Recent directory harvest attacks:
03/30 10:02:59 by IP: 98.215.146.62 - Comcast
03/29 11:06:51 by IP: 71.1.227.69 - Embarq
03/28 22:32:19 by IP: 71.245.168.231 - Verizon
Trends from the trenches of Internet traffic. Hackers, spammers and Internet abuse. IP address database. DNS sightings. Views and opinions expressed are my own. ~ Teri Radichel @teriradichel
Monday, March 30, 2009
Email Attachments Replaced In Transit
Don't think your email can be altered in transit? Don't see a need for TLS? Find out how the Dalai Lama and US government computers have recently been hacked? The Dalai Lama had email attachments appearing to be from coworkers replaced in transit:
Emails Hacked In Transit
Using TLS is at least a starting point to help reduce this kind of thing. I am not well versed enough to know if it would prevent what the Chinese hackers did in this case to swap out email attachments in transit, however at least it provides authentication on both ends of the message and fixes a few problems in SSL.
Gmail Spamming Network Solutions
I have a gmail email address and a business email address that I have used to email Network Solutions in the past. Someone has bombarded Network Solutions with spam from my email addresses - both of them - so my email addresses got blocked by Network Solutions. The person at Network Solutions said the emails contained Viagra spam among other things.
The most annoying thing is that Network Solutions will not give me any of the mail headers so I can see who is doing it. The second most annoying thing is that I have set up TLS communication between myself and Network Solutions SSL. They had to email me the attachment via GMail - which is obviously not very secure.
I have contended for a long time that someone has been messing with my email and this pretty much confirms it. Coincidence that it was both my gmail account and my business account? I doubt it.
So is it a problem with Gmail that someone can spoof my address to Network Solutions? Is this a problem with Gmail SPF records or lack thereof? Or is the problem that Network Solutions systems are not correctly checking SPF records and cannot tell the difference between spam and real emails that are actually from me?
The other problem with this whole scenario is the Network Solutions person said they were getting my emails, and replying to them. How is it that if my email address was blacklisted due to spam, they can still RECEIVE my emails (potentially spam) but not SEND emails to me? This doesn't really make sense to me. Don't you usually block spam? When they send to me they get no errors - so they didn't know they couldn't get emails to me until I called them and complained that someone really needs to fix this.
Additionally, they at first did not want to add the week onto my certificate for the time I have spent trying to get this to work - when the problem was not my fault. I cannot control their mail servers and know they are trying to email me but they cannot. This whole thing is very odd.
The other interesting thing is that they say they are sending these emails from the UK. This cannot be true because I have a block on emails from the UK. And it is also quite coincidental that one of my customers has been complaining suddenly that he cannot send emails to/from the UK -- but when he sent me the email header in question -- it was coming out of Texas.
Really, what is going on here? When is anyone going to believe that our email systems are really hacked and messed up and everyone needs to start using TLS (if that even works but it seems to be better due to authentication on both sides of the equation).
Thursday, March 26, 2009
123People - 123 People
Norton is reporting that 123 People is hosting drive by download software. Not to mention the completely bogus information they are displaying on their site. This site is bad news. Don't give them any "correct" information either, because who knows how they are using it.
Network Solutions SSL Cannot Email Me....
Just wondering what the problem is with Network Solutions trying to email me. Kind of odd - I've been a customer of theirs for years. Seems like the last few times I requested SSL certificates they couldn't send me an email with the new cert. They are fixing the problem now but I find this all kind of strange. Why me? Why a problem with my email address? What is going on? Email is so frustrating.
TLS Enforcement From Postini - Was Never Working?
Ok I've had TLS enforcement turned on in Postini since I got it for a particular domain of a company at which I was working. I just now got an error message stating that I cannot email this company because their mail server does not support TLS. I just used nslookup and telnet to test these mail servers and in fact they do not support TLS. So I don't know for how many months this "TLS Enforcement Policy" was not working. At all. I was sending messages to and from this client thinking they were encrypted.
Monday, March 23, 2009
Delay in TLS failure notifications
Apparently when using Postini TLS policy enforcement, there is quite a delay if you send an email to someone and their inbound server does not support TLS. It looks like it takes about a day or longer, so if you turn on TLS you won't know for some time that your email didn't go through.
Sunday, March 22, 2009
Volt Email Servers - TLS Failure
I tried TLS enforcement while sending to Volt email servers using Postini's TLS enforcement policies. I get a bounce back message saying Volt servers do not support end to end TLS enforcement.
The error message is:
Technical details of temporary failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 451 451 Recipient does not support STARTTLS - psmtp (state 14).
This is very surprising since Volt is a very large technical staffing company. Why wouldn't they want the most secure email possible to protect the identities of their employees and their business communications?
The other odd thing is that I sent to another Volt person and the email seemed to go through. Either that or the TLS failure messages are very delayed and I haven't gotten that failure message yet, which seems odd. Shouldn't the message rejection be immediately available? Isn't there a way to test an email server to see if it supports TLS prior to sending the message so I don't get a whole bunch of failures over time and waste mail server resources when they continually try to resend when an email server doesn't support TLS?
At any rate not sure why Volt email servers don't support TLS. This seems kind of odd. Additionally a person at Volt could not email me for some reason. There seems to be something strange going on with their mail servers.
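The question asked in this post and in the "TLS Enforcement From Postini" post above (is there a way to test a mail server for TLS support before sending?) has a simple answer: connect to the server, send EHLO, and see whether STARTTLS is listed in the reply, which is what the nslookup-and-telnet check does by hand. The script below is an added example, not code from this blog, from Postini or from Google. It includes a small fake SMTP server so it runs offline; the host name `mail.example` and the probe's own name `probe.example` are constructed. Against a real domain you would first resolve its MX records and run `supports_starttls()` against each MX host.

```python
"""Check whether an SMTP server advertises STARTTLS in its EHLO reply.

Added example (not code from this blog, from Postini or from Google). It
does in code what the posts describe doing by hand with nslookup and
telnet: connect to the mail server, send EHLO, and look for STARTTLS in
the 250 reply. A one-shot fake SMTP server is included so the check can
be exercised offline.
"""
import socket
import threading


def read_reply(reply_file):
    """Read one SMTP reply (single or multi-line) from a file-like socket.

    Returns (code, text_lines). A line written as "250-..." says more
    lines follow; "250 ..." (space after the code) is the last one.
    """
    lines = []
    while True:
        raw = reply_file.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] == " ":
            return int(line[:3]), lines


def supports_starttls(host, port=25, helo_name="probe.example", timeout=10):
    """True if the server lists STARTTLS among its EHLO extensions.

    No message is sent and no TLS handshake is started; the probe only
    asks what the server offers, which is enough to know whether a
    TLS-enforcement policy for that domain can ever succeed.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as reply_file:
            code, _ = read_reply(reply_file)
            if code != 220:
                raise RuntimeError(f"unexpected greeting code {code}")
            sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
            code, ehlo_lines = read_reply(reply_file)
            if code != 250:
                raise RuntimeError(f"EHLO rejected with code {code}")
            sock.sendall(b"QUIT\r\n")
            read_reply(reply_file)  # the 221 goodbye
            # ehlo_lines[0] is the server's own name; the rest are extension keywords
            return any(ext.split()[0].upper() == "STARTTLS"
                       for ext in ehlo_lines[1:] if ext.strip())


def fake_smtp_server(advertise_starttls):
    """Start a one-shot fake SMTP server on 127.0.0.1 (constructed test double).

    Returns the port it listens on. It serves a single connection with a
    canned greeting and EHLO reply, with or without STARTTLS.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        with conn, conn.makefile("rb") as cmd_file:
            conn.sendall(b"220 mail.example ESMTP\r\n")
            for raw in cmd_file:
                cmd = raw.decode("ascii", "replace").strip().upper()
                if cmd.startswith("EHLO"):
                    exts = ["mail.example", "SIZE 10240000", "8BITMIME"]
                    if advertise_starttls:
                        exts.append("STARTTLS")
                    reply = "".join(f"250-{e}\r\n" for e in exts[:-1]) + f"250 {exts[-1]}\r\n"
                    conn.sendall(reply.encode("ascii"))
                elif cmd.startswith("QUIT"):
                    conn.sendall(b"221 mail.example closing\r\n")
                    break
                else:
                    conn.sendall(b"502 command not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for offered in (True, False):
        port = fake_smtp_server(offered)
        print(f"fake server advertising STARTTLS={offered}: "
              f"supports_starttls -> {supports_starttls('127.0.0.1', port)}")
```

A server that answers EHLO without a STARTTLS line is exactly the case behind the "451 Recipient does not support STARTTLS" bounce quoted above; running this probe once per recipient domain before enabling an enforcement policy tells you up front which domains will never deliver under it.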
Google - MD5 Cipher
I just noticed that in my error messages on Google an MD5 Cipher is being used:
version=TLSv1/SSLv3 cipher=RC4-MD5
I am not an expert on TLS and SSL but the latest SSL hack that got a lot of hoopla in the news was using an SSL certificate with MD5 encryption. It has been widely reported that SHA is much more secure and MD5 has been vulnerable for a while. Why is Google using MD5 in that case?
MD5 hacked
Wednesday, March 18, 2009
Postini Didn't Block Specified IP
Yesterday a customer complained about not getting email from one of his customers. I thought maybe the customer was in an IP range blocked by Postini so I asked him for a mail header if he could provide one.
For some reason an email was able to get through at some point and we haven't made any changes on our Postini account recently (unless Postini and Google Apps are making these changes related to the string of problems noted in my blogs since November on those Postini/Google Apps problems).
The thing I don't understand is that the IP address should have been blocked according to our mail configuration settings in the first place. This particular IP address that should have been blocked was coming through Microsoft's Hotmail service. The last IP in the email address was the Microsoft hotmail product. The originating IP address was in the UK in a range we had blocked.
Apparently, Postini must be only blocking the last mail server in the header but not the originating IP address, which could be problematic obviously. Hackers and spammers can simply go through a "good" mail server you don't want to block no matter what their particular originating IP address is and you cannot block them.
It would be better if Postini could somehow look at that originating IP address (if that's not what it's doing).
Maybe the issue here is that different email headers have different formats and it can be tricky to parse out the originating IP. What if email headers had to conform to an XML standard with a schema to validate them? Would that help drill down to the correct IP address? Maybe backwards compatibility could be provided to parse out old headers and stuff them into XML - but if they don't work the mail gets rejected - with a message telling the person to upgrade their mail server to an XML header compliant system.
Additionally mail headers could have details encrypted in transit except for what is required to get the mail from end to end with some sort of hash to make sure the message was not altered in transit.
Just dreaming here on a better way to solve mail problems...
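The header walk this post is asking for, as an added example in Python (not code from this blog or from Postini): it pulls the connecting IP out of every Received: line in a message rather than only the topmost one, and checks each hop against a CIDR blocklist, so a blocked originating address still gets flagged when it arrives through a reputable relay. The message, the host names and the 203.0.113.0/24 range (a documentation range standing in for the blocked UK range) are constructed sample data.

```python
"""Walk every Received: hop in a message and check each against a blocklist.

Added example, not code from this blog or from Postini. It shows the
difference between a filter that looks only at the last relay (the IP
that connected to our server) and one that inspects every hop: the
sample message originated in a blocked range and was relayed through a
"good" server, so only the second approach catches it.
"""
import email
import ipaddress
import re

# Constructed sample message: originated at 203.0.113.77 (a documentation
# range used here as the blocked range), relayed through a hypothetical
# big-provider server before reaching our own mx.ourdomain.example.
SAMPLE_MESSAGE = b"""\
Received: from relay.bigprovider.example (relay.bigprovider.example [198.51.100.10])
\tby mx.ourdomain.example with ESMTP id abc123
\tfor <someone@ourdomain.example>; Wed, 18 Mar 2009 09:12:01 -0700
Received: from user-pc (unknown [203.0.113.77])
\tby relay.bigprovider.example with SMTP id xyz789;
\tWed, 18 Mar 2009 09:11:55 -0700
From: sender@example.net
To: someone@ourdomain.example
Subject: test

hello
"""

# Constructed blocklist in CIDR form (the post's blocked range was in the UK).
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]

# IPv4 literal in square brackets, the way MTAs write it in Received: headers.
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return the connecting IP of every Received: hop, last hop first.

    Only the topmost header was written by our own server and can be
    trusted; the lower ones are claims made by earlier relays and may be
    forged. They are still worth inspecting, but only as grounds to
    block, never as grounds to allow.
    """
    msg = email.message_from_bytes(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        # Keep the "from ... [ip]" clause only: everything after "by" names
        # the receiving server, whose address we do not want to pick up.
        from_clause = re.split(r"\s+by\s+", value, maxsplit=1)[0]
        match = _BRACKETED_IP.search(from_clause)
        if match:
            hops.append(ipaddress.ip_address(match.group(1)))
    return hops


def blocked_hops(raw_message, blocklist):
    """Return every hop IP that falls inside a blocklisted network."""
    return [ip for ip in received_hops(raw_message)
            if any(ip in net for net in blocklist)]


def last_hop_blocked(raw_message, blocklist):
    """What a filter that examines only the connecting relay would decide."""
    hops = received_hops(raw_message)
    return bool(hops) and any(hops[0] in net for net in blocklist)


if __name__ == "__main__":
    print("hops (last first):", [str(ip) for ip in received_hops(SAMPLE_MESSAGE)])
    print("last-hop-only check blocks it:", last_hop_blocked(SAMPLE_MESSAGE, BLOCKLIST))
    print("full-chain check flags:", [str(ip) for ip in blocked_hops(SAMPLE_MESSAGE, BLOCKLIST)])
```

For the sample above the last-hop check sees only 198.51.100.10 and lets the message through, while the full walk flags 203.0.113.77. The caveat in the docstring matters in practice: since any relay can insert a fabricated Received: line, a hop found deeper in the chain is a reason to reject or quarantine, not a reason to whitelist.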
Microsoft Mail Problems
I've had a string of people lately complaining about problems with Microsoft "in the cloud" mail products and/or having problems sending messages to me from this service.
Someone trying to email me who uses one of their services somehow (not sure exactly how he's set up but there's a Microsoft IP of some kind in the set up) is having problems emailing me. I've checked all the IPs he's using and his mail server IP and they're not blocked.
A girlfriend of a friend was complaining that she was having problems with her Microsoft mail. Not sure the details there.
Then, strangely a customer complained that he could not get messages from someone. When a message finally did get through it came from a Microsoft mail product - from an IP that should have been blocked by Postini. The Microsoft IP was ok but it originated from a blocked IP.
Not sure what is going on here exactly, just been hearing about and having problems myself with mail related to Microsoft's online mail services in various ways.
Friday, March 13, 2009
Phone Problems
Seriously having communication problems related to my business. Today a person with a potential large project called me. My phone rang once, on my end and dropped off. On his end he said the phone rang and rang and rang and then went to a fast busy signal.
What is going on? It is seriously disturbing when important customers are trying to reach you and they get all kinds of weird problems like those I have described with my email below and other types of phone problems.
So my question is - how do you know when a lot of potential customers are being redirected to some other third party or cannot reach you for some reason? If you got a call from someone you don't even know and they couldn't reach you - they would assume you were out of business or something like that...you'd never know you missed their call.
This is all very bothersome if you start wondering how many phone calls, emails, sales leads and other things your business may be missing due to problems like this.
Saturday, March 07, 2009
123People.com Posting Private Information
123People.com is posting personal and private information including email addresses on the web - easy for spammers to scrape. That's lovely. Additionally they are posting completely bogus information including addresses and phone numbers.
It looks like they are probably scraping this information off social networks and possibly other sources based on the information I've seen so far.
It may also be somehow related to the Manta site which also displays completely bogus information about businesses, because I found some similar information on both sites. Could be a coincidence but at least these sites are related because they both post bogus information.
Thursday, March 05, 2009
How secure is Postini if your mail is hacked before it gets there?
I have been having problems with Postini lately. Or maybe it's not Postini - maybe it's before the mail ever gets to Postini.