Another round of Xtra\Yahoo spam?

Forums › Spark New Zealand (including Skinny and BigPipe) › Another round of Xtra\Yahoo spam?

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | ... | 11

BDFL - Memuneh
80658 posts

Uber Geek
+1 received by user: 41070

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#966877 14-Jan-2014 15:18

I think the real evidence of sender spoofing would be if there is any email in the Sent folders. If there isn't any then it was spoofed. In previous cases there were emails so we knew it was a breach. This time I haven't seen anyone confirming it yet.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Oblivian

7345 posts

Uber Geek
+1 received by user: 2117

ID Verified

#966941 14-Jan-2014 16:20

freitasm: I think the real evidence of sender spoofing would be if there is any email in the Sent folders. If there isn't any then it was spoofed. In previous cases there were emails so we knew it was a breach. This time I haven't seen anyone confirming it yet.

I think thats what the post before this was getting at. I don't think he was seeking admital to confirm a breach in the last week or so that's caused this sending from yahoo/xtra, but more to a 'yep it looks like it was' to confirm it's the previous stolen/harvested data being used. I'll check my cases sent folder but going by the header information (common computername source) I doub't I will find any. There was also no malicious off-site access in the beffed validation checks and security logs.

Of the 2 I got they are fairly consistent with the likelyhood it is stolen/harvested data. The names (only 4) in the CC are confirmed contacts with the apparent spoofed sender (a relation) that appear to have been auto saved when sending emails from abroad while on holiday using the web interface.

Ragnor

8279 posts

Uber Geek
+1 received by user: 585

Trusted

#966943 14-Jan-2014 16:22

It sounds fishy... spoofed email is usually filtered by standard anti spam checks (spf/sender id/reverse dns).

A quick look at the headers of of the spam being sent will show whether it's coming from yahoo servers or not.

Oblivian

7345 posts

Uber Geek
+1 received by user: 2117

ID Verified

#966945 14-Jan-2014 16:26

Couple of examples on pg 1/2 of thread if you want to do some reverses

Ragnor

8279 posts

Uber Geek
+1 received by user: 585

Trusted

#966987 14-Jan-2014 17:24

Oblivian: Couple of examples on pg 1/2 of thread if you want to do some reverses

If it's being sent via some random smtp server yet the from address is an xtra.co.nz why doesn't your receiving mail server check if the random smtp server is a designated sender for the xtra.co.nz (spf) and reject it if not?

Ragnor

8279 posts

Uber Geek
+1 received by user: 585

Trusted

#966992 14-Jan-2014 17:32

Ragnor:
Oblivian: Couple of examples on pg 1/2 of thread if you want to do some reverses

If it's being sent via some random smtp server yet the from address is an xtra.co.nz why doesn't your receiving mail server check if the random smtp server is a designated sender for the xtra.co.nz (spf) and reject it if not?

Oh I see, xtra.co.nz does not have a valid txt/spf record setup.... fail

With google apps you can add a spf/txt record to you domain (eg: include:_spf.google.com) that designates google servers as senders for your domain so SPF can work.

Does Yahoo not have something similar?

Lego

Shop now for Lego sets and other gifts (affiliate link).

mattwnz

20520 posts

Uber Geek
+1 received by user: 4797

#966994 14-Jan-2014 17:33

We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.

Ragnor

8279 posts

Uber Geek
+1 received by user: 585

Trusted

#966996 14-Jan-2014 17:36

mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.

Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.

richms

29104 posts

Uber Geek
+1 received by user: 10222

Trusted

Lifetime subscriber

#967058 14-Jan-2014 19:43

I really think the time has come to just refuse mail from domains without SPF records configured. Its so easy to do and makes the spoofing problem largely go away.

Richard rich.ms

networkn

Networkn
32871 posts

Uber Geek
+1 received by user: 15468

ID Verified

Trusted

Lifetime subscriber

#967060 14-Jan-2014 19:46

richms: I really think the time has come to just refuse mail from domains without SPF records configured. Its so easy to do and makes the spoofing problem largely go away.

HAHA that would cut down peoples workloads at your office, when 90% of the people who email you don't get delivered.

mattwnz

20520 posts

Uber Geek
+1 received by user: 4797

#967134 14-Jan-2014 21:16

Ragnor:
mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.

Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.

But if it is normal spoofing, how come I am mainly getting emailed by those xtra.co.nz email address who I have previously been in correspondence with in the past. I would expect to receive emails from other xtra users as well as from other ISPs too, as well as yahoo.co.nz addresses, if it was normal spoofing. But in this case it looks like they have harvested the email addresses from people who I have have previous correspondence with. Whether these peoples computers have malware, but if that was the case, I would expect to receive this type of email from other domains too.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

Oblivian

7345 posts

Uber Geek
+1 received by user: 2117

ID Verified

#967153 14-Jan-2014 21:30

I thought we had already established and explained that already?

Hacked Webmail yahoo. Steal saved contacts from effected users (as soon as you hit reply etc from the enhanced layout). Wait period of months

Hijack overseas mail servers

Use stolen database to send email to said contacts via CC field, spoofing from as person@xtra.co.nz contacts were harvested from.

No reverse on xtra.co.nz to ensure matching source IP of server sending the mail

Job done.

mattwnz

20520 posts

Uber Geek
+1 received by user: 4797

#967162 14-Jan-2014 21:46

Oblivian: I thought we had already established and explained that already?

Use stolen database to send email to said contacts via CC field, spoofing from as person@xtra.co.nz contacts were harvested from.

Job done.

Have they ever said that poeples contact details were hacked from system, and are now in the hands of hackers? Previously it appears the emails were sent from inside their network, so none of that addressbook data was exported out. But this issue indicates that those details are now outside their network, and spammers now have them.

If they had listed those particular reason as concisely as you, it would make more sense as to what has happened, but their press release isn't that clear and looks very carefully worded.

JamesL

956 posts

Ultimate Geek
+1 received by user: 342
Inactive user

#967168 14-Jan-2014 21:55

Ragnor:
mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.

Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.

On that note out of interests sake, a quick check and the following have SPF records:
snap.net.nz
paradise.net.nz
clear.net.nz
ihug.co.nz
actrix.co.nz
xnet.co.nz
unleash.co.nz
hd.net.nz

No SPF:
xtra.co.nz
vodafone.co.nz
orcon.net.nz
slingshot.co.nz
maxnet.co.nz

Oblivian

7345 posts

Uber Geek
+1 received by user: 2117

ID Verified

#967177 14-Jan-2014 22:07

That or The host that sent my particular one still has yahoo ties :P

I found a hit that btopenworld.com (where mine apparently originated) use to be dun dun dunnnn "BT Yahoo!" lol

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | ... | 11