Wednesday, January 21, 2009

NASA list server compromised?

As a space geek, I am subscribed to NASA's HSFNEWS mailing list. When I looked at my mailbox this morning, a spam message that claimed to have been posted via the NASA list server caught my attention. Obviously, it is quite easy to forge email, and so I thought that this might be a fake, too. However, closer examination reveals headers that make me think this could be the real thing.

Of course, HSFNEWS is just one of the many mailing lists NASA offers, and of course it is run on an auxiliary system; still, invalid messages slipping through can have quite bad effects. Of course, a message with the subject

"[HSFNEWS] She'll always want to give head now"

will hopefully be immediately classified as spam by anyone (or do you think the message is about alien encounters? ;)). But what if the message were much more carefully crafted to carry out something evil? After all, the message could look very much like it comes from an official NASA source. Just think about the various Obama hoaxes and scams that we have seen lately.

I am still not 100% convinced that the mail actually originated from the NASA list server (I have tried to contact someone in charge over there and hope to get some results). To help you get an idea yourself, here is the complete message source, except for a few details of my local delivery record as well as valid mail addresses that do not need to be posted here.

If someone has an opinion on whether the mail was relayed over NASA's server, please post a comment or drop me a mail.


MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C97B42.7A7F7080"
Received: from jsc-listserv-01.jsc.nasa.gov (jsc-listserv-01.jsc.nasa.gov
[128.157.5.25]) by mailin.adiscon.com (Postfix) with ESMTP id 06205241C002
for ; Tue, 20 Jan 2009 21:52:51 +0100 (CET)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: from jsc-listserv-01.jsc.nasa.gov (jsc-listserv-01
[128.157.5.25]) by jsc-listserv-01.jsc.nasa.gov (8.13.1/8.13.1) with ESMTP
id n0K7cgeV024815; Tue, 20 Jan 2009 15:01:22 -0600
Received: by JSC-LISTSERV-01.JSC.NASA.GOV (LISTSERV-TCP/IP release 15.0)
with spool id 553828 for HSFNEWS@JSC-LISTSERV-01.JSC.NASA.GOV;
Tue, 20 Jan 2009 15:01:20 -0600
Received: from 200-127-202-12.cab.prima.net.ar
(200-127-202-12.cab.prima.net.ar [200.127.202.12]) by
jsc-listserv-01.jsc.nasa.gov (8.13.1/8.13.1) with ESMTP id
n0KKPY2D029413 for ; Tue, 20 Jan
2009 14:25:35 -0600
Return-Path:
X-OriginalArrivalTime: 20 Jan 2009 21:03:01.0983 (UTC)
FILETIME=[7B156EF0:01C97B42]
List-Owner:
Approved-By: {removed}@NASA.GOV
Content-class: urn:content-classes:message
Subject: [HSFNEWS] She'll always want to give head now
Date: Tue, 20 Jan 2009 21:25:34 +0100
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [HSFNEWS] She'll always want to give head now
Thread-Index: Acl7Qns+aZRN9mnKS56dl4osL2myOw==
List-Help: ,
List-Subscribe:
List-Unsubscribe:
From: "joynt"
To:
Reply-To: "hsfnews"


------_=_NextPart_001_01C97B42.7A7F7080
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Can't see images?
To view this email as a web page, go here =
{actual spam removed}
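To make the "follow the Received headers" reasoning repeatable, here is an added Python example (not code from the original post). It takes the Received: and Approved-By: lines from the message above, re-folded with leading whitespace because the copy on the page lost the folding, walks the chain from oldest hop to newest, reports the apparent origin, checks that each receiving host is the host the next hop says it received from, flags timestamps that run backwards, and compares the IP of the hop that delivered to the local server with an expected address. That expected address (128.157.5.25 for jsc-listserv-01.jsc.nasa.gov) is taken from the comments below, where it is described as what DNS returned at the time; the script does no lookups itself.

```python
"""Reconstruct the relay path of a mail message from its Received: headers.

Added example; not code from the original post. Only the Received: line
written by your own server can be trusted; every earlier line could have
been written by the sender, so the checks below are consistency checks,
not proof.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Received:/Approved-By: headers from the message
# quoted above, re-folded with leading whitespace (RFC 5322 style) because
# the copy on the page lost the folding. Removed addresses stay removed.
SAMPLE_HEADERS = """\
Received: from jsc-listserv-01.jsc.nasa.gov (jsc-listserv-01.jsc.nasa.gov
 [128.157.5.25]) by mailin.adiscon.com (Postfix) with ESMTP id 06205241C002;
 Tue, 20 Jan 2009 21:52:51 +0100 (CET)
Received: from jsc-listserv-01.jsc.nasa.gov (jsc-listserv-01
 [128.157.5.25]) by jsc-listserv-01.jsc.nasa.gov (8.13.1/8.13.1) with ESMTP
 id n0K7cgeV024815; Tue, 20 Jan 2009 15:01:22 -0600
Received: by JSC-LISTSERV-01.JSC.NASA.GOV (LISTSERV-TCP/IP release 15.0)
 with spool id 553828 for HSFNEWS@JSC-LISTSERV-01.JSC.NASA.GOV;
 Tue, 20 Jan 2009 15:01:20 -0600
Received: from 200-127-202-12.cab.prima.net.ar
 (200-127-202-12.cab.prima.net.ar [200.127.202.12]) by
 jsc-listserv-01.jsc.nasa.gov (8.13.1/8.13.1) with ESMTP id
 n0KKPY2D029413; Tue, 20 Jan 2009 14:25:35 -0600
Approved-By: {removed}@NASA.GOV
Subject: [HSFNEWS] She'll always want to give head now

"""

# "from <helo> (<rdns> [<ip>]) by <host> ..."; the whole "from" part is
# absent on a purely local step such as the LISTSERV spool entry.
HOP_RE = re.compile(
    r"^(?:from\s+(?P<helo>\S+)\s+(?:\((?P<info>[^)]*)\)\s+)?)?by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value):
    """Split one unfolded Received: value into helo, rDNS name, IP, receiver, date."""
    m = HOP_RE.match(value)
    if not m:
        raise ValueError(f"unparseable Received: header: {value!r}")
    info = m.group("info") or ""
    ip = IP_RE.search(info)
    date = parsedate_to_datetime(value.rsplit(";", 1)[1].strip()) if ";" in value else None
    return {
        "helo": m.group("helo"),
        "rdns": info.split()[0] if info and not info.startswith("[") else None,
        "ip": ip.group(1) if ip else None,
        "by": m.group("by"),
        "date": date,
    }


def chain_is_consistent(hops):
    """Each receiving host should be the host the next hop names in its 'from'."""
    for earlier, later in zip(hops, hops[1:]):
        if later["helo"] is None:          # local spool step: nothing to compare
            continue
        names = {n.lower() for n in (later["helo"], later["rdns"]) if n}
        if earlier["by"].lower() not in names:
            return False
    return True


def timestamp_anomalies(hops):
    """Index pairs (i, j) where hop j is stamped earlier than the preceding hop i."""
    dated = [(i, h["date"]) for i, h in enumerate(hops) if h["date"]]
    return [(i, j) for (i, a), (j, b) in zip(dated, dated[1:]) if b < a]


def analyze(raw_headers, expected_delivering_ip=None):
    """Summarise the relay path; hops are returned oldest-first."""
    msg = message_from_string(raw_headers)
    values = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    hops = [parse_hop(v) for v in reversed(values)]   # headers are stacked newest-first
    first, last = hops[0], hops[-1]
    return {
        "hops": hops,
        "origin_host": first["helo"],
        "origin_ip": first["ip"],
        "delivering_host": last["helo"],
        "delivering_ip": last["ip"],
        # Only the hop written by your own server is trustworthy; compare its
        # recorded peer IP with the address you expect for that host name.
        "delivering_ip_as_expected": (
            None if expected_delivering_ip is None else last["ip"] == expected_delivering_ip
        ),
        "chain_consistent": chain_is_consistent(hops),
        "timestamp_anomalies": timestamp_anomalies(hops),
        "transit_seconds": int((last["date"] - first["date"]).total_seconds()),
        "approved_by": msg.get("Approved-By"),
    }


if __name__ == "__main__":
    # Assumed expected address: the one the post's comments say DNS returned
    # for jsc-listserv-01.jsc.nasa.gov at the time.
    result = analyze(SAMPLE_HEADERS, expected_delivering_ip="128.157.5.25")
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: {hop['helo'] or '(local)'} [{hop['ip']}] -> {hop['by']} at {hop['date']}")
    for key in ("origin_ip", "delivering_ip_as_expected", "chain_consistent",
                "timestamp_anomalies", "transit_seconds", "approved_by"):
        print(f"{key}: {result[key]}")
```

Run against the headers from the page, the chain is internally consistent, the delivering peer IP matches the expected address, and the apparent origin is 200.127.202.12. The timestamp check reports one oddity: the receiving server's stamp (21:52:51 +0100) is about eight minutes earlier than the two listserv stamps (15:01:2x -0600). That is the pattern clock skew between servers produces and says nothing about forgery by itself, but it is the kind of detail worth noting in an incident write-up. The Approved-By header is surfaced because, as the comments point out, it is the one line that implies a moderation step rather than plain relaying.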

4 comments:

Andrew Yourtchenko said...

The first "Received:" header points to the host originating the message being somewhere in Argentina - or do you think it was also spoofed?

Rainer said...

Hi Andrew, it may be spoofed, I've actually not tried to check this (hard these days with all the botnets...). In any case, that would be the server where the mail was submitted from. If you follow the Received headers, it talked to jsc-listserv-01.jsc.nasa.gov and my reception server got the mail from that very same name, and the IP address we got it from (128.157.5.25) is the one that is present in DNS for jsc-listserv-01.jsc.nasa.gov - so it looks like the mail was indeed relayed via the NASA listserv.

Andrew Yourtchenko said...

hi Rainer - yes, the path according to the headers was:

200.127.202.12 -- 128.157.5.25 [spooled and resent - presumably to the list of subscribers] -- mailin.adiscon.com

So from the headers it looks like any other mail message sent to a maillist - I've a few maillists that do not restrict the senders to be subscribers-only, and there I'm getting quite a few of spams of this kind. For the "posts from subscribers only" it becomes a bit more difficult as the sender address would need to be spoofed to be one of the legitimate subscribers.

The only thing that makes me wonder a little bit is the "Approved-By" header, which implies someone did approve this mail - can be still a human mistake of doing "Approve All", but in any case it might make sense to verify with the maillist owners - have you tried contacting them ?

(Btw, usually the best thing to do in case of a suspected security incident would be of course to contact the respective organization's incident response team - if someone's server was indeed compromised, they'd be most surely thankful for the alert, in case they did not know about it).

Rainer said...

Yes, I tried to notify them, even held the posting for some time. Maybe I'll give it another try today. At least the issue has not been recurring, so I guess it is already fixed.