Britam Defense

By: a guest on Jan 26th, 2013  |  syntax: None  |  size: 3.28 KB  |  views: 1,514  |  expires: Never
The email server that Britam use is "titanium.netdns.net", which is run on an IP block belonging to "Webvisions", who are a relatively small ISP with 2 class C subnets.

They don't offer MS Exchange, so it is most likely a Linux box. Oddly, the mighty nmap seems to think it is an Apple AirPort Extreme (lol), so I think it is a Linux box with beefed-up network stack security (i.e. it doesn't give away the OS).

Device type: WAP|storage-misc|general purpose|printer
Running (JUST GUESSING): Apple embedded (93%), NetBSD 4.X (89%), Ricoh embedded (85%)
OS CPE: cpe:/o:netbsd:netbsd:4.0
Aggressive OS guesses: Apple AirPort Extreme WAP v7.3.2 (93%), Apple AirPort Extreme WAP or Time Capsule NAS device (90%), Apple Airport Extreme WAP (89%), NetBSD 4.0 (89%), Apple AirPort Extreme WAP (86%), Ricoh Aficio MP C6000 or GX3050N printer (85%)

So as an educated guess, the usernames/passwords in the archives look like they are Active Directory credentials (Windows network logins), but the mailserver is a standard Unix mailserver and the ISP doesn't have fancy services like MS Exchange integration.

Having said all this, there is still a chance that the front-end mailserver ("titanium.netdns.net") just forwards on email to an Exchange server in Britam's internal network.

Anyway, bottom line - those emails sound fishy to me.

EDIT: Holy fuck, it does seem from a cursory look that the email is indeed genuine, see below.

OK, last post - the plot thickens!!!

After looking at the email headers (see below), I have to admit that the email does indeed look genuine.

• The email was sent from "81.156.163.12", which is a BT Wholesale ADSL IP address.
• From there it was then relayed via "smtp.clients.netdns.net [202.157.148.149]".
• Finally it was delivered to a local mailbox on that server.

I hate to admit it, but all these facts check out. So with MythBusters objectivity I have to call this one plausible.

I just really hope I don't get a visit from the plods for this ill-advised sleuthing. (Shameless plug - freelance sysadmin/coder for hire) ;)
The following are the email headers for those that are interested (read this from bottom to top):

Received: (qmail 14074 invoked from network); 24 Dec 2012 23:57:29 +0800
Received: from titanium.netdns.net (123.100.248.206) by neon.netdns.net with SMTP; 24 Dec 2012 23:57:29 +0800
Received: from localhost (unknown [127.0.0.1]) by titanium.netdns.net (Postfix) with ESMTP id 82BB4523A84 for <pdoughty@britamdefence.com>; Mon,  24 Dec 2012 15:57:18 +0000 (UTC)
X-Virus-Scanned: amavisd-new at S1AvWhNnLx31v.netdns.net
Received: from titanium.netdns.net ([127.0.0.1]) by localhost (titanium.netdns.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nWRHL2NRVdAP for <pdoughty@britamdefence.com>; Mon,  24 Dec 2012 23:57:18 +0800 (SGT)
Received: from smtp.clients.netdns.net (smtp.clients.netdns.net [202.157.148.149]) by titanium.netdns.net (Postfix) with ESMTP id 27D5F523A0E for <pdoughty@britamdefence.com>; Mon,  24 Dec 2012 23:57:18 +0800 (SGT)
Received: (qmail 18137 invoked from network); 24 Dec 2012 15:57:27 -0000
Received: from unknown (HELO Britam00323) (smtpbritam@britamdefence.com@81.156.163.12) by 0 with ESMTPA; 24 Dec 2012 15:57:27 -0000
From: "David Goulding" <dgoulding@britamdefence.com>
To: "'Phillip Doughty'" <pdoughty@britamdefence.com>
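The bottom-to-top reading of the Received: chain that the post walks through by hand can be automated. The following is an added example, not part of the paste above: it parses the post's own Received: headers (embedded as sample input), puts the hops in transit order, drops the loopback re-injections by the content scanner, and flags the hop that used authenticated submission (ESMTPA), which is the detail that makes the mail look genuine rather than spoofed.

```python
import ipaddress
import re

# Received: headers copied from the post above (one header per line, already
# unfolded). Each MTA prepends its own Received: line, so the top line is the
# last hop and the bottom line is the original submission.
RECEIVED_HEADERS = """\
Received: (qmail 14074 invoked from network); 24 Dec 2012 23:57:29 +0800
Received: from titanium.netdns.net (123.100.248.206) by neon.netdns.net with SMTP; 24 Dec 2012 23:57:29 +0800
Received: from localhost (unknown [127.0.0.1]) by titanium.netdns.net (Postfix) with ESMTP id 82BB4523A84 for <pdoughty@britamdefence.com>; Mon,  24 Dec 2012 15:57:18 +0000 (UTC)
Received: from titanium.netdns.net ([127.0.0.1]) by localhost (titanium.netdns.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nWRHL2NRVdAP for <pdoughty@britamdefence.com>; Mon,  24 Dec 2012 23:57:18 +0800 (SGT)
Received: from smtp.clients.netdns.net (smtp.clients.netdns.net [202.157.148.149]) by titanium.netdns.net (Postfix) with ESMTP id 27D5F523A0E for <pdoughty@britamdefence.com>; Mon,  24 Dec 2012 23:57:18 +0800 (SGT)
Received: (qmail 18137 invoked from network); 24 Dec 2012 15:57:27 -0000
Received: from unknown (HELO Britam00323) (smtpbritam@britamdefence.com@81.156.163.12) by 0 with ESMTPA; 24 Dec 2012 15:57:27 -0000
"""

# "from <name> (<comments>) by <name>"; the comments carry HELO name and IP.
HOP_RE = re.compile(r"^Received:\s+from\s+(?P<from>\S+)\s*"
                    r"(?P<comment>(?:\([^)]*\)\s*)*)by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"\(HELO\s+(\S+)\)")

def parse_hops(headers: str) -> list[dict]:
    """Relay chain in transit order (originating hop first). Lines without a
    'from ... by ...' clause (qmail's 'invoked from network') are hand-offs
    inside a single MTA and are skipped."""
    hops = []
    for line in reversed(headers.splitlines()):
        m = HOP_RE.match(line)
        if not m:
            continue
        comment = m.group("comment")
        ips = IP_RE.findall(comment)
        helo = HELO_RE.search(comment)
        hops.append({
            "helo": helo.group(1) if helo else m.group("from"),
            "ip": ips[0] if ips else None,
            "by": m.group("by"),
            # ESMTPA means the client passed SMTP AUTH: real credentials were
            # used for this submission, which a forged header chain rarely shows.
            "authenticated": " with ESMTPA" in line,
        })
    return hops

def external_path(hops: list[dict]) -> list[dict]:
    """Drop loopback hops (amavisd re-injecting the scanned mail) so only
    hops that actually crossed a network remain."""
    return [h for h in hops
            if h["ip"] is None or not ipaddress.ip_address(h["ip"]).is_loopback]
```

On the post's headers, `external_path(parse_hops(RECEIVED_HEADERS))` yields exactly the three hops the author lists: the authenticated submission from 81.156.163.12, the relay via 202.157.148.149 into titanium.netdns.net, and the final hand-off to neon.netdns.net.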