I sit here wondering how valuable (or legitimate) the certifications Mr Swafford cites in his sig really are when he scanned some company server because he was too [lazy|ignorant|distracted] to read the mail headers or perform some simple whois queries, nslookups or a traceroute (all fairly benign and non-intrusive).
"Owning" a URI does not mean they own or host the server. Lumbermax is listed as an Austin, TX, USA company, and is hosted on an "ironhosting" server - the company mentioned coincidentally in the second spam purportedly from Mr Stanley. www.lumbermax.com resolves to 66.185.124.10, which is IP space residing in Illinois. So, you nmap scanned a company residing in Austin, TX, which is really a website hosted on a server in Illinois, because of a spam sent originally from a system in Austria. I would have thought a CEH/CCNA/Network+/Security+ could (or would) have done better.

-bp

> From the original header:
> Received: from [194.24.158.16] by web58409.mail.re3.yahoo.com via HTTP;
> Tue, 14 Nov 2006 00:46:24 PST
> Date: Tue, 14 Nov 2006 00:46:24 -0800 (PST)
> From: William Stanley <[EMAIL PROTECTED]>
> To: [email protected]
>
> 194.24.158.16 is not lumbermax.com, it's a box in Austria.
>
> If I was a spammer, it would be easy to sub a known blacklisted spammer to
> try and hide my point of origin.
>
> "William Stanley" is the real spammer and he used a box in Austria or
> "William Stanley" has nothing to do with this and someone else used a box in
> Austria.
>
> Always look for the source. Since the 194.24.158.16 address is recorded in
> the header by the webmail yahoo box, I would probably say the 194.24.158.16
> address is not forged. That is the originating address of this email.
>
> Don't believe anything else below it unless you actually sent it. It can be
> forged.
>
> And did you scan lumbermax.org from inside archbishop alter high school? If
> so, be very careful about doing that. The high school administration may not
> appreciate you scanning a legit company from inside their domain. And don't
> explore any of the open ports from inside the high school.
>
> But then again, you are listed as the high school's network engineer, so I
> guess you would be the point of contact if lumbermax.com has an issue,
> correct?
> > ________________________________________
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Swafford
> > Sent: Tuesday, November 14, 2006 9:07 AM
> > To: [email protected]; William Stanley
> > Subject: Re: [Full-disclosure] Austin Decking 512-385-5334 Austindecking wholesale
> >
> > Golden.......
> >
> > NMAP shows the following (lumbermax.com):
> > 21/TCP - OPEN - FTP
> > 22/TCP - OPEN - SSH
> > 25/TCP - OPEN - SMTP
> > 53/TCP - OPEN - DOMAIN
> > 80/TCP - OPEN - HTTP
> > 110/TCP - OPEN - POP3
> > 111/TCP - OPEN - RPCBIND
> > 135/TCP - FILTERED - MSRPC
> > 137/TCP - FILTERED - NETBIOS-NS
> > 138/TCP - FILTERED - NETBIOS-DGM
> > 139/TCP - FILTERED - NETBIOS-SSN
> > 143/TCP - OPEN - IMAP
> > 443/TCP - OPEN - HTTPS
> > 445/TCP - FILTERED - MICROSOFT-DS
> > 593/TCP - FILTERED - HTTP-RPC-EPMAP
> > 631/TCP - OPEN - IPP
> > 3306/TCP - OPEN - MYSQL
> >
> > - Running Apache 2.052 (so there are some exploitable flaws here as current
> > ver is 2.059). It's running on a CENTOS box and the apache error says the
> > domain is LYFE-CARD.com
> > - The SMTP services are Sendmail 8.13.1
> >
> > ____________________________________________________
> >
> > David A. Swafford, Network Engineer
> > Information Technology Team
> > Archbishop Alter High School
> >
> > EC-Council Certified Ethical Hacker
> >
> > A Cisco Systems, Inc., Certified Network Associate (CCNA)
> > and a CompTIA Network+ and Security+ Certified Professional
> >
> > <snip>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
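The header reading the quoted reply recommends (take the address the webmail host itself recorded, believe nothing stamped below it) can be mechanised. The script below is an added example and is not code from anyone in this thread. The message it parses is constructed: apart from 194.24.158.16, which the thread names, the addresses are RFC 5737 documentation ranges and the host names use the reserved .invalid TLD; the third Received: line is a constructed forgery of the kind a sender can prepend. The list of trusted domains is an assumption, and the chain-continuity rule (each line's "by" host must be the previous line's "from" host) is the usual generalisation of the reasoning above rather than something the reply spells out.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional, Sequence, Tuple

# Constructed sample message (assumption: not the real spam from the thread).
# The second Received: line copies the shape of the header quoted above, as
# written by the Yahoo webmail front end. The third is a constructed forgery
# so that a naive reader blames an unrelated host. Apart from 194.24.158.16,
# which the thread itself names, the addresses are RFC 5737 documentation
# ranges and the host names use the reserved .invalid TLD.
SAMPLE_MESSAGE = """\
Received: from web58409.mail.re3.yahoo.com (web58409.mail.re3.yahoo.com [198.51.100.25])
\tby mx.recipient.invalid with ESMTP id k9xQ2z; Tue, 14 Nov 2006 03:47:02 -0500
Received: from [194.24.158.16] by web58409.mail.re3.yahoo.com via HTTP;
\tTue, 14 Nov 2006 00:46:24 PST
Received: from mail.unrelated-company.invalid (mail.unrelated-company.invalid [192.0.2.44])
\tby mail.unrelated-company.invalid; Tue, 14 Nov 2006 00:40:00 -0800
Date: Tue, 14 Nov 2006 00:46:24 -0800 (PST)
From: William Stanley <sender@example.invalid>
To: list@example.invalid
Subject: constructed sample

(body omitted)
"""

# Hosts whose Received: lines we are prepared to believe: our own MX and the
# webmail provider that stamped the submitting client's address (assumption).
TRUSTED_DOMAINS = ("recipient.invalid", "yahoo.com")

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<from_info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.S,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Hop:
    from_host: str            # what the 'from' clause claims
    from_ip: Optional[str]    # IP address in the 'from' clause, if any
    by_host: str              # the host that says it wrote this line
    trusted: bool = False


def parse_received(value: str) -> Optional[Hop]:
    """Pull the from/by pair out of one (possibly folded) Received: value."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    from_field = m.group("from")
    ip = IP_RE.search(from_field + " " + (m.group("from_info") or ""))
    return Hop(
        from_host=from_field.strip("[];").lower(),
        from_ip=ip.group(1) if ip else None,
        by_host=m.group("by").rstrip(";)").lower(),
    )


def in_domain(host: str, domains: Sequence[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def trace_origin(raw: str, trusted: Sequence[str]) -> Tuple[Optional[str], List[Hop]]:
    """Walk Received: lines top-down (newest first). The originating address is
    the 'from' of the last hop that (a) was written by a host we trust and
    (b) continues the chain, i.e. its 'by' host is the previous hop's 'from'.
    The first hop failing either test, and everything below it, is only the
    sender's word and is left marked untrusted."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    origin: Optional[str] = None
    expected_by: Optional[str] = None
    for hop in hops:
        continuous = expected_by is None or hop.by_host == expected_by
        if not (continuous and in_domain(hop.by_host, trusted)):
            break
        hop.trusted = True
        origin = hop.from_ip or hop.from_host
        expected_by = hop.from_host
    return origin, hops


def naive_bottom_hop(raw: str) -> Optional[str]:
    """What you get by trusting the bottom-most Received: line: the forgery."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    return hops[-1].from_ip if hops else None


if __name__ == "__main__":
    origin, hops = trace_origin(SAMPLE_MESSAGE, TRUSTED_DOMAINS)
    for hop in hops:
        flag = "trusted   " if hop.trusted else "UNVERIFIED"
        print(f"{flag} from {hop.from_ip or hop.from_host} by {hop.by_host}")
    print("originating address:", origin)
    print("bottom-most line would blame:", naive_bottom_hop(SAMPLE_MESSAGE))
```

Run stand-alone it reports 194.24.158.16 as the origin and flags the bottom line as unverified, while the bottom-most line alone would blame 192.0.2.44. The trusted-domain list carries the weight: a sender who knows this check can forge a "by" host equal to his own address to keep the chain continuous, so continuity only confirms that the line is consistent, not that it is true. Whois, nslookup and traceroute against the address the trusted hop recorded, as suggested at the top of this message, are the next step and need network access that this offline example does not use.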
