Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
Buying anything on Amazon? Please use the Geekzone Amazon aff link.


View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11
BDFL
50192 posts

Uber Geek
+1 received by user: 4743

Administrator
Trusted
Geekzone
Subscriber

  Reply # 966877 14-Jan-2014 15:18 Send private message

I think the real evidence of sender spoofing would be if there is any email in the Sent folders. If there isn't any then it was spoofed. In previous cases there were emails so we knew it was a breach. This time I haven't seen anyone confirming it yet.






1199 posts

Uber Geek
+1 received by user: 46


  Reply # 966941 14-Jan-2014 16:20 Send private message

freitasm: I think the real evidence of sender spoofing would be if there is any email in the Sent folders. If there isn't any then it was spoofed. In previous cases there were emails so we knew it was a breach. This time I haven't seen anyone confirming it yet.



I think thats what the post before this was getting at. I don't think he was seeking admital to confirm a breach in the last week or so that's caused this sending from yahoo/xtra, but more to a 'yep it looks like it was' to confirm it's the previous stolen/harvested data being used. I'll check my cases sent folder but going by the header information (common computername source) I doub't I will find any. There was also no malicious off-site access in the beffed validation checks and security logs.

Of the 2 I got they are fairly consistent with the likelyhood it is stolen/harvested data. The names (only 4) in the CC are confirmed contacts with the apparent spoofed sender (a relation) that appear to have been auto saved when sending emails from abroad while on holiday using the web interface.

7777 posts

Uber Geek
+1 received by user: 326

Trusted
Subscriber

  Reply # 966943 14-Jan-2014 16:22 Send private message

It sounds fishy... spoofed email is usually filtered by standard anti spam checks (spf/sender id/reverse dns).

A quick look at the headers of of the spam being sent will show whether it's coming from yahoo servers or not.


1199 posts

Uber Geek
+1 received by user: 46


  Reply # 966945 14-Jan-2014 16:26 Send private message

Couple of examples on pg 1/2 of thread if you want to do some reverses

7777 posts

Uber Geek
+1 received by user: 326

Trusted
Subscriber

  Reply # 966987 14-Jan-2014 17:24 Send private message

Oblivian: Couple of examples on pg 1/2 of thread if you want to do some reverses


If it's being sent via some random smtp server yet the from address is an xtra.co.nz why doesn't your receiving mail server check if the random smtp server is a designated sender for the xtra.co.nz (spf) and reject it if not?

7777 posts

Uber Geek
+1 received by user: 326

Trusted
Subscriber

  Reply # 966992 14-Jan-2014 17:32 Send private message

Ragnor:
Oblivian: Couple of examples on pg 1/2 of thread if you want to do some reverses


If it's being sent via some random smtp server yet the from address is an xtra.co.nz why doesn't your receiving mail server check if the random smtp server is a designated sender for the xtra.co.nz (spf) and reject it if not?


Oh I see, xtra.co.nz does not have a valid txt/spf record setup.... fail

With google apps you can add a spf/txt record to you domain (eg: include:_spf.google.com) that designates google servers as senders for your domain so SPF can work.

Does Yahoo not have something similar?

7477 posts

Uber Geek
+1 received by user: 420


  Reply # 966994 14-Jan-2014 17:33 Send private message

We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.

7777 posts

Uber Geek
+1 received by user: 326

Trusted
Subscriber

  Reply # 966996 14-Jan-2014 17:36 One person supports this post Send private message

mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.


Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.

11361 posts

Uber Geek
+1 received by user: 624

Trusted
Subscriber

  Reply # 967058 14-Jan-2014 19:43 Send private message

I really think the time has come to just refuse mail from domains without SPF records configured. Its so easy to do and makes the spoofing problem largely go away.




Richard rich.ms

7439 posts

Uber Geek
+1 received by user: 956

Trusted
Subscriber

  Reply # 967060 14-Jan-2014 19:46 Send private message

richms: I really think the time has come to just refuse mail from domains without SPF records configured. Its so easy to do and makes the spoofing problem largely go away.


