Britam Defense

a guest, Jan 26th, 2013
The email server that Britam uses is "titanium.netdns.net", which is run on an IP block belonging to "Webvisions", who are a relatively small ISP with 2 class C subnets.

They don't offer MS Exchange, so it is most likely a Linux box. Oddly, the mighty nmap seems to think it is an Apple AirPort Extreme (lol), so I think it is a Linux box with beefed-up network stack security (i.e. it doesn't give away the OS).

Device type: WAP|storage-misc|general purpose|printer
Running (JUST GUESSING): Apple embedded (93%), NetBSD 4.X (89%), Ricoh embedded (85%)
OS CPE: cpe:/o:netbsd:netbsd:4.0
Aggressive OS guesses: Apple AirPort Extreme WAP v7.3.2 (93%), Apple AirPort Extreme WAP or Time Capsule NAS device (90%), Apple Airport Extreme WAP (89%), NetBSD 4.0 (89%), Apple AirPort Extreme WAP (86%), Ricoh Aficio MP C6000 or GX3050N printer (85%)

So as an educated guess, the username/passwords in the archives look like they are Active Directory credentials (Windows network logins), but the mailserver is a standard Unix mailserver and the ISP doesn't have fancy services like MS Exchange integration.
Having said all this, there is still a chance that the front-end mailserver ("titanium.netdns.net") just forwards on email to an Exchange server in Britam's internal network.
Anyway, bottom line - those emails sound fishy to me.
EDIT: Holy fuck, it does seem from a cursory look that the email is indeed genuine, see below.

OK, last post - the plot thickens!!!
After looking at the email headers (see below), I have to admit that the email does indeed look genuine.

• The email was sent from "81.156.163.12", which is a BT Wholesale ADSL IP address.
• From there it was then relayed via "smtp.clients.netdns.net [202.157.148.149]".
• Finally it was delivered to a local mailbox on that server.

I hate to admit it, but all these facts check out. So with Mythbusters objectivity I have to call this one plausible.

I just really hope I don't get a visit from the plods for this ill-advised sleuthing. (Shameless plug - freelance sysadmin/coder for hire) ;)
The following are the email headers for those that are interested (read this from bottom to top):
Received: (qmail 14074 invoked from network); 24 Dec 2012 23:57:29 +0800
Received: from titanium.netdns.net (123.100.248.206) by neon.netdns.net with SMTP; 24 Dec 2012 23:57:29 +0800
Received: from localhost (unknown [127.0.0.1]) by titanium.netdns.net (Postfix) with ESMTP id 82BB4523A84 for <pdoughty@britamdefence.com>; Mon,  24 Dec 2012 15:57:18 +0000 (UTC)
X-Virus-Scanned: amavisd-new at S1AvWhNnLx31v.netdns.net
Received: from titanium.netdns.net ([127.0.0.1]) by localhost (titanium.netdns.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nWRHL2NRVdAP for <pdoughty@britamdefence.com>; Mon,  24 Dec 2012 23:57:18 +0800 (SGT)
Received: from smtp.clients.netdns.net (smtp.clients.netdns.net [202.157.148.149]) by titanium.netdns.net (Postfix) with ESMTP id 27D5F523A0E for <pdoughty@britamdefence.com>; Mon,  24 Dec 2012 23:57:18 +0800 (SGT)
Received: (qmail 18137 invoked from network); 24 Dec 2012 15:57:27 -0000
Received: from unknown (HELO Britam00323) (smtpbritam@britamdefence.com@81.156.163.12) by 0 with ESMTPA; 24 Dec 2012 15:57:27 -0000
From: "David Goulding" <dgoulding@britamdefence.com>
To: "'Phillip Doughty'" <pdoughty@britamdefence.com>
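The bottom-to-top walk through the Received chain that the post does by hand can be scripted. The following is an added example, not code from the post: it feeds the headers quoted above (the only input it uses) to Python's standard email parser, lists each relay hop oldest-first with the peer address the receiving MTA recorded, and reports the first hop whose recorded address is publicly routable, which is the post's "sent from 81.156.163.12" finding.

```python
import ipaddress
import re
from email import message_from_string

# Sample input: the Received chain quoted in the post above, pasted verbatim
# (From/To omitted since they carry no routing information).
RAW_HEADERS = """\
Received: (qmail 14074 invoked from network); 24 Dec 2012 23:57:29 +0800
Received: from titanium.netdns.net (123.100.248.206) by neon.netdns.net with SMTP; 24 Dec 2012 23:57:29 +0800
Received: from localhost (unknown [127.0.0.1]) by titanium.netdns.net (Postfix) with ESMTP id 82BB4523A84 for <pdoughty@britamdefence.com>; Mon,  24 Dec 2012 15:57:18 +0000 (UTC)
X-Virus-Scanned: amavisd-new at S1AvWhNnLx31v.netdns.net
Received: from titanium.netdns.net ([127.0.0.1]) by localhost (titanium.netdns.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nWRHL2NRVdAP for <pdoughty@britamdefence.com>; Mon,  24 Dec 2012 23:57:18 +0800 (SGT)
Received: from smtp.clients.netdns.net (smtp.clients.netdns.net [202.157.148.149]) by titanium.netdns.net (Postfix) with ESMTP id 27D5F523A0E for <pdoughty@britamdefence.com>; Mon,  24 Dec 2012 23:57:18 +0800 (SGT)
Received: (qmail 18137 invoked from network); 24 Dec 2012 15:57:27 -0000
Received: from unknown (HELO Britam00323) (smtpbritam@britamdefence.com@81.156.163.12) by 0 with ESMTPA; 24 Dec 2012 15:57:27 -0000

"""

# "from <helo> (<comment>)... by <host>": the parenthesised comments hold the peer
# address written down by the receiving MTA, not announced by the sender.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?P<paren>(?:\([^)]*\)\s*)*)by\s+(?P<by>\S+)")
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_hops(raw):
    """Return the relay hops oldest-first, i.e. the Received headers read bottom to top."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # qmail's "(qmail NNN invoked from network)" lines carry no from/by pair
        ip = IP_RE.search(m.group("paren")) or IP_RE.search(m.group("helo"))
        hops.append({"helo": m.group("helo"), "ip": ip.group(1) if ip else None, "by": m.group("by")})
    return hops


def first_external_hop(hops):
    """First hop whose recorded peer address is publicly routable: the probable true origin."""
    for hop in hops:
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop
    return None


if __name__ == "__main__":
    hops = received_hops(RAW_HEADERS)
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    origin = first_external_hop(hops)
    print("probable origin:", origin["ip"] if origin else "none")
```

Note that only the newest hops are trustworthy in general: a sender can prepend forged Received lines, so the loopback and netdns.net hops here are the ones the receiving side itself wrote.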