- The email server that Britam use is "titanium.netdns.net", which is run on an IP block belonging to "Webvisions" who are a relatively small ISP with 2 class C subnets.
- They don't offer MS Exchange, so it is most likely a Linux box. Oddly, the mighty nmap seems to think it is an Apple AirPort Extreme (lol), so I think it is a Linux box with beefed-up network stack security (i.e. it doesn't give away the OS).
- Device type: WAP|storage-misc|general purpose|printer
- Running (JUST GUESSING): Apple embedded (93%), NetBSD 4.X (89%), Ricoh embedded (85%)
- OS CPE: cpe:/o:netbsd:netbsd:4.0
- Aggressive OS guesses: Apple AirPort Extreme WAP v7.3.2 (93%), Apple AirPort Extreme WAP or Time Capsule NAS device (90%), Apple Airport Extreme WAP (89%), NetBSD 4.0 (89%), Apple AirPort Extreme WAP (86%), Ricoh Aficio MP C6000 or GX3050N printer (85%)
- So as an educated guess, the usernames/passwords in the archives look like they are Active Directory credentials (Windows network logins), but the mail server is a standard Unix mail server and the ISP doesn't offer fancy services like MS Exchange integration.
- Having said all this, there is still a chance that the front end mailserver ("titanium.netdns.net") just forwards on email to an exchange server in Britam's internal network.
- Anyway, bottom line - those emails sound fishy to me.
- EDIT: Holy fuck, it does seem from a cursory look that the email is indeed genuine, see below.
- OK, last post - the plot thickens!!!
- After looking at the email headers (see below), I have to admit that the email does indeed look genuine.
- The email was sent from "188.8.131.52", which is a BT Wholesale ADSL IP address.
- From there it was relayed via "smtp.clients.netdns.net [184.108.40.206]".
- Finally it was delivered to a local mailbox on that server.
- I hate to admit it, but all these facts check out. So with Mythbusters objectivity I have to call this one plausible.
- I just really hope I don't get a visit from the plods for this ill-advised sleuthing. (Shameless plug - freelance sysadmin/coder for hire) ;)
- The following are the email headers for those that are interested (read this from bottom to top):
    Received: (qmail 14074 invoked from network); 24 Dec 2012 23:57:29 +0800
    Received: from titanium.netdns.net (220.127.116.11) by neon.netdns.net with SMTP; 24 Dec 2012 23:57:29 +0800
    Received: from localhost (unknown [127.0.0.1]) by titanium.netdns.net (Postfix) with ESMTP id 82BB4523A84 for <email@example.com>; Mon, 24 Dec 2012 15:57:18 +0000 (UTC)
    X-Virus-Scanned: amavisd-new at S1AvWhNnLx31v.netdns.net
    Received: from titanium.netdns.net ([127.0.0.1]) by localhost (titanium.netdns.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nWRHL2NRVdAP for <firstname.lastname@example.org>; Mon, 24 Dec 2012 23:57:18 +0800 (SGT)
    Received: from smtp.clients.netdns.net (smtp.clients.netdns.net [18.104.22.168]) by titanium.netdns.net (Postfix) with ESMTP id 27D5F523A0E for <email@example.com>; Mon, 24 Dec 2012 23:57:18 +0800 (SGT)
    Received: (qmail 18137 invoked from network); 24 Dec 2012 15:57:27 -0000
    Received: from unknown (HELO Britam00323) (firstname.lastname@example.org@22.214.171.124) by 0 with ESMTPA; 24 Dec 2012 15:57:27 -0000
    From: "David Goulding" <email@example.com>
    To: "'Phillip Doughty'" <firstname.lastname@example.org>
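The bottom-to-top walk described above, as an added example (this is not code from the original paste): a Python script that parses the Received: chain from the headers, lists the hops in transit order (origin first), picks out the origin hop with its connecting IP and HELO name, notes whether the submission was authenticated (the RFC 3848 "with ESMTPA" keyword), and checks that each relay's "from" host matches the previous hop's "by" host. The regexes are assumptions about the common Postfix/qmail header shapes seen here; the sample message embeds the headers from the paste with a constructed Subject line and body.

```python
"""Walk an e-mail's Received: chain from origin to final delivery.

Added example, not from the original post. The header regexes below are the
editor's assumptions about typical Postfix / qmail Received: line shapes.
"""
import email
import re

# Headers copied from the post above; the Subject and body are constructed.
RAW_MESSAGE = """Received: (qmail 14074 invoked from network); 24 Dec 2012 23:57:29 +0800
Received: from titanium.netdns.net (220.127.116.11) by neon.netdns.net with SMTP; 24 Dec 2012 23:57:29 +0800
Received: from localhost (unknown [127.0.0.1]) by titanium.netdns.net (Postfix) with ESMTP id 82BB4523A84 for <email@example.com>; Mon, 24 Dec 2012 15:57:18 +0000 (UTC)
X-Virus-Scanned: amavisd-new at S1AvWhNnLx31v.netdns.net
Received: from titanium.netdns.net ([127.0.0.1]) by localhost (titanium.netdns.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nWRHL2NRVdAP for <firstname.lastname@example.org>; Mon, 24 Dec 2012 23:57:18 +0800 (SGT)
Received: from smtp.clients.netdns.net (smtp.clients.netdns.net [18.104.22.168]) by titanium.netdns.net (Postfix) with ESMTP id 27D5F523A0E for <email@example.com>; Mon, 24 Dec 2012 23:57:18 +0800 (SGT)
Received: (qmail 18137 invoked from network); 24 Dec 2012 15:57:27 -0000
Received: from unknown (HELO Britam00323) (firstname.lastname@example.org@22.214.171.124) by 0 with ESMTPA; 24 Dec 2012 15:57:27 -0000
From: "David Goulding" <email@example.com>
To: "'Phillip Doughty'" <firstname.lastname@example.org>
Subject: constructed sample message

constructed body
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"^from\s+(\S+)")          # anchored: "invoked from network" must not match
BY_RE = re.compile(r"^(\S+)")
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)")   # qmail records the client's HELO name this way
WITH_RE = re.compile(r"\bwith\s+(\S+)")
# RFC 3848 "with" keywords that mean the client authenticated (SMTP AUTH).
AUTHENTICATED_PROTOCOLS = {"ESMTPA", "ESMTPSA"}


def parse_received(value):
    """Split one Received: header value into a hop record."""
    value = " ".join(value.split())              # unfold continuation lines
    clause, _, date = value.rpartition(";")      # the date follows the last ';'
    if not clause:                               # no ';' at all: treat it all as the clause
        clause, date = date, ""
    parts = re.split(r"\s+by\s+", clause, maxsplit=1)
    left = parts[0]                              # "from <host> (<info>)"
    right = parts[1] if len(parts) > 1 else ""   # "<host> ... with <proto> id <id> for <rcpt>"
    from_m = FROM_RE.match(left)
    ip_m = IPV4_RE.search(left)
    helo_m = HELO_RE.search(left)
    by_m = BY_RE.match(right)
    with_m = WITH_RE.search(right)
    protocol = with_m.group(1) if with_m else None
    return {
        # "(qmail N invoked from network)" lines are local queue records, not relays
        "kind": "relay" if from_m else "local",
        "from_host": from_m.group(1) if from_m else None,
        "from_ip": ip_m.group(1) if ip_m else None,
        "helo": helo_m.group(1) if helo_m else None,
        "by_host": by_m.group(1) if by_m else None,
        "protocol": protocol,
        "authenticated": protocol in AUTHENTICATED_PROTOCOLS,
        "date": date.strip(),
    }


def trace_chain(raw_message):
    """Return (all hops, relay hops, continuity findings), origin first."""
    msg = email.message_from_string(raw_message)
    # Each MTA prepends its Received: line, so the top of the message is the last hop.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    relays = [h for h in hops if h["kind"] == "relay"]
    findings = []
    for earlier, later in zip(relays, relays[1:]):
        expected, actual = earlier["by_host"], later["from_host"]
        if expected == actual:
            status = "ok"
        elif not expected or "." not in expected:
            # e.g. qmail's "by 0": the receiving host gave no usable name to match against
            status = "unverifiable"
        else:
            status = "mismatch"               # a forged or spliced chain shows up here
        findings.append((expected, actual, status))
    return hops, relays, findings


if __name__ == "__main__":
    hops, relays, findings = trace_chain(RAW_MESSAGE)
    origin = relays[0]
    print(f"origin: ip={origin['from_ip']} helo={origin['helo']} "
          f"proto={origin['protocol']} authenticated={origin['authenticated']}")
    for h in relays:
        print(f"  {h['from_host']} [{h['from_ip']}] -> {h['by_host']} ({h['protocol']}) {h['date']}")
    for expected, actual, status in findings:
        print(f"  link {expected!r} -> {actual!r}: {status}")
```

Run it and the first relay hop is the one that matters: the message entered the ISP's client submission server from the ADSL address with an ESMTPA transaction, i.e. the sender logged in with SMTP AUTH, which is what makes the chain hang together rather than look injected. The "unverifiable" link is the qmail hop that names itself only as "0"; every later link matches host for host, including the amavisd loopback through 127.0.0.1.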
Pasted by a guest on Jan 26th, 2013