DNS hijacking?

  • L Lost User

    I just received an email supposedly from Kodak in this case, which was marked by Thunderbird as a scam and looked pretty suspicious (different link to link text going to strange things like p.p0.com/ etc). Anyway what I was wondering is the following: there are also links to emails.kodak.com, which looks like a subdomain on kodak.com, but when I tried opening emails.kodak.com in my browser (don't worry, I didn't use their link or accept the certificate ;P ) it gave the same security certificate as the other weird addresses. Does this mean that someone else can "steal" a subdomain from you? :confused: Or what seems to be happening in this case? Just curiosity, which I know killed the cat :)

    Paul

    Where are you?[^]
    How much time is left?[^]

    Nish Nishant
    wrote on last edited by
    #2

    Paul van der Walt wrote:

    Does this mean that someone else can "steal" a subdomain from you?

    I seriously doubt they can do that. Unless they've hijacked your DNS, in which case they can do as they please - the main domain, subdomains etc.

    Regards, Nish


    Nish’s thoughts on MFC, C++/CLI and .NET (my blog)
    C++/CLI in Action (*E-Book is out, Print version April 6th*)

      Lost User
      wrote on last edited by
      #3

      Nishant Sivakumar wrote:

      I seriously doubt they can do that.

      So do I. But in this case, emails.kodak.com[^] surely doesn't seem to go to anything Kodak-related.

      Paul

      Where are you?[^]
      How much time is left?[^]

        Nish Nishant
        wrote on last edited by
        #4

        Paul van der Walt wrote:

        But in this case, emails.kodak.com[^] surely doesn't seem to go to anything Kodak-related.

        It looks like web-access for Kodak employees to send marketing mails out. See this link[^]. I am pretty sure it's Kodak related, but not meant for outsiders :-)

        Regards, Nish


        Nish’s thoughts on MFC, C++/CLI and .NET (my blog)
        C++/CLI in Action (*E-Book is out, Print version April 6th*)

          Lost User
          wrote on last edited by
          #5

          Hm, interesting :) My bad I guess - not a scam after all perhaps ;P * crawls under the couch again *

          Paul

          Where are you?[^]
          How much time is left?[^]

            cmdrrickhunter
            wrote on last edited by
            #6

            I would argue otherwise. This Yesmail thing looks like a big spamming site, not an internal system. Why do they have a certificate in the first place?

              Paul Watson
              wrote on last edited by
              #7

              Looks like a marketing firm and product Kodak has contracted out. Goes to http://www.yesmail.com/

              regards, Paul Watson Ireland & South Africa

              Shog9 wrote:

              And with that, Paul closed his browser, sipped his herbal tea, fixed the flower in his hair, and smiled brightly at the multitude of cute, furry animals flocking around the grassy hillside where he sat coding Ruby on his Mac...

                Lost User
                wrote on last edited by
                #8

                Indeed, Nish pointed that out. :) I think I mis-diagnosed the email.

                Paul

                Where are you?[^]
                How much time is left?[^]

                  Russell Morris
                  wrote on last edited by
                  #9

                  Why on earth wouldn't you trust a certificate issued by The USERTRUST Network? User trust is their domain name! :)

                  "I hope he can see this, because I'm doing it as hard as I can" - Ignignot

                    Link2006
                    wrote on last edited by
                    #10

                    Paul van der Walt wrote:

                    I just received an email supposedly from Kodak in this case, which was marked by Thunderbird as a scam and looked pretty suspicious

                    Anyone can send an email that claims to be from any domain they want; it's set by the mail client, not the server. It's exactly the same as sending snail mail. You can write any return address you want on the envelope, but it doesn't mean that is where it really came from. Thunderbird marks this as a scam probably because that mail comes from an IP that doesn't match the IP of the MX record for the domain. I'd try looking into the headers to see where they actually came from if I were you.

                      Lost User
                      wrote on last edited by
                      #11

                      Link2006 wrote:

                      Anyone can send an email that claims to be from any domain they want

                      That's pretty obvious, I was referring to the fact that it seemed as though another website than the owners' was on a subdomain. The email bit wasn't the confusing part. On closer inspection the headers look reasonable. All comes from aforementioned subdomain.

                      Paul

                      Where are you?[^]
                      How much time is left?[^]

                        Lost User
                        wrote on last edited by
                        #12

                        ;P

                        Paul

                        Where are you?[^]
                        How much time is left?[^]

                          Vasudevan Deepak Kumar
                          wrote on last edited by
                          #13

                          I still doubt it should be an extent or variant of Phishing only.

                          Vasudevan Deepak Kumar Personal Homepage Tech Gossips

                            OfficialYesMan
                            wrote on last edited by
                            #14

                            Hi, Paul. I can answer this one definitively, because I just started working for the outfit in question last week. :)

                            Kodak has hired Yesmail (an InfoUSA company) to do their customer mailings. Our standard operating procedure is to encourage any client who has sufficient staff and resources to allocate a subdomain to us, while they retain complete control of the parent domain. That doesn't always work, and our smaller clients have to make do with a shared domain which we control (that's where p0.com comes into it); but in this case, Kodak should be big enough to do it right.

                            So, they're kodak.com; they point the subdomain emails.kodak.com to one of our dedicated mail server boxes (well, a blade in a blade server, anyway). We also try to make sure that we have SPF, reverse DNS, DKIM, you name it -- we're interested in any standard that will help prove this is a legitimate mailing covered by a real business relationship.

                            (On a personal note: I met my wife through an Internet mailing list over ten years ago. I'm a *fanatic* about keeping email useful for the good guys. I wouldn't work for this outfit if I thought they were spammers.)

                            Glad to see people are paying attention to these details. Hope I was able to help!

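The difference between a delegated subdomain and a provider's shared sending domain shows up in the message headers, which is where an earlier reply suggested looking. The following is an added example, not part of any post in this thread: it reads the headers of constructed messages and checks whether an SPF or DKIM pass recorded by the receiving server belongs to the same organizational domain as the From address (DMARC-style relaxed alignment). All domains, the `mx.receiver.example` authserv-id and the two-label organizational-domain shortcut are assumptions.

```python
# Added example; every domain below is a constructed placeholder.
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id stamped by our own inbound mail server.
TRUSTED_AUTHSERV = "mx.receiver.example"

def org_domain(domain):
    # Simplification: last two labels. Production code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv_id, {method: (result, props)})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", {}
    methods = {}
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", part)
        if m:
            props = dict(re.findall(r"([\w.]+)=([^\s;]+)", part[m.end():]))
            methods[m.group(1)] = (m.group(2), props)
    return parts[0].split()[0], methods

def check_alignment(raw):
    """Report whether a passing SPF or DKIM identity matches the From domain."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"] or "")[1].rpartition("@")[2]
    verdict = {"from": from_dom, "spf_aligned": False, "dkim_aligned": False}
    for header in msg.get_all("Authentication-Results", []):
        authserv, methods = parse_auth_results(header)
        if authserv != TRUSTED_AUTHSERV:
            continue  # a sender can add this header too; trust only our own server's
        for method, prop, key in (("spf", "smtp.mailfrom", "spf_aligned"),
                                  ("dkim", "header.d", "dkim_aligned")):
            result, props = methods.get(method, ("none", {}))
            dom = props.get(prop, "").rpartition("@")[2]
            if result == "pass" and dom and org_domain(dom) == org_domain(from_dom):
                verdict[key] = True
    verdict["aligned"] = verdict["spf_aligned"] or verdict["dkim_aligned"]
    return verdict

def sample(auth_results, from_header):
    # Builds a constructed message; not real mail.
    return (f"Authentication-Results: {auth_results}\n"
            f"From: {from_header}\nSubject: constructed sample\n\nbody\n")

# Client delegated a subdomain to the mailing provider: identities line up.
DELEGATED = sample(
    "mx.receiver.example; spf=pass smtp.mailfrom=bounce@emails.brand.example;"
    " dkim=pass header.d=emails.brand.example",
    "Brand Offers <offers@emails.brand.example>")
# Provider's shared domain: SPF and DKIM pass, but for the provider, not the brand.
SHARED = sample(
    "mx.receiver.example; spf=pass smtp.mailfrom=bounce@p.shared-esp.example;"
    " dkim=pass header.d=shared-esp.example",
    "Brand Offers <offers@brand.example>")
# Same claims as DELEGATED, but stamped by a server we do not operate.
UNTRUSTED = sample(
    "mx.unknown.example; spf=pass smtp.mailfrom=bounce@emails.brand.example;"
    " dkim=pass header.d=emails.brand.example",
    "Brand Offers <offers@emails.brand.example>")

if __name__ == "__main__":
    for name, raw in (("delegated", DELEGATED), ("shared", SHARED), ("untrusted", UNTRUSTED)):
        print(name, check_alignment(raw))
```

A pass on its own only says the sending server was authorized for the envelope or signing domain; the alignment step is what ties that result to the brand shown in the From line.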
                              Lost User
                              wrote on last edited by
                              #15

                              OfficialYesMan wrote:

                              Glad to see people are paying attention to these details. Hope I was able to help!

                              Most certainly you were :) Thanks for the explanation, I'll try to jump to confusions less fast in the future!

                              Paul

                              Where are you?[^]
                              How much time is left?[^]

                                cmdrrickhunter
                                wrote on last edited by
                                #16

                                I emailed Kodak about it, and it is legit. They use yesmail for some of their mailings, as several posters have suggested. They have the yesmail server listed in their domain because a message from kodak.com looks better than one from yesmail.com (hey, whadda ya know ;) ) So there's no phishing there... feel free to continue buying film from this good company :-D .... if they still make film. Does film still exist? All I have are digital cameras now.

                                  Lost User
                                  wrote on last edited by
                                  #17

                                  cmdrrickhunter wrote:

                                  Does film still exist? All I have are digital cameras now

                                  Yes, actually :-P I for one enjoy playing around with a fully manual Canon FTb, from about 1978 (my dad's camera).

                                  Paul

                                  Pauliastan in The Code Project, password: byalmightybob
                                  How much time is left?[^]
