On Fri, 2010-09-24 at 22:16 -0500, Chris wrote:
> On Sat, 2010-09-25 at 03:31 +0200, Karsten Bräckelmann wrote:
> > Begs the question why the phish that started this thread has been DKIM
> > signed by your ISP, too. Seriously.
> >
> > Hmm, from your original pastebin:
> >
> >   Authentication-Results: smtp03.embarq.synacor.com smtp.user=thewhedbees;
> >     auth=pass (LOGIN)
> >   Received: from [201.216.4.186] ([201.216.4.186:4248] helo=User) by
> >     mailrelay.embarq.synacor.com (envelope-from <al...@embarqmail.com>)
> >     (ecelerity 2.2.2.40 r(29895/29896)) with ESMTPA id DB/9E-17249-7F22B9C4;
> >     Thu, 23 Sep 2010 05:54:58 -0400
> >
> > So, this ALSO was an authenticated submission? And that's why your ISP
> > signed it. Which would explain why it got whitelisted, no?
> >
> > Yup, *that* is how you do targeted phishing! Don't send from an outside
> > machine, but crack an account or otherwise send from internal, trusted
> > sources. It will make your phish look much more legit.
>
> Question I have, and I'll have to ask in the embarq forum at DSLReports
> (though I'll probably not get an answer, or the one I want) is how/why
> did my ISP dkim sign a message with a sender IP of 201.216.4.186 which
> is in Bogota, Colombia.

Because it was authenticated.

If you're on holidays (or on a business trip), you want your ISP to accept
your outgoing mail, no? That's what the AUTH is for. No matter where you
are, no matter what region your IP is allocated.

The real question is, why they sign messages submitted over unencrypted
channels, using a plain text password.

The problem is that your ISP accepts plain text authentication over plain
text, un-encrypted channels. One of them must be encrypted, at the very
least if you're gonna sign it. Otherwise it's too easy to eavesdrop and get
the credentials.

Well, unless you trick your victim to otherwise tell you, or can guess a
weak password. Encryption doesn't help in that case. A rather common source
for 419 scammers and some general spam.

I've seen spam sent by cracked accounts, personally [1]. It does happen.
And it seems to be the source of your sample.

Anyway, your ISP should enforce either a secure connection, or a secure
method to provide the password.

[1] Accounts I know the owner of. The first reaction to a phone call in the
    middle of the night, to please change the f***ing password because their
    account is being abused can be summarized by "What!?".

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
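Two points in the message above are worth seeing in code: why AUTH LOGIN / AUTH PLAIN over a cleartext session hands the password to anyone on the wire, and how to read the authenticated-submission trail (smtp.user, auth=pass, the client IP, and the ESMTPA keyword) out of headers like the ones quoted. The following is an added example, not code from the thread or from anyone in it. The SMTP transcript and the headers are constructed: the account "victim" with password "hunter2", the hosts under example.net and the client address 203.0.113.45 are placeholders modelled on the quoted sample, not real data.

```python
import base64
import re

# --- Part 1: plaintext AUTH over an unencrypted session ----------------------

# Constructed sample (not a real capture): one SMTP submission as an
# eavesdropper on the wire would see it, for the fictional account
# "victim" / "hunter2". AUTH LOGIN only base64-encodes each answer.
CAPTURED_SESSION = """\
220 mailrelay.example.net ESMTP
EHLO User
250-mailrelay.example.net
250-AUTH LOGIN PLAIN
250 OK
AUTH LOGIN
334 VXNlcm5hbWU6
dmljdGlt
334 UGFzc3dvcmQ6
aHVudGVyMg==
235 2.7.0 Authentication successful
MAIL FROM:<victim@example.net>
250 OK
"""

# Same credentials sent with AUTH PLAIN: base64("\0victim\0hunter2"), constructed.
CAPTURED_PLAIN = "AUTH PLAIN AHZpY3RpbQBodW50ZXIy\n"


def recover_credentials(transcript):
    """Return (username, password) from an AUTH LOGIN or AUTH PLAIN exchange.

    Neither mechanism involves a secret beyond the password itself; without
    TLS, decoding the base64 is all an eavesdropper has to do.
    """
    lines = [ln.strip() for ln in transcript.splitlines()]
    for i, line in enumerate(lines):
        upper = line.upper()
        if upper.startswith("AUTH PLAIN "):
            # Single blob: authzid NUL authcid NUL password (RFC 4616)
            blob = base64.b64decode(line.split(None, 2)[2])
            _authzid, user, password = blob.split(b"\0", 2)
            return user.decode(), password.decode()
        if upper == "AUTH LOGIN":
            # The client's answers to the two "334" prompts follow, base64 each.
            answers = [l for l in lines[i + 1:i + 5] if l and not l[:3].isdigit()]
            if len(answers) >= 2:
                return (base64.b64decode(answers[0]).decode(),
                        base64.b64decode(answers[1]).decode())
    return None


# --- Part 2: reading the submission trail out of the headers ----------------

# Constructed headers modelled on the sample quoted in the thread, with the
# account name, relay names and client address replaced by example values.
SAMPLE_HEADERS = """\
Authentication-Results: smtp03.example.net smtp.user=victim;
 auth=pass (LOGIN)
Received: from [203.0.113.45] ([203.0.113.45:4248] helo=User) by
 mailrelay.example.net (envelope-from <victim@example.net>)
 (ecelerity 2.2.2.40 r(29895/29896)) with ESMTPA id DB/9E-17249-7F22B9C4;
 Thu, 23 Sep 2010 05:54:58 -0400
"""


def unfold(raw):
    """Join RFC 5322 folded continuation lines into one logical header each."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def submission_summary(raw_headers):
    """Extract who authenticated, from where, and whether the session had TLS."""
    info = {"user": None, "auth": None, "mechanism": None,
            "client_ip": None, "helo": None, "with": None}
    for header in unfold(raw_headers):
        name, _, value = header.partition(":")
        name = name.strip().lower()
        if name == "authentication-results":
            m = re.search(r"smtp\.user=([^;\s]+)", value)
            if m:
                info["user"] = m.group(1)
            m = re.search(r"auth=(\w+)\s*\((\w+)\)", value)
            if m:
                info["auth"], info["mechanism"] = m.group(1), m.group(2)
        elif name == "received" and info["client_ip"] is None:
            # Only the first (topmost) Received header is the trusted MSA hop here.
            m = re.search(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
            if m:
                info["client_ip"] = m.group(1)
            m = re.search(r"helo=([^\s)]+)", value)
            if m:
                info["helo"] = m.group(1)
            m = re.search(r"\bwith (ESMTPS?A?|SMTP)\b", value)
            if m:
                info["with"] = m.group(1)
    # RFC 3848 keywords: ESMTPA = authenticated, no TLS; ESMTPSA = TLS + auth.
    info["authenticated"] = info["auth"] == "pass" or info["with"] in ("ESMTPA", "ESMTPSA")
    info["tls"] = info["with"] in ("ESMTPS", "ESMTPSA")
    return info


if __name__ == "__main__":
    print("recovered from AUTH LOGIN:", recover_credentials(CAPTURED_SESSION))
    print("recovered from AUTH PLAIN:", recover_credentials(CAPTURED_PLAIN))
    for key, val in submission_summary(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

The "with ESMTPA" keyword (no S) is the check a practitioner can run on their own outbound mail: it says the relay accepted the password without TLS on that hop, which is exactly the situation the message complains about. A relay that requires STARTTLS before AUTH would stamp ESMTPSA instead.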