[Coco] List member account compromised:

Arthur Flexser flexser at fiu.edu
Mon Oct 22 12:58:23 EDT 2012


I also got a copy that was not by way of the CoCo list.

Art

On Mon, Oct 22, 2012 at 11:52 AM, John E. Malmberg <wb8tyw at qsl.net> wrote:
> On 10/22/2012 10:17 AM, John Musbach wrote:
>>
>> It should be noted that the fact that an email appeared to have been
>> sent by Paul does not necessarily mean his account was compromised. It
>> is very easy for malware to simply relay email with a legitimate email
>> address specified in the header's "From" field and that's all mailman
>> verifies before accepting email to the list.
>
>
> I am quite familiar with how e-mail can be spoofed.
>
> However I also received the same spam directly to one of my e-mail addresses
> from the same sender, so was able to analyze it in detail.
>
> 1. It was relayed through the AOL server, so it must have been sent by an
> authenticated AOL user, or AOL got hacked.  AOL getting hacked that badly
> would have set off an e-mail storm on other forums that I monitor, and they
> are quiet.
>
> 2. The sender has one of my personal e-mail addresses, and this mailing list
> address.  The number of non-list subscribers that are AOL subscribers that
> meet these criteria is probably far less than 5.
>
>
> AOL should have detected this account compromise as the spammer connected to
> AOL from an IP address with no rDNS.  In the majority of cases, a password
> authenticated connection from an IP address with no rDNS indicates that a
> criminal has taken over the account.
>
> AOL customers can ask AOL why they are not doing this trivial security
> check, especially since AOL has been rejecting external SMTP e-mail from
> sites with no rDNS for at least the last 10 years because the only traffic
> seen from those sites were spam or viruses.
>
> This is a test that all network servers should be doing for password
> authenticated connections.
>
> Remote e-mail should be using certificates and VPNs instead of password
> authentication.
>
> Regards,
> -John
> wb8tyw(at)qsl.network
> Personal Opinion Only
>
>
>
> --
> Coco mailing list
> Coco at maltedmedia.com
> http://five.pairlist.net/mailman/listinfo/coco
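
The header analysis described in the quoted message (finding the password-authenticated relay hop and checking whether the connecting IP had reverse DNS) can be sketched as below. This is an added example, not part of the original thread: the message, host names and addresses are constructed, and the Postfix-style `Received` layout is an assumption.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread). IPs are documentation
# ranges and host names are placeholders. Assumed Received layout:
#   from HELO (RDNS [IP]) by HOST with PROTOCOL ...
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mail.recipient.example with ESMTP id A1; Mon, 22 Oct 2012 11:40:02 -0400
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby smtp.provider.example with ESMTPSA id B2; Mon, 22 Oct 2012 11:40:00 -0400
From: Member <member@provider.example>
Subject: constructed sample

body
"""

HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.S,
)
# RFC 3848 "with" keywords that record a client authenticated via SMTP AUTH.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}
# The receiving server writes "unknown" (or nothing) when the PTR lookup failed.
NO_RDNS = {None, "unknown"}

def parse_hops(raw):
    """Return one dict per Received header that matches the assumed layout."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append(m.groupdict())
    return hops

def suspicious_submissions(raw):
    """Authenticated hops whose client IP had no reverse DNS name recorded."""
    return [h for h in parse_hops(raw)
            if h["proto"].upper() in AUTH_PROTOCOLS and h["rdns"] in NO_RDNS]

if __name__ == "__main__":
    for hop in suspicious_submissions(SAMPLE):
        print(f"authenticated submission to {hop['by']} from {hop['ip']} without rDNS")
```

Only `Received` lines written by servers you trust are reliable; anything below the first trusted hop can be forged by the sender, just like the `From` field.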


