Any Cox.net email users seeing security related problems?


Trikein

Guest
I am slightly hesitant to post since I don't know if it falls within the scope of this site or forum, and I was also involved in some drama on another forum I don't wish to repeat. I don't want to cause a forum-on-forum flame war, so I don't intend to reference that thread; the only reason I mention it is for transparency and in case there are any users here who were involved parties. Last, for full transparency, I was an employee of the ISP in question, but that was many years ago and AFAIK any email migration wasn't on the radar at that time. I have no inside knowledge on the email issue other than general knowledge of how their systems work. I also have no relationship or contacts with the company at this time other than being a customer.

With all that said, I would like to discuss the probability that Cox Communications (US 3-product ISP) outsourced its email platform to a 3rd party, and the security implications of that. From what I can gather from superficial evidence, they outsourced it to EasyDNS with their custom-branded EasyMail product. EasyMail is a decently well-known product and used by other ISPs. Also, many other ISPs have recently started to outsource their email service to 3rd parties, most notably Verizon FiOS outsourcing to AOL. However, that transition was public and Verizon came right out and told customers they were moving to AOL email. Not only did Cox not send any notification to its customers, or publish any support information, but it seems they didn't even tell their employees. I understand the need to outsource a product like email, which is very maintenance heavy and, besides ads, produces very little income. If you're going to cut corners though, the least you can do is be honest with the customer about it. Tell them where the ISP is moving their email and why. Inform them of how the change will cause technical fluctuation in the service. I think it's a poor move to try to hide a change as large as an entire email platform transition and then try to pass the problems off as "growing pains" of the "new" email.

If this post was only about a communication company not communicating with its customers, I wouldn't bother posting. What makes it a security issue is when you start connecting the dots to why Cox outsourced to EasyDNS and how their default DNS redirect system works. If you use DHCP DNS while on a normal Cox connection, the DNS connection you get is routed through EasyDNS's search engine. The spin is this helps you find the site you were trying to go to but spelled the site domain wrong. However, this also allows EasyDNS to install a cookie on your browser when you get redirected to their search engine (which is branded as Cox). This allows EasyDNS to track any searches done through their site, through the address bar directly (except Chrome), and any site they have ads on, like Cox.net. This isn't so much an issue in itself, as other ISPs do this as well, and it's a way of paying for the service and the ISP gets some extra profit too. Google's AdSense is an example of how to do it right. However, now that EasyDNS does Cox email, they can start tracking outbound search and connecting it to inbound spam. There are many different ways this could be done, and I don't pretend to be an expert; all I know is it's like inviting the fox to guard the chicken coop.

Besides the security implications of the same 3rd party controlling search and email, there are the security vulnerabilities of EasyMail itself. For one, it seems Cox isn't paying the premium for AES security for outbound on their SMTP servers. Not only is this a downgrade from the previous email service, but by forcing everyone onto the same security type, they are bogging down the already bandwidth-defined servers. The whole thing seems to be located in a Rackspace colo in central Texas. If you access Cox email servers from outside the 48-state US, you need to contact Cox and have them contact EasyMail to whitelist your IP to access their servers. When accessed in this way, the whole thing is done off Cox's systems. This says to me that the entire Cox email database, or at least a copy, was transferred several states away. I assume they didn't use FedEx, and used some kind of online transfer. The reason I mention this is that around the time of the transition, I noticed my Cox email was hacked. I had created the user myself personally when I was an employee, for testing purposes, and left it unassigned from any Cox service account. This protected it from being transitioned, so I was able to compare and contrast the differences. This also told me the entire email database must have been moved, and not just the active one connected to accounts, because mine was hacked. I don't mean someone brute-forced the password or guessed it. It was a 16-digit RNG hash that I used to change monthly, so I doubt anyone could have gotten it with a dictionary hack, and it wasn't in use on ANY platforms.

So there we have it. There are a lot of other things I would like to discuss, like how the DNS opt-out doesn't work anymore, and how you can't use static DNS on gateways, but this is a start. It looks like Cox outsourced their email to the same people who pay them for DNS data, so they tried to hide it. Then, when something happened during the transition that led to the compromise of account data, they called it "moving day" and made everyone change their password. Now it seems certain parties are using that user data to certain real Cox accounts and use them to spam other people. If nothing else, if you are a casual Cox email user, I would highly suggest changing email providers. Putting aside all security issues, having your ISP do your email doesn't make sense in today's modern world. If you move or change ISP, your entire online life is possibly connected to that email address. I prefer Gmail, but no matter what, just DON'T USE COX EMAIL! I give it the official Yahoo stamp of death.

Here is some technical data showing the issue:
Tracing route to imap.east.rs.oxcs.net [146.20.147.246] <Imap.cox.net>
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms xxxxxxxxxxxx [192.168.1.1]
2 4 ms 4 ms 4 ms lo0-100.XXXXRI-VFTTP-315.verizon-gni.net [72.92.x.x]
3 6 ms 6 ms 7 ms B3315.xxxxRI-LCR-22.verizon-gni.net [100.41.0.144]
4 * * * Request timed out.
5 * * * Request timed out.
6 13 ms 14 ms 14 ms 0.ae12.GW10.EWR6.ALTER.NET [140.222.235.119]
7 13 ms 14 ms 17 ms 157.130.91.86
8 18 ms 17 ms 16 ms nyk-bb4-link.telia.net [62.115.137.98]
9 21 ms 21 ms 22 ms ash-bb4-link.telia.net [62.115.136.201]
10 19 ms 18 ms 19 ms ash-b1-link.telia.net [213.155.136.39]
11 19 ms 19 ms 19 ms rackspace-ic-302157-ash-b1.c.telia.net [62.115.32.122]
12 * * * Request timed out.
13 23 ms 21 ms 22 ms coreb-dcpe2.iad3.rackspace.net [69.20.2.173]
14 21 ms 19 ms 19 ms core9-coreb.iad3.rackspace.net [65.61.152.173]
15 21 ms 21 ms 22 ms aggr501a-65-core9.iad3.rackspace.net [146.20.80.21]
16 19 ms 19 ms 19 ms 146.20.147.246
Trace complete.

smtp.cox.net. A IN 300 37ms 68.1.17.8
8.17.1.68.in-addr.arpa. PTR IN 86400 38ms smtpmyemail.cox.net.
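The post above describes an ISP resolver that answers queries for nonexistent names with the address of a branded search page instead of NXDOMAIN. The following is an added example, not code from the original thread or from Cox/EasyDNS, showing how to test your own resolver for that behaviour: ask for random labels that cannot exist and see whether an A record comes back anyway. The TLD list, probe count and the stand-in resolvers are assumptions; 198.51.100.7 is an RFC 5737 documentation address used as a constructed redirect target, not a real one.

```python
"""Detect NXDOMAIN rewriting ("search page" redirects) by the resolver in use.

Added example, not part of the original thread. Default TLDs, probe counts and
the two fake resolvers are assumptions/constructed data for an offline demo.
"""
import secrets
import socket
import sys
from typing import Callable, Dict, List


def random_nonexistent_name(tld: str = "com") -> str:
    """A random 16-hex-char label under `tld`; assumed not to be registered."""
    return f"nx-{secrets.token_hex(8)}.{tld}"


def system_resolve(name: str) -> List[str]:
    """Resolve via the OS resolver (whatever DHCP handed you).

    Raises socket.gaierror on NXDOMAIN, which is the honest answer.
    """
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify_nxdomain_handling(resolve: Callable[[str], List[str]],
                               tlds=("com", "net", "org"),
                               probes_per_tld: int = 2) -> Dict:
    """Probe random names under several TLDs through `resolve`.

    A compliant resolver fails every probe. A redirecting resolver returns an
    address, normally the same one each time: the search/ad landing page.
    """
    answers: Dict[str, List[str]] = {}
    redirect_targets = set()
    for tld in tlds:
        for _ in range(probes_per_tld):
            name = random_nonexistent_name(tld)
            try:
                addrs = resolve(name)
            except socket.gaierror:
                answers[name] = []          # NXDOMAIN: the expected result
                continue
            answers[name] = addrs
            redirect_targets.update(addrs)
    return {
        "redirected": bool(redirect_targets),
        "redirect_targets": sorted(redirect_targets),
        # one stable target across all probes is the signature of a search-page redirect
        "single_target": len(redirect_targets) == 1,
        "answers": answers,
    }


def honest_resolver(name: str) -> List[str]:
    """Constructed stand-in for a compliant resolver: every probe is NXDOMAIN."""
    raise socket.gaierror(-2, "Name or service not known")


def redirecting_resolver(name: str) -> List[str]:
    """Constructed stand-in for a resolver that rewrites NXDOMAIN to a landing page."""
    return ["198.51.100.7"]  # RFC 5737 documentation address, assumed landing-page IP


if __name__ == "__main__":
    if "--live" in sys.argv:             # run against the resolver this host is using
        print(classify_nxdomain_handling(system_resolve))
    else:                                # offline demo on the constructed resolvers
        print("honest:", classify_nxdomain_handling(honest_resolver)["redirected"])
        print("redirecting:", classify_nxdomain_handling(redirecting_resolver))
```

Run with `--live` on a connection using DHCP-assigned DNS and then again with a resolver you control; the `redirect_targets` set tells you whether, and to which address, nonexistent names are being rewritten. Random labels are used so that a cached or pre-seeded answer cannot mask the behaviour.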
 
If you are concerned about privacy, search tracking, cookies and ads being tied to content, why are you using gmail?
 
That is not what the OP is about. Please, no tin hats. I would like for this to be a technical discussion, and not opinionated. So is no one here a Cox customer? They are the 3rd-biggest ISP in the US. Does this thread not get as many views?
 
Cox did transition their email from their own over to a hosted/managed service. For users using desktop/mobile clients, the major impact was that anti-spam all of a sudden stopped working. Interesting to note that IMAP is going to a cloud-hosted service on Rackspace, but the SMTP MTA still resolves internally to a Cox IP.

(I don't use cox for regular email, and rarely use the webmail interface, but I did notice the change when I recently logged into my account to check on other things (e.g. their recent implementation of BW caps in our market.))

I haven't noticed any DNS issues yet - and yes, I do statically map DNS, and I run my own DNS resolver/forwarder in house.

For the Cox-provided GWs, might be a different story perhaps.
 
What are you seeking as the outcome of your "technical discussion"?
 
First, allow me to apologize if my first response was curt (YHPM). I didn't see that you were a staff member at first, so took the question out of context. I thought you were implying that the possible lack of privacy for one service should excuse the possible lack of security AND privacy of another service. My post isn't to tell people to use Gmail, far from it; it was just to impose the possibility, almost likelihood, that Cox's email system was compromised, so not to use Cox. In the thread I did not want to reference from the other forum, the OP (not me) included a screenshot from the official Cox chat program showing an employee casually admitting that the OP's account was hacked and implying that it was a common occurrence recently. That may not be proof that the hack had anything to do with Cox's change in email systems, but the timing and situation seem very coincidental. Even the rumors that Cox may no longer sell retail modems or routers, but only specific modem/router gateways, make the timing even more fitting. If they push gateways, and then block using static DNS, even to use Cox's own DNS redirect opt-out servers, because they are now possibly making more money from DNS redirects from EasyDNS after the Cox>EasyMail transition.

What are you seeking as the outcome of your "technical discussion"?

Good question! I think the discussion can go in several different possible directions. First, if there happen to be any Cox employees here that can give an inside scoop of what is really going on, with technical data proving it or disproving it, that would be optimal. I think that is unlikely to happen though. The next thing I would like is for other Cox customers to discuss any weird problems they have been having with Cox email, either accessing it or in what emails they get. I deleted my Cox email accounts when one was hacked, so I don't have anything to test with. Most of my research has been looking at other people's email headers and tracerts and comparing them to my own. The whole thing started when I was trying to help another Cox customer set up TLS (STARTTLS) on their outbound email to work with an Apple email client. I was confused why I could get it to work on my Cox email account, but not theirs, using the exact same settings, each of us connected directly to a modem. Through researching that I found Cox had been slowly transitioning users to the new email platform, and that platform didn't have an SSL certificate so couldn't establish the TLS connection. This can be used as a test to see if your username is on the old or new platform.

Interesting to note that IMAP is going to a cloud-hosted service on Rackspace, but the SMTP MTA still resolves internally to a Cox IP.

I think the email access from the new servers can happen no matter if you're on the old or new servers. However, to use the new cloud "Appsuite" you need to be on the new servers. What interests me is it seems most people's IMAP folders transitioned over, which means they moved the actual email data, and not just the usernames. This is why I specifically asked for my Cox usernames to be deleted, and not deactivated, so the inbox wouldn't copy to the new system. Oddly enough, even when the username was manually deleted from the Cox email server, I could still send email using that Cox username while on the Cox network. This tells me the system connection is only one way. I am not just saying this off the top of my head. As a previous employee, I used to troubleshoot the different Cox email systems and platforms between Residential and Cox Business. I think I even know the program they would have used for the transfer and the possible security leak. I don't want to go too much into that though, since it is a possible active security vulnerability.
 
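The post above proposes a test: point a mail client at the outbound server and see whether a TLS (STARTTLS) session can be established. The following is an added example, not code from the original thread or from Cox/EasyMail, that automates that check: connect, read the EHLO capability list, and if STARTTLS is advertised, upgrade with full certificate and hostname verification, so a missing or mismatched certificate shows up as a verification error rather than a silent plaintext session. smtp.cox.net is the hostname quoted in the thread; port 587, the timeout and the sample EHLO replies are assumptions/constructed data.

```python
"""Probe an SMTP server for STARTTLS and whether a verified TLS session is possible.

Added example, not from the original thread. Port 587, the timeout and the
sample EHLO replies below are assumptions/constructed data, not captures.
"""
import smtplib
import ssl
import sys
from typing import Dict


def parse_ehlo_capabilities(ehlo_reply: bytes) -> Dict[str, str]:
    """Turn a raw multi-line 250 EHLO reply into {KEYWORD: parameters}.

    The first 250 line is the server greeting, not a capability, so it is skipped.
    """
    caps: Dict[str, str] = {}
    lines = [l for l in ehlo_reply.decode("ascii", "replace").splitlines()
             if l[:3] == "250"]
    for line in lines[1:]:
        body = line[4:].strip()              # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.strip()
    return caps


def supports_starttls(ehlo_reply: bytes) -> bool:
    """True if the server advertised STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo_capabilities(ehlo_reply)


def probe_starttls(host: str, port: int = 587, timeout: float = 10.0) -> Dict:
    """Connect, EHLO, and if STARTTLS is offered, upgrade with full verification.

    ssl.create_default_context() checks the chain AND the hostname, so a server
    with no usable certificate fails here instead of quietly staying in plaintext.
    """
    result = {"host": host, "port": port, "starttls_advertised": False,
              "tls_established": False, "tls_version": None,
              "cert_names": [], "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls_advertised"] = smtp.has_extn("starttls")
            if not result["starttls_advertised"]:
                return result                # plaintext only: nothing to upgrade
            smtp.starttls(context=ssl.create_default_context())
            result["tls_established"] = True
            result["tls_version"] = smtp.sock.version()
            cert = smtp.sock.getpeercert()
            result["cert_names"] = [v for k, v in cert.get("subjectAltName", ())
                                    if k == "DNS"]
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate verification failed: {exc.verify_message}"
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


# Constructed EHLO replies for the offline demo (not captured from any real server).
EHLO_WITH_STARTTLS = (b"250-smtp.example.net Hello [203.0.113.5]\r\n"
                      b"250-SIZE 35882577\r\n"
                      b"250-STARTTLS\r\n"
                      b"250-AUTH PLAIN LOGIN\r\n"
                      b"250 8BITMIME\r\n")
EHLO_WITHOUT_STARTTLS = (b"250-smtp.example.net Hello [203.0.113.5]\r\n"
                         b"250-SIZE 35882577\r\n"
                         b"250-AUTH PLAIN LOGIN\r\n"
                         b"250 8BITMIME\r\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # live: python probe.py smtp.cox.net [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
        print(probe_starttls(sys.argv[1], port))
    else:                                    # offline demo on the constructed replies
        print("with STARTTLS:", supports_starttls(EHLO_WITH_STARTTLS))
        print("without STARTTLS:", supports_starttls(EHLO_WITHOUT_STARTTLS))
```

Three outcomes are distinguishable from the returned dict: STARTTLS not advertised at all, STARTTLS advertised but the upgrade fails verification (the `error` field names the reason), or a verified session with the TLS version and the certificate's DNS names. Mail clients that fall back to plaintext when the upgrade fails hide exactly the difference the test is trying to expose, which is why the probe never retries without TLS.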
Ok wow, seems you're not just a staff member, but the President of the whole site and company. ::cough:: Whoops. I went ahead and deleted my first reply. Sorry! :oops:

PS. I LOVE your site. <3 Please don't ban me.
 
@Trikein - word to the wise - be careful of the odor of burnt bridges... there are a couple of channels that industry folks tend to gather in - from Corp to Craft to Retail, from business to engineering - this is not one of them.

In our little community are members of the industry - I'm ex-ATT, ex-QCOM as an example, and there are many others like me.

It's a small group in our industry - I appreciate your comments and concerns - this might not be the right forum for them.

Best...

sfx
 
Interesting to note that IMAP is going to a cloud-hosted service on Rackspace, but the SMTP MTA still resolves internally to a Cox IP.

It's possible that they still run MTAs (outbound), but MDA (inbound) and mailboxes are outsourced.

Mail outsourcing isn't new BTW. A long time ago, Bell Canada outsourced their mail services to Microsoft/Hotmail, both SMTP and IMAP/POP3. It lasted for a few years, and Bell eventually got it back.

No idea if they're outsourcing it to someone else now, or if they do it internally. Aside from having left Bell a few years ago, I never really used their email platform either, having always had my email hosted either on a friend's own server, or on another hosting service once I got my own domain. Aside from the obvious fact that you will lose your email address the day you leave the ISP, most ISPs are rather clueless in managing their mail servers (one of the reasons, probably, why so many simply outsource it nowadays). Both main local ISPs would frequently get on numerous blacklists, and one of the two was also using rather silly queue expiration values (while the most common norm is 4h/5 days for warning/failure, they were using 1h/1 day values for many years, meaning if someone's mail server went down early on a weekend, that ISP's emails would bounce back after only 24 hours).
 
Ok then. I am out. Later peeps. I am not going to bend over backwards trying to protect other foolish users anymore. Have fun getting hacked!
 