Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi all,
Vanilla are planning an update to the site on April 24th (next Wednesday). It is a major PHP8 update which is expected to boost performance across the site. The site will be down from 7pm and it is expected to take about an hour to complete. We appreciate your patience during the update.
Thanks all.

Local supplier - system possible "hacked" ?

  • 26-02-2015 10:05pm
    #1
    Ctrl Alt Del
    Registered Users Posts: 357 ✭✭


    Hi,

    This is a strange situation as i dunno what to do...this time !

    Again,some local supplier of mine i guess,got its systems compromised.
    I have emailed them asking for advice,i have evidence that they have read my emails but no reply or any kind of response from their side.

    This time,the spam email format replicated their internal database format.
    Same username and same email format associated with the registration.

    Options:

    -drive over to them and ask for advise
    -ask any other user here if they have received recently spam emails coming from "Apple" with AppleID expired.
    -ask other users if they have an account with supplier and if they have data compromised as well.

    What other option can i have here !?


    Received: from gmy2-mhxxx.smtproutes.com (94.186.x.x) by
    remote.mydomain.ie (10.x.x.x) with Microsoft SMTP Server id 8.1.240.5;
    Thu, 26 Feb 2015 20:31:32 +0000
    X-Katharion-ID: 1424982644.90609.gmy2-mh876 (unfiltered-unk)
    Return-Path: <unpdate_info@costumers.com>
    Received: from mail.hostdestock.com ([173.0.130.34]) by
    gmy2-mhxx.smtproutes.com [(94.186.x.x)] with ESMTP via TCP; 26 Feb
    2015 20:30:44 +0000
    Received: from [151.236.53.79] ([127.0.0.1]) by hostdestock.com with
    MailEnable ESMTP; Thu, 26 Feb 2015 14:30:58 -0600
    From: Apple <up_new_apple@costumers.com>
    To: "mylogin2011" <suppliername+year@mydomain.ie>
    Subject: Apple ID Expired =?UTF-8?Q?=E2=9C=94_?=
    Message-ID: <1b62cafa2940b1418d8bcef0028887b0@ID14567>
    Date: Thu, 26 Feb 2015 20:29:26 +0000
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0001_E8830402.6CE67B47"
    X-Priority: 3
    X-Mailer: Microsoft Office Outlook 12.0


Comments

  • #2
    shayno90
    Registered Users Posts: 547 ✭✭✭shayno90


    2 options:

    Recommended
    1. Contact them to alert them to this and check their mail server if they manage it themselves etc.

    Not recommended
    2. Check if there mail server is accessible via telnet/netcat on port 25, if so send a test email to yourself to see if you can spoof the sender email address


  • #3
    dbit
    Closed Accounts Posts: 1,322 ✭✭✭dbit


    shayno90 wrote: »
    2 options:

    Recommended
    1. Contact them to alert them to this and check their mail server if they manage it themselves etc.

    Not recommended
    2. Check if there mail server is accessible via telnet/netcat on port 25, if so send a test email to yourself to see if you can spoof the sender email address


    As in test for relay or open relay ?


  • #4
    shayno90
    Registered Users Posts: 547 ✭✭✭shayno90


    dbit wrote: »
    As in test for relay or open relay ?

    Yes, test for an open relay.

    Do you have something to add to the OP?


  • #5
    Khannie
    Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    shayno90 wrote: »
    Do you have something to add to the OP?

    I think he was asking if you're suggesting doing something illegal, in fairness. It's not exactly ruining the thread there, Ted.

    OP: Just give them a ring, maybe?


  • #6
    dbit
    Closed Accounts Posts: 1,322 ✭✭✭dbit


    Search his domain on mxtoolbox and see if its flagged for spamming , if not he is possibly infected in some way hidden mailer deamon or something. ?? Why such hostility ??


    Also check his IP on MX toolbox . use tabs to see blacklists and verify reverse IP in fqdn . validate SSL certs ???


  • Advertisement
  • #7
    shayno90
    Registered Users Posts: 547 ✭✭✭shayno90


    dbit wrote: »
    Search his domain on mxtoolbox and see if its flagged for spamming , if not he is possibly infected in some way hidden mailer deamon or something. ?? Why such hostility ??


    Also check his IP on MX toolbox . use tabs to see blacklists and verify reverse IP in fqdn . validate SSL certs ???

    The OP was looking for an answer which I highlighted was lacking in yours. (No hostility intended)

    The second option I said was not recommended due (to legal reasons).
    However, as the volume of spam alerts generated from the user mail server has not been reported or registered on a mail black list yet, best to inform them.


  • #8
    shayno90
    Registered Users Posts: 547 ✭✭✭shayno90


    Any update on this OP?


  • #9
    dbit
    Closed Accounts Posts: 1,322 ✭✭✭dbit


    shayno90 wrote: »
    Any update on this OP?

    Ye did you get to the bottom of it? was it island hopping or the customer him/her self ?


  • #10
    Ctrl Alt Del
    Registered Users Posts: 357 ✭✭Ctrl Alt Del


    Hi,

    Sorry for silence...
    Not sure yet...

    Called supplier and spoke with the staff that is looking after web site.
    Been directed to the web site designer chap.Spoke with him,explained my issue and been told that they will approach the ISP to check it from their end ,as well.

    Complete silence from their side,so far !
    As i dont have any financial data on their system,can't push it.
    Also,if i push it too much,i may leave signs of that i want to promote my business...

    After i re-analyzed the headers..

    The format of the header of the "To:" it replicates the database with "username:mylogin2011" and the email address with "supplier_year@mydomain.ie".
    IT looks like they have been hacked at the mySQL or SQL database level.I recognise it from past installations.Cannot confirm it as i cant get a test on their current hosting provider and/or systems to see what prior and current versions are they running.Too risky...

    I can go public and see if other users with them has same issue but if a normal end users will have registered with their general same email address...how will they differentiate what spam coming from where !??

    Please note that I dont think is "the email server" hacked AS that email address format is no where on my local PC and/or my server AND any email server does not store username and email address like above.
    The "Received from:" is my external antispam/antivirus provider's server and not the supplier's email server !

    I will follow up with an email later this week and see what is their response.

    Regards


Advertisement