Did someone get into comcast e-mail?

BKLounger

I am trying to figure out how this is possible, but I just can't grasp it. Yesterday at 3:34pm I got an e-mail from MYSELF. Please keep in mind I was nowhere near my e-mail; I was at work. I get an e-mail from myself with a subject of 1545453 and a body of 5556. I have checked over my machine. I ran AVG and McAfee and they both return nothing. I checked Spybot and Ad-Aware and there is absolutely no spyware. Also, my ZoneAlarm returned no incoming IPs. Also, my computer is wireless, but I have it set up with WPA encryption. Also, my e-mail has an extremely secure password that must be entered every time. Also, no one had physical access to the machine. I am wondering if something happened on my side of the network or if anything happened maybe higher up. Any suggestions on how this could happen would be appreciated. Below I have included the headers from the e-mail. BTW, the IP address in there belongs to a company called Mpower Communications in New York, a company I have never heard of. I replaced my e-mail address with those x's in case you were wondering.

Subject: 1545453
From: "John" <XXXXXXXXXXX@comcast.net>
Date: Mon, 05 Jun 2006 11:34:56 -0800
To: "John" <xxxxxxxxxxxxxx@comcast.net>
X-Account-Key: account2
X-UIDL: 20060605185745r2000ieuvee00amtk
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
Received: from madeline.net (ont-cust-208.57.99.201.mpowercom.net[208.57.99.201](untrusted sender)) by rwcrmxc20.comcast.net (rwcrmxc20) with SMTP id <20060605185745r20008ongfe>; Mon, 5 Jun 2006 18:57:45 +0000
X-Originating-IP: [208.57.99.201]
Message-ID: <oogxamjtvdhkfigukhc@comcast.net>
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

5556
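
An added example, not part of the original post: one way to read the headers above as a defender, comparing the domain claimed in From with the host that actually handed the message to the receiving server. The signal codes and the plain suffix matching on host names are assumptions made for this sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the post above (address redaction is the poster's).
SAMPLE = '''\
Received: from madeline.net (ont-cust-208.57.99.201.mpowercom.net[208.57.99.201](untrusted sender)) by rwcrmxc20.comcast.net (rwcrmxc20) with SMTP id <20060605185745r20008ongfe>; Mon, 5 Jun 2006 18:57:45 +0000
From: "John" <XXXXXXXXXXX@comcast.net>
To: "John" <xxxxxxxxxxxxxx@comcast.net>
Subject: 1545453

5556
'''

# "from <HELO name> (<reverse DNS>[<IP>] ...) by <receiving host>"
RECEIVED_RE = re.compile(
    r'from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9.]+)\]'
    r'.*?\bby\s+(?P<by>\S+)', re.S)

def parse_received(value):
    """Split one Received header into helo / rdns / ip / by, or None."""
    m = RECEIVED_RE.search(value)
    return {k: v.lower() for k, v in m.groupdict().items()} if m else None

def in_domain(host, domain):
    return host == domain or host.endswith('.' + domain)

def assess(raw):
    """Return (code, detail) signals for a raw message. Signals, not verdicts:
    legitimate mail can also reach a domain's MX from outside that domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get('From', ''))[1].rpartition('@')[2].lower()
    hops = msg.get_all('Received') or []
    # Only the topmost Received line was written by the recipient's own server;
    # everything below it, like From itself, is supplied by the sender.
    hop = parse_received(hops[0]) if hops else None
    if not from_domain or hop is None:
        return [('unassessable', 'missing From domain or Received header')]
    findings = []
    if in_domain(hop['by'], from_domain) and not in_domain(hop['rdns'], from_domain):
        findings.append(('external-relay-for-own-domain',
                         f"{hop['ip']} ({hop['rdns'] or 'no rDNS'}) delivered "
                         f"mail claiming @{from_domain} to {hop['by']}"))
    if hop['helo'] != hop['rdns']:
        findings.append(('helo-rdns-mismatch',
                         f"announced {hop['helo']}, resolves as {hop['rdns'] or 'nothing'}"))
    return findings

if __name__ == '__main__':
    for code, detail in assess(SAMPLE):
        print(f'{code}: {detail}')
```

On the sample it reports both signals: the message claims a comcast.net sender but was delivered to Comcast's server by a host whose reverse DNS is under mpowercom.net, and that host announced itself as madeline.net.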
 

DaiShan

You can easily spoof the from field. You do not have to own the account, nor do you even need to have an account on the originating domain. For instance, in my PHP scripts I send emails from a server 1000 miles away from the server that hosts the domain, and they all come from sales@<clientdomain>.com
 

Atheus

You may not believe this, but I got the exact same message in my gmail yesterday...


Subject: 1545453
Received: from nat.org (nat.pans.mlc.edu.tw [163.19.164.253]) by mx.gmail.com with SMTP id z52si881112pyg.2006.06.05.11.41.27; Mon, 05 Jun 2006 11:41:29 -0700 (PDT)
 

BKLounger

<daishan>
Thanks for the help

<atheus>
OK, so I'm not the only one. I thought that this might be an individual case, but I guess it is just a larger case of spam.
 

Atheus

Originally posted by: BKLounger
<atheus>
OK, so I'm not the only one. I thought that this might be an individual case, but I guess it is just a larger case of spam.

That's the thing - it's not spam, it's not trying to sell me anything. And they can't be harvesting email addresses as there's no way to reply to a forged 'from' field...
 

BKLounger

I have been unable to find out if that number has any kind of relevance to anything but have not come back with anything. Also, you are right, this e-mail does nothing but send a bunch of numbers. What could it possibly be trying to do?
 

Genx87

Ahh, this is very interesting. I got the same email but from my cable account to my gmail account. I forward everything now and was wondering wtf, how did an email originating from myself get sent to my gmail account?

 

BKLounger

For genx87 and joony:

Were they the exact same numbers, 1545453 and then 5556?

I got this from my comcast account to my comcast account.
 

Joemonkey

Oops, I didn't see this in networking and posted this in off topic. Seems to be happening to lots of folks.
 

Atheus

Originally posted by: spidey07
Originally posted by: Atheus
Spidey: how?

if it is a valid address then the SMTP server won't send the message back or send an undeliverable.

Oh yeah, good thinking :)

Just shows you should always configure your servers to block such obvious forgeries - you'd think google would have better filtering.
 

spidey07

I don't know much about e-mail. But you'll recall that SMTP is a very unsecure protocol.

It's real simple to forge a from. You can even do it by telnetting into port 25 and typing in raw SMTP commands.

I had a lot of fun with this in college. Sent one of my housemates an e-mail from the dean saying he was being investigated for paying for cheatsheets (which he did actually do). Loads of fun seeing him sweat for a few days before coming clean with our little "prank".

Not to give anybody else any ideas or anything.
:evil:
 

Genx87

Originally posted by: BKLounger
For genx87 and joony:

Were they the exact same numbers, 1545453 and then 5556?

I got this from my comcast account to my comcast account.

Yes, except my account was a mediacom account @mchsi.com

It sent an email to itself, which then forwarded it to my gmail account automatically.
 

boomerang

I got one too but reported it as spam through Comcast's webmail without opening it.

A co-worker got one at work. Very large corporation.
 

Nothinman

Just shows you should always configure your servers to block such obvious forgeries - you'd think google would have better filtering.

And what if you want to have a cron job that sends you email from yourself whenever it fails? It's up to the first mail server to determine if the to/from headers are allowable; if you filter after that, you run a very high risk of dropping valid mail without the source having any idea that it happened.