HAHA that would cut down peoples workloads at your office, when 90% of the people who email you don't get delivered.

7477 posts

Uber Geek
+1 received by user: 420


  Reply # 967134 14-Jan-2014 21:16 Send private message

Ragnor:
mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.


Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.


But if it is normal spoofing, how come I am mainly getting emailed  by those xtra.co.nz email address who I have previously been in correspondence with in the past. I would expect to receive emails from other xtra users as well as from other ISPs too, as well as yahoo.co.nz addresses, if it was normal spoofing. But in this case it looks like they have harvested the email addresses from people who I have have previous correspondence with. Whether these peoples computers have malware, but if that was the case, I would expect to receive this type of email from other domains too.

1199 posts

Uber Geek
+1 received by user: 46


  Reply # 967153 14-Jan-2014 21:30 One person supports this post Send private message

I thought we had already established and explained that already?

Hacked Webmail yahoo. Steal saved contacts from effected users (as soon as you hit reply etc from the enhanced layout). Wait period of months

Hijack overseas mail servers

Use stolen database to send email to said contacts via CC field, spoofing from as [email protected] contacts were harvested from.

No reverse on xtra.co.nz to ensure matching source IP of server sending the mail

Job done.

7477 posts

Uber Geek
+1 received by user: 420


  Reply # 967162 14-Jan-2014 21:46 Send private message

Oblivian: I thought we had already established and explained that already?


Use stolen database to send email to said contacts via CC field, spoofing from as [email protected] contacts were harvested from.

Job done.

Have they ever said that poeples contact details were hacked from system,  and are now in the hands of hackers? Previously it appears the emails were sent from inside their network, so none of that addressbook data was exported out. But this issue indicates that those details are now outside their network, and spammers now have them.

If they had listed those particular reason as concisely as you, it would make more sense as to what has happened, but their press release isn't that clear and looks very carefully worded.

647 posts

Ultimate Geek
+1 received by user: 107


  Reply # 967168 14-Jan-2014 21:55 Send private message

Ragnor:
mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.


Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.


On that note out of interests sake, a quick check and the following have SPF records:
snap.net.nz
paradise.net.nz
clear.net.nz
ihug.co.nz
actrix.co.nz
xnet.co.nz
unleash.co.nz
hd.net.nz

No SPF:
xtra.co.nz
vodafone.co.nz
orcon.net.nz
slingshot.co.nz
maxnet.co.nz

1199 posts

Uber Geek
+1 received by user: 46


  Reply # 967177 14-Jan-2014 22:07 Send private message

That or The host that sent my particular one still has yahoo ties :P

I found a hit that btopenworld.com (where mine apparently originated) use to be dun dun dunnnn "BT Yahoo!" lol

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11
View this topic in a long page with up to 500 replies per page Create new topic




Twitter »
Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





Trending now »

Hot discussions in our forums right now:

Click Monday Deals
Created by mrtoken, last reply by Krishant007 on 24-Nov-2014 17:11 (25 replies)
Pages... 2


Gull Employment Dispute.
Created by networkn, last reply by Geektastic on 26-Nov-2014 14:46 (141 replies)
Pages... 8 9 10


The Warehouse pulling R18 games and DVD's
Created by semigeek, last reply by throbb on 26-Nov-2014 15:42 (55 replies)
Pages... 2 3 4


Current Netflix payment method as of Nov 14 - Cant pay
Created by andynz, last reply by Kiwipixter on 25-Nov-2014 10:45 (33 replies)
Pages... 2 3


HP Stream 7 arrives
Created by gnfb, last reply by gzt on 26-Nov-2014 15:26 (15 replies)

Lollipop no more
Created by ronw, last reply by kiwitrc on 26-Nov-2014 13:44 (13 replies)

Knock off electronics in The Warehouse
Created by jpoc, last reply by openmedia on 26-Nov-2014 13:01 (13 replies)

Voda VDSL, Horrid offnet performance.
Created by TimA, last reply by ckc on 26-Nov-2014 10:54 (31 replies)
Pages... 2 3



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.