In the news


Brian Krebs, writing in his Security Fix column for the Washington Post, had this to say this morning:

Unknown hackers broke into George Mason University’s e-mail system and sent students a forged message from the school’s provost early this morning stating that Election Day had been moved to Nov. 5.

The message, dated 1:16 a.m., Nov. 4, with the subject line: Election Day Update, read:

To the Mason Community:

Please note that election day has been moved to November 5th. We apologize for any inconvenience this may cause you.

Peter N. Stearns
Provost

Seven hours later, students, faculty and staff received another message, this time from the real GMU provost, who blamed the e-mail hoax on a compromise of the school’s e-mail system.

How the story became that Mason’s email server was hacked, when the trail in the message headers shows clearly that it came in through the mail slot like any other message, is not what you’d expect to read in a security column.

Here are excerpts from the headers:

From: noreply@gmu.edu
Subject: Election Day Update
Date: November 4, 2008 1:16:42 AM EST
To: ANNOUNCE04-L@mail04.gmu.edu
Reply-To: noreply@gmu.edu
Return-Path:
...
Received: from ironport2.gmu.edu (ironport2.gmu.edu [129.174.0.125]) by mail04.gmu.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mA46Gg427221 for ; Tue, 04 Nov 2008 01:16:42 -0500 (EST)
Received: from m154.prod.democracyinaction.org ([8.15.20.154]) by ironport2.gmu.edu with ESMTP; Tue, 04 Nov 2008 01:16:42 -0500
Received: from [10.15.20.114] ([10.15.20.114:39637] helo=web4.mcl.wiredforchange.com) by mailer.mcl.wiredforchange.com (envelope-from ) (ecelerity 2.2.2.35 r(26825/26826)) with ESMTP id BC/ED-21096-AC8EF094; Tue, 04 Nov 2008 01:16:42 -0500
Sender: ANNOUNCE04-L
Message-Id: <23911171.1225779402109.JavaMail.root@web4.mcl.wiredforchange.com>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_3017_30982749.1225779402108"
Precedence: list
X-Sender-Ip: 129.174.0.116
X-Sender-Ip: 8.15.20.154
X_Dia_Originating_Ip: : 85.195.123.24
X_Dia_Source: : Host:web4.mcl.wiredforchange.com DB org
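One way to check what those headers say, as an added example that is not part of the original post: the script below unfolds the header block, walks the Received: lines oldest-first (each relay prepends its own line, so the order in the header is newest-first), finds the outermost hop written by a gmu.edu machine, and reports whether the sending side of that hop is inside or outside the domain. The sample input is the excerpt quoted above, trimmed to the lines the parser uses; the function names are my own, and the reverse lookup of 85.195.123.24 is not reproduced so the script runs offline.

```python
import re
from typing import Dict, List, Optional

Hop = Dict[str, Optional[str]]

# Header excerpt copied from the post above (Received: lines plus the identity
# headers the summary uses); the elided Return-Path value is omitted.
SAMPLE_HEADERS = """\
From: noreply@gmu.edu
Subject: Election Day Update
To: ANNOUNCE04-L@mail04.gmu.edu
Reply-To: noreply@gmu.edu
Received: from ironport2.gmu.edu (ironport2.gmu.edu [129.174.0.125]) by mail04.gmu.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mA46Gg427221 for ; Tue, 04 Nov 2008 01:16:42 -0500 (EST)
Received: from m154.prod.democracyinaction.org ([8.15.20.154]) by ironport2.gmu.edu with ESMTP; Tue, 04 Nov 2008 01:16:42 -0500
Received: from [10.15.20.114] ([10.15.20.114:39637] helo=web4.mcl.wiredforchange.com) by mailer.mcl.wiredforchange.com (envelope-from ) (ecelerity 2.2.2.35 r(26825/26826)) with ESMTP id BC/ED-21096-AC8EF094; Tue, 04 Nov 2008 01:16:42 -0500
Message-Id: <23911171.1225779402109.JavaMail.root@web4.mcl.wiredforchange.com>
Precedence: list
"""

_HOP = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)", re.I)
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})")


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) onto the previous header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def headers(raw: str) -> List[tuple]:
    """Split unfolded header lines into (lower-cased name, value) pairs, keeping order."""
    out = []
    for line in unfold(raw):
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


def parse_received(value: str) -> Optional[Hop]:
    """Pull the sending host, its bracketed IP and the receiving host out of one Received: value."""
    m = _HOP.search(value)
    if not m:
        return None
    from_host, comment, by_host = m.groups()
    ip = _IP.search(m.group(0))
    helo = re.search(r"helo=(\S+)", comment or "")
    # When "from" carries only an address literal, fall back to the HELO name the relay recorded.
    if from_host.startswith("[") and helo:
        from_host = helo.group(1)
    return {"from_host": from_host, "ip": ip.group(1) if ip else None, "by": by_host.rstrip(";")}


def trace_path(raw: str) -> List[Hop]:
    """Return the hops oldest-first; relays prepend, so the header order is newest-first."""
    hops = [parse_received(v) for n, v in headers(raw) if n == "received"]
    return [h for h in reversed(hops) if h]


def _in_domain(host: Optional[str], domain: str) -> bool:
    return bool(host) and (host == domain or host.endswith("." + domain))


def entry_hop(hops: List[Hop], domain: str) -> Optional[Hop]:
    """Walk newest-first through Received: lines written by hosts inside `domain` and
    return the outermost one. Lines below it were written by machines you do not
    control and may be forged, so this is the only hop whose "from" you can trust."""
    entry = None
    for hop in reversed(hops):  # hops are oldest-first, so reverse to start at the top
        if not _in_domain(hop["by"], domain):
            break
        entry = hop
    return entry


def entered_from_outside(raw: str, domain: str) -> Optional[bool]:
    """True if the message reached `domain`'s edge from a host outside it; None if no in-domain hop exists."""
    hop = entry_hop(trace_path(raw), domain)
    if hop is None:
        return None
    return not _in_domain(hop["from_host"], domain)


def summarize(raw: str, domain: str) -> Dict[str, Optional[str]]:
    """Compare the claimed sender (From:), where the Message-Id was minted, and the real entry point."""
    hdrs = dict(headers(raw))  # single-valued headers only; Received: is read via trace_path
    hop = entry_hop(trace_path(raw), domain)
    return {
        "from_domain": hdrs.get("from", "").rsplit("@", 1)[-1],
        "message_id_domain": hdrs.get("message-id", "").strip("<>").rsplit("@", 1)[-1],
        "entry_host": hop["from_host"] if hop else None,
        "entry_ip": hop["ip"] if hop else None,
        "from_outside": entered_from_outside(raw, domain),
    }


if __name__ == "__main__":
    for h in trace_path(SAMPLE_HEADERS):
        print(f"{h['from_host']} ({h['ip']}) -> {h['by']}")
    print(summarize(SAMPLE_HEADERS, "gmu.edu"))
```

On the sample it reports that the message entered at ironport2.gmu.edu from m154.prod.democracyinaction.org (8.15.20.154), while the displayed From: claims gmu.edu and the Message-Id was minted at web4.mcl.wiredforchange.com: the "came in through the mail slot" reading. The entry point is taken from the outermost Received: line written by the organisation's own edge rather than from the bottom of the chain, because anything below that line was written by hosts the recipient does not control.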

Oh, and if you do an nslookup on 85.195.123.24 you get:

Non-authoritative answer:
24.123.195.85.in-addr.arpa name = mail24.anonymouse.org.

http://anonymouse.org