
Putting Network Plus to Real Use

mgmguy1 Member Posts: 485
Team,
I decided to put some of my network plus training to use.
I got an e-mail claiming to be from eBay telling me....
"During our regularly schedule account maintenance and verification we have detected a slight error in your billing information on file with eBay"

Since I have never used eBay, I looked at the internet headers of this e-mail and saw it came from student@msi-121.bloomer.k12.wi.us. So I did an
NSLOOKUP and found its IP address. Then I did an "ARIN WHOIS" search and found out what ISP bloomer.k12.wi.us uses.

I have two questions.
1st: Could I have found out all this information a better way?
2nd: Is it worth e-mailing the ISP whose user sent the e-mail?

Please advise.
"A lot of fellows nowadays have a B.A., M.D., or Ph.D. Unfortunately, they don't have a J.O.B."

Fats Domino

Comments

  • seuss_ssues Member Posts: 629
    Well, from past work experience (school districts) I know off the top of my head that .k12.wi.us is the kindergarten to 12th grade domain for WI (Wisconsin..???).

    If I read your account correctly, you had someone impersonating eBay through their domain. If I were the admin of that school I would very much like to know that either one of my students was trying to use my system for illegal reasons or a third party is trying to use my systems, via either a compromised machine or our mail system as a remailer.

    So definitely send the admin an email. On a side note, in order to get the correct address as to who to send it to you might just try the default admin@blah.blah.blah, but if you send the email to the registrar of the domain (technical contact shown in a whois) then you will most likely be emailing the people that run the statewide school networks (they run the routers and so forth) and not that particular school's admin.

    Either way, good use of the network tools.... I personally like samspade.org when I go to look up an address or FQDN.
  • mgmguy1 Member Posts: 485
    Thanks for the Info.
    I have added samspade.org to my bookmark list.

    I sent an e-mail to this guy: bkamrath@bloomer.k12.wi.us. Since the source message and this guy's e-mail address are almost exactly alike, this is where I sent my e-mail about my concern.

    If you or anyone else has any tips for this kind of stuff please let me know.

    mgmguy1
  • bighusker Member Posts: 147
    Are you sure the e-mail actually originated from those servers? Spammers (or anyone) can put *any* address in the "From:" field of an e-mail.
  • Starter Member Posts: 169
    mgmguy1 wrote:
    Team,
    is it worth e-mailing the ISP whose user sent the e-mail?

    There is no way the ISP would give you any info about their customer.
  • Ten9t6 Member Posts: 691
    starter wrote:
    mgmguy1 wrote:
    Team,
    is it worth e-mailing the ISP whose user sent the e-mail?

    There is no way the ISP would give you any info about their customer.

    The ISP will not give you any information...but you can report suspicious actions by one of their customers. They may or may not do anything about it. But, at least you let them know.

    Sounds like someone was phishing. They do crap like this to gain account information. They will even set up sites that look exactly like the real site...hoping that you will log in, so they can capture the information.

    There are tools that others have mentioned that will give you all of this information in one console. ...It was a good catch though. There is a reason why these types of attacks are popular...They work. People do not pay that much attention before slinging usernames and passwords around.
    Kenny

    A+, Network+, Linux+, Security+, MCSE+I, MCSE:Security, MCDBA, CCNP, CCDP, CCSP, CCVP, CCIE Written (R/S, Voice),INFOSEC, JNCIA (M and FWV), JNCIS (M and FWV), ENA, C|EH, ACA, ACS, ACE, CTP, CISSP, SSCP, MCIWD, CIWSA
  • Drakonblayde Member Posts: 542
    Yeah, you can't always trust the email address; you have to look at the IPs in the headers and trace those instead. Smart spammers will make the headers look totally legit, except when you go to trace the headers you find out it didn't originate from where you think it did.

    I'd email the admin of the network first and give him the chance to chase it down. If he blows you off, then email the abuse department of their ISP.

    Since it appears to have come from a school, it may or may not have been a student. Since most schools have EXTREMELY lax security, it's entirely possible that someone from the outside compromised the network and has been using it to cover their tracks. If I were going to do something illegal, I sure as hell wouldn't be doing it from a location I had to use and visit everyday, and given that most counties don't pay their sysadmins crap (yeah, personal experience), those admins may not care enough to harden the networks or may simply not know enough. Public school systems are a perfect recruiting ground for the black hats to add to their zombie army.
    = Marcus Drakonblayde
    ================
    CCNP-O-Meter:
    =[0%]==[25%]==[50%]==[75%]==[100%]
    ==[X]===[X]====[ ]=====[ ]====[ ]==
    =CCNA==BSCI==BCMSN==BCRAN==CIT=
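The header-tracing step described above, as an added example that is not code from any poster in this thread: it walks the Received: chain from the oldest hop upward, skips internal address space, and reports the first outside IP that handed the message in, alongside what the From: line claims. The sample message is constructed; the ".invalid" hostnames and the RFC 5737 documentation addresses in it are placeholders, not real systems, and the internal ranges are the RFC 1918, loopback and link-local blocks (documentation ranges are therefore treated as external so the sample runs end to end).

```python
"""Trace a suspect e-mail through its Received: headers.

Added example for this thread, not code from any poster. The From: line
can say anything; the bracketed IP in each Received: header is what the
receiving relay observed when the connection came in. Walking the chain
from the oldest hop upward and skipping internal address space gives the
first outside IP that handed the message in. That IP, not the From: domain,
is what to run through whois/ARIN. Only IPv4 literals are handled here.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: claims eBay, but the oldest public hop shows the
# message entering a school mail relay from an outside address that merely
# announced itself as "ebay.com" in its HELO. Hosts/addresses are placeholders.
SAMPLE_MESSAGE = """\
Received: from mx.example-isp.invalid (mx.example-isp.invalid [203.0.113.9])
\tby mail.recipient.invalid with ESMTP id abc123; Fri, 01 Jan 2010 10:00:00 +0000
Received: from msi-121.school.invalid (msi-121.school.invalid [198.51.100.22])
\tby mx.example-isp.invalid with ESMTP; Fri, 01 Jan 2010 09:59:58 +0000
Received: from unknown (HELO ebay.com) ([192.0.2.77])
\tby msi-121.school.invalid with SMTP; Fri, 01 Jan 2010 09:59:50 +0000
Received: from [10.0.0.5] by localhost; Fri, 01 Jan 2010 09:59:40 +0000
From: "eBay Billing" <billing@ebay.com>
To: victim@recipient.invalid
Subject: Account verification required

During our regularly scheduled account maintenance we detected an error...
"""

# Relays record the peer address in square brackets; the HELO name is what
# the peer *claimed* to be, so it is shown for comparison, never trusted.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_NAME = re.compile(r"\(HELO\s+([^\s)]+)\)", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+([^\s;(]+)", re.IGNORECASE)

# Address space to skip when looking for the first external hop (assumption:
# RFC 1918 + loopback + link-local; adjust to your own organisation's nets).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def received_hops(raw):
    """Received: headers in transit order (oldest first).

    Each relay prepends its own header, so the last one in the message is
    the earliest hop.
    """
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def hop_ip(hop):
    """Connecting IPv4 address the relay recorded in brackets, or None."""
    for candidate in RECEIVED_IP.findall(hop):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:  # e.g. an octet above 255
            continue
    return None


def is_internal(ip, internal_nets=INTERNAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)


def originating_hop(raw, internal_nets=INTERNAL_NETS):
    """(ip, hop_text) for the oldest hop from outside the internal ranges."""
    for hop in received_hops(raw):
        ip = hop_ip(hop)
        if ip and not is_internal(ip, internal_nets):
            return ip, hop
    return None, None


def claimed_domain(raw):
    """Domain the From: header asserts (untrusted; compare, don't rely on it)."""
    _, addr = parseaddr(message_from_string(raw)["From"] or "")
    return addr.rpartition("@")[2].lower()


def analyze(raw, internal_nets=INTERNAL_NETS):
    """Summarise what to look up: the observed origin IP vs. the claimed sender."""
    ip, hop = originating_hop(raw, internal_nets)
    helo = HELO_NAME.search(hop or "")
    relay = BY_HOST.search(hop or "")
    return {
        "claimed_from_domain": claimed_domain(raw),
        "originating_ip": ip,                 # run whois / ARIN on this
        "helo_name": helo.group(1).lower() if helo else None,
        "first_relay": relay.group(1) if relay else None,
        "hops": len(received_hops(raw)),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MESSAGE).items():
        print(f"{key:>20}: {value}")
```

On the constructed sample the result is `originating_ip` 192.0.2.77 (the address the school relay actually saw), `first_relay` msi-121.school.invalid, and a HELO of ebay.com that matches the From: domain only because the sender typed it; a whois on the origin IP, not an NSLOOKUP of the claimed hostname, is the lookup that identifies whose network to contact. Note that any header below the first relay you trust can itself be forged, so the analysis is only as good as the topmost relays you control.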
  • qsub Member Posts: 303
    A tactic people use to hijack eBay accounts.
    Not worth reporting because like mentioned above it's a spoofed address.

    You did apply your knowledge though. Good job on that.
    World Cup 2006 - Zidane - Never Forget.
  • mgmguy1 Member Posts: 485
    Thanks everybody....
    It's nice to see what I have learned has paid off and my message was well received.

    Thanks again for all the posts