Subject: More info about mail delivery
Date: Mon, Jan 17 2005 -- 6:27 AM
Posted by: Alexis Rosen
While my last message already felt too long, it didn't answer some very pressing questions about email.
Please note that everything that follows applies ONLY to mail sent to addresses at panix.com. If you use Panix for email service but the mail comes to your own domain, YOU WERE NOT AFFECTED AT ALL and you can safely ignore the rest of this message.
During a number of hours starting at the beginning of the hijacking- the precise duration depends on the particular system mail was sent from- mail sent to panix.com addresses worked normally, because it took a while for the change from correct server address to bogus server address to be "noticed" by systems on the Internet. Once the change was noticed, for a number of hours, mail sent to panix.com *WAS* diverted to the bogus mail servers. From there it was bounced as undeliverable. After that time, no mail sent to panix.com was delivered at all. It was either bounced immediately by the system attempting to send it, without ever reaching the bogus mail servers, or it was held for future delivery. Once the domain was restored to us, that held mail could be delivered correctly. Of course, just as it took time for systems to "notice" the hijacking, it takes time for them to notice the return to normalcy, and some systems won't notice until as late as 6PM or so Monday. Most (including those that send the most email to Panix) will have noticed by 9AM Monday, however.
Some customers have expressed concern that the email that was delivered to (and then bounced by) the bogus server might have been read before being bounced. Based on a significant amount of investigation, we've concluded that this is *probably* not the case. We think that the bogus server that was accepting mail and then bouncing it was actually a nominee- an innocent third party that didn't have any relationship with the hijacker. We have a moderate level of confidence in that assessment at this time. That means that most people should not be concerned, but if you had or suspect you may have had mail sent to you that contained sensitive data, it may be prudent to consider that data compromised. Each individual user will need to make their own assessment of the dangers of exposure of their email, and based on that, decide whether or not they need to change passwords or take other corrective actions.
Over the next days and weeks, we will reevaluate this based on our own research, the results of the forensic analysis of the hijacking by the registrars and Verisign, and information from law enforcement. As we become certain of this, or if new information comes to light that suggests it was incorrect, we'll inform you.