Britam Defense

1. The email server that Britam use is "titanium.netdns.net", which is run on an IP block belonging to "Webvisions" who are a relatively small ISP with 2 class C subnets.
2.  
3. They don't offer MS exchange, so it is most likely a Linux box. Oddly the mighty nmap seems to think it is a Apple AirPort Extreme (lol) so I think it is a Linux box with beefed up network stack security (ie: it doesn't give away the OS).
4.  
5. Device type: WAP|storage-misc|general purpose|printer
6. Running (JUST GUESSING): Apple embedded (93%), NetBSD 4.X (89%), Ricoh embedded (85%)
7. OS CPE: cpe:/o:netbsd:netbsd:4.0
8. Aggressive OS guesses: Apple AirPort Extreme WAP v7.3.2 (93%), Apple AirPort Extreme WAP or Time Capsule NAS device (90%), Apple Airport Extreme WAP (89%), NetBSD 4.0 (89%), Apple AirPort Extreme WAP (86%), Ricoh Aficio MP C6000 or GX3050N printer (85%)
9. So as an educated guess, the username/passwords in the archives look like they are active-directory credentials (Windows network logins), but the mailserver is a standard Unix mailserver and the ISP doesn't have fancy services like MS Exchange integration.
10. Having said all this, there is still a chance that the front end mailserver ("titanium.netdns.net") just forwards on email to an exchange server in Britam's internal network.
11. Anyway, bottom line - those emails sound fishy to me.
12. EDIT: Holy fuck, it does seem from a cursory look that the email is indeed genuine, see below.
13.  
14. OK, last post - the plot thickens!!!
15. After looking at the email headers (see below), I have to admit that the email does indeed look genuine.
16.  
17.  
18. • The email was sent from "81.156.163.12" which is a BT Wholesale ADSL IP address.
19. • From there it was then relayed via "smtp.clients.netdns.net [202.157.148.149]"
20. • Finally it was delivered to a local mailbox on that server.
21. I hate to admit it, but all these facts check out. So with Mythbusters objectivity I have to call this one plausible.
22.  
23. I just really hope I don't get a visit from the plods for this ill advised sleuthing. (Shameless plug - Freelance sysadmin/coder for hire) ;)
24. The following are the email headers for those that are interested (read this from bottom to top):
25. Received: (qmail 14074 invoked from network); 24 Dec 2012 23:57:29 +0800
26. Received: from titanium.netdns.net (123.100.248.206) by neon.netdns.net with SMTP; 24 Dec 2012 23:57:29 +0800
27. Received: from localhost (unknown [127.0.0.1]) by titanium.netdns.net (Postfix) with ESMTP id 82BB4523A84 for <pdoughty@britamdefence.com>; Mon, 24 Dec 2012 15:57:18 +0000 (UTC)
28. X-Virus-Scanned: amavisd-new at S1AvWhNnLx31v.netdns.net
29. Received: from titanium.netdns.net ([127.0.0.1]) by localhost (titanium.netdns.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nWRHL2NRVdAP for <pdoughty@britamdefence.com>; Mon, 24 Dec 2012 23:57:18 +0800 (SGT)
30. Received: from smtp.clients.netdns.net (smtp.clients.netdns.net [202.157.148.149]) by titanium.netdns.net (Postfix) with ESMTP id 27D5F523A0E for <pdoughty@britamdefence.com>; Mon, 24 Dec 2012 23:57:18 +0800 (SGT)
31. Received: (qmail 18137 invoked from network); 24 Dec 2012 15:57:27 -0000
32. Received: from unknown (HELO Britam00323) (smtpbritam@britamdefence.com@81.156.163.12) by 0 with ESMTPA; 24 Dec 2012 15:57:27 -0000
33. From: "David Goulding" <dgoulding@britamdefence.com>
34. To: "'Phillip Doughty'" <pdoughty@britamdefence.com>