In the news

Brian Krebs, writing in his Security Fix column for the Washington Post, had this to say this morning:

Unknown hackers broke into George Mason University’s e-mail system and sent students a forged message from the school’s provost early this morning stating that Election Day had been moved to Nov. 5.

The message, dated 1:16 a.m., Nov. 4, with the subject line: Election Day Update, read:

To the Mason Community:

Please note that election day has been moved to November 5th. We apologize for any inconvenience this may cause you.

Peter N. Stearns

Seven hours later, students, faculty and staff received another message, this time from the real GMU provost, who blamed the e-mail hoax on a compromise of the school’s e-mail system.

How the story became that Mason’s e-mail server was hacked, when the trail of message headers clearly shows that the message came in through the mail slot like any other, is not what you’d expect to read in a security column.

Here are excerpts from the header:

Subject: Election Day Update
Date: November 4, 2008 1:16:42 AM EST
Received: from ( []) by (8.11.7p3+Sun/8.11.7) with ESMTP id mA46Gg427221 for ; Tue, 04 Nov 2008 01:16:42 -0500 (EST)
Received: from ([]) by with ESMTP; Tue, 04 Nov 2008 01:16:42 -0500
Received: from [] ([] by (envelope-from ) (ecelerity r(26825/26826)) with ESMTP id BC/ED-21096-AC8EF094; Tue, 04 Nov 2008 01:16:42 -0500
Sender: ANNOUNCE04-L
Message-Id: <>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_3017_30982749.1225779402108"
Precedence: list
X_Dia_Originating_Ip: :
X_Dia_Source: : DB org

Oh, and if you do an nslookup on you get:

Non-authoritative answer: name =
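
The same reading of the header trail, as an added example that is not part of the original post: parse the Received chain and find the hop where the organization's own server accepted the message from an outside host. The sample message, the example.edu domain, and every host and address in it are constructed placeholders, not the values missing from the excerpt above.

```python
import email
import re

# Constructed sample: hosts and IPs are documentation placeholders,
# not the values elided from the headers quoted in the post.
SAMPLE = """\
Received: from mx1.example.edu (mx1.example.edu [192.0.2.10])
 by mail.example.edu (8.11.7) with ESMTP id mA46Gg427221;
 Tue, 04 Nov 2008 01:16:42 -0500 (EST)
Received: from relay.bulkmail.example ([198.51.100.25])
 by mx1.example.edu with ESMTP; Tue, 04 Nov 2008 01:16:42 -0500
Received: from [203.0.113.77] ([203.0.113.77])
 by relay.bulkmail.example with ESMTP id BC/ED-21096;
 Tue, 04 Nov 2008 01:16:42 -0500
Subject: Election Day Update

(body)
"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace(raw):
    """Return relay hops newest-first (each server prepends its header)."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            ip = IPV4.search(value)
            hops.append({"from": m.group(1).lower(),
                         "by": m.group(2).rstrip(";").lower(),
                         "ip": ip.group(1) if ip else None})
    return hops

def in_org(host, domain):
    return host == domain or host.endswith("." + domain)

def entry_point(hops, domain):
    """Find the hop where our own server accepted mail from an outside host."""
    # Only headers written by our servers are trusted: walk down from the
    # newest hop; anything below the boundary hop could be sender-forged.
    for hop in hops:
        if not in_org(hop["by"], domain):
            return None  # chain leaves our servers before any boundary hop
        if not in_org(hop["from"], domain):
            return hop
    return None  # every hop internal: the message originated inside

print(entry_point(trace(SAMPLE), "example.edu"))
```

A boundary hop means the message was handed to the organization's mail exchanger over ordinary SMTP; `None` with an all-internal chain is the case that would warrant looking at the mail system itself.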
