rebus9

join:2002-03-26
Tampa Bay
reply to Snowy

Re: DynDNS Hacked?

Anything is possible, but over the years I've accumulated a little over 200 unique aliases. Only the DynDNS alias received spam, and there are far easier aliases to guess. (think of big name merchants, etc)


koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23
said by rebus9:

Anything is possible, but over the years I've accumulated a little over 200 unique aliases. Only the DynDNS alias received spam, and there are far easier aliases to guess. (think of big name merchants, etc)

As someone who adopted this methodology of trying to prevent spam and "track the source who distributed the Email address", I can assure you with absolute certainty that in the long term / grand scheme of things it doesn't work.

For example, my method was to use things like dyndns@subdomain.domain.com. Sure, it worked wonderfully, until spammers began changing their methods/models. They don't care about bouncebacks or SMTP rejections (no such user) any more -- they quite literally just guess whatever as the username, send the mail out as best they can, and discard the results. They take words out of dictionaries, make their own permutations, take common names of services/companies/etc., and use them as the username portion as well as the domain portion and just "hope for the best".

So in my case, what's the chance of them "guessing" dyndns@subdomain.domain.com, despite it never being mentioned anywhere or used anywhere but with DynDNS? Answer: extremely high. In fact, it's even higher than the likelihood of DynDNS selling my Email address.

Obviously if you used something like jds3i2jke00_34hskj@domain.com where the username portion was totally random and very long (we're talking 12+ characters minimum), the chance of this happening is very low, but it's still possible. Remember: spammers will figure it out, even if just by chance.

A colleague of mine has been using a clever-but-different version of the above model with pretty good results -- specifically, username@{year}.hisdomain.com. When the year rolls, he nukes the A/MX records for the previous year, and adds ones for the current. The downside to this method is that he has to "train" human beings to remember to specify the correct year when Emailing him (e.g. address books have to be updated once a year). But overall it works.

That's all I have to say on the matter.
--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.

rebus9

join:2002-03-26
Tampa Bay
said by koitsu:

said by rebus9:

Anything is possible, but over the years I've accumulated a little over 200 unique aliases. Only the DynDNS alias received spam, and there are far easier aliases to guess. (think of big name merchants, etc)

As someone who adopted this methodology of trying to prevent spam and "track the source who distributed the Email address", I can assure you with absolute certainty that in the long term / grand scheme of things it doesn't work.

We'll agree to disagree. I've been doing this since I registered my first domain way back in 1996. It has worked spectacularly well for 16 years, and continues to do so. Within the past year or so, the same thing happened to a small nutritional supplement vendor. They had no clue their user data had been compromised until I phoned them after receiving a phish email to that alias.

It also comes in handy for detecting which websites prostitute their users out to 3rd parties. I had a couple of aliases that received floods of unsolicited messages (calling them that, instead of spam, because it was focused/targeted content and not random). There was absolutely no doubt who'd sold their lists to 3rd parties who sold products that correlated with the original vendor's genre.

Sure, I'll name the worst offender-- active.com. I used them to sign up for a few races, and within a couple of months I was flooded with advertising emails from many different vendors of running shoes, running clothing, accessories (gps trainers, heartrate monitors, etc). And before you ask-- I always make sure I've un-checked any boxes that ask for permission to give my address to partners and 3rd parties, or asking if I want to receive periodic emails, etc.


aha

@your-server.de
Now I got similar mails like KodloN...

I use MD5sums (MD5 of site and username) as the local part of my email addresses.
At the moment I have 5 of them because I have to manage 5 different dyndns accounts for my customers.

Today I got 4 mails (to 4 different for-dyndns-used-addresses) like this:

--- SNIP ---
Return-Path:
Received: from web25.webkontrol.doruk.net.tr (unknown [212.58.2.167])
by my-mailserver (Postfix) with ESMTP id 41D922A9BC
for ; Fri, 26 Oct 2012 13:09:55 +0200 (CEST)
Received: from WEB25 ([127.0.0.1]) by web25.webkontrol.doruk.net.tr with MailEnable ESMTP; Fri, 26 Oct 2012 14:09:36 +0300
Date: Fri, 26 Oct 2012 14:09:36 +0300
Subject: *SPAMVERDACHT*UPS delivery problem # Error ID21777
To: the@ddress
From: "UPS Support"
X-Mailer: MIME-tools5.503(Entity5.501)
Reply-To: "UPS Support"
Message-ID:
--- SNAP ---

or this

--- SNIP ---
Return-Path:
Received: from yumatrix.arvixededicated.com (unknown [65.98.83.154])
by mailserver (Postfix) with ESMTPS id 177162B34F
for ; Fri, 26 Oct 2012 02:24:50 +0200 (CEST)
Received: from yumatrix by yumatrix.arvixededicated.com with local (Exim 4.80)
(envelope-from )
id 1TRXPA-00070C-PU
for my2nd@ddress; Thu, 25 Oct 2012 20:04:04 -0400
To: my2nd@ddress
Subject: Error in the delivery address ID#66305
From: "UPS Information"
X-Mailer: CSMTPConnectionv1.3
Reply-To: "UPS Information"
Message-Id:
Date: Thu, 25 Oct 2012 20:04:04 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - yumatrix.arvixededicated.com
X-AntiAbuse: Original Domain - mydomain
X-AntiAbuse: Originator/Caller UID/GID - [501 501] / [47 12]
X-AntiAbuse: Sender Address Domain - yumatrix.arvixededicated.com
--- SNAP ---

That really looks like somebody hacked Dyndns!
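A small detector built on the per-service alias schemes koitsu and aha describe above (an added example, not code posted in this thread): it derives one address per site, then reads the recipient headers of incoming messages and reports which site's alias was hit. It uses a keyed HMAC rather than the plain MD5 aha mentions, so the alias cannot be recomputed from the site name alone; the key, domain, account list and sample messages are all constructed for the example.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses

# Constructed for this example: a real deployment keeps the key outside the source.
SECRET_KEY = b"replace-with-a-long-random-secret"
MAIL_DOMAIN = "example.net"


def make_alias(site: str, username: str) -> str:
    """Derive the per-service address handed out only to that one site. The poster used
    MD5(site + username); a keyed HMAC means knowing the scheme is not enough to guess it."""
    tag = hmac.new(SECRET_KEY, f"{site}\x00{username}".encode(), hashlib.sha256)
    return f"{tag.hexdigest()[:16]}@{MAIL_DOMAIN}"


def alias_table(accounts: dict[str, str]) -> dict[str, str]:
    """Map each derived alias back to the site it was given to."""
    return {make_alias(site, user): site for site, user in accounts.items()}


def recipients(raw_message: str) -> set[str]:
    """Lower-cased addresses from the To, Cc and Delivered-To headers."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def attribute_leaks(raw_messages: list[str], table: dict[str, str]) -> dict[str, list[str]]:
    """Group unsolicited messages by the site whose alias they were addressed to."""
    hits: dict[str, list[str]] = {}
    for raw in raw_messages:
        subject = message_from_string(raw).get("Subject", "")
        for addr in recipients(raw):
            if addr in table:
                hits.setdefault(table[addr], []).append(subject)
    return hits


ACCOUNTS = {"dyndns.com": "alice", "active.com": "alice", "shop.example": "alice"}
TABLE = alias_table(ACCOUNTS)

# Constructed samples modelled on the headers quoted in this thread.
SAMPLES = [
    f"To: {make_alias('dyndns.com', 'alice')}\nFrom: \"UPS Support\" <noreply@example.invalid>\n"
    "Subject: UPS delivery problem # Error ID21777\n\nbody\n",
    f"To: friend@example.org, {make_alias('dyndns.com', 'alice')}\nSubject: My resume\n\nbody\n",
    "To: someone-else@example.net\nSubject: Error in the delivery address ID#66305\n\nbody\n",
]
```

Running `attribute_leaks(SAMPLES, TABLE)` reports two messages against the dyndns.com alias and nothing for the other two sites, which is the signal the thread's posters are relying on.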


thermoman

@mediaWays.net
Hi there,

just found the following phishing mail in my INBOX addressed to an unique email address only used for my dyndns account:

To:
Subject: My resume
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="__MESSAGE__ID__ABcSZaXcVzngFw"
 
--__MESSAGE__ID__ABcSZaXcVzngFw
Content-type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
 
Hello,
 
Thank you for getting back to me about the clerk position.
I really want to be a part of the company and the job sound great.
So I'm sending you all documents with the scan of my passport.
 
Looking forward to your reply.
Thank you.
--__MESSAGE__ID__ABcSZaXcVzngFw
Content-Type: application/x-msdownload; name="Resume_CV_Passport_Scans.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Resume_CV_Passport_Scans.zip"
 
...
 

Googled "dyndns hacked" just after reading this mail and found this board.


thermoman

@mediaWays.net
Seems they are already aware of the situation:

»twitter.com/DynInc/status/261864026571677696

rebus9

join:2002-03-26
Tampa Bay
said by thermoman:

Seems they are already aware of the situation:

»twitter.com/DynInc/status/261864026571677696

I emailed them directly around the time I made the original post here, and got a response from Dyn asking for the spam/scam message and full headers. (which I sent) Seeing that other users are also getting the same spam kind of confirms my suspicion that the Dyn email list is "out there".

Now the question is how it got there-- either via 3rd party, or system compromise.