Geekzone: technology news, blogs, forums
Reply # 966877 14-Jan-2014 15:18

I think the real evidence of sender spoofing would be if there is any email in the Sent folders. If there isn't any then it was spoofed. In previous cases there were emails so we knew it was a breach. This time I haven't seen anyone confirming it yet.
Reply # 966941 14-Jan-2014 16:20

freitasm: I think the real evidence of sender spoofing would be if there is any email in the Sent folders. If there isn't any then it was spoofed. In previous cases there were emails so we knew it was a breach. This time I haven't seen anyone confirming it yet.



I think that's what the post before this was getting at. I don't think he was seeking admission to confirm a breach in the last week or so that's caused this sending from yahoo/xtra, but more a 'yep it looks like it was' to confirm it's the previous stolen/harvested data being used. I'll check my case's sent folder but going by the header information (common computername source) I doubt I will find any. There was also no malicious off-site access in the beffed validation checks and security logs.

Of the 2 I got, they are fairly consistent with the likelihood it is stolen/harvested data. The names (only 4) in the CC are confirmed contacts with the apparent spoofed sender (a relation) that appear to have been auto saved when sending emails from abroad while on holiday using the web interface.

Reply # 966943 14-Jan-2014 16:22

It sounds fishy... spoofed email is usually filtered by standard anti-spam checks (spf/sender id/reverse dns).

A quick look at the headers of the spam being sent will show whether it's coming from yahoo servers or not.

Reply # 966945 14-Jan-2014 16:26

Couple of examples on pg 1/2 of thread if you want to do some reverses

Reply # 966987 14-Jan-2014 17:24

Oblivian: Couple of examples on pg 1/2 of thread if you want to do some reverses


If it's being sent via some random smtp server yet the from address is an xtra.co.nz why doesn't your receiving mail server check if the random smtp server is a designated sender for the xtra.co.nz (spf) and reject it if not?

Reply # 966992 14-Jan-2014 17:32

Ragnor:
Oblivian: Couple of examples on pg 1/2 of thread if you want to do some reverses


If it's being sent via some random smtp server yet the from address is an xtra.co.nz why doesn't your receiving mail server check if the random smtp server is a designated sender for the xtra.co.nz (spf) and reject it if not?


Oh I see, xtra.co.nz does not have a valid txt/spf record setup.... fail

With google apps you can add a spf/txt record to your domain (eg: include:_spf.google.com) that designates google servers as senders for your domain so SPF can work.

Does Yahoo not have something similar?

Reply # 966994 14-Jan-2014 17:33

We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs' email addresses.

Reply # 966996 14-Jan-2014 17:36

mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs' email addresses.


Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.

Reply # 967058 14-Jan-2014 19:43

I really think the time has come to just refuse mail from domains without SPF records configured. It's so easy to do and makes the spoofing problem largely go away.




Richard rich.ms
Reply # 967060 14-Jan-2014 19:46

richms: I really think the time has come to just refuse mail from domains without SPF records configured. It's so easy to do and makes the spoofing problem largely go away.


HAHA that would cut down people's workloads at your office, when 90% of the people who email you don't get delivered.

Reply # 967134 14-Jan-2014 21:16

Ragnor:
mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs' email addresses.


Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.


But if it is normal spoofing, how come I am mainly getting emailed by those xtra.co.nz email addresses who I have previously been in correspondence with in the past? I would expect to receive emails from other xtra users as well as from other ISPs too, as well as yahoo.co.nz addresses, if it was normal spoofing. But in this case it looks like they have harvested the email addresses from people who I have had previous correspondence with. Whether these people's computers have malware, but if that was the case, I would expect to receive this type of email from other domains too.

Reply # 967153 14-Jan-2014 21:30

I thought we had already established and explained that already?

Hacked Webmail yahoo. Steal saved contacts from affected users (as soon as you hit reply etc from the enhanced layout). Wait period of months

Hijack overseas mail servers

Use stolen database to send email to said contacts via CC field, spoofing from as [email protected] contacts were harvested from.

No reverse on xtra.co.nz to ensure matching source IP of server sending the mail

Job done.

Reply # 967162 14-Jan-2014 21:46

Oblivian: I thought we had already established and explained that already?


Use stolen database to send email to said contacts via CC field, spoofing from as [email protected] contacts were harvested from.

Job done.

Have they ever said that people's contact details were hacked from the system, and are now in the hands of hackers? Previously it appears the emails were sent from inside their network, so none of that addressbook data was exported out. But this issue indicates that those details are now outside their network, and spammers now have them.

If they had listed those particular reasons as concisely as you, it would make more sense as to what has happened, but their press release isn't that clear and looks very carefully worded.

Reply # 967168 14-Jan-2014 21:55

Ragnor:
mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs' email addresses.


Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.


On that note, out of interest's sake, a quick check and the following have SPF records:
snap.net.nz
paradise.net.nz
clear.net.nz
ihug.co.nz
actrix.co.nz
xnet.co.nz
unleash.co.nz
hd.net.nz

No SPF:
xtra.co.nz
vodafone.co.nz
orcon.net.nz
slingshot.co.nz
maxnet.co.nz
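Following Ragnor's description of what a receiving server does with SPF (look up the sending domain's record, see whether the connecting server is a designated sender, reject if not) and the list of ISP domains with and without records above, here is an added example of both checks; it is not code from the thread or from any product mentioned in it. DNS is replaced by a constructed in-memory table (FAKE_TXT) so it runs offline; every domain, address and record in it is made up, and only the ip4/ip6/include/all mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# These domains and records are illustrative, not anyone's real SPF data.
FAKE_TXT = {
    "example-isp.co.nz": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "no-spf.co.nz": ["some unrelated txt record"],   # like the "No SPF" ISPs
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None when it publishes none."""
    for txt in FAKE_TXT.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def has_spf(domain):
    """The presence check behind the 'have SPF records' / 'No SPF' lists."""
    return spf_record(domain) is not None


def check_spf(domain, sender_ip, depth=0):
    """Minimal SPF evaluation for one connecting IP against the MAIL FROM domain.
    Returns none (no record, so nothing to enforce), pass, fail, softfail or neutral.
    Unsupported mechanisms (a, mx, ptr, exists) and macros are skipped."""
    record = spf_record(domain)
    if record is None or depth > 10:          # RFC 7208 caps DNS-causing terms at 10
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # membership test is False across address families, so ip4 never matches IPv6
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                          # ran off the end with no "all" term
```

A domain in the "No SPF" list yields "none", which is exactly why a spoofed From address there cannot be rejected on SPF grounds, while a "-all" record lets the receiver fail mail from any non-designated server.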

Reply # 967177 14-Jan-2014 22:07

That or the host that sent my particular one still has yahoo ties :P

I found a hit that btopenworld.com (where mine apparently originated) used to be dun dun dunnnn "BT Yahoo!" lol
