[outages] eBay password changes -- were they attacked?

Jeremy Chadwick jdc at koitsu.org
Thu Apr 7 12:00:23 EDT 2016


On Thu, Apr 07, 2016 at 03:33:12PM +0000, Jay R. Ashworth via Outages wrote:
> ----- Original Message -----
> > From: "Joe Abley via Outages" <outages at outages.org>
> 
> > On 5 Apr 2016, at 15:29, Joe Zabramski via Outages <outages at outages.org> wrote:
> > 
> >> I received a very similar message from Amazon on 3/7/16.  Discussion boards
> >> seemed to indicate it was legit, however my password was never actually changed
> >> by Amazon as the e-mail indicated, nor did I ever change it manually as a
> >> result.
> >>  
> >> The e-mail also appeared legit on the headers, but now that I look at it a little
> >> more closely it originated from amazonses.com, which seems like it might be
> >> an e-mail service you can subscribe to?
> > 
> > My assumption would have been that it was a phishing attempt, and that any
> > credentials I had shared in response to the e-mail ought to be assumed
> > compromised immediately.
> > 
> > I'm not familiar with this "discussion board" approach to trusting unexpected
> > requests for login details.
> 
> Well, in fairness, none of these things require you to trust anything more
> than that your browser has you where the URL and certificate badge say it is.
> 
> "Amazon SES" is, of course, the AWS Simple Email Service, but I don't know
> if that's a valid domain for it.

Yes, amazonses.com is the valid domain for AWS SES.  What this means is
the Email Joe received was actually sent via Amazon's SES service
(possibly via SMTP, possibly via API), regardless of whatever other
domains/hostnames/etc. were involved or shown in the mail.

Amazon's documentation doesn't make this readily apparent, but you can
find definitive mentions of it here:

https://sesblog.amazon.com/blog/category/Announcements
https://sesblog.amazon.com/post/TxEH4YOF3YJG0L/Amazon-SES-IP-addresses
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/received-email-problems.html

The most notable is the first link, quoting: "By default, SES uses its
own MAIL FROM domain (amazonses.com or a subdomain of that) when it
sends your emails."

AWS SES runs an *incredibly* tight ship (I cannot stress this point hard
enough), so if you're receiving Emails of a suspicious or nefarious
nature which are truly coming via AWS SES, and your own review of the
details shows that it's nefarious and did in fact come via AWS SES, you
should report it.  They absolutely can and will look into it -- because
all outbound SMTP via SES, as well as API calls, are authenticated with
a key which ties to an account/user/customer.  Abuse form:
https://aws.amazon.com/forms/report-abuse

The easiest way to tell where an Email actually came from is to read all
of the Received: headers one at a time.  (Sometimes they're in
most-recent-first order, other times they're not and you get to piece
them together by paying very close attention).

-- 
| Jeremy Chadwick                                   jdc at koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |
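The Received: chain walk described above, as an added example that is not part of the original post: a small stdlib-only Python script that parses every Received: header of a raw message, re-chains the hops by matching each hop's "by" host to the hop it handed off to (so header placement does not matter), and checks whether the envelope sender and the relay hosts point at amazonses.com. The sample message, its hostnames, IPs and message id are constructed placeholders, not a real mail.

```python
"""Walk the Received: chain of a raw e-mail to find where it entered the mail
system, and check whether the envelope sender (MAIL FROM / Return-Path) and
the relay hosts point at amazonses.com.  Added example; stdlib only."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real mail).  Hostnames, IPs and the
# message id are placeholders; the layout mimics mail relayed through SES.
SAMPLE = """\
Return-Path: <0100-placeholder-id@amazonses.com>
Received: from a8-33.smtp-out.amazonses.com (a8-33.smtp-out.amazonses.com [192.0.2.33])
\tby mx.example.org (Postfix) with ESMTPS id ABC123
\tfor <joe@example.org>; Mon, 7 Mar 2016 09:12:01 -0500 (EST)
Received: from [10.0.0.5] (unknown [198.51.100.7])
\tby a8-33.smtp-out.amazonses.com with SMTP;
\tMon, 7 Mar 2016 14:11:58 +0000
From: "Amazon.com" <account-update@amazon.com>
To: joe@example.org
Subject: Your password was changed

Body text.
"""

RECEIVED_FROM = re.compile(r'^from\s+(\S+)(?:\s+\(([^)]*)\))?', re.I)
RECEIVED_BY = re.compile(r'\bby\s+(\S+)', re.I)


def _host(name):
    """Normalise a hostname/IP literal for comparison."""
    return (name or '').strip('[]').rstrip(';,)').lower()


def received_hops(raw):
    """Parse each Received: header into its 'from' host, the receiving MTA's
    comment about that host, and the 'by' host.  Headers come back in the
    order they appear in the message (topmost first)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all('Received', []):
        text = ' '.join(hdr.split())          # unfold continuation lines
        m_from = RECEIVED_FROM.match(text)
        m_by = RECEIVED_BY.search(text)
        hops.append({'from': m_from.group(1) if m_from else None,
                     'from_info': m_from.group(2) if m_from else None,
                     'by': m_by.group(1) if m_by else None})
    return hops


def delivery_path(hops):
    """Order hops final-receiver first by following each hop's 'from' host to
    the hop whose 'by' host matches.  Only the header your own MTA added is
    trustworthy; everything below it was supplied by the sending side, so the
    chain is evidence, not proof.  Falls back to header order if no chain."""
    by_index = {_host(h['by']): h for h in hops if h['by']}
    froms = {_host(h['from']) for h in hops if h['from']}
    start = [h for h in hops if h['by'] and _host(h['by']) not in froms]
    if not start:
        return list(hops)
    path, cur, seen = [], start[0], set()
    while cur is not None and id(cur) not in seen:
        seen.add(id(cur))
        path.append(cur)
        cur = by_index.get(_host(cur['from']))
    return path


def origin(hops):
    """The hop furthest from the final receiver, i.e. where the mail entered."""
    path = delivery_path(hops)
    return path[-1] if path else None


def envelope_sender_domain(raw):
    """Domain of the envelope sender as recorded in Return-Path (MAIL FROM)."""
    _, addr = parseaddr(message_from_string(raw).get('Return-Path', ''))
    return addr.rpartition('@')[2].lower()


def _under(host, domain):
    return host == domain or host.endswith('.' + domain)


def sent_via_amazonses(raw):
    """True when MAIL FROM is amazonses.com (or a subdomain) and at least one
    relay host in the Received chain is under amazonses.com as well."""
    sender_ok = _under(envelope_sender_domain(raw), 'amazonses.com')
    hosts = [_host(h[k]) for h in received_hops(raw) for k in ('from', 'by')]
    return sender_ok and any(_under(x, 'amazonses.com') for x in hosts)


if __name__ == '__main__':
    hops = received_hops(SAMPLE)
    for i, h in enumerate(delivery_path(hops)):
        print(f"hop {i}: {h['from']} ({h['from_info']}) -> {h['by']}")
    print('entered at:', origin(hops)['from'])
    print('MAIL FROM domain:', envelope_sender_domain(SAMPLE))
    print('via amazonses.com:', sent_via_amazonses(SAMPLE))
```

Run it against a saved .eml file by reading the file into `SAMPLE`'s place; the hop printed last is where the message entered the relay chain, and the MAIL FROM domain is what the post above says SES sets by default.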