 Hacked Server?

Amigwyn
Master Baiter
Posted: Fri Sep 17, 2010 10:01 pm

I am very new at this bait stuff and even more new at e-mail headers and how scammers can get into your PC and/or websites... so I have a question.

I recently received an e-mail from a loan lad which I posted in Surplus because I haven't read up enough on that type of bait. When I did I noticed the funky headers. Or at least I think they're funky? I'm attempting to wade my way through them and found something odd...

Quote:
Delivered-To: [email protected]
Received: by xxxx
Fri, 17 Sep 2010 03:52:08 -0700 (PDT)
Received: by xxxx
Fri, 17 Sep 2010 03:52:07 -0700 (PDT)
Return-Path: <[email protected]>
Received: from exchange.bavfc.org (mail.bavfc.org [67.62.41.238])
by mx.google.com with ESMTP id l6si7014616qca.37.2010.09.17.03.51.51;
Fri, 17 Sep 2010 03:52:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 67.62.41.238 as permitted sender) client-ip=67.62.41.238;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 67.62.41.238 as permitted sender) [email protected]
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Ensure you send your response to this email address: [email protected]
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Fri, 17 Sep 2010 06:49:04 -0400
Message-ID: <[email protected]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Ensure you send your response to this email address: [email protected]
Thread-Index: ActWVemlNkR4C/xcRuCc/VoAkBYdag
From: "Tom Zecha" <[email protected]>


If I'm reading it right (which is highly possible I'm not), this is coming from a volunteer fire department site in Maryland (www.bavfc.org). Does this mean they were hacked? If so, what can be done to warn them? I noticed in the original mail the sender was very clear to reply to a different e-mail, I assume because they were using a hijacked server.

Mods: I did post these headers with the e-mail in the surplus forums as well as a question about the website/server but wasn't sure how much traffic it would get there. I apologize if this is considered a duplication and this thread needs to be locked.

Master
fooliest baboom
Posted: Fri Sep 17, 2010 10:18 pm

I believe this is called spoofing.
I don't know exactly how it is done but they somehow make it appear it has come from that address. You will get them from all sorts of different legit companies and organisations. It is the reply to address which the scammer is really using.
I don't think there is any hacking into the website involved.
Someone else might come along shortly with more knowledge

Amigwyn
Master Baiter
Posted: Fri Sep 17, 2010 10:39 pm

^^ I understand about spoofing. At least I think. That is where they send it from their own account but the e-mail looks like it's legit like from Microsoft or something. Then you hit reply and it is the real e-mail address.

But does that affect the headers? Just saying an e-mail is from Microsoft doesn't automatically use their servers to send an e-mail, does it? Or is that not what the info in the headers indicates? I'm just so noob at this stuff.

foo
Elite Baiter
Posted: Fri Sep 17, 2010 10:52 pm

Code:
Received-SPF: pass (google.com: domain of [email protected] designates 67.62.41.238 as permitted sender) client-ip=67.62.41.238;
Code:
mail.bavfc.org.         14316   IN      A       67.62.41.238

It was sent via their mail server, probably with their webmail. It's not Gmail (which would prepend a Sender: header) and that's the only IP there. I suspect a phished account.

Amigwyn
Master Baiter
Posted: Sat Sep 18, 2010 3:55 pm

Quote:
I suspect a phished account.


Can anything be done about it?

foo
Elite Baiter
Posted: Sat Sep 18, 2010 8:58 pm

I'd report it to this guy:
Code:
Admin Email:[email protected]

manbiteslion
Baiting Guru
Posted: Sat Sep 18, 2010 9:43 pm

I expect it is a google apps service for the bavfc.org domain (sorry, on my phone, can't do MX record lookup, but I'd be surprised if it doesn't point to a google mail server), so a phished account.

Small companies can pay google a fee to get a branded version of gmail, and that may reflect in the headers as we see above. It may also be a gmail account associated with multiple addresses and sent from the @bavfc address, but I'd guess the former first, then the latter in terms of likelihood.

Email the admin contact for bavfc.org, or find some number from their website to give them a quick call. This is not a spoofed header, but a legit google mail (or badged google mail) header

Ghost
419Eater Admin
Posted: Sat Sep 18, 2010 10:35 pm

I suspect MS live is more likely the Email provider.

Anyway, it's a phished account.

wangching
Hello I'm New here!
Posted: Sun Sep 19, 2010 5:19 am

In this case, Google is receiving the mail. I suspect the OP is using gmail. That's why you see Google checking the SPF record of the domain from which the email originates.

The mail is likely coming from an exchange server running on 67.62.41.238. I'd say they forgot to change a default pw, or perhaps even just left their SMTP wide open, and their SPF, to allow anyone to send through their server.

Someone might want to drop a note to the sysadmin of the originating domain.
View user's profileSend private message
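
The header reading done across this thread, written out as an added example (not part of any post): it takes the topmost Received hop that names a connecting IP, compares it with the Received-SPF verdict, and lists any reply address that points away from the From domain. The sample headers are constructed with placeholder hostnames, addresses and a documentation-range IP, and `analyse` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the quoted headers; every hostname, address
# and IP below is a placeholder, not a value taken from the thread.
SAMPLE = """\
Delivered-To: reader@recipient.example
Received: by 10.0.0.2 with SMTP id abc; Fri, 17 Sep 2010 03:52:08 -0700 (PDT)
Return-Path: <member@firedept.example>
Received: from exchange.firedept.example (mail.firedept.example [192.0.2.38])
        by mx.recipient.example with ESMTP id xyz;
        Fri, 17 Sep 2010 03:52:07 -0700 (PDT)
Received-SPF: pass (recipient.example: domain of member@firedept.example
        designates 192.0.2.38 as permitted sender) client-ip=192.0.2.38;
Subject: Ensure you send your response to this email address: loans@freemail.example
From: "Sample Sender" <member@firedept.example>

(body omitted)
"""

HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def analyse(raw):
    msg = message_from_string(raw)
    # Received headers are prepended, so the topmost one with a from-clause was
    # written by the recipient's own MX and is the only hop that can be trusted.
    hops = (HOP.search(" ".join(h.split())) for h in msg.get_all("Received", []))
    handoff = next((m for m in hops if m), None)
    spf = " ".join(msg.get("Received-SPF", "none").split())
    verdict = spf.split()[0].lower() if spf else "none"
    spf_ip = re.search(r"client-ip=([\d.]+)", spf)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Addresses in Reply-To or Subject that steer replies off the From domain.
    steer = msg.get("Reply-To", "") + " " + msg.get("Subject", "")
    redirects = [a for a in ADDR.findall(steer)
                 if a.rpartition("@")[2].lower() != from_domain]
    authentic = bool(handoff and spf_ip and verdict == "pass"
                     and spf_ip.group(1) == handoff.group(3))
    return {
        "connecting_ip": handoff.group(3) if handoff else None,
        "connecting_host": handoff.group(2) if handoff else None,
        "spf": verdict,
        "from_domain": from_domain,
        "sent_via_domain_server": authentic,
        "reply_redirects": redirects,
    }
```

SPF is evaluated against the envelope sender (Return-Path), so a pass with a matching connecting IP shows only that the domain's own server handed the mail over, not who was logged in to it. That combination, together with a reply address on an unrelated domain, is what separates a compromised account or relay from a forged From line.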