Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11
BDFL - Memuneh
67081 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #966877 14-Jan-2014 15:18
Send private message

I think the real evidence of sender spoofing would be if there is any email in the Sent folders. If there isn't any then it was spoofed. In previous cases there were emails so we knew it was a breach. This time I haven't seen anyone confirming it yet.






3821 posts

Uber Geek


  #966941 14-Jan-2014 16:20
Send private message

freitasm: I think the real evidence of sender spoofing would be if there is any email in the Sent folders. If there isn't any then it was spoofed. In previous cases there were emails so we knew it was a breach. This time I haven't seen anyone confirming it yet.



I think thats what the post before this was getting at. I don't think he was seeking admital to confirm a breach in the last week or so that's caused this sending from yahoo/xtra, but more to a 'yep it looks like it was' to confirm it's the previous stolen/harvested data being used. I'll check my cases sent folder but going by the header information (common computername source) I doub't I will find any. There was also no malicious off-site access in the beffed validation checks and security logs.

Of the 2 I got they are fairly consistent with the likelyhood it is stolen/harvested data. The names (only 4) in the CC are confirmed contacts with the apparent spoofed sender (a relation) that appear to have been auto saved when sending emails from abroad while on holiday using the web interface.

 
 
 
 


8035 posts

Uber Geek

Trusted

  #966943 14-Jan-2014 16:22
Send private message

It sounds fishy... spoofed email is usually filtered by standard anti spam checks (spf/sender id/reverse dns).

A quick look at the headers of of the spam being sent will show whether it's coming from yahoo servers or not.


3821 posts

Uber Geek


  #966945 14-Jan-2014 16:26
Send private message

Couple of examples on pg 1/2 of thread if you want to do some reverses

8035 posts

Uber Geek

Trusted

  #966987 14-Jan-2014 17:24
Send private message

Oblivian: Couple of examples on pg 1/2 of thread if you want to do some reverses


If it's being sent via some random smtp server yet the from address is an xtra.co.nz why doesn't your receiving mail server check if the random smtp server is a designated sender for the xtra.co.nz (spf) and reject it if not?

8035 posts

Uber Geek

Trusted

  #966992 14-Jan-2014 17:32
Send private message

Ragnor:
Oblivian: Couple of examples on pg 1/2 of thread if you want to do some reverses


If it's being sent via some random smtp server yet the from address is an xtra.co.nz why doesn't your receiving mail server check if the random smtp server is a designated sender for the xtra.co.nz (spf) and reject it if not?


Oh I see, xtra.co.nz does not have a valid txt/spf record setup.... fail

With google apps you can add a spf/txt record to you domain (eg: include:_spf.google.com) that designates google servers as senders for your domain so SPF can work.

Does Yahoo not have something similar?

16181 posts

Uber Geek


  #966994 14-Jan-2014 17:33
Send private message

We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.

 
 
 
 


8035 posts

Uber Geek

Trusted

  #966996 14-Jan-2014 17:36
Send private message

mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.


Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.

23274 posts

Uber Geek

Trusted
Subscriber

  #967058 14-Jan-2014 19:43
Send private message

I really think the time has come to just refuse mail from domains without SPF records configured. Its so easy to do and makes the spoofing problem largely go away.




Richard rich.ms

22545 posts

Uber Geek

Trusted
Lifetime subscriber

  #967060 14-Jan-2014 19:46
Send private message

richms: I really think the time has come to just refuse mail from domains without SPF records configured. Its so easy to do and makes the spoofing problem largely go away.


HAHA that would cut down peoples workloads at your office, when 90% of the people who email you don't get delivered.

16181 posts

Uber Geek


  #967134 14-Jan-2014 21:16
Send private message

Ragnor:
mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.


Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.


But if it is normal spoofing, how come I am mainly getting emailed  by those xtra.co.nz email address who I have previously been in correspondence with in the past. I would expect to receive emails from other xtra users as well as from other ISPs too, as well as yahoo.co.nz addresses, if it was normal spoofing. But in this case it looks like they have harvested the email addresses from people who I have have previous correspondence with. Whether these peoples computers have malware, but if that was the case, I would expect to receive this type of email from other domains too.

