Full Disclosure mailing list archives

RE: MS Security Bulletin doing email harvesting?


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 4 Aug 2003 16:16:17 -0500

-----Original Message-----
From: Kyp Durron [mailto:kdurron () hotmail com] 
Sent: Monday, August 04, 2003 1:17 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] MS Security Bulletin doing email harvesting?


I get this email today that says it's from windowssecurity () email microsoft com.
It looks legit so I go to forward it to someone I know and Outlook 2003 pops an
error message that I attached.  I look at the HTML and it's trying to pull the
following URL.

Do you all think it's a spammer trying to harvest emails by impersonating a
MS security bulletin?  If it is, how funny is THAT?!?!?

It's so funny that I'm laughing my a$$ off.  You can't seriously mean
that you actually thought this was legitimate?  If so, you probably
think the Good Times Virus is real and so is the Easter Bunny.

Here's a hint.

08/04/03 16:01:47 dns email.microsoft.com
Canonical name: email.microsoft.com
Addresses:
  209.11.136.150

08/04/03 16:02:18 whois !NET-209-11-136-0-1 () whois arin net

whois -h whois.arin.net !net-209-11-136-0-1 ...

OrgName:    Digital Impact 
OrgID:      DIGITA-374
Address:    177 Bovet Road Suite 200
City:       San Mateo
StateProv:  CA
PostalCode: 94402
Country:    US

NetRange:   209.11.136.0 - 209.11.136.255 
CIDR:       209.11.136.0/24 
NetName:    DIGTIMPAC-209-11-136
NetHandle:  NET-209-11-136-0-1
Parent:     NET-209-11-0-0-2
NetType:    Reassigned
Comment:    
RegDate:    2002-07-12
Updated:    2002-12-05

Dig microsoft.com@129.110.31.7 ...
Non-authoritative answer
Recursive queries supported by this server
 Query for microsoft.com type=255 class=1
  microsoft.com MX (Mail Exchanger) Priority: 10 mailb.microsoft.com
  microsoft.com MX (Mail Exchanger) Priority: 10 mailc.microsoft.com
  microsoft.com MX (Mail Exchanger) Priority: 10 maila.microsoft.com 

[pauls@utd49554 pauls]$ telnet mailb.microsoft.com 25
Trying 131.107.3.122...
Connected to mailb.microsoft.com.
Escape character is '^]'.
220 inet-imc-04.redmond.corp.microsoft.com Microsoft.com ESMTP Server Mon, 4 Aug 2003 14:10:31 -0700
HELO utd49554.utdallas.edu
250 inet-imc-04.redmond.corp.microsoft.com Hello [129.110.3.85
MAIL TO: windowssecurity () microsoft com
501 5.5.4 Invalid Address
QUIT
221 2.0.0 inet-imc-04.redmond.corp.microsoft.com Service closing transmission channel
Connection closed by foreign host.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
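Added example, not part of Paul's message or the list archive: the check he walks through by hand (resolve the sending host, look up who owns the address block, compare that with the organisation the From: address claims) written as a small Python script that works offline. The whois block is the ARIN record quoted in the thread; the Received: header is constructed for illustration, and the host names mta5.email.microsoft.com and mail.example.edu in it are made up. The organisation-name comparison is a labelling heuristic for a human to review, not a verdict.

```python
import ipaddress
import re

# The ARIN record quoted in the thread (trimmed to the fields used here).
WHOIS_RECORD = """\
OrgName:    Digital Impact
OrgID:      DIGITA-374
NetRange:   209.11.136.0 - 209.11.136.255
CIDR:       209.11.136.0/24
NetName:    DIGTIMPAC-209-11-136
NetHandle:  NET-209-11-136-0-1
NetType:    Reassigned
"""

# Constructed for this example: a plausible Received: line for the message
# being discussed. The relay host name and the receiving server are made up;
# the bracketed IP is the one the thread resolved email.microsoft.com to.
RECEIVED_HEADER = (
    "Received: from mta5.email.microsoft.com "
    "(mta5.email.microsoft.com [209.11.136.150])\n"
    "\tby mail.example.edu (Postfix) with ESMTP id 0123ABCD\n"
    "\tfor <someone@example.edu>; Mon, 4 Aug 2003 15:58:02 -0500"
)


def parse_whois(text):
    """Turn an ARIN-style 'Key: value' block into a dict (last value wins)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def whois_networks(fields):
    """Networks covered by the record: CIDR if present, else derived from NetRange."""
    if fields.get("CIDR"):
        # ARIN may list several CIDR blocks separated by commas.
        return [ipaddress.ip_network(c.strip()) for c in fields["CIDR"].split(",")]
    lo, hi = (s.strip() for s in fields["NetRange"].split("-"))
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo), ipaddress.ip_address(hi)))


def relay_ip(received_header):
    """IP of the connecting relay as logged by the receiving server, i.e. the
    bracketed address after 'from ...'. That part is written by our own MTA
    and cannot be chosen by the sender, unlike the From: header."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received_header)
    if not m:
        raise ValueError("no relay IP found in Received: header")
    return ipaddress.ip_address(m.group(1))


def sender_org_matches(from_address, org_name):
    """Heuristic: does the block owner's OrgName mention the sender's
    second-level domain label ('microsoft' for @email.microsoft.com)?
    Enough to flag a mismatch for review; it ignores ccTLDs like co.uk."""
    domain = from_address.rsplit("@", 1)[-1].lower()
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else domain
    return label in org_name.lower()


def classify_relay(received_header, whois_text, from_address):
    """Summarise where the message really came from versus what it claims."""
    fields = parse_whois(whois_text)
    ip = relay_ip(received_header)
    org = fields.get("OrgName", "")
    return {
        "relay_ip": str(ip),
        "whois_org": org,
        "in_whois_range": any(ip in n for n in whois_networks(fields)),
        "org_matches_sender": sender_org_matches(from_address, org),
    }


if __name__ == "__main__":
    result = classify_relay(RECEIVED_HEADER, WHOIS_RECORD,
                            "windowssecurity@email.microsoft.com")
    for key, value in result.items():
        print(f"{key:20} {value}")
```

Run against the thread's data this reports the relay inside Digital Impact's /24 and no match between "Digital Impact" and "microsoft", which is exactly the mismatch a reviewer would want a human to look at (a mismatch can mean spoofing, but it can also mean an outsourced mailer, so it is a flag, not proof). A caveat on the telnet probe in the session above: SMTP's envelope verbs are MAIL FROM and RCPT TO, and a 501 5.5.4 reply means the server rejected the command's argument; only the reply to RCPT TO speaks to whether a mailbox exists, and many servers answer 250 to every recipient, so that reply proves little either way.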

