Hacked Server?

By joining our community you will have the ability to post topics and access other forums reserved for members. Registration is quick, simple and absolutely free. Join our community today by clicking here.

Posted: Fri Sep 17, 2010 10:01 pm

I am very new at this bait stuff and even more new at e-mail headers and how scammers can get into your PC and/or websites... so I have a question.

I recently received an e-mail from a loan lad which I posted in Surplus because I haven't read up enough on that type of bait. When I did I noticed the funky headers. Or at least I think they're funky? I'm attempting to wade my way through them and found something odd...

Quote:

Delivered-To: [email protected]
Received: by xxxx
Fri, 17 Sep 2010 03:52:08 -0700 (PDT)
Received: by xxxx
Fri, 17 Sep 2010 03:52:07 -0700 (PDT)
Return-Path: <[email protected]>
Received: from exchange.bavfc.org (mail.bavfc.org [67.62.41.238])
by mx.google.com with ESMTP id l6si7014616qca.37.2010.09.17.03.51.51;
Fri, 17 Sep 2010 03:52:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 67.62.41.238 as permitted sender) client-ip67.62.41.238;
Authentication-Results: mx.google.com; spfpass (google.com: domain of [email protected] designates 67.62.41.238 as permitted sender) [email protected]
MIME-Version: 1.0
Content-Type: text/plain;
charset"iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Ensure you send your response to this email address: [email protected]
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Fri, 17 Sep 2010 06:49:04 -0400
Message-ID: <[email protected]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Ensure you send your response to this email address: [email protected]
Thread-Index: ActWVemlNkR4C/xcRuCc/VoAkBYdag
From: "Tom Zecha" <[email protected]>

If I'm reading it right (which is highly possible I'm not), this is coming from a volunteer fire department site in Maryland (www.bavfc.org). Does this mean they were hacked? If so, what can be done to warn them? I noticed in the original mail the sender was very clear to reply to a different e-mail, I assume because they were using a hijacked server.

Mods: I did post these headers with the e-mail in the surplus forums as well as a question about the website/server but wasn't sure how much traffic it would get there. I apologize if this is considered a duplication and this thread needs to be locked.

Baiting Guru Joined: 29 Jan 2008 Posts: 2531 Location: AU

I believe this is called spoofing.
I don't know exactly how it is done but they somehow make it appear it has come from that address. You will get them from all sorts of different legit companies and organisations. It is the reply to address which the scammer is really using.
I don't think there is any hacking into the website involved.
Someone else might come along shortly with more knowledge

Posted: Fri Sep 17, 2010 10:39 pm

^^ I understand about spoofing. At least I think. That is where they send it from their own account but the e-mail looks like it's legit like from Microsoft or something. Then you hit reply and it is the real e-mail address.

But does that effect the headers? Just saying an e-mail is from Microsoft doesn't automatically use their servers to send an e-mail, does it? Or is that not what the info in the headers indicates? Confused

I'm just so noob at this stuff. Wink

Posted: Fri Sep 17, 2010 10:52 pm

Code:

Received-SPF: pass (google.com: domain of [email protected] designates 67.62.41.238 as permitted sender) client-ip67.62.41.238;

Code:

mail.bavfc.org. 14316 IN A 67.62.41.238

It was sent via their mail server, probably with their webmail. It's not Gmail (which would prepend a Sender: header) and that's the only IP there. I suspect a phished account.

Posted: Sat Sep 18, 2010 3:55 pm

Quote:

I suspect a phished account.

Can anything be done about it?

Posted: Sat Sep 18, 2010 8:58 pm

I'd report it to this guy:

Code:

Admin Email:[email protected]

Posted: Sat Sep 18, 2010 9:43 pm

I expect it is a google apps service for the bavfc.org domain (sorrry, on my phone, can't do MX record lookup, but I'd be surprised if it doesn't point to a google mail server), so a phished account.

Small companies can pay google a fee to get a branded version of gmail, and that may reflect in the headers as we see above. It may also be a gmail account associated with multiple addresses and sent from the @bavfc address, but I'd guess the former first, then the latter in terms of likelihood.

Email the admin contact for bavfc.org, or find some number from their website to give them a quick call. This is not a spoofed header, but a legit google mail (or badged google mail) header

Posted: Sat Sep 18, 2010 10:35 pm

I suspect MS live is more likely the Email provider.

Anyway, it's a phished account.

Hello I'm New here! Joined: 28 Jun 2010 Posts: 1

In this case, Google is receiving the mail. I suspect the OP is using gmail. That's why you see Google checking the SPF record of the domain from which the email originates.

The mail likely coming from an exchange server running on 67.62.41.238. I'd say they forgot to change a defualt pw, or perhaps even just left their SMTP wide open, and their SPF, to allow anyone to send from through their server.

Someone might want to drop a note to the sysadmin of the originating domain.