3821 posts

Uber Geek


  #967153 14-Jan-2014 21:30
Send private message

I thought we had already established and explained that already?

Hacked Webmail yahoo. Steal saved contacts from effected users (as soon as you hit reply etc from the enhanced layout). Wait period of months

Hijack overseas mail servers

Use stolen database to send email to said contacts via CC field, spoofing from as person@xtra.co.nz contacts were harvested from.

No reverse on xtra.co.nz to ensure matching source IP of server sending the mail

Job done.

16181 posts

Uber Geek


  #967162 14-Jan-2014 21:46
Send private message

Oblivian: I thought we had already established and explained that already?


Use stolen database to send email to said contacts via CC field, spoofing from as person@xtra.co.nz contacts were harvested from.

Job done.

Have they ever said that poeples contact details were hacked from system,  and are now in the hands of hackers? Previously it appears the emails were sent from inside their network, so none of that addressbook data was exported out. But this issue indicates that those details are now outside their network, and spammers now have them.

If they had listed those particular reason as concisely as you, it would make more sense as to what has happened, but their press release isn't that clear and looks very carefully worded.

956 posts

Ultimate Geek
Inactive user


  #967168 14-Jan-2014 21:55
Send private message

Ragnor:
mattwnz: We don't really know what is going on, as it hasn't been communicated. But it isn't affecting other ISPs email addresses.


Read Troy from Telecom's post on previous page, they say it's spoofing.

However again it appears to be incompetence since they don't even have SPF setup for xtra.co.nz, they can't prevent spoof emails from being sent but they can prevent them being received by almost every mail filtering product in the market by implementing SPF.


On that note out of interests sake, a quick check and the following have SPF records:
snap.net.nz
paradise.net.nz
clear.net.nz
ihug.co.nz
actrix.co.nz
xnet.co.nz
unleash.co.nz
hd.net.nz

No SPF:
xtra.co.nz
vodafone.co.nz
orcon.net.nz
slingshot.co.nz
maxnet.co.nz

3821 posts

Uber Geek


  #967177 14-Jan-2014 22:07
Send private message

That or The host that sent my particular one still has yahoo ties :P

I found a hit that btopenworld.com (where mine apparently originated) use to be dun dun dunnnn "BT Yahoo!" lol

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11
View this topic in a long page with up to 500 replies per page Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Sony introduces the digital camera ZV-1 for content creators
Posted 27-May-2020 12:47


Samsung Announces 2020 QLED TV Range
Posted 20-May-2020 16:29


D-Link A/NZ launches AI-Powered body temperature measuring system
Posted 20-May-2020 16:22


NortonLifeLock Online Banking Protection now available for New Zealand banks
Posted 20-May-2020 16:14


SD Express delivers new gigabyte speeds for SD memory cards
Posted 20-May-2020 15:00


D-Link A/NZ launches Nuclias cloud managed network solution hosted in Australia
Posted 11-May-2020 17:53


Logitech introduces new video streaming solution for home studios
Posted 11-May-2020 17:48


Next generation Volvo cars to be powered by Luminar LiDAR technology
Posted 7-May-2020 13:56


D-Link A/NZ launches Wi-Fi Certified EasyMesh system
Posted 7-May-2020 13:51


Spark teams up with Microsoft to bring Xbox All Access to New Zealand
Posted 7-May-2020 13:01


Microsoft plans to establish its first datacenter region in New Zealand
Posted 6-May-2020 11:35


Genesis School-gen has joined forces with Mind Lab Kids
Posted 1-May-2020 12:53


Malwarebytes expands into privacy with fast, frictionless VPN
Posted 30-Apr-2020 16:06


Kordia to donate TV airtime on Channel 200 to community groups
Posted 30-Apr-2020 16:00


OPPO A91 is a high specs mid-range smartphone
Posted 23-Apr-2020 16:44



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.