Britam Defense

a guest Jan 26th, 2013 1,525 Never
The email server that Britam uses is "", which is run on an IP block belonging to "Webvisions", a relatively small ISP with 2 class C subnets.
They don't offer MS Exchange, so it is most likely a Linux box. Oddly, the mighty nmap seems to think it is an Apple AirPort Extreme (lol), so I think it is a Linux box with beefed-up network stack security (i.e. it doesn't give away the OS).
Device type: WAP|storage-misc|general purpose|printer
Running (JUST GUESSING): Apple embedded (93%), NetBSD 4.X (89%), Ricoh embedded (85%)
OS CPE: cpe:/o:netbsd:netbsd:4.0
Aggressive OS guesses: Apple AirPort Extreme WAP v7.3.2 (93%), Apple AirPort Extreme WAP or Time Capsule NAS device (90%), Apple Airport Extreme WAP (89%), NetBSD 4.0 (89%), Apple AirPort Extreme WAP (86%), Ricoh Aficio MP C6000 or GX3050N printer (85%)
So, as an educated guess, the usernames/passwords in the archives look like they are Active Directory credentials (Windows network logins), but the mailserver is a standard Unix mailserver and the ISP doesn't have fancy services like MS Exchange integration.
Having said all this, there is still a chance that the front-end mailserver ("") just forwards email on to an Exchange server in Britam's internal network.
Anyway, bottom line - those emails sound fishy to me.
EDIT: Holy fuck, it does seem from a cursory look that the email is indeed genuine, see below.
OK, last post - the plot thickens!!!
After looking at the email headers (see below), I have to admit that the email does indeed look genuine.
  • The email was sent from "", which is a BT Wholesale ADSL IP address.
  • From there it was then relayed via " []".
  • Finally it was delivered to a local mailbox on that server.
I hate to admit it, but all these facts check out. So with Mythbusters objectivity I have to call this one plausible.
I just really hope I don't get a visit from the plods for this ill-advised sleuthing. (Shameless plug - freelance sysadmin/coder for hire) ;)
The following are the email headers for those that are interested (read this from bottom to top):
Received: (qmail 14074 invoked from network); 24 Dec 2012 23:57:29 +0800
Received: from ( by with SMTP; 24 Dec 2012 23:57:29 +0800
Received: from localhost (unknown []) by (Postfix) with ESMTP id 82BB4523A84 for <>; Mon,  24 Dec 2012 15:57:18 +0000 (UTC)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nWRHL2NRVdAP for <>; Mon,  24 Dec 2012 23:57:18 +0800 (SGT)
Received: from ( []) by (Postfix) with ESMTP id 27D5F523A0E for <>; Mon,  24 Dec 2012 23:57:18 +0800 (SGT)
Received: (qmail 18137 invoked from network); 24 Dec 2012 15:57:27 -0000
Received: from unknown (HELO Britam00323) ( by 0 with ESMTPA; 24 Dec 2012 15:57:27 -0000
From: "David Goulding" <>
To: "'Phillip Doughty'" <>
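The bottom-to-top walk of the Received: chain described above, as an added example that is not part of the original paste: it normalises each hop's timestamp to UTC (the headers mix +0800, +0000 and -0000), puts the hops in transit order, and flags backwards timestamps (clock skew between relays) and a sender whose reverse DNS failed while it announced a HELO name. The sample headers are constructed to mirror the paste, with placeholder hostnames and RFC 5737 test addresses standing in for the redacted values.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample, modelled on the paste; hosts/IPs are placeholders, not Britam's.
RAW_HEADERS = """\
Received: (qmail 14074 invoked from network); 24 Dec 2012 23:57:29 +0800
Received: from mail.example.net (192.0.2.10) by mx.example.net with SMTP; 24 Dec 2012 23:57:29 +0800
Received: from localhost (unknown [127.0.0.1]) by mail.example.net (Postfix) with ESMTP id 82BB4523A84 for <user@example.net>; Mon, 24 Dec 2012 15:57:18 +0000 (UTC)
X-Virus-Scanned: amavisd-new at example.net
Received: from mail.example.net ([127.0.0.1]) by localhost (mail.example.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nWRHL2NRVdAP for <user@example.net>; Mon, 24 Dec 2012 23:57:18 +0800 (SGT)
Received: from smtp.isp.example (smtp.isp.example [203.0.113.5]) by mail.example.net (Postfix) with ESMTP id 27D5F523A0E for <user@example.net>; Mon, 24 Dec 2012 23:57:18 +0800 (SGT)
Received: (qmail 18137 invoked from network); 24 Dec 2012 15:57:27 -0000
Received: from unknown (HELO Britam00323) (198.51.100.77) by 0 with ESMTPA; 24 Dec 2012 15:57:27 -0000
"""

RECEIVED_FROM = re.compile(r"^from (?P<host>\S+)", re.I)


def parse_received(raw):
    """Return Received: hops in transit order (origin first) with UTC time, claimed host, HELO."""
    hops = []
    for line in raw.splitlines():
        if not line.lower().startswith("received:"):
            continue
        clause, _, date_str = line.split(":", 1)[1].strip().rpartition(";")
        dt = parsedate_to_datetime(date_str.strip())
        if dt.tzinfo is None:          # "-0000" yields a naive value; RFC 5322 says it is UTC
            dt = dt.replace(tzinfo=timezone.utc)
        host = RECEIVED_FROM.match(clause)
        helo = re.search(r"\(HELO (\S+)\)", clause)
        hops.append({"utc": dt.astimezone(timezone.utc),
                     "from": host.group("host") if host else None,
                     "helo": helo.group(1) if helo else None})
    hops.reverse()  # each relay prepends its header, so the last one is the origin
    return hops


def check_chain(hops):
    """Flag timestamps that run backwards between hops and a sender with no reverse DNS but a HELO."""
    findings = []
    for i in range(1, len(hops)):
        delta = (hops[i]["utc"] - hops[i - 1]["utc"]).total_seconds()
        if delta < 0:
            findings.append(f"hop {i}: timestamp {-delta:.0f}s earlier than hop {i - 1} (clock skew?)")
    for i, h in enumerate(hops):
        if h["from"] == "unknown" and h["helo"]:
            findings.append(f"hop {i}: no reverse DNS, HELO claimed {h['helo']}")
    return findings


if __name__ == "__main__":
    for i, h in enumerate(parse_received(RAW_HEADERS)):
        print(i, h["utc"].strftime("%H:%M:%S"), h["from"], h["helo"])
    print(check_chain(parse_received(RAW_HEADERS)))
```

On these headers the relay's clock sits about nine seconds behind the origin's, which the chain check reports as skew rather than as evidence of a spliced header.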