Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Maybe nothing so shady; depends on the motive.
From: <Glenn.Everhart () chase com>
Date: Wed, 6 Jun 2007 15:33:57 -0400

There may be no impersonation going on. Could be that email for terminated
people is directed to a common mailbox which might be perused by security folks
to check whether anything wrong might have been going on and not noticed while
the person was there. In effect the mail has then gone to a wildcard name
at the company's machine. If you send to the machine, you should not be surprised
if someone representing the machine owner might read it.

Someone communicating exploits might attract interest, if nothing else just
to see that whoever was represented by the Maynor address did not appear to
be involved in some crime ring.

I seem to recall various stories of people being caught doing things they should
not by events that happened shortly after they left a company.

As for keeping old accounts or mailboxes in being, the advice used to be given
that disabling accounts but leaving them was better than deleting because an
attempted use of a disabled account would produce messages about "account foo login fail"
or the like, where unknown accounts would produce "account <unknown> login fail". Same
kind of thing works for mail. It can be better to know if a recently departed person's
account is being attempted. You can then ask that person if he/she was the one trying
it, and why, for example.

Glenn Everhart

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk]On Behalf Of John
Sent: Wednesday, June 06, 2007 2:49 PM
To: H D Moore
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] You shady bastards.

The only part I find legally questionable is
the impersonation of Mr. Maynor by someone at
his old company.  It certainly appears legal for
his company to read the email.  Acting on that
email under the guise of the addressee would
seem to tread pretty close to impersonation.

2 cents ...

On Jun 6, 2007, at 9:47 AM, H D Moore wrote:


Some friends and I were putting together a contact list for the folks
attending the Defcon conference this year in Las Vegas. My friend sent
out an email, with a large CC list, asking people to respond if they
planned on attending. The email was addressed to quite a few  
people, with
one of them being David Maynor. Unfortunately, his old SecureWorks
address was used, not his current address with ErrattaSec.

Since one of the messages sent to the group contained a URL to our  
numbers and names, I got paranoid and decided to determine whether
SecureWorks was still reading email addressed to David Maynor. I  
sent an
email to David's old SecureWorks address, with a subject line  
0-day, and a link to a non-public URL on the metasploit.com web server
(via SSL). Twelve hours later, someone from a Comcast cable modem in
Atlanta tried to access the link, and this someone was (confirmed) not
David. SecureWorks is based in Atlanta. All times are CDT.

I sent the following message last night at 7:02pm.

From: H D Moore <hdm[at]metasploit.com>
To: David Maynor <dmaynor[at]secureworks.com>
Subject: Zero-day I promised
Date: Tue, 5 Jun 2007 19:02:11 -0500
User-Agent: KMail/1.9.3
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200706051902.11544.hdm[at]metasploit.com>
Status: RO
X-Status: RSC


Approximately 12 hours later, the following request shows up in my  
log file. It looks like someone at SecureWorks is reading email  
to David and tried to access the link I sent: - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz
HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"

This address resolves to:

The whois information is just the standard Comcast block boilerplate.


Is this illegal? I could see reading email addressed to him being  
the bounds of the law, but it seems like trying to download the "0day"
link crosses the line.

Illegal or not, this is still pretty damned shady.



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

This transmission may contain information that is privileged,
confidential, legally privileged, and/or exempt from disclosure
under applicable law.  If you are not the intended recipient, you
are hereby notified that any disclosure, copying, distribution, or
use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED.  Although this transmission and
any attachments are believed to be free of any virus or other
defect that might affect any computer system into which it is
received and opened, it is the responsibility of the recipient to
ensure that it is virus free and no responsibility is accepted by
JPMorgan Chase & Co., its subsidiaries and affiliates, as
applicable, for any loss or damage arising in any way from its use.
 If you received this transmission in error, please immediately
contact the sender and destroy the material in its entirety,
whether in electronic or hard copy format. Thank you.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Maybe nothing so shady; depends on the motive. Glenn.Everhart (Jun 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]