBOGy98A:10
 a=pedpZTtsAAAA:8 a=CjxXgO3LAAAA:8 a=AAM1xwptAAAA:8 a=Xd0hfm-_JGTuFHbRoFQA:9
 a=4MuJgtpZMHIA:10 a=olONZrSvYMfqxlEMkTnPuA==:117
X-CM-Score: 0.00
Received: from [77.238.189.233] by nm25.bullet.mail.ird.yahoo.com with NNFMP; 12 May 2013 23:16:44 -0000
Received: from [217.146.189.68] by tm14.bullet.mail.ird.yahoo.com with NNFMP; 12 May 2013 23:16:44 -0000
Received: from [127.0.0.1] by smtp148.mail.ird.yahoo.com with NNFMP; 12 May 2013 23:16:44 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net; s=s1024; t=1368400604; bh=jIHcJqCcv7nyvDH/8xkK/n5Q3NLszLe7yOJBgibmOpY=; h=X-Yahoo-Newman-Id:Message-ID:Date:X-Rocket-Received:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:From:To:Subject; b=lNST70Z7m2EIGySbQAIlOOo9o8OSCU0Fj2aSQ2yUCi4Z5uZdjkq9ONL7SaLhb3y3SJwxdWxEgkd1yj3s RSgpZsqyJnjqA+jYgU084bl6GGpTXglKXc2GiMn1u7HY/+nTdc7qf83hYkG4HJlYm/T4+W6ryzF6DhTkzLQdVUB34ZA=
X-Yahoo-Newman-Id: 74972.91002.bm@smtp148.mail.ird.yahoo.com
Message-ID: <74972.91002.bm@smtp148.mail.ird.yahoo.com>
Date: Sun, 12 May 2013 16:16:44 -0700 (PDT)
X-Rocket-Received: from potemynu ( with plain)
        by smtp148.mail.ird.yahoo.com with SMTP; 12 May 2013 16:16:43 -0700 PDT
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: IomzeVUVM1lZckcFMNk4pjEHpQSoRJ2AWvC12yB.uOS1Oh_
 Yo0KXmSyrSq1zvIKrf3HNN8HhoscpKQ6Cy6l3hqoI2eRm2FZDu7PlcY6lk57
 kEOIW9SjcC3a4aHPpqTBZew705unj.uUXMPOwsqySuqC.RNL6oqObBQ1Ek0r
 F1XV_WrXjryJy0gG6gXsRtiMq4ihiYSwy2cdteao0UplBw5J4f8MqceUVrZp
 fbqRXACM9jZ7RBObKnOI8xaCcfPIMZUuj8hId0PRgYER1HUFQrwobsZGeKfY
 G9uoNR2NN6oFm.5HGCMb16xfDMcEwZ99LpaAnJoz1l6cu_e6yccpVDLbx3jB
 pPEmmSnsqWIXS6GoC8IRW2SOIuxRWxJrl6saJ2zR2Yd48lrFpwina3J16CTm
 xbXRa4OH_166dZUGRpB1yvVQ9oeZHE2nWuDvi4VBZJ6KmIbP.PbueCv034Mn
 ZETdOT.em6cLKTWza1XhQ5RaiiWcgZl4wrb0olTd6UXzBOXoZ_Aww3REt2EA
 ed9_jK5oI3ZUVJvh9a1ww0y77nnl46S3JIxjnpZzLtWSYndbTRajX1.NqRNy
 i6U3XwlPdRUp8LJr0h6JiPdy9z9IAAM.Ev988sP6Ofvkt_He_
X-Yahoo-SMTP: tUchoqqswBDoirhKNxGjAwVByD_9vekBb5gtzw8hj.s****.net
To: <*****cox.net>, <customerservice@gtxpress.com>, <sarah.lee@davita.com>, <l@bellsouth.net>, <fcheney@bellsouth.net>, <lisa_ales@baxter.com>, <alan.little@genzyme.com>, <fdcheney@dhr.state.ga.us>
Subject: Fw: 
 



NormanS
I gave her time to steal my mind away
said by 08034016:

First, this security breach that happened when I posted this was about their DSL service, not 3G ...

Irrelevant. Different systems.

Google "ATT HACKED" all last year and this year....

All that I can find for this year are references to your irrelevant iPad hack; nothing DSL related. In fact, AT&T changed their login to separate the "network login" from the "e-mail login". The DSL login can, and should, be different from the e-mail login.

I did find these for 2012:

»nakedsecurity.sophos.com/2012/07···-hacked/
»news.yahoo.com/yahoo-voice-hacke···215.html
»dazzlepod.com/yahoo/

This breach affected a large number of customers; and not just AT&T.

Allow me to focus on the most critical line of your headers:

X-Rocket-Received: from potemynu ( with plain)
by smtp148.mail.ird.yahoo.com with SMTP; 12 May 2013 16:16:43 -0700 PDT

Totally devoid of any useful information. Compare:

X-Rocket-Received: from %Local_Machine_IP_Address% (%ATT_User%@173.228.7.217 with plain)
by smtp103.sbc.mail.gq1.yahoo.com with SMTP; 13 May 2013 23:55:44 -0700 PDT

The items between the % signs aren't important; but the missing IP address is an important clue.

But the Received line IP addresses above suggest a European origin, which is a long way from Louisiana.

TBBroadband

reply to 08034016
These are NOT hacks. These are addresses that are being "spoofed" It's common and happens all the time. Maybe your sister should move away from the ISP email if she has concerns about it.


NormanS
I gave her time to steal my mind away
This line from his headers:
X-Rocket-Received: from potemynu (with plain)
        by smtp148.mail.ird.yahoo.com with SMTP; 12 May 2013 16:16:43 -0700 PDT
 

Could be evidence of a hack, if the information were not redacted.

If the missing information were thus:
X-Rocket-Received: from potemynu (%Bellsouth_User_name%@%RIPE_IP_Address%  with plain)
        by smtp148.mail.ird.yahoo.com with SMTP; 12 May 2013 16:16:43 -0700 PDT
 

... how could that not be a hack? Since the OP conveniently redacted that data, we can't know.


medbuyer

reply to 08034016
That's what you and your sister get when you FWD all those junk emails...


NormanS
I gave her time to steal my mind away
Let's play a game! Tell me, what do these headers tell you?
Return-Path: <********@pacbell.net>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on b.spam.sonic.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,RCVD_IN_DNSWL_NONE autolearn=disabled version=3.3.2
Received: from h.mx.sonic.net (h.mx.sonic.net [69.12.208.76])
by a.spam.sonic.net (8.14.4/8.14.4) with ESMTP id r4G22ZgL009889
for <********@lds.sonic.net>; Wed, 15 May 2013 19:02:35 -0700
Received: from nm8-vm0.access.bullet.mail.sp2.yahoo.com (nm8-vm0.access.bullet.mail.sp2.yahoo.com [98.139.44.118])
by h.mx.sonic.net (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id r4G22Vwg000902
for <********@sonic.net>; Wed, 15 May 2013 19:02:35 -0700
Received: from [98.139.44.105] by nm8.access.bullet.mail.sp2.yahoo.com with NNFMP; 16 May 2013 02:02:31 -0000
Received: from [67.195.15.61] by tm10.access.bullet.mail.sp2.yahoo.com with NNFMP; 16 May 2013 02:02:31 -0000
Received: from [127.0.0.1] by smtp102.sbc.mail.gq1.yahoo.com with NNFMP; 16 May 2013 02:02:31 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pacbell.net; s=s1024; t=1368669751; bh=knDQSrdfwaO+6dBTdEmIgRDZ7r7eegF3SoICUVUav0M=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:X-Rocket-Received:Content-Type:Date:To:Subject:MIME-Version:Content-Transfer-Encoding:From:Organization:Message-ID:User-Agent; b=3tcsO5W8QmhIkmrn9F/ROoDip7Ug6+23sZvlOTgIhqEpHXrbTKImCGlaN5COEhPjNAdvG7mQObA3zcYGiBNgCKPUb13xOjjA2QVpSHrB5pug8N9d d9CZ89s8n+ac93FuetDTwugUtt4kDoRMMG3C4E72WTnFa1uiR6poaBfBxDc=
X-Yahoo-Newman-Id: 40225.3363.bm@smtp102.sbc.mail.gq1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: MNnM_YcVM1mEj.hgye.JH4NgRTWP91yM8hw5bqfuHEyL7QR
 3rSjaSjGBW3ZCf5K_dTzAqcTKJ_SjN_U1cP3aWo5uBi84.6Xlb.c0a.PseR0
 hwlR8L.DkmiVgrTJt7eXxUZYje6GVc6gQ5yzfVsYpdi58N.71CJCcF3fcMdQ
 xnaZSgT5G.a8kVJrPGJqoRqHeYIdxTRbSujZpRhjfBaVv1GFngSXjUcxJTqg
 I10fKxhkXH1YnPUxnQFLTJ5aYlS2LEiWZgv7KjV_92xlUuBjxZGJd2gK1iT5
 y8wkKLleopZ1AiArBHoeNzUOFrAKL19OsEmmUiGtzv1.WgEeN8ddGbdOdZSf
 nwtaB0L5MmPyJC.ai5RtL4RVKKOLTc1oLoSkuZPohG9EJAtqtzTJ3kjgTpEb
 wNXe0gi6tscEqsS4A_2lZEASE7lTOV5wAJf6pneJdgQg9vHnMkipSFgfdE8h
 HU3owaMvuuyr64wcY_yfkEfr6juScu4b3iBKBUfl7kpP9QXJsDbcYyWV0g8P
 vH6QgqJ5ab.vE3Lm8WklzlhMPIVui
X-Yahoo-SMTP: uXAXO6.swBA87Q6YS6Xron6jHSJejW560YSfkpG5jA--
X-Rocket-Received: from akari.aosake.net (********@173.228.7.217 with login)
        by smtp102.sbc.mail.gq1.yahoo.com with SMTP; 15 May 2013 19:02:30 -0700 PDT
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
Date: Wed, 15 May 2013 19:02:28 -0700
To: ********@sonic.net
Subject: [POC] Using official AT&T servers?
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "NormanS" <********@pacbell.net>
Organization: PDR
Message-ID: <op.ww5mmef0ipr21d@akari.aosake.net>
User-Agent: Opera Mail/12.15 (Win64)
X-Sonic-SB-IP-RBLs: IP RBLs sorbs-spam.
 



08034016
Hallo lisa Aus Amerika
reply to NormanS
said by NormanS:

But the Received line IP addresses above suggest a European origin, which is a long way from Louisiana.

The person who is from New Orleans is fed1rmfepi106.cox.net. I gave this email to Cox.net; it doesn't exist. That person's email is also eastrmfepo202.cox.net; he's listed as a scammer...

TBBroadband, please go back and read where I stated AT&T told me they were hacked. When my sister has the time, she will email a copy of the hack notification.

Norman, there was nothing redacted; the only thing was my email and hers. That's it. No other thing was like ,,,,///%.
What you see is pure besides the email.

Norman, look at the last email, see it?

<customerservice@gtxpress.com>, <sarah.lee@davita.com>, @bellsouth.net>, <fcheney@bellsouth.net>, <lisa_ales@baxter.com>, <alan.little@genzyme.com>, <fdcheney@dhr.state.ga.us>
Subject: Fw: 
 

The last email went to the State of Georgia, state.ga.us.

that e-mail went to the GEORGIA DEPARTMENT OF HUMAN RESOURCES.



NormanS
I gave her time to steal my mind away
said by 08034016:

Norman, there was nothing redacted; the only thing was my email and hers. That's it. No other thing was like ,,,,///%.
What you see is pure besides the email.

I believe programmers use %Named_Variable% to indicate a place where variable data will actually be used in the execution of the code; I was just trying to set off what will be variable data in the line in question. So allow me to show yours and mine side-by-side:
X-Rocket-Received: from akari (********@173.228.7.217 with login)                    | X-Rocket-Received: from potemynu [] ([] with plain)
        by smtp102.sbc.mail.gq1.yahoo.com with SMTP; 15 May 2013 19:02:30 -0700 PDT  |         by smtp148.mail.ird.yahoo.com with SMTP; 12 May 2013 16:16:43 -0700 PDT
 

Can you see what is missing from your posted headers which is present in mine? I put square brackets in yours, where there is missing data.

This single line explicitly displays the account user name, and the IP address of the connection where the Message Submission occurred. If those voids in your post truly exist, then either that line is forged, or this email was created by a Yahoo! employee with access to core systems!

Neither of which is a, "hack" of the username+password data base.

Norman, look at the last email, see it?

<customerservice@gtxpress.com>, <sarah.lee@davita.com>, @bellsouth.net>, <fcheney@bellsouth.net>, <lisa_ales@baxter.com>, <alan.little@genzyme.com>, <fdcheney@dhr.state.ga.us>
Subject: Fw: 
 

The last email went to the State of Georgia, state.ga.us.

that e-mail went to the GEORGIA DEPARTMENT OF HUMAN RESOURCES.

That line indicates a Cc: list of recipients; it went to seven disparate persons, only one of whom was a State of Georgia employee.

Please, if you intend to use e-mail trace headers for forensic evidence, learn which lines are of significance to the investigation, and which are irrelevant.

For grins and giggles, I took a screen shot of our respective headers. I removed some ISP-specific lines, pertaining to spam checking (Cox and Sonic.net, LLC have different header tags), and rearranged others to align together.

Side by side header comparison.

The red box at the top shows the active AT&T email domains in play. The red box above the "To:" lines shows the account authentication data that the Yahoo! servers stamp in their headers. The blue boxes in your headers mark the voids which would contain the evidence needed to prove either a hack (your sister's Bellsouth user name), or a forgery (some random Yahoo! user name).

If you can't show the missing data (it would be fair to substitute "Sister'sBSName" in place of her actual user name, and merely state that the IP address was her Bellsouth-issued public IP address, if that was the case), then stop trying to prove your claim that AT&T was "hacked". I already know, since last year, that Yahoo! Voices was hacked, revealing between 430,000 and 450,000 user names and associated passwords. I have seen plenty of news articles about how an AT&T 3G iPad user data base was hacked. But you need to show what happened to your sister. I have already detailed how you can prove a hack; but until you are forthcoming with the voided data in the "X-Rocket-Received:" header line, you can't prove squat.



NormanS
I gave her time to steal my mind away
reply to 08034016
said by 08034016:

The person who is from New Orleans is fed1rmfepi106.cox.net. I gave this email to Cox.net; it doesn't exist. That person's email is also eastrmfepo202.cox.net; he's listed as a scammer...

????

Did you really think 'fed1rmfepi106.cox.net' is an email address?

C:\util\dig>nslookup fed1rmfepi106.cox.net
Server:  ordns.he.net
Address:  2001:470:20::2
 
Non-authoritative answer:
Name:    fed1rmfepi106.cox.net
Address:  68.230.241.137
 

This 'fed1rmfepi106.cox.net' is a Cox Mail Server!!!!!!!

Look, I am biting my tongue until it bleeds to avoid an offensive .gif smiley; but you seriously need to learn how to read email trace headers.

This line was stamped by your Cox mail server:
Received: from fed1rmimpi312 ([68.230.241.31]) by fed1rmfepi106.cox.net
          (InterMail vM.8.01.05.09 201-2260-151-124-20120717) with ESMTP
          id <20130512231646.NDJR23600.fed1rmfepi106.cox.net@fed1rmimpi312>
          for ******cox.net>; Sun, 12 May 2013 19:16:46 -0400
 
Here is what is happening:

Cox mail server, 'fed1rmimpi312 ([68.230.241.31])', is forwarding email to Cox MDA, 'fed1rmfepi106.cox.net', (Mail Delivery Agent) so some Cox user (<*****cox.net>) can pick it up with his favorite email client. This is an Internal handoff.

This line was also stamped by your Cox mail server:
Received: from nm25-vm5.bullet.mail.ird.yahoo.com ([212.82.109.206])
          by fed1rmimpi312 with cox id bCGj1l0074TDflQ01CGkMq;
          Sun, 12 May 2013 19:16:45 -0500
 

Yahoo! MTA (Mail Transfer Agent), 'nm25-vm5.bullet.mail.ird.yahoo.com ([212.82.109.206])', connected with Cox MX (Mail eXchanger), 'fed1rmimpi312', to deliver email from a Yahoo! user; which would include any user of at least a half dozen ISPs (including AT&T) which outsource user email to Yahoo!.

Now the Cox mail servers could damned well be in Louisiana, but they are not Cox user IDs.

OTOH, the Yahoo! MTA IP address is from a block of IP addresses assigned to Yahoo! Europe by RIPE, one of five RIRs (Regional Internet Registry) which assign IP addresses.

For the record, they are:

• AfriNIC (Africa.)
• APNIC (Asia-Pacific.)
• ARIN (North America.)
• LACNIC (Latin America.)
• RIPE (Europe and the Middle East.)

Now, please! Pay attention. As FBI agents Scully and Mulder know, "The Truth is out there." But you need to know where to look!

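The two things Norman is doing by hand above, walking the Received: chain from the bottom up and checking whether Yahoo!'s X-Rocket-Received stamp carries a user name and submission IP, can be scripted. The block below is an added example, not code posted by anyone in this thread. The three sample messages are constructed from the headers quoted above (only the user names are placeholders), and the domain-to-mail-host table is an assumption taken from the thread, namely that AT&T/BellSouth mailboxes were hosted on Yahoo!'s servers at the time. It sorts a message into "credentials were used", "stamp present but voided, can't tell", or "never touched the claimed provider, forged sender". It does not do the WHOIS/RIR lookup on the IPs; that part still needs the network.

```python
"""Trace-header triage: was this mail submitted with the account's credentials
(X-Rocket-Received carries user@IP), is that stamp blank (undecidable), or did
it never pass through the claimed provider at all (forged sender)?
Added example for this thread; samples are constructed from the headers quoted
above with placeholder user names. HOSTED_BY is an assumption from the thread."""
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumption (from the thread): sender domains whose mail servers were Yahoo!'s.
HOSTED_BY = {"bellsouth.net": "yahoo.com", "att.net": "yahoo.com", "pacbell.net": "yahoo.com"}

# Constructed from the sister's headers as posted; only the user names are placeholders.
SAMPLE_HACKED = """Return-Path: <sister@bellsouth.net>
Received: from fed1rmimpi312 ([68.230.241.31]) by fed1rmfepi106.cox.net
          (InterMail vM.8.01.05.09) with ESMTP for <me@cox.net>; Sun, 12 May 2013 19:16:46 -0400
Received: from nm25-vm5.bullet.mail.ird.yahoo.com ([212.82.109.206])
 by fed1rmimpi312 with cox id bCGj1l0074TDflQ01CGkMq; Sun, 12 May 2013 19:16:45 -0500
Received: from [77.238.189.233] by nm25.bullet.mail.ird.yahoo.com with NNFMP; 12 May 2013 23:16:44 -0000
Received: from [217.146.189.68] by tm14.bullet.mail.ird.yahoo.com with NNFMP; 12 May 2013 23:16:44 -0000
Received: from [127.0.0.1] by smtp148.mail.ird.yahoo.com with NNFMP; 12 May 2013 23:16:44 -0000
X-Rocket-Received: from potemynu (sister@109.165.194.75 with plain)
        by smtp148.mail.ird.yahoo.com with SMTP; 12 May 2013 16:16:43 -0700 PDT
From: <sister@bellsouth.net>
To: <me@cox.net>
Subject: Fw:

(body)
"""
# Same stamp with the user@IP voided, as in the first version the OP posted.
SAMPLE_REDACTED = SAMPLE_HACKED.replace("(sister@109.165.194.75 with plain)", "( with plain)")
# Constructed "Joe job": From: is forged and the mail never touched a Yahoo! server.
SAMPLE_FORGED = """Return-Path: <bounce@example.net>
Received: from fed1rmimpi312 ([68.230.241.31]) by fed1rmfepi106.cox.net with ESMTP; Sun, 12 May 2013 19:16:46 -0400
Received: from dsl-203-0-113-7.example.net ([203.0.113.7]) by fed1rmimpi312 with cox; Sun, 12 May 2013 19:16:45 -0500
From: <sister@bellsouth.net>
To: <me@cox.net>
Subject: Fw:

(body)
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"                                # name the sender claimed (HELO)
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"   # IP the receiving server saw
    r".*?\bby\s+(?P<by>\S+)")                               # server that stamped the line
# Yahoo!'s submission stamp: "from <helo> (<user>@<ip> with <auth>)" on an authenticated send.
ROCKET_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<user>[^@\s()]+)@)?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})?\s*with\s+(?P<auth>\w+)\)")


def _unfold(value):
    """Collapse a folded header (continuation lines) into one line."""
    return re.sub(r"\s+", " ", value).strip()


def parse_received(raw):
    """Return the Received: chain in travel order (oldest hop first)."""
    hops = []
    # Each MTA prepends its own Received: line, so header order is newest first.
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        m = RECEIVED_RE.search(_unfold(value))
        if not m:
            continue
        ip = m.group("ip") or m.group("from").strip("[]")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            ip = None  # the from-token was a host name, not an address
        hops.append({"from": m.group("from").strip("[]"), "ip": ip, "by": m.group("by")})
    return hops


def parse_submission(raw):
    """Pull user/IP/auth out of X-Rocket-Received; None if the header is absent."""
    value = email.message_from_string(raw).get("X-Rocket-Received")
    if value is None:
        return None
    m = ROCKET_RE.search(_unfold(value))
    return m.groupdict() if m else {"helo": None, "user": None, "ip": None, "auth": None}


def classify(raw):
    """Credential use vs. a voided stamp vs. a sender that never relayed via its provider."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    provider = HOSTED_BY.get(sender.rpartition("@")[2].lower())
    hops, sub = parse_received(raw), parse_submission(raw)
    # Only the "by" host of a hop stamped by a server you trust is reliable; the
    # "from" name was asserted by the previous hop and can be anything.
    via_provider = provider is not None and any(h["by"].lower().endswith(provider) for h in hops)
    if sub and sub["user"] and sub["ip"]:
        verdict = "authenticated_submission"  # someone logged in as this account from sub["ip"]
    elif sub:
        verdict = "submission_data_missing"   # stamp present but user/IP blank: cannot tell
    elif not via_provider:
        verdict = "forged_sender"             # never relayed through the claimed provider
    else:
        verdict = "inconclusive"
    return {"sender": sender, "via_provider": via_provider, "submission": sub,
            "hops": hops, "verdict": verdict}


if __name__ == "__main__":
    for raw in (SAMPLE_HACKED, SAMPLE_REDACTED, SAMPLE_FORGED):
        r = classify(raw)
        print(r["verdict"], [h["by"] for h in r["hops"]], r["submission"])
```

Run it and the first sample comes back authenticated_submission with user "sister" and IP 109.165.194.75 (the Bosnian ADSL address the OP later found), the voided copy comes back submission_data_missing, and the forged sample comes back forged_sender because no hop was stamped by a yahoo.com server even though From: claims bellsouth.net. An authenticated submission from an address the account owner does not use is the evidence Norman asks for; the verdict says nothing about how the password was obtained (phish, guess, or a leaked database).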


08034016
Hallo lisa Aus Amerika
reply to 08034016
Norman, thanks. I will check that blue area you highlighted and will edit this post if anything is different.

No, I don't think (fed1rmimpi312) is a real Cox email address. :D But if you Google it, it's listed as a scammer... I know some about headers.
This is the email that was sent to her; I am redacting her email only.

quote:
From: AT&T Internet Security Services Center
To: *********@bellsouth.net
Sent: Monday, May 13, 2013 3:44 AM
Subject: WARNING NOTICE from the AT&T Internet Services Security Center

This email is to advise you that your account may have been compromised. We recommend changing the passwords on your account(s). In case of active misuse the account will have the password invalidated. Be sure to select a password not used previously.

Please review the help information posted online for additional information and steps to take. »www.att.com/HackedID

If you are unable to regain access to your account with the online support you may contact customer service at 800 ATT-2020 (800 288-2020) and speak with Technical Support.

Regards,
AT&T Internet Services Security Center
abuse@att.net
EDIT: Redacted her name.
X-Rocket-Received: from potemynu (*******@109.165.194.75 with plain)
        by smtp148.mail.ird.yahoo.com with SMTP; 12 May 2013 16:16:43
 

The IP comes from:
IP Lookup Result for 109.165.194.75
IP Address:109.165.194.75
Host of this IP:adsl-165-194-75.teol.net
Organization:Telekom Srpske
ISP:Telekom Srpske
City:Srpska
Country:Bosnia and Herzegovina
State:Republika Srpska
Timezone:Europe/Sarajevo
 

Thanks, Norman, you were a lot of help...


NormanS
I gave her time to steal my mind away
said by 08034016:

Norman, thanks. I will check that blue area you highlighted and will edit this post if anything is different.

No, I don't think (fed1rmimpi312) is a real Cox email address. :D But if you Google it, it's listed as a scammer... I know some about headers.

Fair enough; but in the context of your headers it is just part of an FQDN (Fully Qualified Domain Name), a host name used by Cox on one of their servers. If, instead of Google, you use 'nslookup' from a command line, you will find an IP address. If you run WHOIS on the IP address (I use a Windows port of a Linux tool), you will find that both the domain part of the FQDN ('cox.net') and the IP address belong to Cox.

This is the email that was sent to her; I am redacting her email only ...

While the link looks legitimate, the "Cc:" list including non-AT&T domains is suspicious.

EDIT: Redacted her name.

X-Rocket-Received: from potemynu (*******@109.165.194.75 with plain)
        by smtp148.mail.ird.yahoo.com with SMTP; 12 May 2013 16:16:43
 

The IP comes from:
IP Lookup Result for 109.165.194.75
IP Address:109.165.194.75
Host of this IP:adsl-165-194-75.teol.net
Organization:Telekom Srpske
ISP:Telekom Srpske
City:Srpska
Country:Bosnia and Herzegovina
State:Republika Srpska
Timezone:Europe/Sarajevo
 

I have never received an email from AT&T regarding a security issue. The most recent AT&T communication that I have received does not include this line, which is stamped by the Yahoo! message submission server. It also does not have a "Cc:" list of recipients, AT&T users or otherwise.

I presume the string of asterisks is your sister's Bellsouth email account user name. That would pretty much clinch a hack.

Was there an attachment? Was the link embedded in the email encoded? Either would be a further suspicious sign.

Thanks, Norman, you were a lot of help...

You're welcome. Until I had seen the Yahoo! Voices breach, I was doubtful about how a Yahoo! account could be hacked; other than by responding to a "phish". But whatever other posters might say, unless they can tear my proposition apart in a logical manner, your sister's account was, indeed, hacked.

WRT the poster claiming forgery, I know it is more common. But knowing what to look for in the headers will sort that out.



hotlynx2

My ATT/Yahoo account was hacked last year (10/2012) (never had Yahoo Voices). I had a simple password, but I think they got into Yahoo's database. Never replied to any phishing email. Caught it quick, went to the ATT web site, changed to a complex password, and got it stopped. They were sending spam to all my contacts.
--
Motorola 3360,Trendnet TEW-432BRP ROUTER, GA-P43T-ES3G E8400,4GB ram,HD4650 VID,PowerEdge SC430,ECS N2U400-A,AMD XP3200+,1GB ddr memory, Radeon 9800XT AGP