Regarding the mysterious mail from mailer-daemon@anon.com that many people have received:

1. The mail was apparently sent by a daemon bouncing an undeliverable mail. anon.com is a "virtual domain" hosted at io.com, so it's unlikely that the daemon would have an anon.com address.

2. Headers show it was routed through 38.10.221.81 and smtp1.interramp.com. That IP address showed up as ip81.la.ca.interramp.com the first time I tried a traceroute. The second time it showed up as ip81.syracuse.ny.interramp.com. In any case, traceroute went recursive between los-angeles.ca.isdn.psi.net (38.145.221.110) and lan.losangeles.ca.psi.net (38.145.221.1). This indicates the target could not be reached - perhaps it's a PPP address, or disconnected.

3. There is an X-Sender: (Unverified) header entry. So the mail was SMTP faked without the HELO protocol.

4. The error purporting to originate from mailer-daemon@anon.com says the mail was addressed to PeppermintPty@loacst.org. loacst.org is not a registered domain.

5. PeppermintPty is obviously Peppermint Patty; the "original message" is signed Marcie. Peanut fans will recognise these characters.

So - what was it all about? An elaborate prank? A convoluted NSA plot? I would lean towards the first, but perhaps we'll know on March 1st, the date to "gain access to target".

Rishab

ps. the copy I received follows:
From mailer-daemon@anon.com Fri Feb 23 20:08:00 1996
Received: from m-net148.arbornet.org (m-net.arbornet.org [148.59.250.2])
    by shellx.best.com (8.6.12/8.6.5) with SMTP id UAA20969
    for <rishab@best.com>; Fri, 23 Feb 1996 20:07:44 -0800
Received: from smtp1.interramp.com by m-net148.arbornet.org with smtp
    (Smail3.1.29.1 #4) id m0tqBGv-0009SHC; Fri, 23 Feb 96 23:07 WET
Received: from [38.10.221.81] by smtp1.interramp.com
    (8.6.12/SMI-4.1.3-PSI-irsmtp) id XAA24970; Fri, 23 Feb 1996 23:06:42 -0500
X-Sender: (Unverified)
Message-Id: <v01520db9ad53979e9858@[38.10.221.81]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 23 Feb 1996 08:11:33 -0800
To: (Recipient list suppressed)
From: mailer-daemon@anon.com (System Mail Manager)
Subject: Twelve Days of Christmas
Status: RO

-- <System Report> --
UNDELIVERABLE MAIL: Unknown Host("PeppermintPty@loacst.org")
UNDELIVERABLE MAIL: Bad Key

-- <Original Message Follows> --

*** TOP LEVEL: DESTROY IMMEDIATELY UPON READING ***
*** DO NOT PRINT OR SAVE. Code1.8 Table2Hex6 ***

DAY 10:

DR. BLACK located a promising entry point at the target site. DR. BLACK recovered four of the six password tokens before his position was compromised. DR. BLACK will be replaced by DR. ORANGE.

Estimated time to recover the remaining two password tokens and gain access to target: EIGHT DAYS (03.01.96)

Confidence is HIGH.

My team has been working around the clock for a month now. Please tell your people to be more tolerant. Yelling doesn't help anything.

Marcie
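
The header checks walked through in the post (relay path, claimed sender domain, origin address), run over the quoted copy as an added example that is not part of the original post. The function names, the Message-Id check and the Date comparison are this example's own, and only the headers it reads are reproduced.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Headers copied from the message quoted in the post; the folding is this example's.
RAW = """\
Received: from m-net148.arbornet.org (m-net.arbornet.org [148.59.250.2])
 by shellx.best.com (8.6.12/8.6.5) with SMTP id UAA20969
 for <rishab@best.com>; Fri, 23 Feb 1996 20:07:44 -0800
Received: from smtp1.interramp.com by m-net148.arbornet.org with smtp
 (Smail3.1.29.1 #4) id m0tqBGv-0009SHC; Fri, 23 Feb 96 23:07 WET
Received: from [38.10.221.81] by smtp1.interramp.com
 (8.6.12/SMI-4.1.3-PSI-irsmtp) id XAA24970; Fri, 23 Feb 1996 23:06:42 -0500
X-Sender: (Unverified)
Message-Id: <v01520db9ad53979e9858@[38.10.221.81]>
Date: Fri, 23 Feb 1996 08:11:33 -0800
From: mailer-daemon@anon.com (System Mail Manager)
"""

def hops(msg):
    """(from_host, by_host) for each Received header, origin first."""
    found = []
    # Relays prepend their header, so the last one in the file is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", value, re.S)
        if m:
            found.append(m.groups())
    return found

def analyse(raw):
    msg = message_from_string(raw)
    path = hops(msg)
    origin = path[0][0]
    claimed = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    # Timestamp written by the first relay that accepted the message.
    stamp = msg.get_all("Received")[-1].rsplit(";", 1)[1].strip()
    skew = parsedate_to_datetime(stamp) - parsedate_to_datetime(msg["Date"])
    return {
        "path": path,
        # Does any host in the recorded path belong to the claimed domain?
        "claimed_domain_in_path": any(claimed in h.lower() for hop in path for h in hop),
        # Origin recorded only as an IP literal, with no hostname.
        "origin_is_ip_literal": bool(re.fullmatch(r"\[[\d.]+\]", origin)),
        # Message-Id names the injecting host rather than the claimed domain.
        "message_id_from_origin": msg["Message-Id"].rstrip(">").endswith("@" + origin),
        # Gap between the Date header and the first relay's clock (a hint, not proof).
        "date_skew_hours": round(skew.total_seconds() / 3600, 1),
    }
```

Only the first relay's timestamp is compared against Date, because the middle hop's stamp uses a two-digit year and a zone abbreviation that do not parse reliably.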