Brian Krebs, writing in his Security Fix column for the Washington Post, had this to say this morning:
Unknown hackers broke into George Mason University’s e-mail system and sent students a forged message from the school’s provost early this morning stating that Election Day had been moved to Nov. 5.
The messaged, dated 1:16 a.m., Nov. 4, with the subject line : Election Day Update, read:
To the Mason Community:
Please note that election day has been moved to November 5th. We apologize for any inconvenience this may cause you.
Peter N. Stearns
Seven hours later, students, faculty and staff received another message, this time from the real GMU provost, who blamed the e-mail hoax on a compromise of the school’s e-mail system.
How the story became that Mason’s email server was hacked when the trail of the message headers showed clearly that it came in through the mail slot like any other message is not what you’d expect to read in a security column.
Here are excerpts from the header:
Subject: Election Day Update
Date: November 4, 2008 1:16:42 AM EST
Received: from ironport2.gmu.edu (ironport2.gmu.edu [126.96.36.199]) by mail04.gmu.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mA46Gg427221 for ; Tue, 04 Nov 2008 01:16:42 -0500 (EST)
Received: from m154.prod.democracyinaction.org ([188.8.131.52]) by ironport2.gmu.edu with ESMTP; Tue, 04 Nov 2008 01:16:42 -0500
Received: from [10.15.20.114] ([10.15.20.114:39637] helo=web4.mcl.wiredforchange.com) by mailer.mcl.wiredforchange.com (envelope-from ) (ecelerity 184.108.40.206 r(26825/26826)) with ESMTP id BC/ED-21096-AC8EF094; Tue, 04 Nov 2008 01:16:42 -0500
Content-Type: multipart/alternative; boundary="----=_Part_3017_30982749.1225779402108"
X_Dia_Originating_Ip: : 220.127.116.11
X_Dia_Source: : Host:web4.mcl.wiredforchange.com DB org
Oh, and if you do an nslookup on 18.104.22.168 you get:
22.214.171.124.in-addr.arpa name = mail24.anonymouse.org.