Email / Viruses / Security Info

by Amazing 12 Replies latest jw friends

  • Jourles

    Rather than someone physically being at a location such as a public library, which may have their own servers running in the back room for whatever reason, most hackers prefer to spoof (fake) an email address rather than breaking into someone's account and sending mail directly from the real mail account. It is very simple to do once you know where to find email servers which allow open relaying. Email servers which allow relaying are used frequently by spammers. The reason for doing so is because it hinders you from tracing the spam back to its sender. That is why when you run a trace on the originating IP address in a spam email header, it will resolve back to the open relay email server. What are you going to do then? Go after the library or high school where the email was relayed through?

    Open relay servers will let anyone connect to port 25, which is used for sending and receiving mail between servers, and allow them to use ANY fictitious or real email account name they please. This is called spoofing, or faking an email account name. I could connect to one of these open relay email servers and send you an email from [email protected] if I wanted to. OR, [email protected] for that matter. I could then simply say to email me back at another address, say Hotmail, and ask you to "send me your login password to JWD because of a software upgrade that I need to test. Not to worry, I'm Simon and you already know me very well from my site. My jehovahs-witness email account isn't receiving mail right now, it's only sending, so that is why I need you to send it to my hotmail account." Do you see how easily a naive person could fall for that?

    There are databases which allow you to submit email servers which allow relaying to be blocked, such as ORDB and MAPS. These databases allow most email servers to query their IP address lists, which show what IPs are allowing open relaying and being abused for spamming purposes. If a match occurs, an email server can be config'd to deny mail from IP addresses on their lists. Result? No more spam email pouring into your box. http://www.ordb.org/lookup/ will allow you to input an IP address and see if it is listed.

    Bottom line is, unless someone is sniffing your network listening to all traffic over ports 25 and 110 (both used for email) and capturing your password in CLEAR text, or you have a very weak password, 99% of the time when you receive an email from someone you do not know (literally), but the address is one you recognize, it is more than likely a hacker spoofing the email address through an email server which is allowing relaying.

  • Simon

    Anyone running open relay servers is part of the problem, not the solution. They deserve all they get.

    I have been thinking of coordinating or creating an 'exJW certificate service' which would allow email messages to be verified / authenticated as genuine to prevent this type of spoofing (which people have done).

    Just to make clear - I would never send out a program and ask anyone to run it or ask for your password. In fact, come the next version of the software, even I won't have access to your password so I will only be able to reset it, not retrieve it.

  • Jourles

    Here is a cut and paste of one of my email server logs, notice the spam blocking ability -----

    Mon 2002-06-17 21:55:16: [376:268] Accepting SMTP connection from [65.17.108.194]
    Mon 2002-06-17 21:55:16: [376:268] Looking up PTR record for 65.17.108.194 (194.108.17.65.IN-ADDR.ARPA)
    Mon 2002-06-17 21:55:16: [376:268] D=194.108.17.65.IN-ADDR.ARPA TTL=(1440) PTR=[host108-194.rancor.birch.net]
    Mon 2002-06-17 21:55:16: [376:268] Gathering A-records for PTR hosts
    Mon 2002-06-17 21:55:16: [376:268] A-record resolution of [host108-194.rancor.birch.net] in progress (DNS Server: XXX.XXX.XXX.XXX)...
    Mon 2002-06-17 21:55:17: [376:268] D=host108-194.rancor.birch.net TTL=(30) A=[65.17.108.194]
    Mon 2002-06-17 21:55:17: [376:268] 220 xxxx.xxx ESMTP; Mon, 17 Jun 2002 21:55:17 -0400
    Mon 2002-06-17 21:55:17: [376:268] EHLO netmax.internal.tv
    Mon 2002-06-17 21:55:17: [376:268] 250-xxxx.xxx Hello host108-194.rancor.birch.net, pleased to meet you
    Mon 2002-06-17 21:55:17: [376:268] 250-ETRN
    Mon 2002-06-17 21:55:17: [376:268] 250-AUTH LOGIN CRAM
    Mon 2002-06-17 21:55:17: [376:268] 250 SIZE
    Mon 2002-06-17 21:55:17: [376:268] MAIL From:< [email protected]> SIZE=18026
    Mon 2002-06-17 21:55:17: [376:268] Spam Blocker checking 65.17.108.194 using 194.108.17.65.relays.ordb.org...
    Mon 2002-06-17 21:55:17: [376:268] Spam Blocker A-record resolution of [194.108.17.65.relays.ordb.org] in progress (DNS Server: XXX.XXX.XXX.XXX)...
    Mon 2002-06-17 21:55:21: [376:268] Spam Blocker D=194.108.17.65.relays.ordb.org TTL=(5) A=[127.0.0.2]
    Mon 2002-06-17 21:55:21: [376:268] 550 mail from 65.17.108.194 refused by ORDB, see http://www.ordb.org/faq/
    Mon 2002-06-17 21:55:21: [376:268] SMTP session abnormally terminated, 78 bytes transferred.

    From this we can see that the host of this spammer is host108-194.rancor.birch.net. If we do a quick scan of their open ports to see what services are running, we find ---

    * + 65.17.108.194 host108-194.rancor.birch.net
    |___ 21 File Transfer Protocol [Control]
    |___ 22 SSH Remote Login Protocol
    |___ SSH-1.99-OpenSSH_3.1p1.
    |___ 23 Telnet
    |___ ..... ..#..'
    |___ 25 Simple Mail Transfer
    |___ 220 netmax.internal.tv ESMTP Sendmail 8.11.0/8.11.0; Thu, 20 Jun 2002 17:33:02 -0400..
    |___ 53 Domain Name Server
    |___ 80 World Wide Web HTTP
    |___ HTTP/1.1 200 OK..Date: Thu, 20 Jun 2002 21:33:05 GMT..Server: Apache/1.3.14 (Unix) mod_ssl/2.7.0 OpenSSL/0.9.5a PHP/3.0.16 Fron
    |___ 109 Post Office Protocol - Version 2
    |___ + POP2 www.thinertia.com v4.55 server ready..
    |___ 110 Post Office Protocol - Version 3
    |___ +OK POP3 www.thinertia.com v7.64 server ready..

    So they have a web server running on Apache. Well, let's go see what their website is all about. -----> http://65.17.108.194 Aha, it is a website for a church that has a big rappelling tower and climbing wall in Kansas City, MO. Now do you really think that these people are trying to spam me with business offers disguised as [email protected]? It's funny that consultant.com does not even exist on the web.
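The ORDB check in the log above (and the lookup described earlier in the thread) is an ordinary DNS query: the sender's IP has its octets reversed, the list zone is appended, and an answer in 127.0.0.x means "listed". The following is an added example, not code from the thread or from any mail server; it uses a constructed stub resolver so it runs offline, and the zone relays.ordb.org is only a placeholder since ORDB itself shut down in 2006.

```python
import ipaddress
import re
from typing import Callable, Dict, List

# Constructed stub of DNS answers, standing in for a live resolver; a real
# deployment would issue an A-record query for the generated name instead.
STUB_DNS: Dict[str, List[str]] = {
    "194.108.17.65.relays.ordb.org": ["127.0.0.2"],   # listed, as in the log
    # any other name -> no answer (NXDOMAIN), i.e. not listed
}

def stub_resolve(name: str) -> List[str]:
    """Return the A records for name from the constructed table (empty = NXDOMAIN)."""
    return STUB_DNS.get(name, [])

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, then the list zone appended.
    65.17.108.194 -> 194.108.17.65.relays.ordb.org"""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(ip: str, zone: str,
              resolve: Callable[[str], List[str]] = stub_resolve) -> bool:
    """True when the list answers with a 127.0.0.x address (the DNSBL convention);
    an empty answer means the IP is not on the list."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(a.startswith("127.0.0.") for a in answers)

# Matches the 'Spam Blocker D=... A=[...]' answer line in the server log format above.
LOG_RE = re.compile(r"Spam Blocker D=(?P<name>\S+) TTL=\(\d+\) A=\[(?P<addr>[^\]]+)\]")

def verdict_from_log_line(line: str) -> Dict[str, str]:
    """Pull the query name and DNS answer out of one log line and decide the action."""
    m = LOG_RE.search(line)
    if not m:
        return {}
    listed = m.group("addr").startswith("127.0.0.")
    return {"query": m.group("name"), "answer": m.group("addr"),
            "action": "550 refuse" if listed else "accept"}

if __name__ == "__main__":
    # Constructed input: the answer line copied from the log in the post above.
    line = ("Mon 2002-06-17 21:55:21: [376:268] Spam Blocker "
            "D=194.108.17.65.relays.ordb.org TTL=(5) A=[127.0.0.2]")
    print(dnsbl_query_name("65.17.108.194", "relays.ordb.org"))
    print(is_listed("65.17.108.194", "relays.ordb.org"))
    print(verdict_from_log_line(line))
```

Modern mail servers do this lookup natively against currently maintained lists; the point here is only to make the mechanism behind the 550 line readable.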
