Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.

View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11
BDFL
49741 posts

Uber Geek
+1 received by user: 4523

Administrator
Trusted
Geekzone
Subscriber

  Reply # 966877 14-Jan-2014 15:18 Send private message

I think the real evidence of sender spoofing would be if there is any email in the Sent folders. If there isn't any then it was spoofed. In previous cases there were emails so we knew it was a breach. This time I haven't seen anyone confirming it yet.






1182 posts

Uber Geek
+1 received by user: 41


  Reply # 966941 14-Jan-2014 16:20 Send private message

freitasm: I think the real evidence of sender spoofing would be if there is any email in the Sent folders. If there isn't any then it was spoofed. In previous cases there were emails so we knew it was a breach. This time I haven't seen anyone confirming it yet.



I think thats what the post before this was getting at. I don't think he was seeking admital to confirm a breach in the last week or so that's caused this sending from yahoo/xtra, but more to a 'yep it looks like it was' to confirm it's the previous stolen/harvested data being used. I'll check my cases sent folder but going by the header information (common computername source) I doub't I will find any. There was also no malicious off-site access in the beffed validation checks and security logs.

Of the 2 I got they are fairly consistent with the likelyhood it is stolen/harvested data. The names (only 4) in the CC are confirmed contacts with the apparent spoofed sender (a relation) that appear to have been auto saved when sending emails from abroad while on holiday using the web interface.

7720 posts

Uber Geek
+1 received by user: 298

Trusted
Subscriber

  Reply # 966943 14-Jan-2014 16:22 Send private message

It sounds fishy... spoofed email is usually filtered by standard anti spam checks (spf/sender id/reverse dns).

A quick look at the headers of of the spam being sent will show whether it's coming from yahoo servers or not.


1182 posts

Uber Geek
+1 received by user: 41


  Reply # 966945 14-Jan-2014 16:26 Send private message

Couple of examples on pg 1/2 of thread if you want to do some reverses

7720 posts

Uber Geek
+1 received by user: 298

Trusted
Subscriber

  Reply # 966987 14-Jan-2014 17:24 Send private message

Oblivian: Couple of examples on pg 1/2 of thread if you want to do some reverses


If it's being sent via some random smtp server yet the from address is an xtra.co.nz why doesn't your receiving mail server check if the random smtp server is a designated sender for the xtra.co.nz (spf) and reject it if not?

7720 posts

Uber Geek
+1 received by user: 298

Trusted
Subscriber

  Reply # 966992 14-Jan-2014 17:32 Send private message

Ragnor:
Oblivian: Couple of examples on pg 1/2 of thread if you want to do some reverses


If it's being sent via some random smtp server yet the from address is an xtra.co.nz why doesn't your receiving mail server check if the random smtp server is a designated sender for the xtra.co.nz (spf) and reject it if not?


Oh I see, xtra.co.nz does not have a valid txt/spf record setup.... fail

With google apps you can add a spf/txt record to you domain (eg: include:_spf.google.com) that designates google servers as senders for your domain so SPF can work.

Does Yahoo not have something similar?

7244 posts

Uber Geek
+1 received by user: 404


  Reply # 966994 14-Jan-2014 17:33 Send private message

We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.

7720 posts

Uber Geek
+1 received by user: 298

Trusted
Subscriber

  Reply # 966996 14-Jan-2014 17:36 One person supports this post Send private message

mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.


Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.

11019 posts

Uber Geek
+1 received by user: 507

Trusted
Subscriber

  Reply # 967058 14-Jan-2014 19:43 Send private message

I really think the time has come to just refuse mail from domains without SPF records configured. Its so easy to do and makes the spoofing problem largely go away.




Richard rich.ms

7129 posts

Uber Geek
+1 received by user: 841

Trusted
Subscriber

  Reply # 967060 14-Jan-2014 19:46 Send private message

richms: I really think the time has come to just refuse mail from domains without SPF records configured. Its so easy to do and makes the spoofing problem largely go away.


HAHA that would cut down peoples workloads at your office, when 90% of the people who email you don't get delivered.

