A reader writes:

Hello-I’m sending this as an email instead of a comment because, first of all I’m not positive I’m reading this right, and secondly, for God’s sake the last thing I want is to be misinterpreted as defending anything that Greenwald says. Please take this in the spirit of just looking at a good puzzle and wanting to know the truth.

Sure.

Parsing out the email headers, it looks like the path it shows from start to finish is:

INTZEXEVSIZN02.iraq.centcom.mil ([10.70.20.16])

INTZEXEBHIZN01.iraq.centcom.mil ([10.70.20.11])

02exbhizn02.iraq.centcom.mil [214.13.200.111]

rich.salon.com 8.12.11/8.12.11 (note that actually rich.salon.com = 206.80.4.124)

This is key, we’ll get back to it.

There countless ways to configure email servers and network multiple servers internally and externally as I’m sure you are aware. The DoD email network is certainly fairly complicated with a greater attention put into security than most simple private networks. Looking at that path, I see a couple things that could be normal, and a couple things that might be odd.

DoD may have it set to use internal relays before reaching a mail server with public access. That could explain the two internal IPs at the start. The first public address that shows up, 214.13.200.111, does appear to be allocated to DoD. That could be their external mail server that then sent the message to rich.salon.com.

Correct, it was. The trouble is, we don’t know, based on the header, that it actually came from a military computer to get to that military server.  Finding an open SMTP port on a forward facing server isn’t all that hard… particularly, as I say, a hastily set up Exchange server, which 214.13.200.111 readily ID’d itself as.

As far as a few things to question, it’s my experience that the details usually start with the computer that originates the message if they are using a client like Outlook. It could be that in this case the sender used a webmail program running on INTZEXEVSIZN02.iraq.centcom.mil ([10.70.20.16]) to compose the message. Or it could be we are not seeing the entire details. Hard to say. It looks like the public IP for rich.salon.com was obfuscated one way or another so who knows?

And why would THAT be, do you suppose?  If you figure that one out, you’ll better understand why I don’t trust a word of it. Add to that Greenwald’s history with this sort of thing and the conclusion to my mind is inescapable.

The architecture of the network drives some of this as well as security concerns. When I was in IT, a message from me would have shown a path with my computer name(using outlook) and showing the public IP used by the internal network to access the DMZ where the mail server was, the next hop being the mailserver and its public IP, the next hop being to the addressee mailserver. In its simplest form.

Anyway, I think it might just be possible that the header is accurate, but I’m not sure. I thought I’d just let you know.

Thanks much for taking the time. I’ve withheld your name, because I didn’t ask to forward your note… but I thought it worthwhile to the discussion to do so.

Let me be clear, here. The header shows signs of being hacked, to my eye. The line you spec as being out of kilter, is in fact out of kilter. So, not only was the thing hacked, but it was hacked by someone who doesn’t know thing one about how the stuff works.  Greenwaldian history gives us the rest.

Background here, here and Memeorandum

Tags: , , , , , , , , , , , , , , ,

11 Responses to “Greenwald, Yet Again… And Again”

  1. Ok

    Here is the weakness of the mail header issue.

    Anybody can set up a mail server on their network and as long as they match up the config file for their sendmail program to match the info in the suspect header they are gold for making the fake.  Then you set your public address on your gateway to look like the public address of anybody but you that your isp will allow to pass through to the net and not block as being non existent in their assigned netblock.  If they wanted to really dig through the logs they could really figure out which physical node on their net did the deed, but even better when you have the thing built just log onto a wifi hot spot in anonymous mode and do the deed from there and poof you are gone.

    Now unless the receiving server at salon totally validates the header of each incoming email (high security links sometimes do) and unless they have the log level for their server set high enough to capture the actual ip address you sent the email from if you hacked the headers to look the same they would never know the difference.

    The only way you could be assured that the email was from Joe Blow is if you had a totally encrypted end to end connection with a valid certificate for the encryption module.  Also an encrypted VPN tunnel would help to eliminate doubt.

    But when you are dealing with an unencrypted email over the public internet ip spoofing is a trick as old as the hills.  Any script kiddie hacker wannabe can find the available utility software for download at multiple places on the internet to do the deed.

    From near day one ip spoofing was the method of choice by spammers to send out their stuff so that if an angry person replied to the spam if would go to some poor smuck who’s ip they had spoofed or if multiple hops were used to someone along the way who had an open port that should have been shut especially weak until the news made it to most of the net were improperly configured sendmail programs which someone setup and left with the installation default account names and passwords that basically left an open door for bad guys to come riding through.

  2. Now the military end guy could use pgp or a similar program with a valid digital certificate and include his public key in the email body and salon’s mail server could ping any public key escrow server to validate it and decrypt the email with assurance it came from the sender of record.

    Since this is an in the clear email there is not any way you can 100% guarantee that the mail is valid from that source.

    The weakest point in the whole link is if someone has a high enough access to the public interface mail server and can get to the mail outbound section without leaving the fingerprint of a local login they could bogus up an email that would look to all the world like anything they wanted it to be.  However it is very doubtful that the military would leave that big of a security hole even on their side of the sendmail program.

