Intro
When I first came upon a spear phishing email a few months ago which originated from the UK’s Ministry of Defence I thought that was pretty queer. Like, how ironic that an invoice scam is coming from a Defense Ministry. Do they have a bad actor? Are we on the cusp of cracking some big international cybertheft? Do we tell them?
Then their address space came up yet again just a few days ago, this time in a fairly different context. Microsoft’s Exchange Online service hosted in the UK cannot deliver email to a particular domain:
8/5/2016 3:32:35 PM - Server at e********s.net (25.152.12.27) returned '450 4.4.312 DNS query failed(ServerFailure)' |
I obscured the domain a bit. But it’s an everyday domain which every DNS server I’ve tested resolves just fine. But Microsoft doesn’t see it that way. Several test messages have shown non-delivery reports using these other addresses as well following the “Server at…”: 25.152.8.27, 25.152.16.27.
The Register sheds the most light – but it still lacks in critical details – on what might have happened to the UK Ministry of Defence’s IPv4 address space, namely, that some was sold. Here’s the article.
How do you show that all these 25.152.8.8 addresses belong to the Ministry of Defence? You use RIPE: http://ripe.net/ and do a search. It shows that 25.0.0.0/8 belongs to them. But according to the article in The Register this is no longer true as of late last year.
Why is Microsoft using these IP addresses? No idea. But something I read got me to suspecting that some outfits decided to use 25/8 address space as though it were private IP addresses!
References and related
4 replies on “Who’s using the UK Ministry of Defence’s IP addresses?”
Hi,
how did you solve the problem with the undeliverable mails? We got the same problem!
I didn’t! Microsoft got our detailed logs and, I guess, compared it to their private info and came to the conclusion that the DNS server of the recipient domain was timing out. I had to trust them and I actually do believe them. I could indirectly query a DNS server in Asia which timed out against the domain. Microsoft’s test connection showed a problem as well. The one public DNS server in the UK I could test did not show the issue, nor did the ones in Germany, but I do think there was something funny about the way the domain owners set up their DNS – hosting the DNS servers themselves on Amazon AWS is pretty unorthodox after all. So I just dumped it back to the recipient saying essentially, fix your problem.
Hi There,
We got the same phishing email issue. Originating client IP of that email leads to UK Ministry of defense. Any idea what would have happened ?
Phishing email went to many people as if like it has sent from one of my colleagues email address.
Hi Masood,
We have the same problem than you. Do you know more information about that?
Thank you,