Focus on Microsoft
RE: MS broadening its efforts to warn customers Aug 06 2003 04:16PM
Hayes, Bill (Bill Hayes owh com) (1 replies)
Since I've been asked why I consider a bulk e-mail company to be
"legitimate" (and what did I mean by that, anyway?), here are my criteria:

1) Does the company actually use its own domain in its e-mail traffic
(spam)?
2) Do their servers resolve under reverse DNS?
3) Is the company listed at places like SPAMHAUS ROKSO?

If 1 and 2 are yes and 3 is no, then I consider a company to be
"legitimate" in that they have a legal presence on the internet and
they're not working through open relays. I don't have to like what they
do, in fact, I do not. Actually, legitimate bulk e-mailers make
anti-spam efforts all the easier, because we can choose to easily block
their e-mail either through IP addresses or address masks like
*@*.m0.net, which we do.

What Thor has actually proved is his second theory, namely that MS is
working with a bulk e-mailer to widely reach as many of MS customers as
possible. They are apparently tracking which addresses are still active
and if any of the recipients are downloading the security patch when
notified. Although this is good to know, the collection method will work
against MS in the long run. The hidden tracking in the message is also
giving many who already distrust MS further ammo for their cases.

From Robert Smith, I learned that a security feature in Outlook 2003
actually prevents delivery of the MS/Digital Impact html-based message.
I think this builds a stronger case that sending out html-based
"security" messages is bad, bad, bad.

-----Original Message-----
From: Thor Larholm [mailto:thor (at) pivx (dot) com [email concealed]]
Sent: Tuesday, August 05, 2003 5:03 PM
To: Hayes, Bill; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: MS broadening its efforts to warn customers

Whatever happened to Microsoft wanting to combat spam? I thought Bill
Gates just recently sent a memo announcing that spam was their new enemy
and his personal Jihad. I could be disappointed, but honestly - I don't
believe this.

Keep in mind that it is the stated policy of Microsoft NOT to send
security patches in emails, and most definitely not unsolicited (
http://www.microsoft.com/technet/security/news/patch_hoax.asp ).

In fact, people are already debating this mail all over the place,
questioning its authenticity. So let's look at that authenticity, shall
we?

We have 2 possibilities:

1: Microsoft hired DigitalImpact.com / m0.net to send unsolicited bulk
email to whoever from the domain email.microsoft.com.

2: m0.net is scamming Microsoft, and has spoofed Microsoft's DNS servers
to take over the subdomain email.microsoft.com.

Since m0.net is a longtime unrepentant spam operation and Bill Gates has
a personal Jihad against spam, I believe in the second possibility.

Now where do I recognize the HB9707218726X2612303X228387X webbug
identifiers? Why, in all of the previous unsolicited commercial email from
m0.net - but wait, the full URL is actually
http://email.microsoft.com/m/s.asp?HB9707218726X2612303X228387X even
though the text part says
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

What shall we believe? Let's dig a bit:

------------- DIG OUTPUT --------------

$ dig email.microsoft.com

; <<>> DiG 9.2.1 <<>> email.microsoft.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;email.microsoft.com. IN A

;; ANSWER SECTION:
email.microsoft.com. 7200 IN A 209.11.136.150

;; AUTHORITY SECTION:
microsoft.com. 163382 IN NS dns1.cp.msft.net.
microsoft.com. 163382 IN NS dns1.dc.msft.net.
microsoft.com. 163382 IN NS dns1.sj.msft.net.
microsoft.com. 163382 IN NS dns1.tk.msft.net.
microsoft.com. 163382 IN NS dns3.uk.msft.net.

;; ADDITIONAL SECTION:
dns1.cp.msft.net. 466 IN A 207.46.138.20
dns1.dc.msft.net. 1322 IN A 64.4.25.30
dns1.sj.msft.net. 1668 IN A 65.54.248.222
dns1.tk.msft.net. 466 IN A 207.46.245.230
dns3.uk.msft.net. 1322 IN A 213.199.144.151

;; Query time: 111 msec
;; SERVER: 207.217.126.41#53(207.217.126.41)
;; WHEN: Tue Aug 5 16:19:23 2003
;; MSG SIZE rcvd: 251

------------- DIG OUTPUT --------------

How funny, email.microsoft.com has an A record of 209.11.136.150, which
is not even in Microsoft IP space. All the DNS servers are Microsoft,
all other domains from microsoft.com are in Microsoft IP space, but
email.microsoft.com is not.

So where is 209.11.136.150? Why, at Digital Impact (m0.net)

http://ripe.net/perl/whois?searchtext=-a+209.11.136.150

So it turns out that m0.net has been scamming Microsoft customers by
spoofing the Microsoft DNS servers to maliciously take control of
email.microsoft.com. Preying on the hype about the recent critical RPC
patches, m0.net decided to do a bit of email phishing and verification.

Each and every spammed customer who clicked on the link to get this
critical patch, which the media has been yelling about and the
Department of Homeland Security has issued an unprecedented 2 warnings
about, has simply verified that "HEY, I am a live person on this email
address - please spam me some more, m0.net".

Email verification by sleazeball spammers, not a security bulletin from
Microsoft.

Hayes, what is legitimate about Digital Impact? They are m0.net,
unrepentant longtime spammers and sleazeballs. Wade through
news.admin.net-abuse.* and have a blast.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

-----Original Message-----
From: Hayes, Bill [mailto:Bill.Hayes (at) owh (dot) com [email concealed]]
Sent: Monday, August 04, 2003 8:45 AM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: MS broadening its efforts to warn customers

It may be that this is just a Monday morning and I haven't had enough
coffee yet.

Anyway,

<rant>

I just received a message from Microsoft that did not originate from MS,
but instead with a legitimate third party bulk e-mailer Digital Impact
(see http://www.digitalimpact.com/v2/). This is not a slam against
Digital Impact, but I am questioning the decision by MS to have a
security alert handled by a bulk e-mailer.

In what appears to be an honest effort to alert MS customers of the
MS03-026 security advisory, Microsoft has enlisted the aid of bulk
e-mailers at Digital Impact. Unfortunately the message may not get the
wide dissemination that Microsoft wants. The mail server used by Digital
Impact has the reverse DNS address of mh.microsoft.m0.net. Its IP
address is 209.11.164.116.

Mail servers at the M0.net domain are known for sending unsolicited
e-mail (see http://openrbl.org/ and enter the IP address
209.11.164.116). A few RBLs show m0.net as the originator of unsolicited
e-mail. The majority do not. Therefore, the well-intentioned message
may well be blocked by organizations with stringent anti-spam controls.

Perhaps this move is intended to reach the more diffuse home PC customer.
If so, I hope they succeed. I do applaud their decision to reach out to
as many folks as possible. However, the bottom line for me is if you
have something important to tell me Microsoft, please use your own
e-mail servers.

</rant>

Here are the headers for the message I received:

Microsoft Mail Internet Headers Version 2.0
Received: from xxxxxxxxxxx ([xxx.xxx.xxx.xxxx]) by xxx.xxx.xxx.xxxx with
xxxxxxxxxxx;
Mon, 4 Aug 2003 09:12:18 -0500
Received: from xxxxxxxxxxx([xxxxxxxxxxx]) by xxxxxxxxxxx with
xxxxxxxxxxx;
Mon, 4 Aug 2003 09:12:17 -0500
Received: from xxxxxxx by xxxxxxxxxxx
via smtpd (for xxxxxxxxxxx [xxx.xxx.xxx.xxxx]) with SMTP; 4
Aug 2003 14:12:17 UT
Received: from xxxxxxxxxxx (mh.microsoft.m0.net) by xxxxxxxxxxx
(xxxxxxxxxx) with SMTP id <T63d8a2e64e0a28021446c@xxxxxxxxxxxxxxxx> for
<bhayes (at) owh (dot) com [email concealed]>; Mon, 4 Aug 2003 09:11:56 -0500
Received: from mh.microsoft.m0.net ([209.11.164.116]) by xxxxxxxxxxx
via smtpd (for xxxxxxxxxxx [xxx.xxx.xxx.xxxx]) with SMTP; 4
Aug 2003 14:11:56 UT
Received: from [209.11.138.126]
by 10.203.1.116 (mh.microsoft.m0.net) with SMTP; 04 Aug 2003
07:35:38 +0000
Message-ID: <9707218726.1060006307040 (at) m0 (dot) net [email concealed]>
Date: Mon, 4 Aug 2003 07:11:47 -0700 (PDT)
From: Microsoft <windowssecurity (at) email.microsoft (dot) com [email concealed]>
Reply-to: windowssecurity (at) email.microsoft (dot) com [email concealed]
To: bhayes (at) owh (dot) com [email concealed]
Subject: Security Update for Microsoft Windows
Errors-to: windowssecurity (at) email.microsoft (dot) com [email concealed]
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="---=_NEXT_f6cd4ca4db"
X-cid: 9707218726
X-pid: 228387
Return-Path: windowssecurity (at) email.microsoft (dot) com [email concealed]
X-OriginalArrivalTime: 04 Aug 2003 14:12:17.0964 (UTC)
FILETIME=[69958EC0:01C35A92]

Here's the message body:

*** PLEASE NOTE: Due to the critical importance of this message,
this communication is being sent to all of our Microsoft customers
to alert you of this Security Bulletin. ***

It has been widely reported in the press and on Microsoft's own web
site, that on July 16th we released a critical security bulletin
(MS03-026) and a patch regarding a vulnerability in the Windows
operating system. We wanted to make sure that if you were not aware
of this bulletin and corresponding patch that you take a moment to
go to
http://www.microsoft.com/security/security_bulletins/ms03-026.asp
<http://email.microsoft.com/m/s.asp?HB9707218726X2612303X228387X> to
find out if you are running an affected version of
the Windows operating system and get the specific information as to
what you need to do to apply this patch if you have not already.

Although we encourage you to pay attention to all security bulletins
and to deploy patches in a timely manner we wanted to call special
attention to this particular instance as we have become aware of
some activity on the internet that we believe increases the
likelihood of the exploitation of this vulnerability. Specifically,
code has been published on several web sites that would allow
someone to spread a worm/virus that takes advantage of the
vulnerability in question thereby impacting your
computing environment.

Although it is our goal to produce the most secure and dependable
products possible, we do become aware of these types of
vulnerabilities. In order to minimize the risks of such
vulnerabilities to your computing environment, we encourage you to
subscribe to the Windows Update service by going to
http://www.windowsupdate.com
<http://email.microsoft.com/m/s.asp?HB9707218726X2612304X228387X> and
also subscribe to Microsoft's
security notification service at
http://register.microsoft.com/subscription/subscribeme.asp?ID=135
<http://email.microsoft.com/m/s.asp?HB9707218726X2612305X228387X> if you
have not already. By
subscribing to these two services you will automatically receive
information on the latest software updates and the latest security
notifications thereby improving the likelihood that your computing
environment will be safe from worms and viruses that occur.

We apologize for any inconvenience the implementation of this patch
might cause and appreciate you taking the time to update
your system.

Thank you,
Microsoft Corporation

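The checks the thread performs by hand (which host actually relayed the mail, whether it belongs to the organisation in From:, whether the visible link text matches the real href, and whether per-recipient header values reappear in the link URLs), as an added Python example that is not part of any message in the thread. It runs on a constructed message modelled on the quoted headers and body (masked hops dropped, recipient omitted); the "last two labels" rule for the registrable domain is a simplifying assumption.

```python
import re
from email import message_from_string
from urllib.parse import urlparse
# Constructed sample modelled on the thread's quoted headers and body (masked hops dropped).
SAMPLE = """\
Received: from mh.microsoft.m0.net ([209.11.164.116]) by mx.example.net
 with SMTP; Mon, 4 Aug 2003 09:11:56 -0500
From: Microsoft <windowssecurity@email.microsoft.com>
X-cid: 9707218726
X-pid: 228387
Content-Type: text/html

<p>Go to <a href="http://email.microsoft.com/m/s.asp?HB9707218726X2612303X228387X">
http://www.microsoft.com/security/security_bulletins/ms03-026.asp</a></p>
"""
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)")
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def last_external_hop(msg):
    """(helo_name, ip) from the topmost Received line, written by our own MX;
    the lines below it came from the sender and can be forged."""
    m = RECEIVED_RE.search((msg.get_all("Received") or [""])[0])
    return (m.group(1), m.group(2)) if m else None

def sender_matches_from(msg, helo_name):
    """Does the relaying host belong to the organisation named in From:?"""
    def org(host):  # crude registrable-domain heuristic: last two labels (assumption)
        return ".".join(host.lower().rstrip(".").split(".")[-2:])
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return bool(m) and org(m.group(1)) == org(helo_name)

def link_mismatches(html):
    """Anchors whose visible URL names a different host than the real href."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        shown = text.strip()
        if shown.startswith("http") and urlparse(shown).hostname != urlparse(href).hostname:
            out.append((shown, href))
    return out

def tracking_markers(msg, html):
    """Header values that reappear inside link URLs (per-recipient web bugs); the thread's
    token HB<cid>X<link>X<pid>X carries both X-cid and X-pid."""
    hrefs = [h for h, _ in ANCHOR_RE.findall(html)]
    return {n: msg[n] for n in ("X-cid", "X-pid") if msg[n] and any(msg[n] in h for h in hrefs)}

def report(raw):
    msg = message_from_string(raw)
    hop, body = last_external_hop(msg), msg.get_payload()
    return {"hop": hop, "sender_in_from_org": sender_matches_from(msg, hop[0]) if hop else None,
            "mismatched_links": link_mismatches(body), "tracking": tracking_markers(msg, body)}
```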
