1. NAT-safe IPv6 Tunnel from Mac OS X to Linux Server

    Here is how I routed myself a block of IPv6 to my laptop, wherever I am in the world! Note that I deliberately route myself an entire /64, but only allow a /128 through tinc (to reduce the amount of junk I might drown in). It should be relatively trivial to swap addresses if necessary in future.

    Mac OS X Laptop

    tinc.conf

    Name = laptop
    ConnectTo = server
    DeviceType = tun
    Mode = router
    

    tinc-up

    #!/bin/sh
    ifconfig $INTERFACE up
    # the laptop's own address; the /64 matches the block routed to it, though tinc only carries the /128
    ifconfig $INTERFACE inet6 add 2001:0db8:1234:5678:cafe:babe:feed:face prefixlen 64
    # the server's whole /56 (including its ::1 end of the tunnel) is on-link over tinc;
    # everything else is sent via the server
    route add -inet6 2001:0db8:1234:5600::1 -prefixlen 56 -iface $INTERFACE
    route add -inet6 :: -prefixlen 0 2001:0db8:1234:5600::1
    

    tinc-down

    #!/bin/sh
    route delete -inet6 :: -prefixlen 0
    # mirror of tinc-up: drop the /56 interface route as well as the /64 and host routes
    route delete -inet6 2001:0db8:1234:5600::1 -prefixlen 56
    route delete -inet6 2001:0db8:1234:5678:: -prefixlen 64
    route delete -inet6 2001:0db8:1234:5678:cafe:babe:feed:face
    ifconfig $INTERFACE inet6 delete 2001:0db8:1234:5678:cafe:babe:feed:face prefixlen 64
    ifconfig $INTERFACE down
    

    ~/bin/ipv6

    #!/bin/sh
    sudo /opt/local/sbin/tincd -D -c ~/.tinc
    

    Debian Linux Server

    nets.boot

    tunnel-5600
    

    tunnel-5600/tinc.conf

    Name = server
    DeviceType = tun
    Mode = router
    Subnet = 0:0:0:0:0:0:0:0/0
    

    tunnel-5600/tinc-up

    #!/bin/sh
    # the whole /56 sits on the tunnel interface; tinc itself only forwards the laptop's /128
    ip addr add 2001:0db8:1234:5600::1/56 dev $INTERFACE
    ip link set $INTERFACE up
    # the server must also have IPv6 forwarding enabled (net.ipv6.conf.all.forwarding=1) to relay
    

    tunnel-5600/tinc-down

    #!/bin/sh
    ip addr del 2001:0db8:1234:5600::1/56 dev $INTERFACE
    ip link set $INTERFACE down
    

    Common

    hosts/laptop

    Subnet = 2001:0db8:1234:5678:cafe:babe:feed:face/128
    -----BEGIN RSA PUBLIC KEY-----
    SNIP
    -----END RSA PUBLIC KEY-----
    

    hosts/server

    Address = 192.168.1.1
    Subnet = 0:0:0:0:0:0:0:0/0
    
    -----BEGIN RSA PUBLIC KEY-----
    SNIP
    -----END RSA PUBLIC KEY-----
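
    tinc in router mode forwards by the Subnet lines in hosts/*, so the design above (the server alone announces ::/0, the laptop only its /128) holds only as long as those files say so. The lint below is an added example, not part of this post and not tinc's own code: it reads host files in tinc's syntax and reports any node other than the gateway announcing a default route, any subnet outside the delegated /56, any peer claiming more than a /64, and any overlap between nodes. The two host files are the ones above (keys snipped); the rogue third file, the lint function, its messages and the /64 limit are my own.

```python
import ipaddress
import re

# Host files as shown in the post (keys snipped); a third, rogue one is constructed below.
HOSTS = {
    "laptop": (
        "Subnet = 2001:0db8:1234:5678:cafe:babe:feed:face/128\n"
        "-----BEGIN RSA PUBLIC KEY-----\nSNIP\n-----END RSA PUBLIC KEY-----\n"
    ),
    "server": (
        "Address = 192.168.1.1\n"
        "Subnet = 0:0:0:0:0:0:0:0/0\n\n"
        "-----BEGIN RSA PUBLIC KEY-----\nSNIP\n-----END RSA PUBLIC KEY-----\n"
    ),
}
DELEGATED = ipaddress.ip_network("2001:0db8:1234:5600::/56")  # the block routed to the server
GATEWAY = "server"  # the one node allowed to announce ::/0 (my naming)

# tinc's syntax is "Subnet = address[/prefixlen[#weight]]"; keywords are case-insensitive
SUBNET_RE = re.compile(r"^\s*Subnet\s*=\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_subnets(host_file: str) -> list:
    """Every Subnet declared in one tinc host file, as ipaddress networks."""
    nets = []
    for match in SUBNET_RE.finditer(host_file):
        value = match.group(1).split("#", 1)[0]          # drop an optional #weight
        nets.append(ipaddress.ip_network(value, strict=False))  # mask host bits for comparison
    return nets


def lint(hosts: dict, delegated, gateway: str, min_peer_prefixlen: int) -> list:
    """Problems with the Subnet declarations; an empty list means they match the design."""
    problems = []
    claimed = []  # (node, network) already accepted, for overlap checks
    for name, text in hosts.items():
        nets = parse_subnets(text)
        if not nets:
            problems.append(f"{name}: no Subnet line, so nothing will be routed to it")
        for net in nets:
            if net.prefixlen == 0:
                if name != gateway:
                    problems.append(f"{name}: announces a default route ({net}); only {gateway} may")
                continue  # the gateway's ::/0 legitimately covers everything
            if net.version != delegated.version or not net.subnet_of(delegated):
                problems.append(f"{name}: {net} is outside the delegated block {delegated}")
            if net.prefixlen < min_peer_prefixlen:
                problems.append(f"{name}: {net} is wider than the /{min_peer_prefixlen} a peer may claim")
            for other_name, other in claimed:
                if net.overlaps(other):
                    problems.append(f"{name}: {net} overlaps {other_name}'s {other}")
            claimed.append((name, net))
    return problems


# Constructed bad peer: grabs a default route and the laptop's whole /64.
ROGUE_HOST = "Subnet = ::/0\nSubnet = 2001:0db8:1234:5678::/64\n"

if __name__ == "__main__":
    print("as configured:", lint(HOSTS, DELEGATED, GATEWAY, 64) or "clean")
    for problem in lint(dict(HOSTS, rogue=ROGUE_HOST), DELEGATED, GATEWAY, 64):
        print("with rogue peer:", problem)
```

    Run it against /etc/tinc/tunnel-5600/hosts/ before reloading tincd. It checks the files only; on tinc releases that have the StrictSubnets option, setting it makes the daemon itself ignore any subnet a peer announces that is not in that peer's host file.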
    
  2. Update: Likely Data Security Breach at iContact.com

    On the day I posted Suspected Data Security Breach at iContact.com I was contacted via Facebook by someone with an email address @icontact.com. I forwarded them the same information that I sent to their abuse team. I’ve not heard anything back since.

    Others have picked up on this likely breach at iContact.com:

    iContact have answered some concerns: they are looking into the problem.

    I have been contacted by one of the sites/services whose address-list has been breached, simply to ask to be kept in the loop with iContact.com’s response.

    I have done some further research into my mail folders. I have found one address which iContact.com have on record which has not yet received any spam. As a result, this address hasn’t been compromised and has been replaced by HIDDEN on this public website. iContact’s abuse team has been provided with the full details, however:

    Received: from smtp7.icpbounce.com ([::ffff:216.27.93.119])
     by faelix.net with esmtp; Tue, 01 Jan 2008 01:12:36 +0000
     id 000013C1.47799384.00003B72
    Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
           by smtp7.icpbounce.com (Postfix) with ESMTP id 43D6197750
           for <HIDDEN>; Mon, 31 Dec 2007 19:54:34 -0500 (EST)
    Date: Mon, 31 Dec 2007 19:54:34 -0500
    

    This address hasn’t received any emails this month:

    mail:~# ls -l /var/log/mail.log*
    -rw-r----- 1 root adm  9351785 2010-01-28 11:45 /var/log/mail.log
    -rw-r----- 1 root adm 13870643 2010-01-24 06:23 /var/log/mail.log.1
    -rw-r----- 1 root adm  1451508 2010-01-17 06:24 /var/log/mail.log.2.gz
    -rw-r----- 1 root adm  1257403 2010-01-10 06:24 /var/log/mail.log.3.gz
    -rw-r----- 1 root adm  1828195 2010-01-03 06:25 /var/log/mail.log.4.gz
    mail:~# zgrep HIDDEN /var/log/mail.log*
    mail:~# 
    

    The last email sent to this address was via iContact.com on 17th July 2009:

    Received: from smtp15.icpbounce.com ([::ffff:216.27.93.111])
     by faelix.net with esmtp; Fri, 17 Jul 2009 23:30:51 +0100
     id 000010FE.4A60FB9D.000039C9
    Received: from localhost.localdomain (localhost [127.0.0.1])
           by smtp15.icpbounce.com (Postfix) with ESMTP id D37AA6A0C98
           for <HIDDEN>; Fri, 17 Jul 2009 18:01:58 -0400 (EDT)
    Date: Fri, 17 Jul 2009 18:01:58 -0400
    

    Timeline

    March 2002
    photonlight@maz.nu receives its first iContact.com mail
    1st January 2008
    HIDDEN receives its first iContact.com mail
    7th Feb 2009
    macheist.com@maz.nu receives its first iContact.com mail
    1st April 2009
    macheist.com@maz.nu receives its last iContact.com mail (address now blacklisted)
    2nd April 2009
    bloomsbury.com@maz.nu receives its first iContact.com mail
    14th May 2009
    slimes@maz.nu receives its first iContact.com mail
    17th July 2009
    HIDDEN receives its last iContact.com mail (address still valid)
    27th July 2009
    bloomsbury.com@maz.nu receives its last iContact.com mail (address now blacklisted)
    30th December 2009
    photonlight@maz.nu receives its last iContact.com mail (address now blacklisted)
    18th January 2010
    slimes@maz.nu receives its last iContact.com mail (address now blacklisted)

    At first I wondered if the anomalous address, HIDDEN, was an indicator that perhaps only addresses recently sent a newsletter by iContact.com had been breached (i.e. those contacted after 17th July 2009). The counter-example is macheist.com@maz.nu which has been receiving emails only via Google’s mailers since April 1st 2009, so that theory doesn’t hold water. However, it would appear that not all of my addresses on file at iContact have been spammed yet, so perhaps this isn’t a total breach… or perhaps I’m still waiting for HIDDEN to be hit!

  3. Suspected Data Security Breach at iContact.com

    I suspect iContact.com has suffered a data security compromise.

    Summary

    I have received four nearly-identical spams to four different addresses known only to myself and four distinct websites. These four websites all use iContact.com for newsletter mailing. I have also received this spam to a spam-trap address, but importantly, to no other unique addresses that I use with other websites. The evidence points strongly to a data breach at iContact.com.

    Evidence

    Four addresses known only to four websites and myself have begun receiving spam today. Each address below links through to the spam in question.

    All four websites in question (photonlight, slimelight, macheist and bloomsbury) have sent me emails via iContact. Extracts of the beginning headers of legitimate emails are as follows:

    Received: from drone15.ral.icpbounce.com ([::ffff:66.192.165.135])
      by mx10.faelix.net with esmtp; Wed, 30 Dec 2009 19:16:37 +0000
      id 0000C014.4B3BA715.00001A1E
    Received: from localhost.localdomain (localhost [127.0.0.1])
    	by drone15.ral.icpbounce.com (Postfix) with ESMTP id CA9D776C0CC
    	for <photonlight@maz.nu>; Wed, 30 Dec 2009 14:16:36 -0500 (EST)
    Date: Wed, 30 Dec 2009 14:16:36 -0500
    To: photonlight@maz.nu
    
    Received: from drone5.rtp.icpbounce.com ([::ffff:74.202.227.45])
      by mx10.faelix.net with esmtp; Mon, 27 Jul 2009 10:17:55 +0000
      id 00006005.4A6D7ED3.000023ED
    Received: from localhost.localdomain (localhost [127.0.0.1])
    	by drone5.rtp.icpbounce.com (Postfix) with ESMTP id A13E6438A76
    	for <bloomsbury.com@maz.nu>; Mon, 27 Jul 2009 06:17:50 -0400 (EDT)
    Date: Mon, 27 Jul 2009 06:17:50 -0400
    To: bloomsbury.com@maz.nu
    
    Received: from smtp8.icpbounce.com ([::ffff:216.27.93.118])
      by faelix.net with esmtp; Sun, 15 Mar 2009 01:02:05 +0000
      id 000013D9.49BC538D.0000767F
    Received: from localhost.localdomain (localhost [127.0.0.1])
    	by smtp8.icpbounce.com (Postfix) with ESMTP id 6E1AF97161
    	for <macheist.com@maz.nu>; Sat, 14 Mar 2009 21:01:44 -0400 (EDT)
    Date: Sat, 14 Mar 2009 21:01:44 -0400
    To: macheist.com@maz.nu
    
    Received: from smtp3.icpbounce.com ([::ffff:216.27.93.123])
      by mx10.faelix.net with esmtp; Thu, 14 Jan 2010 17:59:02 +0000
      id 0000C00A.4B4F5B66.0000129A
    Received: from localhost.localdomain (localhost [127.0.0.1])
    	by smtp3.icpbounce.com (Postfix) with ESMTP id 4124C596396
    	for <slimes@maz.nu>; Thu, 14 Jan 2010 12:58:58 -0500 (EST)
    Date: Thu, 14 Jan 2010 12:58:58 -0500
    To: slimes@maz.nu
    

    The only other address to receive the junk-mail in question is a spam-trap, known to receive large amounts of spam: my Debian consultant email address. No other address I use (there are several hundred) has received this spam today. Therefore I do not feel that a virus on my laptop or a compromise of my mail servers has leaked these addresses.

    I feel it is highly unlikely that four different websites would all have their mailing list databases separately compromised. Applying Occam’s Razor, the simplest explanation is that the common element — iContact.com — is the source of these email addresses of mine.
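
    The reasoning above, done mechanically, as an added example that is not part of the original post: every address is unique to one site, so the mail host that handed each site's legitimate newsletter to my MX (the outermost Received hop) names the provider behind that site; grouping the addresses by provider and asking which provider mailed every spammed address isolates the common element. The three icpbounce.com hops are copied from the headers above; the fourth address, its example.net mailer and the spammed set are constructed, and the "last two labels" rule for naming a provider is my simplification.

```python
import email
import re
from collections import defaultdict

# Outermost Received hop plus the To: line of one legitimate newsletter per
# address. Three are copied from the headers above; "control@maz.nu" and its
# example.net mailer are constructed as an address served by another provider.
LEGIT = {
    "photonlight@maz.nu": (
        "Received: from drone15.ral.icpbounce.com ([::ffff:66.192.165.135])\n"
        "  by mx10.faelix.net with esmtp; Wed, 30 Dec 2009 19:16:37 +0000\n"
        "To: photonlight@maz.nu\n"
    ),
    "macheist.com@maz.nu": (
        "Received: from smtp8.icpbounce.com ([::ffff:216.27.93.118])\n"
        "  by faelix.net with esmtp; Sun, 15 Mar 2009 01:02:05 +0000\n"
        "To: macheist.com@maz.nu\n"
    ),
    "slimes@maz.nu": (
        "Received: from smtp3.icpbounce.com ([::ffff:216.27.93.123])\n"
        "  by mx10.faelix.net with esmtp; Thu, 14 Jan 2010 17:59:02 +0000\n"
        "To: slimes@maz.nu\n"
    ),
    "control@maz.nu": (  # constructed
        "Received: from mta1.example.net ([::ffff:192.0.2.10])\n"
        "  by mx10.faelix.net with esmtp; Mon, 18 Jan 2010 09:00:00 +0000\n"
        "To: control@maz.nu\n"
    ),
}
# Unique addresses that received the spam; spam-traps are left out, as in the post.
SPAMMED = {"photonlight@maz.nu", "macheist.com@maz.nu", "slimes@maz.nu"}

FIRST_HOP = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def first_hop_host(raw_headers: str) -> str:
    """Host named in the outermost Received line, i.e. who delivered to my MX."""
    received = email.message_from_string(raw_headers).get_all("Received") or []
    match = FIRST_HOP.match(received[0]) if received else None
    return match.group(1).lower() if match else ""


def provider_of(host: str) -> str:
    """Crude registrable domain: the last two labels (fine for .com/.net mailers)."""
    return ".".join(host.split(".")[-2:])


def by_provider(legit: dict) -> dict:
    """provider -> set of my addresses that provider has legitimately mailed."""
    groups = defaultdict(set)
    for addr, headers in legit.items():
        groups[provider_of(first_hop_host(headers))].add(addr)
    return dict(groups)


def suspects(legit: dict, spammed: set) -> list:
    """Providers that mailed every spammed address, as (provider, spammed, total).

    total > spammed means some of that provider's addresses are not (yet) hit,
    which is the situation the follow-up post describes for HIDDEN.
    """
    out = []
    for provider, addrs in by_provider(legit).items():
        if spammed <= addrs:
            out.append((provider, len(addrs & spammed), len(addrs)))
    return sorted(out)


if __name__ == "__main__":
    print(by_provider(LEGIT))
    print(suspects(LEGIT, SPAMMED))
```

    The test of the argument is the control address: add it to the spammed set and no single provider covers every hit, which is what a leak from my own mailbox or mail server, rather than from one provider, would look like.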

    It is my belief, having read their website and spoken to customer services, that iContact do abide by their strict privacy and anti-spam policies. I do not believe they have sold their address database to spammers. I fear they have been victims of an attack against their database servers, or possibly a disgruntled insider has leaked their database.

    Their abuse team has been notified, and I await their feedback.

  4. Photonlight Email Leak

    I bought a product from Photonlight in 2002, and have been on their mailing list ever since. I last received something from them on 30th December 2009. Alas, now I’m also receiving spam to the address previously only known to them.

    Both Photonlight and Slimelight use iContact.com as mailing list providers. I spoke to iContact customer services via web-chat, and was told their privacy policy is to not share addresses with anybody.

  5. Slimelight Spam

    Another private address bites the dust. Slimelight’s webserver has MySQL open to the Internet.

  6. Identical Spam (including headers)

    This email was sent to an address I know the spammers have (it is listed on the Debian Consultants page). It is almost identical to several other spams I have been receiving to what I had considered to be private, unique addresses.

  7. Email Addresses Receiving Spam

    I give out different email addresses to different providers, mailing-lists and websites to see what gets leaked. It’s partly a check on privacy policies, and partly a way to ensure I can blacklist emails efficiently. I’ve run various schemes with email addresses on my domain maz.nu over the last eleven years. Here is what I have found.

    iana

    Registered with IANA for a private enterprise number for OIDs, iana is listed on a public website. It gets a lot of junk. There are a number of variations, however, which also receive spam:

    3aiana
    3eiana
    iana
    ianan
    ianann
    ianar
    

    I see the appending of “n” and “nn” and prepending of “3a”, “3e”, et cetera for other addresses in my block list. “3a” and “3e” might correspond to ASCII characters “:” and “>”. The “n”s and “r” might be C-style “\n” and “\r”.

    kinterbasdb

    Listed somewhere on SourceForge, kinterbasdb was an address I used for a software project I contributed to back in 2001/2002.

    kinterbasdb
    kinterbasdbd
    kinterbasdbdd
    kinterbasdbi
    

    I’m not sure how these corruptions could have occurred, but they’re clearly on some spammers’ databases now.

    Weird

    And here is a list of addresses which don’t fit any of my schemes for addressing but have received a huge amount of spam in their time:

    4m3yseg
    5ln
    amymc-rus
    begoxo
    cuoya
    hy953j0tr
    ln4kc6xvpt
    nuxero-geoy
    pmb
    wmware2003
    

    A million monkeys must have generated these and had them included into the spammers’ lists.
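
    The "3a"/"3e" and "n"/"r" hypothesis above, written out as code so it can be checked against the lists. This is an added example, not part of the original post: a two-hex-digit prefix is decoded as a byte and accepted only if it is punctuation (0x3a is ":", 0x3e is ">", which is what remains of a URL-encoded "%3A" or "%3E" beside the address once a scraper drops the percent sign), and a trailing run of n/r is read as a C-style "\n"/"\r" whose backslash was lost. The local-parts are those listed above; the origin story, the function names and the variant generator are my own, and the kinterbasdb corruptions are left unexplained, as the post leaves them.

```python
import re
from typing import Optional, Tuple

OBSERVED = {  # local-parts from the lists above: base -> variants seen receiving spam
    "iana": ["3aiana", "3eiana", "iana", "ianan", "ianann", "ianar"],
    "kinterbasdb": ["kinterbasdb", "kinterbasdbd", "kinterbasdbdd", "kinterbasdbi"],
}

HEX_PREFIX = re.compile(r"^([0-9a-f]{2})(.+)$")
ESCAPE_SUFFIX = re.compile(r"^(.+?)([nr]+)$")
ESCAPES = {"n": "\\n", "r": "\\r"}


def classify(base: str, variant: str) -> Optional[Tuple[str, str]]:
    """Name the corruption that turns `base` into `variant`, or None if unexplained.

    hex-prefix:    two hex digits decoding to a punctuation byte glued on the front,
                   e.g. "3a" (":") left over from a percent-stripped "mailto%3A".
    escape-suffix: trailing n/r runs, as from a C-style \\n or \\r minus its backslash.
    Both origins are hypotheses (the post's, restated here), not established fact.
    """
    if variant == base:
        return ("exact", "")
    m = HEX_PREFIX.match(variant)
    if m and m.group(2) == base:
        ch = chr(int(m.group(1), 16))
        if ch.isprintable() and not ch.isalnum():
            return ("hex-prefix", ch)
    m = ESCAPE_SUFFIX.match(variant)
    if m and m.group(1) == base:
        return ("escape-suffix", "".join(ESCAPES[c] for c in m.group(2)))
    return None


def expected_variants(base: str) -> set:
    """Spellings worth rejecting in advance, generated from the two corruptions above."""
    out = {f"{ord(ch):02x}{base}" for ch in ":<>"}      # punctuation that abuts an address
    out |= {base + tail for tail in ("n", "nn", "r", "rn")}  # \n, \n\n, \r, \r\n minus backslashes
    return out


def explain_all(observed: dict) -> dict:
    """base -> {variant: explanation}; None marks the ones the hypothesis cannot cover."""
    return {b: {v: classify(b, v) for v in vs} for b, vs in observed.items()}


if __name__ == "__main__":
    for base, results in explain_all(OBSERVED).items():
        for variant, why in results.items():
            print(f"{variant:16} {why}")
```

    Every iana variant is covered by the two rules; none of the kinterbasdb ones is, which is a useful negative result: whatever produced "kinterbasdbd" and "kinterbasdbi" is a different process from the one that produced "3aiana".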

  8. Macheist Privacy Failure

    Sorry, macheist.com, but if you can’t keep my email address private, I don’t want to hear from you any more.

    Received: from zulaa ([::ffff:124.158.125.66])
      by mx10.faelix.net with esmtp; Mon, 25 Jan 2010 12:54:44 +0000
      id 0000C007.4B5D9494.00004E67
    Received: from localhost (127.0.0.1) by mail.zulaa
     (124.158.125.66) with Microsoft SMTP Server id 8.0.685.24; Mon, 25 Jan 2010 21:08:09 -0800
    From: "Percocet.Vicodin.Adderall" 
  9. Bloomsbury Privacy Failure

    I give unique addresses to each web site or service I sign up to. Bloomsbury became the latest in a long string to pass on or leak my email address to spammers:

    • a local bathrooms/plumbing supplies business
    • an old alternative scene website (now defunct)
    • a South Manchester estate agent

    Received: from pc-233-137-45-190.cm.vtr.net ([::ffff:190.45.137.233])
      by mx10.faelix.net with esmtp; Mon, 25 Jan 2010 12:19:04 +0000
      id 0000C007.4B5D8C39.00004B4D
    Received: from localhost (127.0.0.1) by mail.pc-233-137-45-190.cm.vtr.net
     (190.45.137.233) with Microsoft SMTP Server id 8.0.685.24; Mon, 25 Jan 2010 09:22:20 +0100
    From: "Percocet.Vicodin.Adderall" 
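
    The two spam headers above (and the one in "Identical Spam (including headers)") share a chain that reads as a template: the hop beneath my MX is always "from localhost (127.0.0.1) by mail.<HELO name>" carrying the identical "Microsoft SMTP Server id 8.0.685.24" string, once from a bare name and once from a residential cable-modem host, and in the first sample that hop is dated more than sixteen hours after my MX accepted the message. The checker below is an added example, not part of these posts: it parses the Received chain and flags an inner hop dated after delivery, an inner "by" host that is just "mail." glued onto the outer hop's HELO name, and, across a batch, a "with ... id ..." string repeated from different source addresses. The two spam samples are copied from the posts, the legitimate one from the earlier breach post; the five-minute skew allowance and the flag names are mine.

```python
import email
import re
from collections import defaultdict
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Two spam samples copied from the posts above, and a legitimate iContact
# sample from the earlier "Suspected Data Security Breach" post for contrast.
SPAM_A = """Received: from zulaa ([::ffff:124.158.125.66])
  by mx10.faelix.net with esmtp; Mon, 25 Jan 2010 12:54:44 +0000
  id 0000C007.4B5D9494.00004E67
Received: from localhost (127.0.0.1) by mail.zulaa
 (124.158.125.66) with Microsoft SMTP Server id 8.0.685.24; Mon, 25 Jan 2010 21:08:09 -0800
From: "Percocet.Vicodin.Adderall"
"""
SPAM_B = """Received: from pc-233-137-45-190.cm.vtr.net ([::ffff:190.45.137.233])
  by mx10.faelix.net with esmtp; Mon, 25 Jan 2010 12:19:04 +0000
  id 0000C007.4B5D8C39.00004B4D
Received: from localhost (127.0.0.1) by mail.pc-233-137-45-190.cm.vtr.net
 (190.45.137.233) with Microsoft SMTP Server id 8.0.685.24; Mon, 25 Jan 2010 09:22:20 +0100
From: "Percocet.Vicodin.Adderall"
"""
LEGIT = """Received: from drone15.ral.icpbounce.com ([::ffff:66.192.165.135])
  by mx10.faelix.net with esmtp; Wed, 30 Dec 2009 19:16:37 +0000
  id 0000C014.4B3BA715.00001A1E
Received: from localhost.localdomain (localhost [127.0.0.1])
  by drone15.ral.icpbounce.com (Postfix) with ESMTP id CA9D776C0CC
  for <photonlight@maz.nu>; Wed, 30 Dec 2009 14:16:36 -0500 (EST)
Date: Wed, 30 Dec 2009 14:16:36 -0500
"""

CLOCK_SKEW = timedelta(minutes=5)  # how far "ahead" an inner hop may be; my choice


def grab(pattern: str, text: str) -> str:
    m = re.search(pattern, text)
    return m.group(1) if m else ""


def when(stamp: str):
    """Parse the date after the last ';' of a Received header, or None if unparsable."""
    try:
        return parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
    except (TypeError, ValueError):
        return None


def hops(raw: str) -> list:
    """Received headers, outermost (my MX) first, reduced to the fields checked below."""
    out = []
    for value in email.message_from_string(raw).get_all("Received") or []:
        clause, _, stamp = value.rpartition(";") if ";" in value else (value, "", "")
        out.append({
            "helo": grab(r"^\s*from\s+(\S+)", clause).lower(),
            "ip": grab(r"\[(?:::ffff:)?(\d+\.\d+\.\d+\.\d+)\]", clause),
            "by": grab(r"\bby\s+(\S+)", clause).lower(),
            "software": grab(r"\bwith\s+(.+?\s+id\s+[\w.]+)", clause),
            "time": when(stamp),
        })
    return out


def forgery_flags(raw: str) -> list:
    """Per-message signs that the hop beneath my MX was written by the sender, not a relay."""
    chain = hops(raw)
    if len(chain) < 2:
        return []
    outer, inner = chain[0], chain[1]
    flags = []
    if inner["time"] and outer["time"] and inner["time"] - outer["time"] > CLOCK_SKEW:
        flags.append("inner-hop-dated-after-delivery")
    if inner["by"] == "mail." + outer["helo"]:
        flags.append("by-host-is-mail-plus-helo")
    return flags


def shared_software(samples: list) -> dict:
    """Inner-hop 'with ... id ...' strings seen from more than one source IP.

    Per-message queue ids (Postfix) never repeat across messages, so only a fixed
    build string pasted into a template, like the Exchange one here, survives.
    """
    seen = defaultdict(set)
    for raw in samples:
        chain = hops(raw)
        if len(chain) > 1 and chain[1]["software"]:
            seen[chain[1]["software"]].add(chain[0]["ip"])
    return {s: sorted(ips) for s, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for name, raw in (("spam A", SPAM_A), ("spam B", SPAM_B), ("legit", LEGIT)):
        print(name, forgery_flags(raw))
    print(shared_software([SPAM_A, SPAM_B, LEGIT]))
```

    The second sample passes the timestamp check (its inner hop is four hours before delivery, which is merely odd) and is caught only by the "mail." plus HELO rule, so the two per-message checks and the batch check are worth running together rather than relying on any one of them.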
  10. Holiday Season

    During holiday season the number of hits to websites is down… except my personal blog where I have holiday pictures!

  11. SSHKeychain on Snow Leopard

    I am an avid user of MacPorts, but it seems some things are broken with Snow Leopard. In particular it seems one cannot build SSHKeychain:

    [~]% sudo port install SSHKeychain
    --->  Computing dependencies for SSHKeychain
    --->  Fetching SSHKeychain
    --->  Verifying checksum(s) for SSHKeychain
    --->  Extracting SSHKeychain
    --->  Applying patches to SSHKeychain
    --->  Configuring SSHKeychain
    --->  Building SSHKeychain
    Error: Target org.macports.build returned: shell command "cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_aqua_SSHKeychain/work/0.8.2" && xcodebuild  -target "SSHKeychain" -configuration Deployment build OBJROOT=build/ SYMROOT=build/ MACOSX_DEPLOYMENT_TARGET=10.6 ARCHS=x86_64 SDKROOT= ARCHS=i386" returned error 1
    Command output: 
    === BUILD NATIVE TARGET TunnelRunner OF PROJECT SSHKeychain WITH CONFIGURATION Deployment ===
    Check dependencies
    GCC 4.2 is not compatible with the Mac OS X 10.4 SDK (file TunnelRunner.c)
    GCC 4.2 is not compatible with the Mac OS X 10.4 SDK (file TunnelRunner.c)
    ** BUILD FAILED **
    
    
    Error: Status 1 encountered during processing.
    Before reporting a bug, first run the command again with the -d flag to get complete output.
    

    To fix this, I simply changed “10.4u” and “10.4” on lines 922 and 924 to “10.5” in the xcodeproj file:

    /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_aqua_SSHKeychain/work/0.8.2/SSHKeychain.xcodeproj/project.pbxproj
    
    		CC39D6380921118A00FE3BC5 /* Development */ = {
    			isa = XCBuildConfiguration;
    			buildSettings = {
    				ARCHS = (
    					ppc,
    					i386,
    				);
    				MACOSX_DEPLOYMENT_TARGET_i386 = 10.5;
    				MACOSX_DEPLOYMENT_TARGET_ppc = 10.3;
    				SDKROOT_i386 = /Developer/SDKs/MacOSX10.5.sdk;
    				SDKROOT_ppc = /Developer/SDKs/MacOSX10.3.9.sdk;
    			};
    			name = Development;
    		};
    

    Also further down on lines 936 and 938:

    /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_aqua_SSHKeychain/work/0.8.2/SSHKeychain.xcodeproj/project.pbxproj
    
    		CC39D6390921118A00FE3BC5 /* Deployment */ = {
    			isa = XCBuildConfiguration;
    			buildSettings = {
    				ARCHS = (
    					ppc,
    					i386,
    				);
    				MACOSX_DEPLOYMENT_TARGET_i386 = 10.5;
    				MACOSX_DEPLOYMENT_TARGET_ppc = 10.3;
    				SDKROOT_i386 = /Developer/SDKs/MacOSX10.5.sdk;
    				SDKROOT_ppc = /Developer/SDKs/MacOSX10.3.9.sdk;
    			};
    			name = Deployment;
    		};
    

    …and then…

    [~]% sudo port install SSHKeychain
    --->  Computing dependencies for SSHKeychain
    --->  Building SSHKeychain
    --->  Staging SSHKeychain into destroot
    --->  Installing SSHKeychain @0.8.2_0
    --->  Activating SSHKeychain @0.8.2_0
    --->  Cleaning SSHKeychain
    

    Alternatively, if you wish to just download it, it is available at http://fs.maz.nu/sshkeychain-0.8.2-sl.app.zip.

  12. Rapid Migration

    Behold the power of BGP!

    64 bytes from 193.142.245.198: icmp_seq=5 ttl=49 time=59.927 ms
    92 bytes from mort.m.faelix.net (193.142.245.108): Destination Net Unreachable
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 5400 4a31   0 0000  36  01 5e84 10.26.26.133  193.142.245.198 
    
    Request timeout for icmp_seq 6
    92 bytes from mort.m.faelix.net (193.142.245.108): Destination Net Unreachable
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 5400 3942   0 0000  36  01 6f73 10.26.26.133  193.142.245.198 
    
    Request timeout for icmp_seq 7
    64 bytes from 193.142.245.198: icmp_seq=8 ttl=49 time=56.130 ms
    

    Under three seconds of down-time.
