[Coco] List member account compromised:
John E. Malmberg
wb8tyw at qsl.net
Mon Oct 22 11:52:05 EDT 2012
On 10/22/2012 10:17 AM, John Musbach wrote:
> It should be noted that the fact that a email appeared to have been
> sent by Paul does not necessarily mean his account was compromised. It
> is very easy for malware to simply relay email with a legitimate email
> address specified in the header's "From" field and that's all mailman
> verifies before accepting email to the list.
I am quite familiar with how e-mail can be spoofed.
However, I also received the same spam directly to one of my e-mail
addresses from the same sender, so I was able to analyze it in detail.
1. It was relayed through the AOL server, so it must have been sent by
an authenticated AOL user, or AOL got hacked. AOL getting hacked that
badly would have set off an e-mail storm on other forums that I monitor,
and they are quiet.
2. The sender has one of my personal e-mail addresses, and this mailing
list address. The number of non-list subscribers that are AOL
subscribers that meet these criteria is probably far less than 5.
AOL should have detected this account compromise as the spammer
connected to AOL from an IP address with no rDNS. In the majority of
cases, a password authenticated connection from an IP address with no
rDNS indicates that a criminal has taken over the account.
AOL customers can ask AOL why they are not doing this trivial security
check, especially since AOL has been rejecting external SMTP e-mail from
sites with no rDNS for at least the last 10 years because the only
traffic seen from those sites were spam or viruses.
This is a test that all network servers should be doing for password
authenticated connections.
Remote e-mail should be using certificates and VPNs instead of password
authentication.
Regards,
-John
wb8tyw(at)qsl.network
Personal Opinion Only
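As an added illustration of the check John describes (not code from the list or from his message), the script below scans a mail submission server's authentication log and flags successful password logins from client IPs that have no reverse DNS (PTR) record. The log format, the sample log lines and the PTR table are constructed for this example so it runs offline; `live_resolver` is provided for use against real DNS. RFC 1918 and loopback ranges are skipped because internal clients legitimately lack PTR records.

```python
"""Flag password-authenticated logins from client IPs with no reverse DNS.

Example added to illustrate the rDNS check discussed on the list; it is not
code from the Coco list or any mail provider. The log format, sample lines
and PTR table below are constructed assumptions.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample auth log. Assumed line format:
# "<timestamp> <service> <event> user=<user> ip=<client ip> method=<auth method>"
SAMPLE_LOG = """\
2012-10-22T08:14:03Z submission auth-ok user=alice ip=203.0.113.10 method=password
2012-10-22T08:15:41Z submission auth-ok user=bob ip=198.51.100.7 method=password
2012-10-22T08:16:02Z submission auth-ok user=carol ip=192.0.2.44 method=certificate
2012-10-22T08:17:55Z submission auth-ok user=bob ip=203.0.113.77 method=password
2012-10-22T08:18:10Z submission auth-fail user=dave ip=198.51.100.9 method=password
2012-10-22T08:19:30Z submission auth-ok user=erin ip=10.0.0.5 method=password
"""

# Constructed PTR table standing in for DNS so the example runs offline.
# 198.51.100.7 and 203.0.113.77 deliberately have no entry.
FAKE_PTR: Dict[str, str] = {
    "203.0.113.10": "mail-client.example.net",
    "192.0.2.44": "laptop.example.org",
}

# Internal ranges where a missing PTR is normal and not a compromise signal.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) (?P<event>\S+) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) method=(?P<method>\S+)$"
)


def fake_resolver(ip: str) -> Optional[str]:
    """Offline PTR lookup against the constructed table."""
    return FAKE_PTR.get(ip)


def live_resolver(ip: str) -> Optional[str]:
    """Real PTR lookup; returns None when no reverse record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_logins(
    log_text: str,
    resolve_ptr: Callable[[str], Optional[str]] = fake_resolver,
) -> List[Dict[str, str]]:
    """Return successful password logins whose external client IP has no PTR.

    Certificate-based logins, failed logins, internal addresses and unparseable
    lines are ignored. A hit is a signal to investigate, not proof of compromise.
    """
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] != "auth-ok" or rec["method"] != "password":
            continue
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue
        if is_internal(addr):
            continue
        if resolve_ptr(rec["ip"]) is None:
            hits.append({"ts": rec["ts"], "user": rec["user"], "ip": rec["ip"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG):
        print(f"{hit['ts']} user={hit['user']} ip={hit['ip']} (no rDNS)")
```

Run as-is it reports the two password logins for `bob` from addresses without a PTR record; pass `resolve_ptr=live_resolver` to query real DNS. In practice a provider would raise an alert or require step-up verification on such a login rather than reject it outright, since some legitimate residential and mobile ranges also lack reverse DNS.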