Election Hoax Sent Via D.C. Based E-Campaign Group

An e-mail hoax telling 35,000 George Mason University students, faculty and staff that the election had been moved to Nov. 5 was sent through servers run by a D.C.-based company that helps political campaigns promote their messages online.

The fake e-mail, sent just after 1 a.m. this morning to a campus listserv, was crafted to appear as though it was sent from GMU's provost. In a follow-up e-mail sent this morning by the real GMU provost, the university said the hoax was perpetrated by someone who had apparently "hacked into" the school's e-mail system.

But information sent to washingtonpost.com by a GMU student indicates that the hoax succeeded because of a lack of proper filtering on the university's e-mail servers. In addition, it appears that the message was routed through e-mail servers at a local political advocacy group.

According to information contained in the e-mail header -- a portion of the message that could not be faked -- the bogus alert was routed to the university through servers at wiredforchange.com, a company in Washington, D.C., that provides e-mail and fund-raising services to Democratic and progressive candidates.

Among the group's clients are Va. Gov. Tim Kaine's Moving Virginia Forward campaign and Indiana Sen. Evan Bayh's AllAmerica Political Action Committee Web site.

Chris Lundberg, chief technology officer at wiredforchange.com, confirmed that the hoax e-mail was routed through its servers to GMU from a computer located in Germany. The message was sent via one of the group's "tell a friend" pages, which allows anyone to post messages to a recipient on behalf of campaigns working with or hosted at wiredforchange.com. An example of this feature can be seen here, at the campaign Web page of Paul Newell, a Democrat who recently ran for a seat in the New York assembly.

Lundberg said wiredforchange.com does have protections in place to block spammers from abusing the service, but that a single e-mail sent through the system from an Internet address that was not previously included on a spam blacklist would likely get through its servers most of the time.

"We are as pissed off as anyone about this incident, because our whole intention is to maximize turnout for election, not detract from it," Lundberg said.

Still, Lundberg said, the hoax e-mail probably would have failed if GMU's e-mail listserv -- the system set up at GMU to notify all students, faculty and staff simultaneously -- had been configured to ignore requests coming from outside of the university's network.

GMU spokesman Daniel Walsch declined to comment on the technical aspects of the incident. But he said the university has been fielding calls all morning from students and parents upset or confused about the fraudulent missives.

"This is upsetting and embarrassing and has caused a lot of confusion and concern among people," Walsch said.

Walsch said the university is working with the FBI to identify the source of the messages.

Update, 4:27 p.m.: Corrected the home state of Paul Newell.

By Brian Krebs  |  November 4, 2008; 1:56 PM ET
Categories:  Fraud , U.S. Government , Web Fraud 2.0  

Comments

Actually the e-mail was sent through two organizations - wiredforchange.com and democracyinaction.org

The origin of the e-mail is supposed to be Germany.

More strange is that the text of the e-mail used wording similar to that used in the previous provost's e-mail: an identical salutation to an e-mail sent by the provost 30 minutes before the fake one, and the signature at the bottom.

The fake was perpetrated by someone who received the previous e-mail (shouldn't be that hard to find considering limited number of users would be online between 1:05 a.m. and 1:35 a.m.)

Posted by: FlipSidePolitics | November 4, 2008 3:29 PM | Report abuse

@Flipsidepolitics -- wiredforchange.com and democracyinaction.org are essentially the same organization, the latter being the 501(c)(3) arm of wiredforchange, and the part that develops the technology used by wiredforchange.com.

Posted by: Brian Krebs | November 4, 2008 3:33 PM | Report abuse

Received at around 1:04 a.m. (genuine mail from provost's office)

----------
To the Mason Community:

I hear some troubling rumors, so here are a couple of facts: 1. The election is Nov. 4, for all political parties. The notion that one party votes Nov. 5 is UNTRUE. 2. It is also UNTRUE that any student jeopardizes financial aid by voting.

Peter N. Stearns
Provost
--------------

Fake e-mail (sent 1:17 a.m.)
--------------
To the Mason Community:

Please note that election day has been moved to November 5th. We apologize for any inconvenience this may cause you.

Peter N. Stearns
Provost
----------

How difficult would it be to find the perpetrator who received the first e-mail and sent the second one in a 12-13 minute window?

Posted by: FlipSidePolitics | November 4, 2008 3:35 PM | Report abuse


"Chris Lundberg, chief technology officer at wiredforchange.com, confirmed that the hoax e-mail was routed through its servers to GMU from a computer located in Germany."

Running a traceroute for the originating IP (85.195.123.24) shows that the IP is from anonymouse.org:

8 tnggbt.celsius.router.frankfurt.de.velia.net (85.195.113.2) 130.110 ms 143.120 ms 137.617 ms

9 mail24.anonymouse.org (85.195.123.24) 184.256 ms ! 185.758 ms ! 145.030 ms !


Anonymouse.org is an anonymizer service; the way Chris Lundberg describes it, it makes it sound like the computer of the person who sent the hoax was in Germany; more accurately, whoever sent the hoax used Anonymouse.org to mask wherever they were actually from. They could just as easily have been someone from Virginia who went through the anonymizer to submit the hoax.

Posted by: elektrix | November 4, 2008 4:04 PM | Report abuse

"More strange is that the text of the e-mail used wording similar to those used in previous provost's e-mail. Identical salutation as an e-mail sent by provost 30 minutes before the fake one, and signature at the bottom. The fake was perpetrated by someone who received the previous e-mail (shouldn't be that hard to find considering limited number of users would be online between 1:05 a.m. and 1:35 a.m.)"

Posted by: FlipSidePolitics | November 4, 2008 3:29 PM

Knowing GMU, I'd be more surprised it if WEREN'T an inside job than if it were (from someone inside the GMU community).

GMU is a trailer park among large public universities. It is Virginia's old-boy-network's attempt to have a large public university be a conservative hotbed. The school (and therefore the state) overpays out the nose for star conservative professors to come there, but on the other hand most of the other professors are mediocre nowhere thinkers at best, and churn out lame conservative-skewed academic work. The professors are of poor intellectual and personal quality, and so are the academics.

A few years back their affirmative action/equal opportunity/sexual harassment guy was busted and sent to Lorton prison for being a pedophile and extortionist, and he had worked there for about 20 years, bullying and mistreating students who tried to file complaints against faculty and administrators there. The GMU faculty and administration, of course, knew all about how corrupt his office was and they were happy with it. That place is a white racist, sexist old boy network trailer park from one end of the campus to the other.

GMU is such a crummy, corrupt school it's about #8 on the list of colleges to go to if you can't get into any other 4-year college as an in-state student. Its best students are 3rd and 4th year transfers from community college, which should tell you something about how bad the students are who start there as freshmen. You can always tell when it's midterms or finals week, on account of all the fire alarms that go off because panicked students pull them because they can't pass tests. Half the cheaters on campus aren't even students, but married professors cheating on their wives by making sex deals for grades with students.

Not only is it unsurprising that this stupid hoax emerged from GMU's email system, but it wouldn't surprise me if it was one of the faculty or administrators who "compromised" the system.

Trash, trash, trash.

I hope their funding gets cut dramatically if VA turns blue.

Posted by: AsperGirl | November 4, 2008 4:08 PM | Report abuse

The email was sent by someone who knew the poor email filtering setup. The "vulnerability" that was exploited can't even really be called a "hack" because it would have been easy for an insider to figure out. It was an incompetent IT configuration slipup, for a large university with federally funded databases on campus. At GMU, that is unsurprising.

Posted by: AsperGirl | November 4, 2008 4:11 PM | Report abuse

Minor correction: Paul Newell ran for the 64th AD in New York in the Democratic primary in September, losing to incumbent Assembly Speaker Sheldon Silver.

Posted by: epcostello | November 4, 2008 4:15 PM | Report abuse

AsperGirl, there's a lot of people who go to George Mason University for all sorts of reasons. Do you really find it necessary to insult the entire student body with statements like "GMU is such a crummy, corrupt school it's about #8 on the list of colleges to go to if you can't get into any other 4-year college as an in-state student. Its best students are 3rd and 4th year transfers from community college, which should tell you something about how bad the students are who start there as freshmen."?

I've been in plenty of classes with incredibly intelligent and thoughtful students, and I find your post offensive not only to me but to them and all other students at the university.

Personally I'm pursuing a double-major in English and History (GMU is convenient to me since I work in Northern Virginia), and have been impressed with many of the students I've studied with as well as many of my professors.

I couldn't find your characterization more insulting or off-the-mark.

Posted by: elektrix | November 4, 2008 4:30 PM | Report abuse

Reader Justin from GMU e-mailed me this comment, which echoes that of another reader above re: the traceback to Anonymouse.org

Running a traceroute for the originating IP (85.195.123.24) shows that the IP is from anonymouse.org:

8 tnggbt.celsius.router.frankfurt.de.velia.net (85.195.113.2) 130.110 ms 143.120 ms 137.617 ms

9 mail24.anonymouse.org (85.195.123.24) 184.256 ms ! 185.758 ms ! 145.030 ms !


Anonymouse.org is an anonymizer service; the way Chris Lundberg describes it, it makes it sound like the computer of the person who sent the hoax was in Germany; more accurately, whoever sent the hoax used Anonymouse.org to mask wherever they were actually from. They could just as easily have been someone from Virginia who went through the anonymizer to submit the hoax.

Anyway, just wanted to clarify that.

Posted by: Brian Krebs | November 4, 2008 4:31 PM | Report abuse

It's time for jail terms or public executions for the "hoaxers".

Period.

Posted by: WillSeattle | November 4, 2008 4:46 PM | Report abuse

"AsperGirl, there's a lot of people who go to George Mason University for all sorts of reasons. Personally I'm pursuing a double-major in English and History (GMU is convenient to me since I work in Northern Virginia), and have been impressed with many of the students I've studied with as well as many of my professors. I couldn't find your characterization more insulting or off-the-mark."

Posted by: elektrix | November 4, 2008 4:30 PM

I really feel for your tender narcissism and school chauvinism. How do you feel about the sexual predator that GMU harbored in their EEO/sexual harassment office for 20 years, who did hatchet jobs on students to stifle their complaints of discrimination, and acted abusively toward students?

Why don't you Google his name: Ronald Sinacore of GMU.

It's not my fault you don't go to a real school. If you don't like to hear the truth about your crummy school full of racists and sexual abusers, go to a school you can be proud of.

Posted by: AsperGirl | November 4, 2008 4:50 PM | Report abuse

Hey AsperGirl--I'm betting you didn't get accepted at George Mason. In fact, it is a terrific school, outstanding faculty, cutting-edge thinktanks and research labs in science,humanities and technology, and one of the most diverse (and interesting) student bodies in the nation. Too bad for you.

Posted by: student41 | November 4, 2008 4:59 PM | Report abuse

AsperGirl, did you have some sort of personal experience with Sinacore? I do remember the story when it occurred (and it is of course appalling), but your details about him doing hatchet jobs on students to stifle their complaints makes me wonder if he rejected a complaint from you? Or I guess I'm asking where that comes from - when that story happened, I don't recall reading about what he did regarding student complaints, so I can only assume you have some first or second-hand knowledge.

Either way, I don't think I ever said anything to defend the guy or that I didn't want to hear "the truth". I take issue with your characterization of the student body, the faculty and the university itself.

I don't get the feeling you want to specifically have a serious discussion about GMU; all I can say is that I don't find it to be the "crummy" school you characterize it as.

If all you can resort to is saying I don't go to a "real school" or that I can't be proud of it, I don't really see how there's anything I could say that would specifically alter your viewpoint. I just think you're being incredibly unfair to the large majority of students and faculty at GMU, and I don't think that requires "tender narcissism" or "school chauvinism" on my part to say.

Posted by: elektrix | November 4, 2008 5:02 PM | Report abuse

It sounds like Aspengirl was banging Sinacore and he dumped her. LOL I don't know what's worse. The email scam or Aspengirl. With the info she posted I would guess she makes a good suspect. She probably goes to Radford now. A much better school if you’re majoring in alcoholism or stupidity.

Posted by: askgees | November 4, 2008 5:04 PM | Report abuse

Aspengirl posts the dumbest things on every board I've ever been to. Look it up.

Posted by: askgees | November 4, 2008 5:06 PM | Report abuse

I am a student at GMU, currently pursuing my master's in professional writing and editing there. I did receive the hoax email referenced in this article, and was pleasantly impressed by how quickly the GMU provost dealt with the issue. At 1:21 a.m. the hoax email came through, and at 8:21 a.m. the correction was sent through. I am sure that GMU will do the right thing to tighten email security now that they know what the security flaw is.

As far as the other comments about GMU, they were off-topic, weren't they? This is a place for posting comments about the article, not your own personal rants. The fact that you can't stay on topic speaks volumes about you - not GMU.

Go Patriots!

Posted by: joyrenee1956 | November 4, 2008 7:17 PM | Report abuse

Shenanigans almost worthy of the administration itself... I certainly hope that the polling centers are being carefully monitored.

Posted by: TerrifiedAmerican | November 4, 2008 7:38 PM | Report abuse

Hey Aspergirl: try thinking instead of supporting your opinions based on anecdotal evidence.

Posted by: ryanu | November 5, 2008 2:53 AM | Report abuse

In defense of the IT staff at GMU who are tasked with configuring and administering the email systems, the gaping hole, i.e. the lack of filtering on the SMTP header fields, is something that was forced upon them by senior IT management. When the new system was put in place several years ago the vulnerability caused by not filtering was raised and repeatedly communicated by the systems engineers. People at the Director and VP level made the call to not have filtering implemented in order to allow off-campus users who may be affected by network protocol filtering mechanisms to send email via SMTP using their @GMU.EDU address in the FROM field. For example, Cox Communications requires all residential users to configure their email clients with "smtp.*.cox.net" because they filter port 25 outbound. So that messages from GMU users would be easily identifiable by their "real" GMU account name, the filtering was not put into place. It is not an open relay in that it will only accept messages with a GMU recipient, but the source is not filtered.

As far as this being an "inside job", I agree that someone within the greater GMU community is the most likely culprit. Not only because knowledge of this vulnerability wouldn't be very widespread, or interesting, outside of GMU but, also because this message was sent very shortly after a legitimate email from the Provost in which information about the election was conveyed.

Mason's ITU executive management is almost certain to react to this in a knee-jerk and overreaching manner even though it's a case of the chickens coming home to roost. I truly hope that the technologists involved will be spared the ire and ridicule of others. Start asking questions at the top.

Posted by: Cackalacky1 | November 5, 2008 1:54 PM | Report abuse

Do I understand correctly that wiredforchange.com basically runs an open relay, that will allow essentially anyone in the world to send email through their systems and have it relayed to any destination? If so, shame on them.

(No, blacklisting does not excuse creation of such an open relay. As shown here, blacklisting does not work very well. Their blacklist didn't even include anonymouse.org, which is available to anyone.)

Posted by: goaway41 | November 5, 2008 2:42 PM | Report abuse

The story is wrong. The e-mail headers can, and often are, faked, including the "Received by" headers. In fact, the "From" header is the one in this story that was compromised.

What cannot be faked is the connection address (the IP address and port of the mail server connecting to deliver the mail) and the envelope information concerning to whom the mail is to be delivered.

The hack occurred because a boundary inbound mailserver for the GMU community failed to catch the falsified "From" header containing an internal e-mail address, "noreply@gmu.edu", and instead permitted its delivery.

Such identity spoofing is common under SMTP, which is a protocol written in the days when the senders and recipients of e-mail trusted each other's veracity. Most anti-spam software, including the IronPort/Sophos appliance apparently used by GMU, if properly configured, would have caught this, since it is a common spamming technique. I receive dozens of e-mails each day of this type from spammers; my filter rejects them all.

Posted by: unclesmrgol | November 5, 2008 5:59 PM | Report abuse
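The boundary check that Cackalacky1 and unclesmrgol describe as missing (reject a message whose From: claims the campus domain when the host that actually connected to the inbound MX is outside the campus network), which is also the origin check the article says the listserv lacked, can be shown in a short script. This is an added example, not code from the article, from any commenter, or from GMU's or wiredforchange.com's systems; the domain example.edu, the MX name mx.example.edu, the TEST-NET address ranges and the sample messages are all constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical campus domain and address space (TEST-NET ranges, constructed).
INTERNAL_DOMAIN = "example.edu"
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
OUR_MX = "mx.example.edu"   # the boundary inbound MX whose own Received line we trust

# Matches the bracketed literal a typical MTA writes for the peer that connected,
# e.g. "from host (host [203.0.113.7]) by mx..."; the exact layout is MTA-specific.
PEER_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def connecting_ip(msg, our_mx=OUR_MX):
    """IP of the host that handed the message to our boundary MX, or None.

    Only the topmost Received header is consulted: it is the one our own MX
    prepended, so the peer address in it reflects the real TCP connection.
    Every Received line below it arrived from outside as part of the message
    and could have been written by the sender (the point unclesmrgol makes).
    """
    received = msg.get_all("Received") or []
    if not received or f"by {our_mx}" not in received[0]:
        return None                      # not stamped by our MX: trust nothing
    m = PEER_IP.search(received[0])
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def is_internal(ip):
    return ip is not None and any(ip in net for net in INTERNAL_NETS)


def classify(raw_message):
    """Return ("accept" | "reject", reason) for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    peer = connecting_ip(msg)
    # The one rule this example enforces: an internal From: must arrive from
    # an internal peer. External senders with external From: are left alone.
    if from_domain == INTERNAL_DOMAIN and not is_internal(peer):
        return ("reject", f"From: claims @{INTERNAL_DOMAIN} but peer was {peer}")
    return ("accept", f"peer {peer}, From: domain {from_domain or '(none)'}")


def peer_of(raw_message):
    """String form of the connecting IP for a raw message, or None."""
    ip = connecting_ip(message_from_string(raw_message))
    return None if ip is None else str(ip)


# Constructed sample messages. Header order is what the receiving MX sees:
# the newest Received line first. Hostnames, IPs and dates are invented.
FORGED = """\
Received: from relay.thirdparty.example (relay.thirdparty.example [203.0.113.7]) by mx.example.edu with ESMTP id abc123; Tue, 4 Nov 2008 01:17:02 -0500
Received: from anon.example.net ([198.51.100.9]) by relay.thirdparty.example; Tue, 4 Nov 2008 01:17:01 -0500
From: "Provost" <noreply@example.edu>
To: all-campus@example.edu
Subject: Constructed forged message

Constructed body.
"""

# Same forgery, but the sender also planted a Received line naming our own MX
# further down, hoping a naive chain-walker would treat the hop as internal.
FORGED_WITH_PLANTED_HOP = """\
Received: from relay.thirdparty.example (relay.thirdparty.example [203.0.113.7]) by mx.example.edu with ESMTP id abc124; Tue, 4 Nov 2008 01:17:02 -0500
Received: from mail.example.edu ([192.0.2.40]) by mx.example.edu; Tue, 4 Nov 2008 01:16:59 -0500
From: "Provost" <noreply@example.edu>
To: all-campus@example.edu
Subject: Constructed forged message with planted hop

Constructed body.
"""

GENUINE = """\
Received: from smtp.example.edu (smtp.example.edu [192.0.2.25]) by mx.example.edu with ESMTP id def456; Tue, 4 Nov 2008 01:04:00 -0500
From: provost@example.edu
To: all-campus@example.edu
Subject: Constructed genuine message

Constructed body.
"""

EXTERNAL = """\
Received: from mail.partner.example (mail.partner.example [203.0.113.50]) by mx.example.edu with ESMTP id ghi789; Tue, 4 Nov 2008 09:00:00 -0500
From: colleague@partner.example
To: someone@example.edu
Subject: Constructed ordinary external message

Constructed body.
"""

if __name__ == "__main__":
    for name, raw in [("forged", FORGED), ("planted hop", FORGED_WITH_PLANTED_HOP),
                      ("genuine", GENUINE), ("external", EXTERNAL)]:
        verdict, why = classify(raw)
        print(f"{name:12s} {verdict:7s} {why}")
```

Two design points follow from the thread. First, the script deliberately ignores every Received line except the one its own MX wrote, because the rest of the chain is sender-supplied text; a real filter running inside the MTA would use the peer address from the live connection rather than re-parsing a header at all. Second, the trade-off Cackalacky1 describes is real: this rule also rejects off-campus users who relay through their ISP's SMTP server with an @example.edu From:, and the usual way to keep those users is to have them submit through an authenticated submission service rather than the unauthenticated boundary MX, so the boundary can reject every external claim of the internal domain.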

See my previous post. That explains why the external/inbound email server and anti-SPAM system did not block this.

Posted by: Cackalacky1 | November 5, 2008 11:43 PM | Report abuse

@Unclesmrgol - The story is not wrong. I pointed out early on that the information in the "From" field had been forged, but that other information in the e-mail headers -- "a portion of the message that could not be faked" -- can in fact not be forged, and therefore left a trail of where this message was before it arrived at GMU.

What good is an email security appliance that simply accepts on faith the information contained in the portion of the e-mail header that can be faked? If the e-mail system is designed to tell whether a sender is valid -- or not a known spammer -- just by the information in the "from" field and not by any deeper analysis of the IP addresses or anything else, then the whole system has no integrity at all.

Posted by: Brian Krebs | November 6, 2008 3:54 AM | Report abuse

Here's another example of Election Eve online trickery. Flash ads @ the real estate meltdown blog CALCULATED RISK were hijacked by YES ON 8 ads('Defense of Traditional Marriage' in California).

CR killed the ads for the evening, eventually, for those readers who aren't Firefox Ad-Block users.

Posted by: featheredge9 | November 6, 2008 3:33 PM | Report abuse


© 2010 The Washington Post Company