From: "Matt Kettler" <[EMAIL PROTECTED]>

NW7US, Tomas wrote:
Ok, this one is new to me.  Can someone guide me as to where my
security is broken, if I get these headers on a message?

Return-path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on helios.hfradio.org
X-Spam-Status: No, score=-0.8 required=1.0
        tests=BAYES_05,FORGED_RCVD_HELO,TO_CC_NONE autolearn=no
        version=3.1.0
Received: from [11.54.168.176] by mail.swbell.net; Fri, 10 Mar 2006 08:17:42
X-Originating-IP: [60.170.26.144] via HTTP from webmail.swbell.net; Fri, 10 Mar 2006 08:17:42
Message-ID: <[EMAIL PROTECTED]>
From: "Aimee Belcher" <[EMAIL PROTECTED]>
Subject: Two Super Hot Picks, Get In Early! n23ui
Date: Fri, 10 Mar 2006 00:17:15 -0800
X-IMAPbase: 1135281538 18330
Status: O
X-UID: 18330
Content-Length: 743
X-Antivirus: AVG for E-mail 7.1.375 [268.2.1/277]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=us-ascii

The message has no To: header.  If I read this right, my server is not
getting this via HTTP, right?  The original was entered into the
stream via HTTP, but then that server sent it out... relaying it to my
server.  Or, do I have a security issue via the HTTP port?

I think your analysis might be correct.

HOWEVER, there is one thing that concerns me. Where's the Received:
header generated by your server? There doesn't appear to be one!

SA is running on helios.hfradio.org, but the only Received: header shows
it being delivered to mail.swbell.net. How'd it get from there to helios?

I'd suspect the message headers are corrupted, or the message was
inserted into your mail system WITHOUT going over SMTP.


What I am REALLY interested in, Matt, is the DoD network that was hacked
so that the Received: line could happen. And is that the normal format
for a mail.swbell.net header? If it is forged, then it got into his machine
directly without his machine logging it in. That COULD mean an HTTP
vulnerability.

Now, I notice that:
hfradio.org has address 66.152.65.67
mail.hfradio.org has address 66.152.66.10
www.hfradio.org has address 66.152.65.67
10.66.152.66.in-addr.arpa domain name pointer helios.hfradio.org.

It would appear that helios does have a working http on it with a simple
pointer to the .67 address. So I might be moved to investigate the server
at helios for a vulnerability. But at the same time I would review how
mail can get into helios without ever being logged. That is a "bad thing".
And I note that the .67 machine alias "prop.hfradio.org" includes a comments
page. That script could be vulnerable if updates to the OS are not fully
installed. (That is presuming a ham would be canny enough NOT to run Windows
for this sort of an operation. If he is using Windows then it's entirely up
for grabs.)

{^_^}   Joanne, W6MKU
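Matt's check above, that the host running SpamAssassin should appear as the receiving ("by") MTA in at least one Received: header, can be automated. The script below is an added example and not code from anyone in this thread; it takes the host name from the X-Spam-Checker-Version header and compares it against every Received: hop. The sample headers are reconstructed from Tomas's post, with the redacted addresses replaced by constructed placeholder values, and the Received: parsing regex only handles the common "from X by Y" form.

```python
"""Flag a message whose Received: chain never names the local MTA.

Added example, not code from the thread. Sample headers are reconstructed
from the ones posted, with redacted addresses replaced by placeholders.
"""
import re
from email import message_from_string

# Constructed sample: the posted headers, one per line, redactions replaced.
SAMPLE = """\
Return-path: <sender@example.invalid>
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on helios.hfradio.org
X-Spam-Status: No, score=-0.8 required=1.0 tests=BAYES_05,FORGED_RCVD_HELO,TO_CC_NONE autolearn=no version=3.1.0
Received: from [11.54.168.176] by mail.swbell.net; Fri, 10 Mar 2006 08:17:42
X-Originating-IP: [60.170.26.144] via HTTP from webmail.swbell.net; Fri, 10 Mar 2006 08:17:42
Message-ID: <placeholder@example.invalid>
From: "Aimee Belcher" <sender@example.invalid>
Subject: Two Super Hot Picks, Get In Early! n23ui
Date: Fri, 10 Mar 2006 00:17:15 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

(body omitted)
"""

# Matches the usual "from <host> [(comment)] by <host>" opening of a Received: header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def spamassassin_host(raw):
    """Host named after 'on' in X-Spam-Checker-Version, i.e. where SA ran."""
    msg = message_from_string(raw)
    value = msg.get("X-Spam-Checker-Version", "")
    m = re.search(r"\bon\s+(\S+)\s*$", value)
    return m.group(1).lower() if m else None


def parse_received(raw):
    """Return (from, by) per Received: header, in header order (newest hop first).

    Hops whose text does not match the simple form are reported as (None, None)
    so that an unparseable header is visible rather than silently dropped."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append((m.group("from").strip("[]").lower(),
                         m.group("by").rstrip(";").lower()))
        else:
            hops.append((None, None))
    return hops


def check_chain(raw):
    """Report whether the SA host ever appears as a receiving MTA.

    If it does not, the headers were mangled or the message entered the mail
    store by some path other than SMTP, which is the case Matt describes."""
    sa_host = spamassassin_host(raw)
    hops = parse_received(raw)
    local_hop = sa_host is not None and any(by == sa_host for _, by in hops)
    return {"sa_host": sa_host, "hops": hops, "local_hop_present": local_hop}


if __name__ == "__main__":
    result = check_chain(SAMPLE)
    print("SpamAssassin ran on:", result["sa_host"])
    for src, dst in result["hops"]:
        print(f"  hop: from {src} by {dst}")
    if not result["local_hop_present"]:
        print("WARNING: no Received: header names the local MTA; "
              "headers corrupted or message injected without SMTP")
```

Run against the sample, it prints the single swbell hop and the warning, which is exactly the gap Matt points at: SpamAssassin ran on helios, but no hop says "by helios".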
