
List:       firewall-wizards
Subject:    Re: [fw-wiz] appropriate response for mail break-in
From:       "R. DuFresne" <dufresne () sysinfo ! com>
Date:       2002-10-28 13:24:51


Or, in this case, a trivial drop via procmail; after all, I'm guessing you
seldom send yourself e-mails, though you might now and then, but you can
still apply some filtering via procmail to limit this.

Thanks,

Ron DuFresne


On Sun, 27 Oct 2002, Ryan M. Ferris wrote:

> Sorry to have dashed out the message about my mail messages so quickly. Thanks for all the help. Comparing two headers (real) and (faked), it looks like the Message ID has been spoofed by IP address 172.195.75.206 using my mail server IP 161.58.164.17.
> I guess this counts as a trivial spoof best handled with the delete key.
> 
> Ryan
> 
> 
> (Real)
> Received: from honor.trusecure.com (honor.trusecure.com [65.202.253.137]) by 161.58.164.17 (8.11.6) id g9S12i251039; Sun, 27 Oct 2002 18:02:44 -0700 (MST)
> Received: from honor.trusecure.com (localhost.localdomain [127.0.0.1])
> by honor.trusecure.com (Postfix) with ESMTP
> id 4D039730A; Sun, 27 Oct 2002 19:45:11 -0500 (EST)
> Delivered-To: firewall-wizards@honor.icsalabs.com
> Received: from 161.58.164.17 (rmfdevelopment.com [161.58.164.17])
> by honor.trusecure.com (Postfix) with ESMTP id B229D733A
> for <firewall-wizards@honor.icsalabs.com>; Sun, 27 Oct 2002 13:50:53 -0500 (EST)
> Received: from RMFLaptop ([207.149.220.199]) by 161.58.164.17 (8.11.6) id g9RJ6aX71546; Sun, 27 Oct 2002 12:06:37 -0700 (MST)
> Message-ID: <001101c27deb$f1f3d2b0$c7dc95cf@RMFLaptop>
> From: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
> To: <firewall-wizards@honor.icsalabs.com>
> References: <Pine.LNX.4.33.0210270936360.5826-100000@gargoyle.users.patriot.net>
> 
> (faked)
> Received: from Key (ACC34BCE.ipt.aol.com [172.195.75.206]) by 161.58.164.17 (8.11.6) id g9QNTlo89547; Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
> Date: Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
> Message-Id: <200210262329.g9QNTlo89547@161.58.164.17>
> From: rferris <rferris@rmfdevelopment.com>
> To: rferris@rmfdevelopment.com
> Subject: End ImageReady Slices 120 
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary=P76X3G980M54iLT488z3s
> X-UIDL: M@G!!395!!K=`!!-n`!!
> 
> ----- Original Message ----- 
> From: "Paul D. Robertson" <proberts@patriot.net>
> To: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
> Cc: <firewall-wizards@honor.icsalabs.com>
> Sent: Sunday, October 27, 2002 5:06 PM
> Subject: Re: [fw-wiz] appropriate response for mail break-in
> 
> 
> > On Sun, 27 Oct 2002, Ryan M. Ferris wrote:
> > 
> > > This is off topic. Someone is using my account to send me mail with binary
> > > attachments.  I have contacted my provider and  asked to change my mail
> > > password. I have sent on the message header to them. What is the next best
> > > step?  Do I file a report with CERT? Any thoughts?
> > 
> > When you say "Using my account," are you saying "the mail looks like it 
> > comes from me," "the mail path is exactly the same and the message IDs 
> > look like mine,"  "same path, different message IDs," or "heck if I know 
> > what the deal is here?"
> > 
> > If you post the full headers, we might have something to work with.
> > 
> > Paul
> > -----------------------------------------------------------------------------
> > Paul D. Robertson      "My statements in this message are personal opinions
> > proberts@patriot.net      which may have no basis whatsoever in fact."
> > probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
> > 
> > 
> 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
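
Turning the header comparison in the thread into a check (an added example, not code from the thread or from either poster): the last Received header is the hop where a message entered Ryan's server, so a message carrying his From address that was submitted from an unknown peer, or whose Message-ID was stamped by the relay rather than by his own client, is the kind a procmail rule could drop. The trusted laptop IP is assumed from the genuine header; the sample headers are the thread's, trimmed.

```python
import re
from email import message_from_string

OWN_ADDR = "rferris@rmfdevelopment.com"   # the impersonated account (from the thread)
OWN_RELAY = "161.58.164.17"               # Ryan's mail server (from the thread)
TRUSTED_IPS = {"207.149.220.199"}         # assumption: the laptop seen in the genuine header

# Constructed sample input: both header sets from the thread, trimmed to the hops the
# check needs and refolded as RFC 822 headers.
REAL = """\
Received: from honor.trusecure.com (honor.trusecure.com [65.202.253.137])
\tby 161.58.164.17 (8.11.6) id g9S12i251039; Sun, 27 Oct 2002 18:02:44 -0700 (MST)
Received: from RMFLaptop ([207.149.220.199]) by 161.58.164.17 (8.11.6)
\tid g9RJ6aX71546; Sun, 27 Oct 2002 12:06:37 -0700 (MST)
Message-ID: <001101c27deb$f1f3d2b0$c7dc95cf@RMFLaptop>
From: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
To: <firewall-wizards@honor.icsalabs.com>
"""
FAKED = """\
Received: from Key (ACC34BCE.ipt.aol.com [172.195.75.206]) by 161.58.164.17
\t(8.11.6) id g9QNTlo89547; Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
Message-Id: <200210262329.g9QNTlo89547@161.58.164.17>
From: rferris <rferris@rmfdevelopment.com>
To: rferris@rmfdevelopment.com
"""

def origin_hop(msg):
    """Earliest hop is the last Received header; return (HELO name, peer IP)."""
    received = msg.get_all("Received") or [""]
    first = " ".join(received[-1].split())            # unfold the header
    m = re.match(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", first)
    if not m:
        return None, None
    ip = re.search(r"\[(\d+(?:\.\d+){3})\]", m.group(2) or "")
    return m.group(1), (ip.group(1) if ip else None)

def assess(raw):
    """Reasons a message claiming to be from OWN_ADDR looks injected, if any."""
    msg = message_from_string(raw)
    findings = []
    if OWN_ADDR not in (msg.get("From") or ""):
        return findings                               # not claiming to be us
    helo, ip = origin_hop(msg)
    if ip not in TRUSTED_IPS:
        findings.append(f"origin {helo} [{ip}] is not a trusted submission host")
    mid = (msg.get("Message-ID") or "").strip("<>")
    if mid.rpartition("@")[2] == OWN_RELAY:
        findings.append("Message-ID was assigned by the relay, sender supplied none")
    return findings
```

The genuine message yields no findings; the faked one is flagged for both the AOL origin and the relay-generated Message-ID.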

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

