List: firewall-wizards
Subject: Re: [fw-wiz] appropriate response for mail break-in
From: "R. DuFresne" <dufresne () sysinfo ! com>
Date: 2002-10-28 13:24:51
Or, in this case, a trivial drop via procmail, after all, I'm guessing you
seldom send yourself e-mails, though, you might now and then, but, you can
still apply some filtering via procmail to limit this.
Thanks,
Ron DuFresne
On Sun, 27 Oct 2002, Ryan M. Ferris wrote:
> Sorry to have dashed out the message about my mail messages so quickly. Thanks for
> all the help. Comparing two headers (real) and (faked), it looks like the Message
> ID has been spoofed by IP address 172.195.75.206 using my mail server IP
> 161.58.164.17.
> I guess this counts as a trivial spoof best handled with the delete key.
>
> Ryan
>
>
> (Real)
> Received: from honor.trusecure.com (honor.trusecure.com [65.202.253.137]) by
> 161.58.164.17 (8.11.6) id g9S12i251039; Sun, 27 Oct 2002 18:02:44
> -0700 (MST)
> Received: from honor.trusecure.com (localhost.localdomain [127.0.0.1])
> by honor.trusecure.com (Postfix) with ESMTP
> id 4D039730A; Sun, 27 Oct 2002 19:45:11 -0500 (EST)
> Delivered-To: firewall-wizards@honor.icsalabs.com
> Received: from 161.58.164.17 (rmfdevelopment.com [161.58.164.17])
> by honor.trusecure.com (Postfix) with ESMTP id B229D733A
> for <firewall-wizards@honor.icsalabs.com>; Sun, 27 Oct 2002 13:50:53 -0500 (EST)
> Received: from RMFLaptop ([207.149.220.199]) by 161.58.164.17 (8.11.6) id
> g9RJ6aX71546; Sun, 27 Oct 2002 12:06:37 -0700 (MST)
> Message-ID: <001101c27deb$f1f3d2b0$c7dc95cf@RMFLaptop>
> From: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
> To: <firewall-wizards@honor.icsalabs.com>
> References: <Pine.LNX.4.33.0210270936360.5826-100000@gargoyle.users.patriot.net>
>
> (faked)
> Received: from Key (ACC34BCE.ipt.aol.com [172.195.75.206]) by 161.58.164.17
> (8.11.6) id g9QNTlo89547; Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
> Date: Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
> Message-Id: <200210262329.g9QNTlo89547@161.58.164.17>
> From: rferris <rferris@rmfdevelopment.com>
> To: rferris@rmfdevelopment.com
> Subject: End ImageReady Slices 120
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary=P76X3G980M54iLT488z3s
> X-UIDL: M@G!!395!!K=`!!-n`!!
>
>
>
>
>
> ----- Original Message -----
> From: "Paul D. Robertson" <proberts@patriot.net>
> To: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
> Cc: <firewall-wizards@honor.icsalabs.com>
> Sent: Sunday, October 27, 2002 5:06 PM
> Subject: Re: [fw-wiz] appropriate response for mail break-in
>
>
> > On Sun, 27 Oct 2002, Ryan M. Ferris wrote:
> >
> > > This is off topic. Someone is using my account to send me mail with binary
> > > attachments. I have contacted my provider and asked to change my mail
> > > password. I have sent on the message header to them. What is the next best
> > > step? Do I file a report with CERT? Any thoughts?
> >
> > When you say "Using my account," are you saying "the mail looks like it
> > comes from me," "the mail path is exactly the same and the message IDs
> > look like mine," "same path, different message IDs," or "heck if I know
> > what the deal is here?"
> >
> > If you post the full headers, we might have something to work with.
> >
> > Paul
> > -----------------------------------------------------------------------------
> > Paul D. Robertson "My statements in this message are personal opinions
> > proberts@patriot.net which may have no basis whatsoever in fact."
> > probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
> >
> >
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
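
The header comparison and the self-addressed-mail filter discussed in this thread, as an added Python sketch that is not part of any poster's message. It reads only the topmost Received line (the one the recipient's own server wrote) and flags mail addressed from an account to itself when the connecting IP is not a known client; `OWN_SERVER`, `KNOWN_CLIENTS`, `triage` and `suspicious` are names assumed for this example, and treating the RMFLaptop address as the known client is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the two quoted messages above (wrapped lines rejoined).
FAKED = """\
Received: from Key (ACC34BCE.ipt.aol.com [172.195.75.206]) by 161.58.164.17 (8.11.6) id g9QNTlo89547; Sat, 26 Oct 2002 17:29:47 -0600 (MDT)
Message-Id: <200210262329.g9QNTlo89547@161.58.164.17>
From: rferris <rferris@rmfdevelopment.com>
To: rferris@rmfdevelopment.com

"""
REAL = """\
Received: from honor.trusecure.com (honor.trusecure.com [65.202.253.137]) by 161.58.164.17 (8.11.6) id g9S12i251039; Sun, 27 Oct 2002 18:02:44 -0700 (MST)
Received: from RMFLaptop ([207.149.220.199]) by 161.58.164.17 (8.11.6) id g9RJ6aX71546; Sun, 27 Oct 2002 12:06:37 -0700 (MST)
Message-ID: <001101c27deb$f1f3d2b0$c7dc95cf@RMFLaptop>
From: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
To: <firewall-wizards@honor.icsalabs.com>

"""
OWN_SERVER = "161.58.164.17"
KNOWN_CLIENTS = {"207.149.220.199"}  # assumption: the RMFLaptop hop in the real header

# Captures: connecting IP in [..], the "by" host, and the receiving server's queue id.
HOP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+).*?\bid\s+(\w+);", re.S)

def triage(raw, own_server=OWN_SERVER, known_clients=KNOWN_CLIENTS):
    msg = message_from_string(raw)
    # Only the topmost Received line is written by our own server; lower ones can be forged.
    m = HOP.search(msg.get_all("Received", [""])[0])
    peer, by, qid = m.groups() if m else (None, None, None)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    return {
        "peer_ip": peer,                      # who actually connected to our server
        "trusted_hop": by == own_server,      # top hop really is ours
        "self_addressed": bool(sender) and sender == rcpt,
        "peer_known": peer in known_clients,
        # sendmail stamps an ID containing its queue id when the client sent none
        "msgid_has_queue_id": bool(qid) and qid in msg.get("Message-Id", ""),
    }

def suspicious(raw):
    t = triage(raw)
    return t["trusted_hop"] and t["self_addressed"] and not t["peer_known"]

if __name__ == "__main__":
    for name, raw in (("faked", FAKED), ("real", REAL)):
        print(name, triage(raw), "suspicious:", suspicious(raw))
```
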