7244 posts

Uber Geek
+1 received by user: 404


  Reply # 967134 14-Jan-2014 21:16 Send private message

Ragnor:
mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.


Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.


But if it is normal spoofing, how come I am mainly getting emailed  by those xtra.co.nz email address who I have previously been in correspondence with in the past. I would expect to receive emails from other xtra users as well as from other ISPs too, as well as yahoo.co.nz addresses, if it was normal spoofing. But in this case it looks like they have harvested the email addresses from people who I have have previous correspondence with. Whether these peoples computers have malware, but if that was the case, I would expect to receive this type of email from other domains too.

1182 posts

Uber Geek
+1 received by user: 41


  Reply # 967153 14-Jan-2014 21:30 One person supports this post Send private message

I thought we had already established and explained that already?

Hacked Webmail yahoo. Steal saved contacts from effected users (as soon as you hit reply etc from the enhanced layout). Wait period of months

Hijack overseas mail servers

Use stolen database to send email to said contacts via CC field, spoofing from as [email protected] contacts were harvested from.

No reverse on xtra.co.nz to ensure matching source IP of server sending the mail

Job done.

7244 posts

Uber Geek
+1 received by user: 404


  Reply # 967162 14-Jan-2014 21:46 Send private message

Oblivian: I thought we had already established and explained that already?


Use stolen database to send email to said contacts via CC field, spoofing from as [email protected] contacts were harvested from.

Job done.

Have they ever said that poeples contact details were hacked from system,  and are now in the hands of hackers? Previously it appears the emails were sent from inside their network, so none of that addressbook data was exported out. But this issue indicates that those details are now outside their network, and spammers now have them.

If they had listed those particular reason as concisely as you, it would make more sense as to what has happened, but their press release isn't that clear and looks very carefully worded.

627 posts

Ultimate Geek
+1 received by user: 98


  Reply # 967168 14-Jan-2014 21:55 Send private message

Ragnor:
mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.


Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.


On that note out of interests sake, a quick check and the following have SPF records:
snap.net.nz
paradise.net.nz
clear.net.nz
ihug.co.nz
actrix.co.nz
xnet.co.nz
unleash.co.nz
hd.net.nz

No SPF:
xtra.co.nz
vodafone.co.nz
orcon.net.nz
slingshot.co.nz
maxnet.co.nz

1182 posts

Uber Geek
+1 received by user: 41


  Reply # 967177 14-Jan-2014 22:07 Send private message

That or The host that sent my particular one still has yahoo ties :P

I found a hit that btopenworld.com (where mine apparently originated) use to be dun dun dunnnn "BT Yahoo!" lol

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11
View this topic in a long page with up to 500 replies per page Create new topic




Twitter »
Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:




News »

Trending now »
Hot discussions in our forums right now:

Windows 10 announced, as well as developer preview
Created by macuser, last reply by networkn on 2-Oct-2014 15:17 (101 replies)
Pages... 5 6 7


Moment of Truth?
Created by BarTender, last reply by JimmyC on 29-Sep-2014 09:16 (441 replies)
Pages... 28 29 30


Can i have 2 ISP's at home?
Created by ReckITT, last reply by Lazarui on 30-Sep-2014 18:15 (49 replies)
Pages... 2 3 4


What time will the Apple Store online be selling the iPhone 6?
Created by scotiwis, last reply by Bextinaa on 2-Oct-2014 15:26 (135 replies)
Pages... 7 8 9


Why is your nickname what it is, what are the origins of it?
Created by Presso, last reply by xontech on 2-Oct-2014 11:02 (91 replies)
Pages... 5 6 7


Harvey Norman's Biggest Ever Retail Sale
Created by DravidDavid, last reply by joker97 on 2-Oct-2014 14:24 (30 replies)
Pages... 2


iPhone 6 From Spark - Order Dates and Pricing?
Created by Otagolad, last reply by seymor1000 on 2-Oct-2014 13:50 (350 replies)
Pages... 22 23 24


Easiest way to have iPhone warranty service
Created by JoshWright, last reply by nitrotech on 30-Sep-2014 21:37 (15 replies)


Geekzone Live »
Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.