The email server that Britam uses is "titanium.netdns.net", which is run on an IP block belonging to "Webvisions", who are a relatively small ISP with 2 class C subnets. They don't offer MS Exchange, so it is most likely a Linux box. Oddly, the mighty nmap seems to think it is an Apple AirPort Extreme (lol), so I think it is a Linux box with beefed-up network stack security (i.e. it doesn't give away the OS).

Device type: WAP|storage-misc|general purpose|printer
Running (JUST GUESSING): Apple embedded (93%), NetBSD 4.X (89%), Ricoh embedded (85%)
OS CPE: cpe:/o:netbsd:netbsd:4.0
Aggressive OS guesses: Apple AirPort Extreme WAP v7.3.2 (93%), Apple AirPort Extreme WAP or Time Capsule NAS device (90%), Apple Airport Extreme WAP (89%), NetBSD 4.0 (89%), Apple AirPort Extreme WAP (86%), Ricoh Aficio MP C6000 or GX3050N printer (85%)

So as an educated guess, the usernames/passwords in the archives look like they are Active Directory credentials (Windows network logins), but the mailserver is a standard Unix mailserver and the ISP doesn't have fancy services like MS Exchange integration. Having said all this, there is still a chance that the front-end mailserver ("titanium.netdns.net") just forwards email on to an Exchange server in Britam's internal network. Anyway, bottom line - those emails sound fishy to me.

EDIT: Holy fuck, it does seem from a cursory look that the email is indeed genuine, see below.

OK, last post - the plot thickens!!! After looking at the email headers (see below), I have to admit that the email does indeed look genuine.

• The email was sent from "81.156.163.12", which is a BT Wholesale ADSL IP address.
• From there it was then relayed via "smtp.clients.netdns.net [202.157.148.149]".
• Finally it was delivered to a local mailbox on that server.

I hate to admit it, but all these facts check out. So with Mythbusters objectivity I have to call this one plausible. I just really hope I don't get a visit from the plods for this ill-advised sleuthing.
(Shameless plug - Freelance sysadmin/coder for hire) ;)

The following are the email headers for those that are interested (read this from bottom to top):

Received: (qmail 14074 invoked from network); 24 Dec 2012 23:57:29 +0800
Received: from titanium.netdns.net (123.100.248.206) by neon.netdns.net with SMTP; 24 Dec 2012 23:57:29 +0800
Received: from localhost (unknown [127.0.0.1]) by titanium.netdns.net (Postfix) with ESMTP id 82BB4523A84 for ; Mon, 24 Dec 2012 15:57:18 +0000 (UTC)
X-Virus-Scanned: amavisd-new at S1AvWhNnLx31v.netdns.net
Received: from titanium.netdns.net ([127.0.0.1]) by localhost (titanium.netdns.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nWRHL2NRVdAP for ; Mon, 24 Dec 2012 23:57:18 +0800 (SGT)
Received: from smtp.clients.netdns.net (smtp.clients.netdns.net [202.157.148.149]) by titanium.netdns.net (Postfix) with ESMTP id 27D5F523A0E for ; Mon, 24 Dec 2012 23:57:18 +0800 (SGT)
Received: (qmail 18137 invoked from network); 24 Dec 2012 15:57:27 -0000
Received: from unknown (HELO Britam00323) (smtpbritam@britamdefence.com@81.156.163.12) by 0 with ESMTPA; 24 Dec 2012 15:57:27 -0000
From: "David Goulding"
To: "'Phillip Doughty'"
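Tracing the relay chain the way the post does (bottom Received header first, because each relay prepends its own) is easy to automate. This is an added example, not code from the post: it parses a constructed header block whose hosts and addresses are documentation-range values, unfolds continuation lines, and returns the hops from originating client to final delivery together with the client address the first relay recorded.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the quoted chain (qmail, Postfix, local scanner,
# Postfix, originating client); hosts/IPs are RFC 2606/5737 documentation values.
SAMPLE_HEADERS = """\
Received: (qmail 14074 invoked from network); 24 Dec 2012 23:57:29 +0800
Received: from mx1.example.net (192.0.2.10) by mx2.example.net with SMTP;
  24 Dec 2012 23:57:29 +0800
Received: from localhost (unknown [127.0.0.1])
  by mx1.example.net (Postfix) with ESMTP id 82BB4523A84
  for <bob@example.com>; Mon, 24 Dec 2012 15:57:18 +0000 (UTC)
Received: from smtp.clients.example.net (smtp.clients.example.net [198.51.100.7])
  by mx1.example.net (Postfix) with ESMTP id 27D5F523A0E
  for <bob@example.com>; Mon, 24 Dec 2012 23:57:18 +0800 (SGT)
Received: from unknown (HELO SENDERPC) (smtpuser@example.org@203.0.113.45)
  by 0 with ESMTPA; 24 Dec 2012 15:57:27 -0000
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FROM_BY = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def relay_chain(raw: str) -> List[Dict[str, Optional[str]]]:
    """Hops in chronological order (origin first). Each relay prepends its own
    Received header, so the bottom one is the oldest: hence the reversal."""
    hops: List[Dict[str, Optional[str]]] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1]
        m = FROM_BY.search(body)
        ips = [ip for ip in IPV4.findall(body) if not ip.startswith("127.")]
        hops.append({"from": m.group(1) if m else None,  # HELO / reverse-DNS name
                     "by": m.group(2) if m else None,    # relay that wrote the hop
                     "ip": ips[0] if ips else None})     # first non-loopback IP
    return hops[::-1]

def origin_ip(raw: str) -> Optional[str]:
    """Address the first relay saw: earliest hop carrying a non-loopback IP."""
    return next((h["ip"] for h in relay_chain(raw) if h["ip"]), None)
```

Only the hop written by your own mail server can be trusted; anything below it was supplied by the sender's side and is worth checking against the relay's reverse DNS and the owning network, as the post does.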