  3. The header information provided in the example email is a short form header that doesn’t tell the whole story.

    Go to you email program and open any email you have received and then do whatever the equivalent of view headers all and a whole bunch of hidden normally from view information will show up with all sorts of technical details like sending agents DKIM signatures Domain Key Signatures Mime Types and a whole bunch more, but with a public email all of those details just about can be faked with only one semi trustworthy thing being the Domain Key-Signature which is a new protocol used between high volume email places like google and yahoo and such that validate the ip address of the incoming email to be a known ip address for for an outbound mail server as a group method to try to weed out ip spoofing spam mail.

  4. Also an important point is that there is absolutely no way that email went from the military public email server directly to the salon email server.  I had at least one hop on the net up to likely the NAP at MaeEast or whatever they call it now to put the message on the tier one internet backbone and then it had to probably hit a couple of hops or more on the way back down to the Salon mail server.  Any place along the way if you had a buddy in the it department who owed you one you could get him to do a man in the middle attack and send bogus email to either end of the chain and totally fake everyone out and they would be none the wiser without a whole bunch of log checking for any place that mail touched when getting from point a to point b.

    Just open a dos window if you can and do a traceroute to 214.13.200.111 and see how many hops your computer has to go through to get to the email server for the military.

  5. newer versions of Windows xp and beyond dont support the traceroute command but you can do it with readily available freeware programs available on the net for download.

  6. I just looked it up and here is a snip of info on that public side mail server referenced in the email.

    TraceRoute to 214.13.200.111 [02exbhizn02.iraq.centcom.mil]

    So that server is physcially located in Iraq…lord knows there had to be a bunch of hops to get to the Salon mail server.

  7. The mail server for Salon is physically located in the NYC area.

    You can locate it yourself by plugging 206.80.4.124 into the ip address box at this geo location server

    http://www.geobytes.com/IpLocator.htm?GetLocation

  8. Plugging in the ip for the Military end 214.13.200.111 give you Washington DC but that is the last location it will be able to show when it runs into the milnet gateway which protects the whole military infrastructure behind that from being probed.

  9. I forgot it’s no longer called milnet its niprnet or something like that now.

  10. I had to create a profile just to dispute this drivel:

    “It looks like the public IP for rich.salon.com was obfuscated one way or another so who knows?”

    It’s not obfuscated. 8.12.11 is the sendmail server version. This is how the SendMail server works. Anyone with access to Google can find that out.  Not knowing that immediately makes me suspect your “reader’s” technical skill level.

    smtp3.salon.com is the primary SMTP server for the SALON.com domain (ALIAS for rich.salom.com) both share the same external IP address of 206.80.4.124. Telnet to port 25 confirms that it’s a sendmail server

    220 mailer.salon.com ESMTP Sendmail

    “DoD may have it set to use internal relays before reaching a mail server with public access. That could explain the two internal IPs at the start”

    They are not using relays. This is how a normal large exchange org is configured. You have the web client (Col. Boyer) home server (INTZEXEBHIZN01 – Exchange 2003 with service pack 2) You can tell by SMTPSVC version 6.0.3790.3959. His home server will forward to the outbound mail transfer agent…INTZEXEBHIZN01.

    Then, the mail finally makes it to the DMZ mail server where it’s probably scanned for viruses, and that’s where we get 02exbhizn02.iraq.centcom.mil [214.13.200.111].

    “Finding an open SMTP port on a forward facing server isn’t all that hard… particularly, as I say, a hastily set up Exchange server, which 214.13.200.111 readily ID’d itself as.”

    This is not accurate, unless you’re talking about a mail server set by a first year college student. I challenge Mr. Bithead, or his reader, to try to relay through 214.13.200.111.

    Well, I did, via http://www.abuse.net/relay.html. I’ll save the real estate for everyone, but none of the 17 various relay tests were successful. If you think the military hastily sets up their Exchange servers and allows open relays, you sir, are a moron.

    So, I submit to you, Mr. Bithead, your reader was partially incorrect, technically. However, your interpretation is completely wrong. If you would like to debate any of these facts, I can be reached at [email protected]. I will be happy to clarify any of the technical information for you.

    So what is more likely? Col. Boyer’s sent the email to Mr. Greenwald?
    There is some l33t [email protected] out there breaking into the military email servers to send a spoofed email to Mr. Greenwald?

    I look forward to a response.

  11. It’s not obfuscated. 8.12.11 is the sendmail server version.

    Reasonable. Trouble is, other version of the program add the IP of the SENDMAIL server to the header. Now, SENDMAIL is pretty flexible, so it’s possible that Salon removed the IP from the header line as a programmatic thing, but why would they?

    I challenge Mr. Bithead, or his reader, to try to relay through 214.13.200.111. Well, I did, via http://www.abuse.net/relay.html. I’ll save the real estate for everyone, but none of the 17 various relay tests were successful. If you think the military hastily sets up their Exchange servers and allows open relays, you sir, are a moron.

    After all the publicity, you think that it wouldn’t have been closed by now? Com’on….

    But would they set it up that way in practice? It’s possible… particularly if they were focused more on getting email from the troops in the field home to the families, and not so much on security per se. Except for a Greenwald scenario, there’s no reason to clamp it down and every reason to leave it open.

    Plugging in the ip for the Military end 214.13.200.111 give you Washington DC but that is the last location it will be able to show when it runs into the milnet gateway which protects the whole military infrastructure behind that from being probed.

    Quite correct.

    And neither of you address the history of Greenwald, who has a history of sock puppetry, and loads of motivation to pull something like I described.