Domain Hijacked


Geoff Bleau
Mar 29, 2000, 3:00:00 AM
One of my DOMAIN names was just 'hijacked'.

I received a message from Internic this evening that my
'Change had been completed'

I didn't submit a change.

The change involved assigning a new Technical Contact
and changing the Nameservers.

The header of the message sent to Internic had my
e-mail address - but also the IP of a system in
Idaho.

For this to have taken place - the hijacker must have
been able to spoof my sender name - but also intercepted
the return from Internic.

How is this possible ????

And how do I prevent it in the future ???


Timothy J. Lee
Mar 30, 2000, 3:00:00 AM
Geoff Bleau <geo...@bellsouth.net> writes:
|One of my DOMAIN names was just 'hijacked'.
|
|The header of the message sent to Internic had my
|e-mail address - but also the IP of a system in
|Idaho.
|
|For this to have taken place - the hijacker must have
|been able to spoof my sender name - but also intercepted
|the return from Internic.
|
|How is this possible ????

Faking email From: lines is trivial.

|And how do I prevent it in the future ???

Check the registrars for more secure authentication methods
than just the email From: line. Network Solutions, for example,
offers password (CRYPT-PW) and PGP authentication options.

--
------------------------------------------------------------------------
Timothy J. Lee  timlee@netcom.com
Unsolicited bulk or commercial email is not welcome.
No warranty of any kind is provided with this message.

Geoff Bleau
Mar 30, 2000, 3:00:00 AM
"Timothy J. Lee" wrote:

> Geoff Bleau <geo...@bellsouth.net> writes:
> |One of my DOMAIN names was just 'hijacked'.
> |
> |For this to have taken place - the hijacker must have
> |been able to spoof my sender name - but also intercepted
> |the return from Internic.
>
> Faking email From: lines is trivial.
>
> |And how do I prevent it in the future ???
>
> Check the registrars for more secure authentication methods
> than just the email From: line. Network Solutions, for example,
> offers password (CRYPT-PW) and PGP authentication options.

Thanks - I'll certainly contact Network Solutions and change
the 'auth' procedure for all our domains.

But -

I understand that faking From: lines is easy ( ie: all that spam )

But that would mean that Network Solutions is simply replying
to the mail headers - and not looking up my REAL e-mail
from their database ???

Wouldn't that be a simple security procedure on their end ???

Geof

Barry Margolin
Mar 30, 2000, 3:00:00 AM
In article <8c0m06$1dat$1...@spider.asl.ca>, Brian Hampson <br...@ASL.CA> wrote:
>Barry Margolin (bar...@bbnplanet.com) wrote:
>
>: In article <38E2E095...@bellsouth.net>,
>: Geoff Bleau <geo...@bellsouth.net> wrote:
>: >But that would mean that Network Solutions is simply replying
>: >to the mail headers - and not looking up my REAL e-mail
>: >from their database ???
>:
>: They should be the same -- the change should only take place if the address
>: in the header matches what's in their database. But unless you specify
>: CRYPT-PW or PGP authentication, you're susceptible to spoofing like this.
>:
>: And they apparently did look up your address in their database when they
>: sent the message saying that the change was completed.
>
>But he's saying that he NEVER received the message regarding the change.

No, reread his original message. He realized his domain had been hijacked
because he received a message from NSI saying his change had been
completed.

What he presumably didn't receive was an acknowledgement of the original
change request (perhaps the hijacker used Reply-to: in his email) or a
request for confirmation of the change (NSI only sends those when the
change request didn't come from an authorized contact address).

--
Barry Margolin, bar...@bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

WB3KUM/9
Mar 31, 2000, 3:00:00 AM
Handle everything the way I do. In writing, on letterhead, with an
original signature. You don't have that, it is fraud.


Marc Slemko
Apr 2, 2000, 4:00:00 AM
In article <1xQE4.33$YN6.1733@burlma1-snr2>, Barry Margolin wrote:
>In article <38E2E095...@bellsouth.net>,
>Geoff Bleau <geo...@bellsouth.net> wrote:
>>But that would mean that Network Solutions is simply replying
>>to the mail headers - and not looking up my REAL e-mail
>>from their database ???
>
>They should be the same -- the change should only take place if the address
>in the header matches what's in their database. But unless you specify
>CRYPT-PW or PGP authentication, you're susceptible to spoofing like this.

Why should you be vulnerable to spoofing, aside from NSI being silly?

I just can't figure out any reason for NSI to allow this sort of
crap. They must spend far more time dealing with the results of
it than it would take to fix it so it didn't happen.

It doesn't take much of a clue to require the user to reply to the
mail, to a request specific address, or with something specific in
the subject line, or a specific URL that the user has to go to,
etc. that is unique and unguessable. Decent mailing lists have
been requiring that for years. Best of all, it doesn't require
everyone with a domain to wade through NSI's maze of half-functioning
authentication methods.

Why doesn't NSI do this properly? I presume it is because they
don't care, because they have little (but growing...) reason to.

Clyde Nishimura
Apr 2, 2000, 4:00:00 AM
Geoff Bleau wrote:
>
> One of my DOMAIN names was just 'hijacked'.
>
> I received a message from Internic this evening that my
> 'Change had been completed'
>
> I didn't submit a change.
>
> The change involved assigning a new Technical Contact
> and changing the Nameservers.
>
> The header of the message sent to Internic had my
> e-mail address - but also the IP of a system in
> Idaho.
>
> For this to have taken place - the hijacker must have
> been able to spoof my sender name - but also intercepted
> the return from Internic.
>
> How is this possible ????
>
> And how do I prevent it in the future ???

CERT issued a warning about this last June. They just
recently reissued this warning as they are getting
more reports about this.

http://www.cert.org/vul_notes/VN-99-01.html

To quote CERT:

Reports indicate forged email headers are being used to
bypass weak registry transaction authentication mechanisms.

Michael Erskine
Apr 3, 2000, 3:00:00 AM
Geoff Bleau wrote:
>
> One of my DOMAIN names was just 'hijacked'.
>
> I received a message from Internic this evening that my
> 'Change had been completed'
>
> I didn't submit a change.
>
> The change involved assigning a new Technical Contact
> and changing the Nameservers.
>
> The header of the message sent to Internic had my
> e-mail address - but also the IP of a system in
> Idaho.
>
> For this to have taken place - the hijacker must have
> been able to spoof my sender name - but also intercepted
> the return from Internic.

Which means that your system has been cracked... I can't believe all
these folks responded and failed to pick up on that.

He USED YOUR SYSTEM AND YOUR EMAIL ACCOUNT to make the change AND THEN
CAUGHT the first return mail to make sure you did not see it. He
expected the second confirmation to go to his changed domain... oops...
made a mistake... didn't change the contact information. He is screwed.

So... DO SOMETHING ABOUT IT.

Start by contacting the FBI computer crime unit. They will appreciate
the lead. Then start looking the system over for a root kit. You will
most likely find one.

Welcome to security work... you will find it challenging, time
consuming, frustrating, and only VERY rarely rewarding.

Villy Kruse
Apr 3, 2000, 3:00:00 AM
On Sun, 02 Apr 2000 15:23:44 -0400,
Clyde Nishimura <cl...@qur.nrl.navy.mil> wrote:

>
>CERT issued a warning about this last June. They just
>recently reissued this warning as they are getting
>more reports about this.
>
>http://www.cert.org/vul_notes/VN-99-01.html
>
>To quote CERT:
>
>Reports indicate forged email headers are being used to
>bypass weak registry transaction authentication mechanisms.

When joining a mailing list you often have to re-confirm the request
with a password you would only know if you can intercept the mail
sent to the address that is being joined to the list. Thus it is
futile to forge a From: address in this situation, unless the forger
can also intercept return messages.


Villy

Geoff Bleau
Apr 3, 2000, 3:00:00 AM
Michael Erskine wrote:

A little update on this.

The DOMAIN change was initiated by a staff member at an ISP in
Idaho. They CLAIMED that they were only responding to a request
from one of their users !!

No explanation yet as to WHY they would make this change for
someone who had nothing to do with my domain.

Nor any explanation as to why they would 'spoof' my e-mail
address to accomplish it.

As best as I can determine from Network Solutions ( simply
from reading their blurbs on the Webpage - they don't seem to
answer phone calls or respond to support e-mails )

when they receive a request - where the DOMAIN record is
marked as : MAIL-FROM - they do a lookup into the domain
record - and if the e-mail address matches - they simply REPLY
to the sender - instead of doing the lookup and sending a fresh
message to the address indicated in the domain record.

This makes spoofing easy.

At the root of this - it is my fault. I must have missed a mailing from
them indicating that I should change my method of authentication.

I have done that now.

When I spoke to the owner of the ISP in Idaho last Thursday, he
indicated he would research the issue - and find out why one of his
staff members would participate in a fraud of this type - but as of
Monday AM - have not heard back from him.

Geoff


--
" Bigamy is having one wife too many.
Monogamy is the same "

Geoff Bleau geo...@bellsouth.net

http://www.flsoft.com
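As an added illustration of the two registrar behaviours discussed in this thread (the MAIL-FROM scheme Geoff describes, which trusts the header and replies to the sender, and the mail-back confirmation token that Marc and Villy propose), here is a small simulation; it is not from the original thread or from Network Solutions, and the domain, addresses and in-memory data store are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass

# Registrar database (constructed sample): the contact address of record per domain.
RECORDS = {"example.com": {"contact": "owner@example.com",
                           "nameservers": ["ns1.example.com"]}}
PENDING = {}   # domain -> (token, requested nameservers) awaiting confirmation
OUTBOX = []    # every message the simulated registrar "sends", as dicts

@dataclass
class Request:
    """A change request as received by e-mail; From: and Reply-To: are untrusted input."""
    domain: str
    from_addr: str
    nameservers: list
    reply_to: str = None

def reset():  # restore the constructed sample state
    RECORDS["example.com"]["nameservers"] = ["ns1.example.com"]
    PENDING.clear()
    OUTBOX.clear()

def send(to, subject, token=None):
    OUTBOX.append({"to": to, "subject": subject, "token": token})

def handle_mail_from(req):
    """MAIL-FROM as the thread describes it: trust the header, apply, reply to the sender."""
    if req.from_addr != RECORDS[req.domain]["contact"]:
        return "rejected"
    RECORDS[req.domain]["nameservers"] = req.nameservers          # applied at once
    send(req.reply_to or req.from_addr, "Request acknowledged")  # goes wherever the mail asks
    send(RECORDS[req.domain]["contact"], "Change completed")     # what the real owner sees later
    return "applied"

def handle_with_challenge(req):
    """Hardened flow: apply nothing; mail an unguessable token only to the address of record."""
    token = secrets.token_urlsafe(24)
    PENDING[req.domain] = (token, req.nameservers)
    send(RECORDS[req.domain]["contact"], "Confirm change", token)  # never the header address
    return "pending"

def confirm(domain, token):
    """Apply the pending change only if the presented token matches (constant-time compare)."""
    pending = PENDING.get(domain)
    if pending is None or not hmac.compare_digest(pending[0], token):
        return "rejected"
    RECORDS[domain]["nameservers"] = pending[1]
    del PENDING[domain]
    return "applied"
```

With a forged From: and an attacker-controlled Reply-To:, the first handler changes the record and sends its acknowledgement to the attacker, while the second changes nothing until whoever reads the contact address of record returns the token.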

Barry Margolin
Apr 3, 2000, 3:00:00 AM
In article <slrn8edf3i...@alive.znep.com>,
Marc Slemko <ma...@znep.com> wrote:
>Why doesn't NSI do this properly? I presume it is because they
>don't care, because they have little (but growing...) reason to.

The CRYPT-PW and PGP authentication schemes were created to address the
forgeability of From: lines. Anyone who cares can make use of these
mechanisms.

Marc Slemko
Apr 3, 2000, 3:00:00 AM
In article <064G4.19$nR.328@burlma1-snr2>, Barry Margolin wrote:
>In article <slrn8edf3i...@alive.znep.com>,
>Marc Slemko <ma...@znep.com> wrote:
>>Why doesn't NSI do this properly? I presume it is because they
>>don't care, because they have little (but growing...) reason to.
>
>The CRYPT-PW and PGP authentication schemes were created to address the
>forgeability of From: lines. Anyone who cares can make use of these
>mechanisms.

That is no excuse for not properly validating changes for domains without
such authentication schemes set. There is a trivial mechanism available
for authenticating that a request really did come from someone with
access to a particular email address. So why not use it?

PGP? Ha. Last time I tried using NSI's PGP option it was screwed
up so badly that it was completely unusable. I don't dare try it
again for fear that NSI will hold domains hostage again when their PGP
setup breaks.
