Trikein
Guest
I am slightly hesitant posting since I don't know if it falls within scope of this site or forum, and I was also involved in some drama on another forum I don't wish to repeat. I don't want to cause a forum on forum flame war so I don't intend to be referencing that thread, and the only reason I mention it is for transparency reasons and in case there are any users here who were involved parties. Last, for full transparency, I was an employee of the ISP in question, but that was many years ago and AFAIK any email migration wasn't on the radar at that time. I have no inside knowledge on the email issue other than general knowledge on how their systems work. I also have no relations or contacts with the company at this time other than being a customer.
With all that said, I would like to discuss the probability that Cox Communications (US 3-product ISP) outsourced its email platform to a 3rd party and the security implications of that. From what I can gather from superficial evidence, they outsourced it to EasyDNS with their custom-branded EasyMail product. EasyMail is a decently well-known product and used by other ISPs. Also, many other ISPs have recently started to outsource their email service to 3rd parties, most notably Verizon FIOS outsourcing to AOL. However, that transition was public and Verizon came right out and told customers they were moving to AOL email. Not only did Cox not send any notification to its customers, or publish any support information, but it seems they didn't even tell their employees. I understand the need to outsource a product like email, which is very maintenance heavy and, besides ads, produces very little income. If you're going to cut corners though, the least you can do is be honest with the customer about it. Tell them where the ISP is moving their email and why. Inform them of how the change will cause technical fluctuation in the service. I think it's a poor move to try to hide such a large change as an entire email platform transition and then try to pass the problems off as "growing pains" of the "new" email.
If this post was only about a communication company not communicating with its customers, I wouldn't bother posting. What makes it a security issue is when you start connecting the dots to why Cox outsourced to EasyDNS and how their default DNS redirect system works. If you use DHCP DNS while on a normal Cox connection, the DNS connection you get is routed through EasyDNS's search engine. The spin is that this helps you find the site you were trying to go to but spelled the site domain wrong. However, this also allows EasyDNS to install a cookie on your browser when you get redirected to their search engine (which is branded as Cox). This allows EasyDNS to track any searches done through their site, through the address bar directly (except Chrome), and any site they have ads on, like Cox.net. This isn't so much an issue in itself, as other ISPs do this as well, and it's a way of paying for the service and the ISP gets some extra profit too. Google's AdSense is an example of how to do it right. However, now that EasyDNS does Cox email, they can start tracking outbound search and connecting it to inbound spam. There are many different ways this could be done, and I don't pretend to be an expert; all I know is it's like inviting the fox to guard the chicken coop.
Besides the security implications of the same 3rd party controlling search and email, there are the security vulnerabilities of EasyMail itself. For one, it seems Cox isn't paying the premium for AES security for outbound on their SMTP servers. Not only is this a downgrade from the previous email service, but by forcing everyone onto the same security type, they are bogging down the already bandwidth-defined servers. The whole thing seems to be located in a Rackspace colo in central Texas. If you access Cox email servers from outside the 48-state US, you need to contact Cox and have them contact EasyMail to whitelist your IP to access their servers. When accessed in this way, the whole thing is done off Cox's systems. This says to me that the entire Cox email database, or at least a copy, was transferred several states away. I assume they didn't use FedEx, and used some kind of online transfer. The reason I mention this is that around the time of the transition, I noticed my Cox email was hacked. I had created the user myself personally when I was an employee for testing purposes and left it unassigned from any Cox service account. This protected it from being transitioned, so I was able to compare and contrast the differences. This also told me the entire email database must have been moved, and not just the active one connected to accounts, because mine was hacked. I don't mean someone brute-forced the password or guessed it. It was a 16-digit RNG hash that I used to change monthly, so I doubt anyone could have gotten it with a dictionary attack, and it wasn't in use on ANY platforms.
So there we have it. There are a lot of other things I would like to discuss, like how the DNS opt-out doesn't work anymore, and how you can't use static DNS on gateways, but this is a start. It looks like Cox outsourced their email to the same people who pay them for DNS data, so they tried to hide it. Then, when something happened during the transition that led to the compromise of account data, they called it "moving day" and made everyone change their password. Now it seems certain parties are using that user data to certain real Cox accounts and use them to spam other people. If nothing else, and you are a casual Cox email user, I would highly suggest changing email providers. Putting aside all security issues, having your ISP do your email doesn't make sense in today's modern world. If you move or change ISP, your entire online life is possibly connected to that email address. I prefer Gmail, but no matter what, just DON'T USE COX EMAIL! I give it the official Yahoo stamp of death.
Here is some technical data showing the issue:
Tracing route to imap.east.rs.oxcs.net [146.20.147.246] <Imap.cox.net>
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms xxxxxxxxxxxx [192.168.1.1]
2 4 ms 4 ms 4 ms lo0-100.XXXXRI-VFTTP-315.verizon-gni.net [72.92.x.x]
3 6 ms 6 ms 7 ms B3315.xxxxRI-LCR-22.verizon-gni.net [100.41.0.144]
4 * * * Request timed out.
5 * * * Request timed out.
6 13 ms 14 ms 14 ms 0.ae12.GW10.EWR6.ALTER.NET [140.222.235.119]
7 13 ms 14 ms 17 ms 157.130.91.86
8 18 ms 17 ms 16 ms nyk-bb4-link.telia.net [62.115.137.98]
9 21 ms 21 ms 22 ms ash-bb4-link.telia.net [62.115.136.201]
10 19 ms 18 ms 19 ms ash-b1-link.telia.net [213.155.136.39]
11 19 ms 19 ms 19 ms rackspace-ic-302157-ash-b1.c.telia.net [62.115.32.122]
12 * * * Request timed out.
13 23 ms 21 ms 22 ms coreb-dcpe2.iad3.rackspace.net [69.20.2.173]
14 21 ms 19 ms 19 ms core9-coreb.iad3.rackspace.net [65.61.152.173]
15 21 ms 21 ms 22 ms aggr501a-65-core9.iad3.rackspace.net [146.20.80.21]
16 19 ms 19 ms 19 ms 146.20.147.246
Trace complete.
smtp.cox.net. A IN 300 37ms 68.1.17.8
8.17.1.68.in-addr.arpa. PTR IN 86400 38ms smtpmyemail.cox.net.
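The post above describes an ISP resolver that answers misspelled or nonexistent domains with the address of a branded search page instead of NXDOMAIN. The script below is an added example (editor's code, not part of the original post) that tests any resolver for that behaviour: it asks for several random labels that cannot exist and flags the resolver as redirecting when every one of them comes back with the same A record. The IP 198.51.100.10 and the two fake resolvers are constructed stand-ins for offline demonstration; `system_resolve` uses whatever resolver the host is configured with (e.g. the DHCP-assigned one).

```python
"""Detect NXDOMAIN redirection ("search assist") by a DNS resolver.

Technique: resolve several random labels that cannot exist. An honest
resolver fails all of them with NXDOMAIN; a redirecting resolver answers
every one, typically with the same IP (the search/ad landing page).
"""
import secrets
import socket
from collections import Counter


def random_nonexistent_names(n=5, tld="com"):
    """Return n random second-level labels that no registrar will have sold."""
    return [f"nx-{secrets.token_hex(8)}.{tld}" for _ in range(n)]


def check_nxdomain_hijack(resolve, names):
    """Probe `resolve` with `names`.

    resolve(name) must return an IPv4 string, or raise OSError
    (socket.gaierror is a subclass) when the name does not exist.
    Returns {"verdict": ..., "answers": {...}, "redirect_ips": [...]}.
    """
    answers = {}
    for name in names:
        try:
            answers[name] = resolve(name)
        except OSError:
            answers[name] = None  # NXDOMAIN / resolution failure: the honest answer

    returned = [ip for ip in answers.values() if ip is not None]
    counts = Counter(returned)
    if not returned:
        verdict = "clean"            # every bogus name failed, as it should
    elif len(returned) == len(names) and len(counts) == 1:
        verdict = "redirected"       # every bogus name got the same A record
    else:
        verdict = "inconsistent"     # partial answers: retry, or multiple landing IPs
    return {"verdict": verdict, "answers": answers, "redirect_ips": sorted(counts)}


def system_resolve(name):
    """Use the host's configured resolver (the real check)."""
    return socket.gethostbyname(name)


# --- constructed resolvers for offline demonstration (hypothetical IP) ---
def fake_redirecting_resolver(name):
    return "198.51.100.10"           # a "search assist" landing page, not a real host


def fake_honest_resolver(name):
    raise socket.gaierror(-2, "Name or service not known")  # NXDOMAIN


if __name__ == "__main__":
    probe = random_nonexistent_names()
    print("offline demo, redirecting:", check_nxdomain_hijack(fake_redirecting_resolver, probe)["verdict"])
    print("offline demo, honest:     ", check_nxdomain_hijack(fake_honest_resolver, probe)["verdict"])
    # Real check against the resolver this machine is using:
    print("this host's resolver:     ", check_nxdomain_hijack(system_resolve, probe))
```

Run it once on the ISP's DHCP-assigned resolver and once after pointing the system at a public resolver; a "redirected" verdict on the first and "clean" on the second confirms the redirect happens at the ISP resolver rather than in the browser. Random labels are used rather than a fixed typo so that a cached or pre-registered name cannot produce a false positive.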