Any Blackberry BES administrators or gurus here?


posted on Nov, 9 2016 @ 08:14 AM
link   
I used to run a BES for an old client years ago but never had anything come up that I am trying to now find an answer for.

Basically I am wondering if there is any reason that a Blackberry sending a message from the US would have an X-Originating-IP: [176.239.82.32] in the source? That IP links back to a RIM BES in the UK.

Any help would be great...thanks!
edit on 11/9/16 by Vasa Croe because: (no reason given)



posted on Nov, 9 2016 @ 08:25 AM
link   
It's been years (thankfully) since I had to deal with BES... but from memory, the phones send outbound mail through the RIM network and not the BES box, then the BES box syncs back to them. It was incredibly terrible design.

That being said, the message will have an IP of wherever RIM routes it to from the phone.
Now, it does seem very odd that a message would route halfway across the world before hitting an SMTP server, but cell carrier BGP routes are a bit more interesting than ours. It's entirely possible that if the local carrier's links were mostly saturated at the time that it would have a lower 'cost' to bounce the data over the long wire. BGP routers can change paths very frequently for cost based routing, and they have no forethought as to where that data's final destination might be.



posted on Nov, 9 2016 @ 08:34 AM
link   

originally posted by: lordcomac
It's been years (thankfully) since I had to deal with BES... but from memory, the phones send outbound mail through the RIM network and not the BES box, then the BES box syncs back to them. It was incredibly terrible design.

That being said, the message will have an IP of wherever RIM routes it to from the phone.
Now, it does seem very odd that a message would route halfway across the world before hitting an SMTP server, but cell carrier BGP routes are a bit more interesting than ours. It's entirely possible that if the local carrier's links were mostly saturated at the time that it would have a lower 'cost' to bounce the data over the long wire. BGP routers can change paths very frequently for cost based routing, and they have no forethought as to where that data's final destination might be.


I appreciate the answer. Still have a question on it though.

Based off of your thought on it, that would suggest intelligence built into the message routing I think, such as a shortest path algorithm when certain "traffic" flags are thrown.

What if the Blackberry device sending the message is a secure device? I would think that this would prevent it from hitting any BES outside of a hard coded BES for security reasons?

I have also read, I believe, that a secure BB has a specific PIN that only allows it to connect to a certain BES for security purposes. This seems like a plausible reason, but why connect to one in the EU/UK if your physical location is in the US 90% of the time? Do you know if there would be any benefit to that at all?



posted on Nov, 9 2016 @ 08:43 AM
link   
The process is overly complex given the necessity for security. The BlackBerry Enterprise Service and BlackBerry's NOC are virtually dependent on each other.

If you are seeing a foreign IP in relation to the BlackBerry handheld, it's quite possible that said device is associated with a BES back in the UK.

So while the User is in the US, that BES user account was originally set up in the UK and I assume that User has found their way stateside?

I haven't taught BlackBerry in forever but if I can help, shoot me a PM and I'll get back late this afternoon.



posted on Nov, 9 2016 @ 07:37 PM
link   

originally posted by: Vasa Croe
This seems like a plausible reason, but why connect to one in the EU/UK if your physical location is in the US 90% of the time? Do you know if there would be any benefit to that at all?
There would be a benefit to intelligence agencies. There are laws in the US against spying on US citizens (not that those laws are followed that closely), but they allow spying outside the US. Major players like AT&T, Verizon, etc cooperated with spies in setting up mass surveillance, so if they can cooperate, why not RIM? The one man who refused to play ball with them at Qwest was punished severely. I don't know if that is the reason for routing to the UK but until you find another reason, I would have it on a list of possibilities.



posted on Nov, 10 2016 @ 09:50 AM
link   

originally posted by: OEE84
The process is overly complex given the necessity for security. The BlackBerry Enterprise Service and BlackBerry's NOC are virtually dependent on each other.

If you are seeing a foreign IP in relation to the BlackBerry handheld, it's quite possible that said device is associated with a BES back in the UK.

So while the User is in the US, that BES user account was originally set up in the UK and I assume that User has found their way stateside?

I haven't taught BlackBerry in forever but if I can help, shoot me a PM and I'll get back late this afternoon.


Sent you a PM....you still around? I have MANY questions in regards to BES. I used to be a certified administrator for a couple organizations but this is back in early 2000's and have pretty much forgotten most things, though I don't recall any of my questions ever coming up at that time.

Would love to have some PM's or a thread discussion on them.

Thanks!



posted on Nov, 10 2016 @ 09:52 AM
link   

originally posted by: Arbitrageur

originally posted by: Vasa Croe
This seems like a plausible reason, but why connect to one in the EU/UK if your physical location is in the US 90% of the time? Do you know if there would be any benefit to that at all?
There would be a benefit to intelligence agencies. There are laws in the US against spying on US citizens (not that those laws are followed that closely), but they allow spying outside the US. Major players like AT&T, Verizon, etc cooperated with spies in setting up mass surveillance, so if they can cooperate, why not RIM? The one man who refused to play ball with them at Qwest was punished severely. I don't know if that is the reason for routing to the UK but until you find another reason, I would have it on a list of possibilities.


Well...my question on this mostly arises out of the emails I have found associated with this particular server and the fact it hasn't shown up in any other emails that I can find anywhere online making me wonder if it is a private use RIM relay specifically for a certain domain, and located outside the US as to not fall under US jurisdiction for search and seizure.



posted on Nov, 11 2016 @ 01:06 PM
link   
a reply to: Vasa Croe

This indicates they were probably using RIM as their BES host directly (cloud) instead of on prem. A foreign IP would have showed up if she was in Europe at the time and her email was routed through the UK RIM BES servers.

If RIM was their actual host, then the messages would be stored by RIM and under whatever retention policy RIM has for its customers, usually 60 days. Even on prem will only store the BES messages for whatever you set the retention to, by default it is "space available", so it starts overwriting the oldest mails as you hit whatever your disk threshold is (10% by default I think). This does not affect your device, and messages will stay on your device as long as you have room, however if your device were to get wiped you could only restore as far back as your BES server has retained.

We've had to use exchange to resend old emails we recovered just so VIP's could get ALL their email back on their blackberry.



posted on Nov, 11 2016 @ 07:33 PM
link   

originally posted by: raymundoko
a reply to: Vasa Croe

This indicates they were probably using RIM as their BES host directly (cloud) instead of on prem. A foreign IP would have showed up if she was in Europe at the time and her email was routed through the UK RIM BES servers.

If RIM was their actual host, then the messages would be stored by RIM and under whatever retention policy RIM has for its customers, usually 60 days. Even on prem will only store the BES messages for whatever you set the retention to, by default it is "space available", so it starts overwriting the oldest mails as you hit whatever your disk threshold is (10% by default I think). This does not affect your device, and messages will stay on your device as long as you have room, however if your device were to get wiped you could only restore as far back as your BES server has retained.

We've had to use exchange to resend old emails we recovered just so VIP's could get ALL their email back on their blackberry.


So would it be unusual if a person's email did originate from a UK BES server if they were in the US at the time it was sent?



posted on Nov, 11 2016 @ 08:00 PM
link   
a reply to: Vasa Croe

That would be highly unusual. If the pager service is flagged it means the device is on cell service which means the device was most probably in the U.K. or Europe.



posted on Nov, 11 2016 @ 08:51 PM
link   

originally posted by: raymundoko
a reply to: Vasa Croe

That would be highly unusual. If the pager service is flagged it means the device is on cell service which means the device was most probably in the U.K. or Europe.


Ok....here is my reasoning for this question and I can't really figure out any good reason for this to have happened.

So this snip from a hrcoffice.com email shows it originated from Hillary and from an IP of 178.239.82.32



Now that IP traces back to a RIM server in the UK



And one of the naming servers has an IP of 193.109.81.21 which traces to Saudi Arabia



Now the reverse DNS address of the Saudi server is 21.81.109.193 which traces back to a DoD server in Washington



Now my reasoning for all this questioning and pics is this....if you look at the original source for the email and the email itself in the Podesta files under email ID 45447 you can see it was sent on May 20, 2015 by [email protected]. Now on May 19, 2015 Hillary was in Independence, Iowa:

Source

And on the 20th she was in Chicago:

Source

And in that last article it makes it clear she is headed back to New Hampshire the next day and was doing fundraisers all night in Chicago:



Tonight, Clinton is expected to appear at two campaign fundraisers. Clinton heads back to New Hampshire tomorrow and Friday. Follow all the updates from New Hampshire on Clinton’s Twitter and Facebook accounts as well as the Hillary for New Hampshire Twitter account. And don’t forget to donate to the campaign.



So...how can she have sent an email from her BB that originated in the UK while in the US?
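
As an added example (not part of any post in this thread), the Python below pulls the X-Originating-IP value out of a message and builds the name that a reverse-DNS (PTR) lookup actually queries for 193.109.81.21. The message is constructed: only the two IP addresses come from the thread, and the hostnames and the Received line are placeholders.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: only the X-Originating-IP value comes from the thread;
# the hostnames, addresses and Received line are placeholders.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP; Wed, 20 May 2015 18:00:00 +0000
X-Originating-IP: [178.239.82.32]
From: sender@example.org
To: rcpt@example.org
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[?\s*([0-9a-fA-F:.]+)\s*\]?")

def originating_ip(raw):
    """Return the X-Originating-IP value as an ip_address object, or None.
    The header is non-standard: it records the address seen by whichever
    server chose to add it, not a verified location of the device."""
    msg = message_from_string(raw)
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    m = IP_RE.search(value)
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None  # header present but not a valid address

def ptr_query_name(ip):
    """DNS name queried for reverse DNS: octets reversed under in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def ptr_label_as_address(ip):
    """The reversed octets read as if they were an IPv4 address.
    They are only the left-hand labels of the PTR query name; taken as an
    address they identify a different host than the one being looked up."""
    labels = ptr_query_name(ip).split(".in-addr.arpa")[0]
    return ipaddress.ip_address(labels)

if __name__ == "__main__":
    print(originating_ip(SAMPLE))                 # header value
    print(ptr_query_name("193.109.81.21"))        # name sent to DNS
    print(ptr_label_as_address("193.109.81.21"))  # not the same host
```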



posted on Nov, 12 2016 @ 09:17 AM
link   
a reply to: Vasa Croe

I don't know how to explain that...let me ask one of my employees who knows BES better than me on Monday.



posted on Nov, 12 2016 @ 09:29 AM
link   

originally posted by: raymundoko
a reply to: Vasa Croe

I don't know how to explain that...let me ask one of my employees who knows BES better than me on Monday.


Much appreciated!



posted on Nov, 14 2016 @ 08:16 AM
link   

originally posted by: raymundoko
a reply to: Vasa Croe

I don't know how to explain that...let me ask one of my employees who knows BES better than me on Monday.


Let me know what you find out today. Very interested in the explanation for this, if there is one I guess.



posted on Nov, 14 2016 @ 09:41 AM
link   
a reply to: Vasa Croe

My employee pointed out that this is a SEPARATE email domain from clintonemail.com and appears to be using Office 365 via Cloud BES. The registrant information for the domain is:


Domain Name: HRCOFFICE.COM
Registrar URL: www.godaddy.com...
Registrant Name: Nick Merrill.


Here is Nick Merrill

It could be that this domain is hosted out of the UK for office via something like RackSpace, which means all messages would be routed through and stored in the UK, however the NS are all located in the USA and appear to be part of the google hosting network. This in and of itself means little, as the google platform then allows you to internally route mail, which is ALL hrcoffice.com is used for.

Considering who it was who ran this, I would not be surprised if Nick was routing messages through the UK to avoid US laws on retention and surveillance. In fact, I would wager that he was sought out specifically because of who he was when this domain was created.
edit on 14-11-2016 by raymundoko because: (no reason given)



posted on Nov, 14 2016 @ 01:49 PM
link   

originally posted by: raymundoko
a reply to: Vasa Croe

My employee pointed out that this is a SEPARATE email domain from clintonemail.com and appears to be using Office 365 via Cloud BES. The registrant information for the domain is:


Domain Name: HRCOFFICE.COM
Registrar URL: www.godaddy.com...
Registrant Name: Nick Merrill.


Here is Nick Merrill

It could be that this domain is hosted out of the UK for office via something like RackSpace, which means all messages would be routed through and stored in the UK, however the NS are all located in the USA and appear to be part of the google hosting network. This in and of itself means little, as the google platform then allows you to internally route mail, which is ALL hrcoffice.com is used for.

Considering who it was who ran this, I would not be surprised if Nick was routing messages through the UK to avoid US laws on retention and surveillance. In fact, I would wager that he was sought out specifically because of who he was when this domain was created.


Much appreciated...I figured it was a way around having email in the US.



posted on Nov, 7 2017 @ 07:04 PM
link   
Bump for relevance of Saudi connection and timeline reference....



posted on Nov, 8 2017 @ 01:17 PM
link   
a reply to: Vasa Croe

Three things would cause it:

1) The user is in Europe
2) There is an issue with the RIM network in the USA and they are routing traffic through the UK. They have a global traffic manager in front of their paths.
3) Their mail is hosted in Europe.
edit on 8-11-2017 by raymundoko because: (no reason given)



posted on Nov, 8 2017 @ 07:03 PM
link   
a reply to: Vasa Croe

Interesting, very interesting.

Random poking around finds the following:


Network information
IP address 193.109.81.21
Reverse DNS (PTR record) xns01lhr.rim.net
DNS server (NS record) xns01lhr.rim.net (193.109.81.21)
xns01ykf.rim.net (206.51.26.10)
ASN number 18705
ASN name (ISP) BlackBerry Limited
IP-range/subnet 193.109.81.0/24
193.109.81.0 - 193.109.81.255

...

inetnum: 193.109.81.0 - 193.109.81.255
netname: UK-RIM-20010815
country: SA
org: ORG-RIMU1-RIPE
admin-c: IA918-RIPE
tech-c: IA918-RIPE
remarks: rev-srv: xns01ykf.rim.net
remarks: rev-srv: xns01lhr.rim.net
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: MNT-RIM-UK
mnt-routes: MNT-RIM-UK
mnt-domains: MNT-RIM-UK
created: 2015-01-15T15:50:16Z
last-modified: 2016-04-14T08:11:56Z
source: RIPE # Filtered

organisation: ORG-RIMU1-RIPE
org-name: BlackBerry UK Limited
org-type: LIR
address: 176 Columbia St. W.
address: N2L 3W8
address: Waterloo, ON
address: CANADA
phone: +15198887465
fax-no: +15198886906
abuse-c: AR17878-RIPE
mnt-ref: MNT-RIM-UK
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
admin-c: PW1218-RIPE
admin-c: BH3943-RIPE
admin-c: MJL-RIPE
abuse-mailbox: removed email address
tech-c: IA918-RIPE
created: 2008-06-09T12:47:41Z
last-modified: 2016-03-09T17:13:02Z
source: RIPE # Filtered


TCPIPUTILS

Using this site, we are able to see that the server location is inside the Royal airport:


Address type IPv4
Hostname xns01lhr.rim.net
ASN 18705 - RIMBLACKBERRY - BlackBerry Limited
ISP BlackBerry UK Limited
Timezone Asia/Riyadh (UTC+3)
Local time 03:57:24
Country Saudi Arabia
State / Region Ar Riyāḑ
City Riyadh
Coordinates 24.7117, 46.7242


db-ip

Maybe this is pertinent, maybe it's not. Is there any way that the emails could be routed through this server and copied as it passes through?



Google Maps
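
As an added example (not part of the post above), this Python parses an excerpt of the whois record quoted in the post and collects every field that can be read as a location, showing that they do not agree with one another. The field labels and the reading of the three letters before the first dot in the rev-srv hostnames as an operator-chosen site tag are assumptions made for illustration.

```python
import re

# Excerpt of the RIPE whois output quoted in the thread (attributes trimmed).
WHOIS = """\
inetnum: 193.109.81.0 - 193.109.81.255
netname: UK-RIM-20010815
country: SA
org: ORG-RIMU1-RIPE
remarks: rev-srv: xns01ykf.rim.net
remarks: rev-srv: xns01lhr.rim.net

organisation: ORG-RIMU1-RIPE
org-name: BlackBerry UK Limited
address: 176 Columbia St. W.
address: N2L 3W8
address: Waterloo, ON
address: CANADA
"""

def parse_rpsl(text):
    """Split whois text into objects, each a list of (attribute, value)."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = []
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.append((key.strip().lower(), value.strip()))
        if attrs:
            objects.append(attrs)
    return objects

def values(obj, key):
    return [v for k, v in obj if k == key]

def location_hints(text):
    """Collect each field a reader or geolocation feed could treat as 'where'."""
    objs = {o[0][0]: o for o in parse_rpsl(text)}  # keyed by object type
    net, org = objs.get("inetnum", []), objs.get("organisation", [])
    hints = {}
    if values(net, "country"):
        hints["inetnum country"] = values(net, "country")[0]
    if values(net, "netname"):
        hints["netname prefix"] = values(net, "netname")[0].split("-")[0]
    if values(org, "address"):
        hints["org address, last line"] = values(org, "address")[-1]
    # Assumption: the 3 letters before the first dot are an operator site tag.
    tags = [m.group(1) for v in values(net, "remarks")
            if (m := re.search(r"rev-srv:\s*\w*?([a-z]{3})\.", v))]
    if tags:
        hints["rev-srv site tags"] = ",".join(tags)
    return hints

def hints_agree(text):
    return len(set(location_hints(text).values())) <= 1
```

The `country:` attribute on an inetnum object is entered by the resource holder and is not a measurement of where the hosts sit, so a city or coordinates derived from registry data like this need corroboration from routing or latency data before being treated as a physical location.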



posted on Nov, 9 2017 @ 02:47 PM
link   

originally posted by: jadedANDcynical
a reply to: Vasa Croe

Interesting, very interesting.

Random poking around finds the following:


Network information
IP address 193.109.81.21
Reverse DNS (PTR record) xns01lhr.rim.net
DNS server (NS record) xns01lhr.rim.net (193.109.81.21)
xns01ykf.rim.net (206.51.26.10)
ASN number 18705
ASN name (ISP) BlackBerry Limited
IP-range/subnet 193.109.81.0/24
193.109.81.0 - 193.109.81.255

...

inetnum: 193.109.81.0 - 193.109.81.255
netname: UK-RIM-20010815
country: SA
org: ORG-RIMU1-RIPE
admin-c: IA918-RIPE
tech-c: IA918-RIPE
remarks: rev-srv: xns01ykf.rim.net
remarks: rev-srv: xns01lhr.rim.net
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: MNT-RIM-UK
mnt-routes: MNT-RIM-UK
mnt-domains: MNT-RIM-UK
created: 2015-01-15T15:50:16Z
last-modified: 2016-04-14T08:11:56Z
source: RIPE # Filtered

organisation: ORG-RIMU1-RIPE
org-name: BlackBerry UK Limited
org-type: LIR
address: 176 Columbia St. W.
address: N2L 3W8
address: Waterloo, ON
address: CANADA
phone: +15198887465
fax-no: +15198886906
abuse-c: AR17878-RIPE
mnt-ref: MNT-RIM-UK
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
admin-c: PW1218-RIPE
admin-c: BH3943-RIPE
admin-c: MJL-RIPE
abuse-mailbox: removed email address
tech-c: IA918-RIPE
created: 2008-06-09T12:47:41Z
last-modified: 2016-03-09T17:13:02Z
source: RIPE # Filtered


TCPIPUTILS

Using this site, we are able to see that the server location is inside the Royal airport:


Address type IPv4
Hostname xns01lhr.rim.net
ASN 18705 - RIMBLACKBERRY - BlackBerry Limited
ISP BlackBerry UK Limited
Timezone Asia/Riyadh (UTC+3)
Local time 03:57:24
Country Saudi Arabia
State / Region Ar Riyāḑ
City Riyadh
Coordinates 24.7117, 46.7242


db-ip

Maybe this is pertinent, maybe it's not. Is there any way that the emails could be routed through this server and copied as it passes through?



Google Maps


Well that is certainly odd I believe, unless they house a major hub of tech there, or the US houses their server there for some reason.


