Tuesday, 4 August 2015

“I’ve Given Up.” Is TalkTalk’s X-IronPort “Protection” Really This Vulnerable?

HERE’S A TRICK. If you ever need to inform all your contacts that you are discarding an old email address in favour of another, just enter your new address in the ‘Reply to’ field of your old account before you spam them. It permits your contacts to reply to your new address and quickly update their records (which is a particularly nice feature – if you use it).

Of course, you’re not a spammer – and neither am I; but my primary e-mail address is now receiving that onerous reputation as a result of someone using a similar method…

Don’t get me wrong, I’m not angry – as I write this post I’m trying my best not to laugh. It seems that a Russian University has come across an old post of mine (since removed) regarding David Cameron’s Porn Filter and TalkTalk’s X-IronPort sniffer that accompanied it. I was furious that it was sniffing incoming and outgoing emails of all TalkTalk and old Tiscali customers, without providing them the ability to turn it off – and, to prove my point, I included a great deal of personal information in the form of email headers…

When I first saw the bounce-notifications arriving in my inbox, I thought that some porn spammers had revised an old method of grabbing my attention by spoofing a server’s reply to suggest I had been trying to contact lovelylucy@hotmail.com (the world’s hottest lesbian) – along with numerous others who were, apparently, no longer residing at their address. I smiled, anticipating the receipt of a future email that would guide me towards the site that would answer ‘my’ attempts at contacting them – and duly forwarded the message to the Met’s Fraud and Phishing Dept. to aid their intelligence gathering.

I thought no more about it, until I was inundated by numerous bounces in a single stream the next day. ‘Idiots!’ I thought, and duly tweeted how nice it was to have my email address apparently confirmed to the spammers by a follow-up from the Met’s partners. Then I attached all the messages to another email, sent that to the Met as a means of expressing my disgust, and tagged them as spam to train my Norton installation. As the days developed, I just forwarded those messages that Norton was not catching to the Met for their information.

Perhaps I had been wrong…

What if those servers were genuine?…

Of course, the problem with upstream bounce notifications is that you can only discover the reason why delivery has been aborted at the responding server – and at that level. You have to wait until the error propagates back down the stream to the issuing server to see where the message originated – and I was sure that final notification would be intercepted by the spammer before it could be redirected to me. After all, it is quite easy to write your own server these days – and what spammer would allow me to see full details of the network he/she was using to distribute their wares?
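The propagation described above is visible in the bounce itself: a delivery status notification (RFC 3464) carries a copy of the rejected message’s headers, including the Received line that each relay added as it handled the message. The Python below is an added example, not code from this post, that parses such a bounce and flags it as backscatter when none of the relays in that chain is one of your own ISP’s mail servers; it is also the check behind the advice further down to watch for bounce notifications concerning messages you did not originate. It deliberately ignores From and Reply-To, since those are exactly the fields a spoofer fills in. The hostnames, addresses and both sample bounces are constructed for the demonstration.

```python
"""Backscatter check for bounce notifications (RFC 3464 delivery status
notifications).  Added example, not the blog's code: it parses a bounce, pulls
out the Received chain of the returned message and decides whether that message
ever passed through our own mail relays.  Hosts, addresses and samples are constructed."""
import email
import re

# Relays that our legitimate outbound mail really passes through (assumed).
OUR_MTAS = {"smtp.isp.example", "mail.isp.example"}
# The "by <host>" clause each relay writes into its own Received header.
BY_HOST = re.compile(r"\bby\s+([\w.\-\[\]:]+)", re.IGNORECASE)

def make_bounce(original_received):
    """Build a constructed multipart/report DSN whose returned copy of the
    original message carries the given Received headers (newest first)."""
    received = "\n".join("Received: " + r for r in original_received)
    return f"""From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Your message could not be delivered.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

{received}
From: <victim@isp.example>
Message-ID: <20150804095955.1234@203.0.113.55>

(body of the message that bounced)

--B1--
"""

def parse_dsn(raw):
    """Return the status fields and the Received chain of the returned message,
    or None when the mail is not a delivery-status report at all."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return None
    info = {"action": None, "status": None, "final_recipient": None,
            "message_id": None, "hops": []}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Payload is a list of header blocks: per-message, then per-recipient.
            for block in part.get_payload():
                for field in ("Action", "Status"):
                    if block.get(field):
                        info[field.lower()] = block[field].strip()
                if block.get("Final-Recipient"):   # reads "rfc822; address"
                    info["final_recipient"] = block["Final-Recipient"].split(";", 1)[-1].strip()
        elif ctype == "message/rfc822":
            original = part.get_payload()[0]
            info["message_id"] = (original.get("Message-ID") or "").strip() or None
            # Every relay prepends its own Received line, so the list is newest first.
            for header in original.get_all("Received") or []:
                match = BY_HOST.search(header)
                info["hops"].append(match.group(1).lower() if match else None)
    return info

def classify_bounce(info):
    """'backscatter' when no relay that handled the returned message is ours,
    'genuine' otherwise.  Received lines below the honest relays can be forged,
    so 'genuine' means consistent with our mail; confirm against the MTA log."""
    if info is None:
        return "not-a-dsn"
    return "genuine" if any(hop in OUR_MTAS for hop in info["hops"]) else "backscatter"

# Constructed sample 1: injected from a stranger's host, never touched our relays,
# although the From header carries our address.
BACKSCATTER = make_bounce([
    "from relay.example.org by mx.example.org; Tue, 4 Aug 2015 09:59:58 +0000",
    "from [203.0.113.55] (unknown [203.0.113.55]) by relay.example.org; Tue, 4 Aug 2015 09:59:55 +0000",
])
# Constructed sample 2: a real bounce, the message left through our own relay.
GENUINE = make_bounce([
    "from smtp.isp.example by mx.example.org; Tue, 4 Aug 2015 09:59:58 +0000",
    "from client.home.example by smtp.isp.example with ESMTPA; Tue, 4 Aug 2015 09:59:55 +0000",
])

if __name__ == "__main__":
    for sample in (BACKSCATTER, GENUINE):
        info = parse_dsn(sample)
        print(classify_bounce(info), info["status"], info["final_recipient"], info["hops"])
```

Run as a script it prints `backscatter` for the first sample and `genuine` for the second. The only evidence it trusts is the Received chain, because a relay cannot remove the lines added by the honest relays above it; what a spoofer can do is fabricate the lines below them, which is why a ‘genuine’ verdict is worth cross-checking against your own sent folder or your mail server’s log before you act on it.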

‘It must be a kid,’ I tweeted, when that final bounce arrived. ‘PHP Fail!’ I cried. It had originated from a Russian University, and when I finally made the connection and removed my post, I tweeted to Cyberspace in Russian.

A couple of days passed and I heard nothing more; then it began all over again. ‘What the f**k?’ I exclaimed.

I responded as I had earlier: Met Intelligence and Norton.

‘Now what?’ I was then forced to ask. The Met’s email was still in my outbox.

‘More server maintenance,’ I guessed; but, 24 hours later, it and the other emails I was trying to send stubbornly refused to move.

I reviewed the original message. It contained no links. For all that ‘spamming,’ not a single click-bait had been offered.

My ‘kid’ was no spammer. Was he (or she) trying to tell me something by conducting an X-IronPort probe – and cleverly using the internet’s backbone to copy me in? If all those servers were genuine, they were just doing what they were designed to do: forward a message, and inform THE PROVIDED EMAIL ADDRESS of any failures.

I was finally beginning to wake up…

All those people that had received ‘my’ emails that had got through, and reported them as spam; all those sniffs that X-IronPort had undertaken when alerted by those messages’ apparent porn content. All that Web-based anti-spam and anti-virus activity (that TalkTalk customers cannot turn off)...

I checked Outlook’s error messages…

Without any notification, or warning: TalkTalk had shut my email service down!

It was beautiful!

My distant Russian friend was apparently testing a theory – and had been proved correct.

X-IronPort, that evil sniffer on the internet backbone, can be utilised by anyone to deny all those it is apparently protecting the ability to send (and receive) emails. In effect, a simple PHP script running on Apache (or any other free server) can turn that protection against the very customers it is designed to protect – and a brute-force attack upon *@tiscali.co.uk and *@talktalk.net could effectively take their SMTP services down. All you have to do is spoof those addresses on a suitable message to attract X-IronPort’s interest – and all internet users will unwittingly assist in their demise.

Any kid could do it…

OMG! I couldn’t sleep! It was delicious – made even more so by the following conversation with TalkTalk’s Care Dept. on Twitter.

Oh yeah: you IT guys are going to love this…



It’s a bug, of course. A bug born of the same stupidity that our current Prime Minister exhibits whenever he mentions the Internet and how he will legislate to control it.

The fact is that you can’t. Just as you cannot legislate how a book must be written; or how language must be used to communicate. Human intelligence cannot be controlled (unless you kill all those exhibiting that quality and deny them the right to breed).

The particular stupidity, which has given rise to my inability to send or receive emails from my home broadband, is for others to believe that I am an email address – whereas it is just a box that a third party has permitted me to use for others wishing to communicate with me.

It is designed to RECEIVE communications. It CANNOT SEND.

It’s a POP mailbox; not an SMTP server.

Cameron has confessed to spending most of his leisure time watching US TV dramas, like CSI and NCIS – that I also have a penchant for; but they are fantasies, born of the Hollywood culture that seeks to entertain. They bear as much resemblance to reality as Doctor Who and other programs shown on the Horror Channel (where I spend most of my leisure time watching the old Hammer productions).

Cameron, and whoever wrote the code that assumed email addresses can send, do not possess the basic intelligence required to distinguish fact from fiction. To err is human; but to actually believe an obvious falsehood places everyone connected with it in jeopardy.

An old colleague of mine, Prof. Igor Shagaev (a specialist in system redundancy and the designer of fail-safe systems used in the Russian space program) once told me that it is always the obvious which is overlooked – and that he and his team had ‘built their admirable reputation upon the shoulders of idiots’.

If you are reading this, Igor, hi.

I’m still using the chess-set. Smile

[9/08/2015 16:29 – I am unreliably informed that this bug is receiving attention ‘at the highest IT level,’ but I am also reliably informed that it is not just humdrum email that utilises ports 25, 587 and 2525. Many modern systems implementing a remote alert or diagnosis log apparently use them.

2525, of course, is the port generally used by businesses to email their customers, so a false-positive provided by buggy ISP systems leading to its blocking could be particularly costly.

To check your own services go here: ping.eu/nslookup/ and select the 'Port Check' option. Click your IP at the top, and then enter each port number to check it is not blocked.

Keep an eye on your junk email and be on the look-out for any server bounce notifications concerning messages you did not originate.

If you have an elderly relative, or know anyone immobile that has not responded to your email: they may not be able to. Please give them a call to check that they are OK.

If you are mobile, you can circumvent the problem by using a public hotspot or joining a friendly neighbour’s Wi-Fi service that is not blocked (like any good spammer) – or you can use webmail for the time being (such as the Mail app that comes with Windows 10). The only problem with the latter solutions, of course, is that you cannot see your inbox email headers to verify their source.

Your cell phones should not be affected.

If you are a journalist pursuing this story, please feel free to plagiarise. I am being significantly hampered in my own attempts.

This exploit is now in the wild.]
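As a complement to the ping.eu check the update points to, here is an added Python example (not the blog’s code) that tests from your own machine whether TCP connections to ports 25, 587 and 2525 on a mail server can be opened and whether an SMTP greeting comes back. A connection that times out rather than being refused is the usual signature of an upstream block, and an open port that never sends a 220 banner suggests that something other than a mail server answered. The mail host is an assumption passed on the command line; the loopback listener is a constructed stand-in for a real MTA so that the code also runs offline.

```python
"""Outbound SMTP port check.  Added example, not the blog's code: from your own
machine, try to open TCP connections to the ports the update mentions (25, 587,
2525) and read the SMTP greeting.  The mail host is an assumption given on the
command line; the loopback listener is a constructed stand-in for a real MTA."""
import socket
import sys
import threading

SMTP_PORTS = (25, 587, 2525)

def probe_smtp(host, port, timeout=3.0):
    """Return (state, banner).  state is 'open', 'refused' (reachable, nothing
    listening) or 'filtered' (connect timed out, the usual look of an upstream
    block); banner is the first line of the 220 greeting, or None when an open
    port stays silent, a hint that something other than an MTA answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
            except socket.timeout:
                return "open", None
            banner = data.decode("ascii", "replace").split("\r\n", 1)[0].strip()
            return "open", banner or None
    except ConnectionRefusedError:
        return "refused", None
    except socket.timeout:
        return "filtered", None
    except OSError as exc:                  # e.g. network unreachable, bad host
        return "error:" + type(exc).__name__, None

def check_smtp_ports(host, ports=SMTP_PORTS, timeout=3.0):
    """Probe every port and return {port: (state, banner)}."""
    return {port: probe_smtp(host, port, timeout) for port in ports}

def start_banner_listener(banner=b"220 test.example ESMTP\r\n"):
    """Constructed stand-in for an MTA on 127.0.0.1: accept one connection, send
    the greeting, close.  Returns the port it chose."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def free_loopback_port():
    """Pick a port on 127.0.0.1 that nothing listens on (constructed, used to
    show what a 'refused' result looks like)."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]                   # your ISP's mail host (assumed)
        for port, (state, banner) in check_smtp_ports(host).items():
            print(f"{host}:{port}\t{state}\t{banner or ''}")
    else:
        port = start_banner_listener()       # offline demonstration on loopback
        print(probe_smtp("127.0.0.1", port))
        print(probe_smtp("127.0.0.1", free_loopback_port()))
```

Run it with your mail server’s hostname as the only argument to see one line per port; run it with no argument and it demonstrates an ‘open’ result with a banner against the loopback listener and a ‘refused’ result against an unused port. Comparing the results from your home broadband with the same run from a public hotspot or a phone’s data connection, as the update suggests, separates a block on the ISP’s side from a server that is genuinely down.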
