
Kylemaul
Lovin' My Firefox
Premium
join:2001-03-30
Buffalo, NY

Someone, please help the @dslr.net mail team with their security!

Title says it all.
Issues began with emails directed at other @dslr.net members arriving in my inbox.
This is the latest---

From - Sun Aug 10 11:46:20 2014
X-Account-Key: account4
X-UIDL: 000001a651de7d2b
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path:
X-Original-To: kylemaul@dslr.net
Delivered-To: kylemaul@dslr.net
Received: from [181.66.156.106] (unknown [181.66.156.106])
by mail.dslr.net (Postfix) with ESMTP id B14B476E1B
for ; Sat, 9 Aug 2014 21:08:52 -0400 (EDT)
Message-ID:
From: "kylemaul@dslr.net"
To:
Subject: Pharmacy Online
Date: 9 Aug 2014 08:45:10 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109

Pharmacy with cheap prices
»doctornnek.cn.com

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
What makes you think it was 'directed at other members'?

(By the way, there's a difference between a letter and the envelope: delivery only depends on the envelope. The 'To:' line is part of the letter within the envelope).


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7

1 recommendation

reply to Kylemaul
That was just plain vanilla spam. It's par for the course with any email account.

This is not a serious security issue.
--
AT&T Uverse; 2Wire 3800-HGV router; openSuSE factory; KDE 4.13.80; firefox 31.0


sashwa
Premium,Mod
join:2001-01-29
Alcatraz
kudos:17

2 recommendations

reply to Kylemaul
It's spam.

I get them in my junk mail all the time. This started happening to me after we were hacked a couple of years ago. I had one of the accts that was involved.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC

2 recommendations

reply to Kylemaul
There is no breach of security. The headers:
Return-Path: <**********@yahoo.com>
Received: from compute5.internal (compute5.nyi.mail.srv.osa [10.202.2.45])
    by sloti27t06 (Cyrus git2.5+0-git-fastmail-9858) with LMTPA;
    Wed, 23 Jul 2014 13:32:15 -0400
X-Sieve: CMU Sieve 2.4
X-Spam-charsets: plain='ISO-8859-1'
X-Resolved-to: **********@fastmail.jp
X-Delivered-to: **********@fastmail.jp
X-Mail-from: **********@yahoo.com
Received: from mx1 ([10.202.2.200])
  by compute5.internal (LMTPProxy); Wed, 23 Jul 2014 13:32:15 -0400
Received: from c.mail.sonic.net (c.mail.sonic.net [64.142.111.80])
   (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
   (No client certificate requested)
   by mx1.messagingengine.com (Postfix) with ESMTPS id 6B231F2001C
   for <**********@fastmail.jp>; Wed, 23 Jul 2014 13:32:15 -0400 (EDT)
Received: from Miyuki.aosake.net (reki.aosake.net [173.228.7.217])
   (authenticated bits=0)
   by c.mail.sonic.net (8.14.9/8.14.9) with ESMTP id s6NHW8Rr006130
   (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT);
   Wed, 23 Jul 2014 10:32:08 -0700
Message-ID: <53CFF193.8060601@Miyuki.aosake.net>
Date: Wed, 23 Jul 2014 10:32:03 -0700
From: "NormanS" <**********@yahoo.com>
Organization: PDR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: NormanS <**********@aosake.net>
Subject: [TEST] Another look at DMARC
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Sonic-CAuth: UmFuZG9tSVaZFVvnb3Ry9rwOLjre887PPJXBAC5JT1xKo6juEkEfurrfrCzuNZzc3wuoX2P49EtXq4q8e5 cMwzyNYreXyp5p
X-Sonic-ID: C;4mBKRY8S5BGJPfI5oK8kYw== M;9oiBRY8S5BGJPfI5oK8kYw==
X-Spam-Flag: No
X-Sonic-Spam-Details: 1.2/5.0 by cerberusd
 

"To: <**********@aosake.net>" in a Fastmail account (<**********@fastmail.jp>)? So how is it done? "Bcc:". Here are the headers from the exact same message (Mid$: <53CFF193.8060601@Miyuki.aosake.net>) as it sits in the "Sent" folder of the sending account:
BCC: **********@hotmail.com, **********@aol.com, **********@gmail.com, 
 **********@fastmail.jp, **********@pacbell.net
Message-ID: <53CFF193.8060601@Miyuki.aosake.net>
Date: Wed, 23 Jul 2014 10:32:03 -0700
From: "NormanS" <**********@yahoo.com>
Organization: PDR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: NormanS <**********@aosake.net>
Subject: [TEST] Another look at DMARC
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
 

Spammers use this technique all the time. Use the "Bcc:" option to suppress e-mail addresses, so nobody can see all of the recipients. It has a legitimate purpose; but spammers do it to suppress the recipient list in the mistaken belief that it helps avoid spam filters.

I just noticed another common spammer trick. Your e-mail address was forged as the sender; easy enough for anybody to do with any extant e-mail client.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
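The envelope/letter distinction dave raised, and the Bcc mechanism NormanS demonstrates above, can be seen end to end in a few lines. This is an added example for this thread, not code from dslreports or from any real mail software: the MTA is a toy in-memory model standing in for Postfix, and every address, hostname and message is constructed sample data. What it shows is that the client builds the envelope recipient list from To, Cc and Bcc, strips the Bcc header before sending, and the MTA then delivers purely on the envelope, which is why a copy whose To: names edlong@dslr.net ends up carrying Delivered-To: kylemaul@dslr.net.

```python
"""Envelope recipients vs. the To: header.

Added example for this forum thread, not code from dslreports or any mail
server.  The MTA below is a toy in-memory model (an assumption, not Postfix),
and all addresses and message contents are constructed sample data.
"""
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import getaddresses


def client_submit(msg: EmailMessage):
    """What a mail client does on 'Send': the envelope recipient list is built
    from To, Cc AND Bcc, then the Bcc header is removed before the message
    leaves the machine.  Returns (envelope_from, envelope_rcpts, wire_text)."""
    rcpts = []
    for field in ("To", "Cc", "Bcc"):
        rcpts.extend(addr for _, addr in getaddresses(msg.get_all(field, [])))
    envelope_from = str(msg["From"])   # nothing here verifies this address
    del msg["Bcc"]                     # the recipient list stays private
    return envelope_from, rcpts, msg.as_string()


def mta_deliver(envelope_from, envelope_rcpts, wire, mailboxes):
    """Toy MTA: delivery is driven only by the envelope (RCPT TO), never by
    the To: header.  Like Postfix it records the envelope recipient in a
    Delivered-To header and the envelope sender in Return-Path."""
    for rcpt in envelope_rcpts:
        copy = f"Return-Path: <{envelope_from}>\nDelivered-To: {rcpt}\n" + wire
        mailboxes.setdefault(rcpt, []).append(copy)
    return mailboxes


def header_vs_envelope(raw):
    """For one delivered copy, return (To header, Delivered-To header)."""
    m = Parser(policy=policy.default).parsestr(raw)
    return str(m["To"]), str(m["Delivered-To"])


def demo():
    # Constructed message: display sender forged, one visible recipient,
    # two hidden ones.
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "kylemaul@dslr.net"
    msg["To"] = "edlong@dslr.net"
    msg["Bcc"] = "kylemaul@dslr.net, someone@example.net"
    msg["Subject"] = "Statement of account"
    msg.set_content("constructed sample body\n")

    env_from, rcpts, wire = client_submit(msg)
    boxes = mta_deliver(env_from, rcpts, wire, {})
    bcc_leaked = "Bcc:" in wire
    views = {r: header_vs_envelope(boxes[r][0]) for r in boxes}
    return rcpts, bcc_leaked, views


if __name__ == "__main__":
    rcpts, leaked, views = demo()
    print("envelope recipients:", rcpts)
    print("Bcc header on the wire:", leaked)
    for mailbox, (to_hdr, delivered_to) in views.items():
        print(f"{mailbox}: To={to_hdr!r} Delivered-To={delivered_to!r}")
```

The copy in kylemaul's mailbox is indistinguishable, from the To: line alone, from one delivered to edlong; only Delivered-To (and the Received: "for <...>" clause) reflects who the envelope actually named.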


Selenia
I love Debian
Premium
join:2006-09-22
Fort Smith, AR
kudos:2
reply to Kylemaul
I agree. On Safe-mail.net I had issues getting a confirmation email. Now that I run my own server, I see why. I had to temporarily turn off RFC checks to get it. Yet, I get mail from other members and the admins fine. Watch out on password changes or email changes though. They even fail reverse DNS!


Kylemaul
Lovin' My Firefox
Premium
join:2001-03-30
Buffalo, NY
reply to Kylemaul
Thank you for the responses everyone.
Of note: I have been -incredibly particular- about what I use this e-mail address for, in order to avoid exactly what's happening here.
My largest concern at this point is if my dslr email address is being used to send this crap to anyone else. If it is/can be, I'll just scrap the account.

This started with emails addressed to other dslr members--an example follows:
Of note: I did not respond to any of these...
I'm assuming the garbage at the end is an image of some sort.
A member here at dslr explained that this is "alphabet" spam.

From - Thu Apr 03 10:36:25 2014
X-Account-Key: account4
X-UIDL: 000000b251de7d2b
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path:
X-Original-To: kylemaul@dslr.net
Delivered-To: kylemaul@dslr.net
Received: from 109-13-17-86.static.virginm.net (unknown [86.17.13.109])
by mail.dslr.net (Postfix) with ESMTP id CB5E577896;
Thu, 3 Apr 2014 06:55:47 -0400 (EDT)
Received: from [113.120.230.143] (port=75104 helo=[10.0.2.61]) by 86.17.13.109 with asmtp id 1rqLaL-000XC-00 for edlong@dslr.net; 3 Apr 2014 07:25:38 GMT
Message-ID:
Date: 3 Apr 2014 07:27:38 GMT
From: "Sky.com"
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: edlong@dslr.net
Subject: Statement of account
Content-Type: multipart/mixed;
boundary="----=_Part_62896_1969282376.6317925279826"
X-Spam: Not detected
X-Mras: Ok

This is a multi-part message in MIME format.
------=_Part_62896_1969282376.6317925279826
Content-Type: text/plain; charset=windows-1251; format=flowed
Content-Transfer-Encoding: 7bit

Good morning,

Please find attached the statement of account.

We look forward to receiving payment for the March invoice as this is now due
for payment.

Regards

Kelly

This email, including attachments, is private and confidential. If you have
received this email in error please notify the sender and delete it from your
system. Emails are not secure and may contain viruses. No liability can be
accepted for viruses that might be transferred by this email or any attachment.
Wilson McKendrick LLP Solicitors, Queens House, 29 St. Vincent Place, Glasgow G1
2DT Registered in Scotland No. SO303162. Members: Mark Wilson LLB Dip. NP LP
Allan T. McKendrick LLB Dip. LP NP.

------=_Part_62896_1969282376.6317925279826
Content-Type: application/zip;
name="MarchStatement.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
name="MarchStatement.zip"
[base64-encoded attachment body omitted]
------=_Part_62896_1969282376.6317925279826--


therube

join:2004-11-11
Randallstown, MD
Per MBAM:

> Trojan.Downloader.Upatre, C:\TMP\MarchStatement.zip, , [484bbd052c4f7cbabe325523b44d0ef2],


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1

1 recommendation

reply to Kylemaul
It only appeared to be to a different user. It could also have been addressed to multiple users.

said by Kylemaul:

X-Original-To: kylemaul@dslr.net
Delivered-To: kylemaul@dslr.net

--
Oh, Opera, what have you done?


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to Kylemaul
said by Kylemaul:

My largest concern at this point is if my dslr email address is being used to send this crap to anyone else. If it is/can be, I'll just scrap the account.

Anybody can use anybody else's email address in the SMTP "MAIL FROM:" argument. There are a couple of mechanisms to try to mitigate that: SPF, Domain Keys, and DMARC. Each has its proponents, and problems. DSLR has an SPF record:
;; ANSWER SECTION:
dslr.net.               300     IN      TXT     "v=spf1 mx a ptr include:dslreports.com ~all"
 

Here is an example forgery:
Return-Path: <k******i@dslr.net>
Received: from c.mail.sonic.net (c.mail.sonic.net [64.142.111.80])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mtaig-aan04.mx.aol.com (Internet Inbound) with ESMTPS id 4B631700000A8
    for <**********@aol.com>; Wed, 13 Aug 2014 07:32:08 -0400 (EDT)
Received: from Miyuki.aosake.net (reki.aosake.net [173.228.7.217])
    (authenticated bits=0)
    by c.mail.sonic.net (8.14.9/8.14.9) with ESMTP id s7DBW3wT016447
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT)
    for <**********@aol.com>; Wed, 13 Aug 2014 04:32:05 -0700
Message-ID: <53EB4CB0.4010008@Miyuki.aosake.net>
Date: Wed, 13 Aug 2014 04:32:00 -0700
From: Ben Sample <k******i@dslr.net>
Organization: DSLR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: **********@aol.com
Subject: [TEST] Forgery
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Sonic-CAuth: UmFuZG9tSVYoDxFGj5YUBMstD6fUtjr3Mn9tfF/RVnUezJ0vkmKM3zQ9P6t4i9vB9HI2QFZuh1zZRZtiPjgSZ9VaAscmsc5E
X-Sonic-ID: C;lMb2ct0i5BGH/d90oK8kYw== M;cmyVc90i5BGH/d90oK8kYw==
X-Spam-Flag: No
X-Sonic-Spam-Details: 0.0/5.0 by cerberusd
x-aol-global-disposition: G
Authentication-Results: mx.aol.com;
    spf=softfail (aol.com: the domain dslr.net reports 64.142.111.80 should not be sending mail using it's domain name, but is not forbidden from doing so.) smtp.mailfrom=dslr.net;
x-aol-sid: 3039ac1b134453eb4cb632a6
X-AOL-IP: 64.142.111.80
X-AOL-SPF: domain : dslr.net SPF : softfail
 

Notice, toward the end, the "Authentication-Results:". "Softfail".

I also have an SPF record:
;; ANSWER SECTION:
aosake.net.             6062    IN      TXT     "v=spf1 a ip4:173.228.7.217 include:mail.sonic.net -all"
 

But observe the results tag: The "~all" in the DSLR record, vs. the "-all" in mine. And the forged headers:
Return-Path: <**********@aosake.net>
Received: from nm18-vm4.bullet.mail.ne1.yahoo.com (nm18-vm4.bullet.mail.ne1.yahoo.com [98.138.91.178])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mtaiw-mac04.mx.aol.com (Internet Inbound) with ESMTPS id 5DF8F700000A8
    for <**********@aol.com>; Wed, 13 Aug 2014 07:44:33 -0400 (EDT)
DKIM-Signature: {Redacted.}
DomainKey-Signature: {Redacted.}
Received: from [98.138.84.46] by tm104.bullet.mail.ne1.yahoo.com with NNFMP; 13 Aug 2014 11:44:31 -0000
Received: from [127.0.0.1] by smtp114.mail.ne1.yahoo.com with NNFMP; 13 Aug 2014 11:44:31 -0000
X-Yahoo-Newman-Id: 914922.30279.bm@smtp114.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: {Key redacted.}
X-Yahoo-SMTP: tWofq1mswBAyG013CIZr52fvDyMUnfA-
Message-ID: <53EB4F9B.5040308@Miyuki.aosake.net>
Date: Wed, 13 Aug 2014 04:44:27 -0700
From: NormanS <**********@aosake.net>
Organization: DSLR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: **********@aol.com
Subject: [TEST] Forgery ...
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
x-aol-global-disposition: G
X-AOL-SCOLL-AUTHENTICATION: mtaiw-mac04.mx.aol.com ; domain : yahoo.com DKIM : pass
Authentication-Results: mx.aol.com;
    spf=fail (aol.com: the domain aosake.net reports that 98.138.91.178 is explicitly not authorized to send mail using it's domain name.) smtp.mailfrom=aosake.net;
    dkim=pass (aol.com: email passed verification from the domain yahoo.com.) header.d=yahoo.com;
x-aol-sid: 3039ac1adeca53eb4fa0267d
X-AOL-IP: 98.138.91.178
X-AOL-SPF: domain : aosake.net SPF : fail
 

Here we see a "hard" fail; this is the consequence of the difference between "~all" and "-all" in the SPF record. (I should also point out that Yahoo! gives this a DKIM pass; that is an artifact of my Yahoo! account configuration.) Either way, an email system which checks the SPF record can, theoretically, filter, and flag based on SPF results. Just for completeness, here is an example which is not a forgery:
Return-Path: <**********@aosake.net>
Received: from c.mail.sonic.net (c.mail.sonic.net [64.142.111.80])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mtaig-aag05.mx.aol.com (Internet Inbound) with ESMTPS id 2685D70000081
    for <**********@aol.com>; Wed, 13 Aug 2014 07:59:30 -0400 (EDT)
Received: from Miyuki.aosake.net (reki.aosake.net [173.228.7.217])
    (authenticated bits=0)
    by c.mail.sonic.net (8.14.9/8.14.9) with ESMTP id s7DBxQdc031962
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT)
    for <**********@aol.com>; Wed, 13 Aug 2014 04:59:27 -0700
Message-ID: <53EB531B.1090007@Miyuki.aosake.net>
Date: Wed, 13 Aug 2014 04:59:23 -0700
From: "NormanS" <**********@aosake.net>
Organization: DSLR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: **********@aol.com
Subject: [TEST] Not a forgery
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Sonic-CAuth: UmFuZG9tSVbR9661ZFC2U9ChVboyvvtpbXJMlS2WIVYOIFOgrQaxg4Deq8t0nZ76sCckWBBQW4ehfNlN6Z DIwhq8xTVgK8Yp
X-Sonic-ID: C;kH8GRuEi5BGa/990oK8kYw== M;aE5pRuEi5BGa/990oK8kYw==
X-Spam-Flag: No
X-Sonic-Spam-Details: 0.0/5.0 by cerberusd
x-aol-global-disposition: G
Authentication-Results: mx.aol.com;
    spf=pass (aol.com: the domain aosake.net reports 64.142.111.80 as a permitted sender.) smtp.mailfrom=aosake.net;
x-aol-sid: 3039ac1a7e4553eb532159ba
X-AOL-IP: 64.142.111.80
X-AOL-SPF: domain : aosake.net SPF : pass
 

The bad news is, you can't prevent any e-mail address from being forged. The good news is, if the receiving e-mail system checks SPF, they will tag a fail on a forged DSLR e-mail account, even if they accept delivery.

I'm assuming the garbage at the end is an image of some sort.
A member here at dslr explained that this is "alphabet" spam.

Actually, it is a "Base 64" encoded .zip file.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
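To make the "~all" versus "-all" difference concrete, here is a minimal SPF evaluator run against the two records quoted in the post. This is an added example for this thread, not code from dslreports or from any real SPF library. DNS is a constructed in-memory table: the two TXT records are the ones shown above, but every A and MX record and the contents of the included domains (dslreports.com, mail.sonic.net) are assumptions so the example runs offline; the "ptr" mechanism and macros are not implemented and simply never match.

```python
"""Minimal SPF (RFC 7208 subset) evaluator.

Added example for this forum thread, not code from dslreports or any SPF
library.  The DNS table is constructed: the two TXT records are the ones
quoted in the thread, everything else (A/MX data, included records) is an
assumption chosen so the checks reproduce the verdicts seen in the headers.
Supported: all, ip4, a, mx, include and the +/-/~/? qualifiers.
Not supported: ptr, exists, macros, CIDR suffixes on a/mx (treated as no match).
"""
import ipaddress

DNS = {  # constructed zone data (assumption), in place of real lookups
    "dslr.net": {
        "TXT": "v=spf1 mx a ptr include:dslreports.com ~all",
        "A": ["203.0.113.10"],
        "MX": ["mail.dslr.net"],
    },
    "mail.dslr.net": {"A": ["203.0.113.25"]},
    "dslreports.com": {"TXT": "v=spf1 ip4:203.0.113.0/24 -all"},
    "aosake.net": {
        "TXT": "v=spf1 a ip4:173.228.7.217 include:mail.sonic.net -all",
        "A": ["173.228.7.217"],
    },
    "mail.sonic.net": {"TXT": "v=spf1 ip4:64.142.111.0/24 -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_records(name):
    return DNS.get(name, {}).get("A", [])


def _ip_in(ip, target, prefix):
    """True if ip falls inside target/prefix (prefix as a string, e.g. '24')."""
    return ip in ipaddress.ip_network(f"{target}/{prefix}", strict=False)


def check_spf(client_ip, domain, depth=0):
    """Evaluate client_ip sending MAIL FROM:<...@domain>.

    Returns one of pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                       # RFC 7208 caps include: recursion
        return "permerror"
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            target, _, prefix = arg.partition("/")
            matched = _ip_in(ip, target, prefix or "32")
        elif mech == "a":
            matched = any(ip == ipaddress.ip_address(a)
                          for a in _a_records(arg or domain))
        elif mech == "mx":
            matched = any(ip == ipaddress.ip_address(a)
                          for mx in DNS.get(arg or domain, {}).get("MX", [])
                          for a in _a_records(mx))
        elif mech == "include":
            # include: matches only when the referenced record says "pass"
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        # ptr and anything unknown fall through as "no match" in this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched, no "all" term


if __name__ == "__main__":
    for ip, dom in [("64.142.111.80", "dslr.net"),
                    ("64.142.111.80", "aosake.net"),
                    ("98.138.91.178", "aosake.net")]:
        print(f"{ip} for {dom}: {check_spf(ip, dom)}")
```

With the records as written, the same sonic.net relay (64.142.111.80) is only a softfail for dslr.net because its record ends in "~all", but a hard fail for a forgery of aosake.net through Yahoo (98.138.91.178) because that record ends in "-all". The verdict is the same information the AOL "Authentication-Results:" lines above report; what a receiver does with it is a separate decision.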


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 edit

2 recommendations

reply to Kylemaul
You may want to read this wikipedia article: »en.wikipedia.org/wiki/Joe_job

Or just search for "Joe job" with your favorite Internet search engine, and you will find that this is not a dslr.net security issue; it is an old (but still used) method of sending spam.

Even the fact that the spammer seemed to know your @dslr.net email address does not indicate a security issue. Your dslreports.com user name is freely available in plain text (on this site and in search engines that track posts on this site) -- all the spammer had to do was append "@dslr.net" to that user name (or perhaps now, they don't even need to do the append):




--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
reply to Kylemaul


Kylemaul
Lovin' My Firefox
Premium
join:2001-03-30
Buffalo, NY
reply to NormanS
Thank you--I wish I understood half of what you outlined. My take-away from this is that SPF used here wasn't adequate to shuffle this to a spam wastebucket. I'm guessing that maybe SPF is old-school, since I don't seem to have similar issues from other e-mail domains, or that the other domains are using SPF in conjunction with other filtering methods. Sadly, I'm clueless enough that this may be rampant with other email domains, and it is just dslr's 'transparency' that is troubling me?


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
How an SPF result is handled is up to the receiver. All of my SPF "Fail" test messages went to my Inbox, despite being flagged. I have not tested this with Mozilla Thunderbird, but that client is capable of filtering on custom headers.

You would need to examine the raw e-mail source to see how any given system handles an anti-forgery protocol.

I am basically uncertain why you thought this was a security issue. It is well known that e-mail is an inherently insecure messaging medium.

Cartel does have a point. I redacted all of the user names (as, "*****@") in my examples. He points to a post you made 2 1/2 years ago, in which you exposed your e-mail address, as you did in the OP. As well, NetFixer provides a weakness, which is not security, but privacy related.

If I wanted to set up a DSLR e-mail account for myself, and accepted the default user name, it would be extremely easy to guess: "NormanS@...".

I did expose a 15-year-old "@yahoo.com" email address to the public in Usenet articles shortly after setting up the account. The spammers "scrape", or "harvest" such publicly exposed e-mail addresses for their own ends. I even had a spammer forge my "@yahoo.com" e-mail address, resulting in a flood of DFNs which nearly rendered that account useless. If you enter your email address in an Internet search, you will find all the places where a spammer's search 'bot can find it; and when they find it, they will "own" it, in the sense that they will add it to their database of, "confirmed opt-in e-mail addresses". To the spammer, if they send and don't get a bounce, that address has "consented to accept advertised offers."

If you consider that a breach of security, the breach is on your hands. I started running my own e-mail service when I realized that was the only way to truly "own" my e-mail address. My current NNTP-Posting (Usenet) email address is: <nospam@blackhole.aosake.net>. It will fail if you try to send an e-mail. It is not a, "munge". I control DNS for the domain, and have set no "A", or "MX" record for 'blackhole.aosake.net'.
C:\util\dig>nslookup blackhole.aosake.net
Server:  1000-0000-0000-0000-09d7-04ed-a420-2062.6rd.ip6.sonic.net
Address:  2602:24a:de40:7d90::1
 
*** 1000-0000-0000-0000-09d7-04ed-a420-2062.6rd.ip6.sonic.net can't find
 blackhole.aosake.net: Non-existent domain
 

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
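NormanS's point that handling an SPF result is up to the receiver (and that a client can filter on the header) can be shown with a small receiver-side filter. This is an added example for this thread, not code from AOL, Fastmail or Thunderbird: it parses the three "Authentication-Results:" headers quoted earlier in the thread (addresses were already redacted there) and maps the verdict to a folder. The folder policy is an assumption. One check a practitioner would insist on is also included: only honour an Authentication-Results header whose authserv-id is your own border MTA, since the header is plain text and a sender could add a fake "spf=pass" line of its own.

```python
"""Receiver-side handling of SPF/DKIM verdicts from Authentication-Results.

Added example for this forum thread, not code from AOL, Fastmail or
Thunderbird.  The three sample headers are copied from the thread; the
folder policy and the trusted authserv-id are assumptions.
"""
import re

# Sample headers quoted in the thread (constructed dict, real header text).
SAMPLES = {
    "forged_dslr": (
        "Authentication-Results: mx.aol.com;\n"
        "    spf=softfail (aol.com: the domain dslr.net reports 64.142.111.80 "
        "should not be sending mail using it's domain name, but is not forbidden "
        "from doing so.) smtp.mailfrom=dslr.net;\n"
    ),
    "forged_aosake": (
        "Authentication-Results: mx.aol.com;\n"
        "    spf=fail (aol.com: the domain aosake.net reports that 98.138.91.178 "
        "is explicitly not authorized to send mail using it's domain name.) "
        "smtp.mailfrom=aosake.net;\n"
        "    dkim=pass (aol.com: email passed verification from the domain "
        "yahoo.com.) header.d=yahoo.com;\n"
    ),
    "genuine": (
        "Authentication-Results: mx.aol.com;\n"
        "    spf=pass (aol.com: the domain aosake.net reports 64.142.111.80 as a "
        "permitted sender.) smtp.mailfrom=aosake.net;\n"
    ),
}

TRUSTED_AUTHSERV = "mx.aol.com"   # assumption: the receiver's own border MTA


def parse_auth_results(header_block):
    """Return (authserv_id, {method: (result, {prop: value})}).

    Handles folded continuation lines and strips (comments)."""
    value = " ".join(line.strip() for line in header_block.splitlines())
    value = re.sub(r"\([^)]*\)", "", value)          # drop CFWS comments
    _, _, body = value.partition(":")                 # drop the header name
    parts = [p.strip() for p in body.split(";") if p.strip()]
    authserv, results = parts[0], {}
    for stanza in parts[1:]:
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method] = (result, props)
    return authserv, results


def disposition(header_block, trusted=TRUSTED_AUTHSERV):
    """Map the verdicts to a folder (assumed policy).

    A DKIM pass only counts when header.d matches the MAIL FROM domain,
    the alignment idea DMARC builds on; an unaligned DKIM pass (yahoo.com
    signing for aosake.net) does not rescue an SPF fail."""
    authserv, results = parse_auth_results(header_block)
    if authserv != trusted:
        return "Inbox"                  # not our MTA's header: ignore it
    spf, spf_props = results.get("spf", ("none", {}))
    dkim, dkim_props = results.get("dkim", ("none", {}))
    aligned_dkim = dkim == "pass" and \
        dkim_props.get("header.d") == spf_props.get("smtp.mailfrom")
    if spf == "fail" and not aligned_dkim:
        return "Junk"
    if spf == "softfail" and not aligned_dkim:
        return "Inbox (tag: SPF softfail)"
    return "Inbox"


if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name}: {disposition(hdr)}")
```

The softfail case is exactly the one Kylemaul saw: with "~all" the receiver is told "probably not authorised" and, as NormanS says, usually just tags the message rather than rejecting it; the same forgery against a "-all" domain lands in Junk under this policy.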


Kylemaul
Lovin' My Firefox
Premium
join:2001-03-30
Buffalo, NY
::facepalm:: oops


Kylemaul
Lovin' My Firefox
Premium
join:2001-03-30
Buffalo, NY
Any possibility of a mod deleting this thread and the one that Cartel pointed out?