-----BEGIN PGP SIGNED MESSAGE----- This is a very strange forgery. It appears that the attacker used fcaglp.fcaglp.unlp.edu.ar as a relay. This machine is running an old version of HP sendmail that apparently accepts any hostname the user enters after "helo". I tried sending myself fakemail using this site but haven't got a response yet. The interesting thing is that the attacker used the hostname echotech.com and not iquest.net. echotech.com is a real domain so the attacker might have been dumb enough to connect from echotech.com and enter the real origin. Or the SMTP server might just pretend it's fooled and put the real hostname in the received header regardless of what's entered after the helo. I'm not familiar with HP sendmail so I don't know whether this is true or not. On Sun, 9 Feb 1997, Bovine Remailer wrote:
Date: Sun, 9 Feb 1997 08:42:45 -0500 (EST) From: Bovine Remailer <haystack@holy.cow.net> To: cypherpunks@toad.com
NEW ATTACK ON CP LIST
Date: Sun, 9 Feb 1997 03:55:04 -0500 From: Linda Thompson <lindat@iquest.net> To: robert@iquest.net Cc: aen-news@aen.org Subject: URGENT
Someone is sending THREATS to the President and Senate and using *MY* name and account to do it. One bounced and was sent to me. You should be able to find out where it came from by the message I.D. I think it is EXTREMELY important that you find out where this came from!!
Also, earlier in the day, I got a message that I was subscribed by "majordomo" to cypherpunks. I did NOT subscribe to cypherpunks and I would bet that whoever did THAT also sent this message.
Here's the threat message:
Return-Path: <MAILER-DAEMON@fcaglp.fcaglp.unlp.edu.ar> Delivered-To: lindat@iquest.net Received: (qmail 29848 invoked from network); 9 Feb 1997 02:51:40 -0000 Received: from fcaglp.fcaglp.unlp.edu.ar (163.10.4.1) by iquest3.iquest.net with SMTP; 9 Feb 1997 02:51:40 -0000 Received: by fcaglp.fcaglp.unlp.edu.ar (1.38.193.4/16.2) id AI19659; Sat, 8 Feb 1997 23:49:27 -0300 Message-Id: <9702090249.AI19659@fcaglp.fcaglp.unlp.edu.ar> Date: Sat, 8 Feb 1997 05:12:37 -0300 From: MAILER-DAEMON@fcaglp.fcaglp.unlp.edu.ar (Mail Delivery Subsystem) Subject: Returned mail: User unknown To: lindat@iquest.net X-UIDL: 85c7fe8ecdc2605eb6bc80bfa71b223e Status: U
----- Transcript of session follows ----- 550 xfAA16374: line 6: vice-president@whitehouse.gov... User unknown
----- Unsent message follows ----- Received: from echotech.com by fcaglp.fcaglp.unlp.edu.ar with SMTP (1.38.193.4/16.2) id AA16374; Sat, 8 Feb 1997 05:12:37 -0300 Message-Id: <9702080812.AA16374@fcaglp.fcaglp.unlp.edu.ar> Date: Sat, 8 Feb 1997 05:12:37 -0300 From: lindat@iquest.net Return-Path: <lindat@iquest.net> [recipient list deleted] Reply-To: lindat@iquest.net Return-Receipt-To: lindat@iquest.net Comment: Authenticated sender is <lindat@iquest.net> Subject: message to USSA Senate
All files on the Senate's computers will be deleted by our gang of cypherpunks dedicated to the eradication of your systems.
Mark -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQEVAwUBMv4meizIPc7jvyFpAQFu/ggAoap+9UBSbtitcQuGL3Og5u1nQRJhaviV BJqXC0ZwNBKCEeVQm3HIME47eqB8JVite2YBvyXZbj/QAsFQAEY1k4oJlfn5tCLE w/ifDrqeQhFWXtNC64iRFJm7EEOMDJ56rNVUA8NkKJZstl8ny/7LTFeTDGxf18gL nQVHJ447I5B0WVQt42F1Gfcmxh3bPjbZXd8TRKSKjhuBfqum8916dlXso1hB3WaC TSYIHa3R33HmwYA2xtDJ6ZJwtlPF/wPkVIYgbhrt+S6SPGfa+yEUnCE72qceo3eh 1imu97YBiP0EPveEdD5yIlH23rZRbCJ9RmDrZruCY2ldG1wJh3+6Jg== =psFL -----END PGP SIGNATURE-----
participants (1)
-
Mark M.