Email forgery

Mark M. markm at voicenet.com
Sun Feb 9 11:29:42 PST 1997


-----BEGIN PGP SIGNED MESSAGE-----

This is a very strange forgery.  It appears that the attacker used
fcaglp.fcaglp.unlp.edu.ar as a relay.  This machine is running an old version
of HP sendmail that apparently accepts any hostname the user enters after
"helo".  I tried sending myself fakemail using this site but haven't got a
response yet.  The interesting thing is that the attacker used the hostname
echotech.com and not iquest.net.  echotech.com is a real domain so the attacker
might have been dumb enough to connect from echotech.com and enter the real
origin.  Or the SMTP server might just pretend it's fooled and put the real
hostname in the received header regardless of what's entered after the helo.
I'm not familiar with HP sendmail so I don't know whether this is true or not.

On Sun, 9 Feb 1997, Bovine Remailer wrote:

> Date: Sun, 9 Feb 1997 08:42:45 -0500 (EST)
> From: Bovine Remailer <haystack at holy.cow.net>
> To: cypherpunks at toad.com
>
> NEW ATTACK ON CP LIST
>
>
> >Date: Sun, 9 Feb 1997 03:55:04 -0500
> >From: Linda Thompson <lindat at iquest.net>
> >To: robert at iquest.net
> >Cc: aen-news at aen.org
> >Subject: URGENT
> >
> >Someone is sending THREATS to the President and Senate and using *MY*
> >name
> >and account to do it.  One bounced and was sent to me.  You should be
> >able
> >to find out where it came from by the message I.D.  I think it is
> >EXTREMELY
> >important that you find out where this came from!!
> >
> >Also, earlier in the day, I got a message that I was subscribed by
> >"majordomo" to cypherpunks.  I did NOT subscribe to cypherpunks and I
> >would
> >bet that whoever did THAT also sent this message.
> >
> >Here's the threat message:
> >
> >Return-Path: <MAILER-DAEMON at fcaglp.fcaglp.unlp.edu.ar>
> >Delivered-To: lindat at iquest.net
> >Received: (qmail 29848 invoked from network); 9 Feb 1997 02:51:40 -0000
> >Received: from fcaglp.fcaglp.unlp.edu.ar (163.10.4.1)
> >  by iquest3.iquest.net with SMTP; 9 Feb 1997 02:51:40 -0000
> >Received: by fcaglp.fcaglp.unlp.edu.ar
> >	(1.38.193.4/16.2) id AI19659; Sat, 8 Feb 1997 23:49:27 -0300
> >Message-Id: <9702090249.AI19659 at fcaglp.fcaglp.unlp.edu.ar>
> >Date: Sat, 8 Feb 1997 05:12:37 -0300
> >From: MAILER-DAEMON at fcaglp.fcaglp.unlp.edu.ar (Mail Delivery Subsystem)
> >Subject: Returned mail: User unknown
> >To: lindat at iquest.net
> >X-UIDL: 85c7fe8ecdc2605eb6bc80bfa71b223e
> >Status: U
> >
> >   ----- Transcript of session follows -----
> >550 xfAA16374: line 6: vice-president at whitehouse.gov... User unknown
> >
> >   ----- Unsent message follows -----
> >Received: from echotech.com by fcaglp.fcaglp.unlp.edu.ar with SMTP
> >	(1.38.193.4/16.2) id AA16374; Sat, 8 Feb 1997 05:12:37 -0300
> >Message-Id: <9702080812.AA16374 at fcaglp.fcaglp.unlp.edu.ar>
> >Date: Sat, 8 Feb 1997 05:12:37 -0300
> >From: lindat at iquest.net
> >Return-Path: <lindat at iquest.net>
[recipient list deleted]
> >Reply-To: lindat at iquest.net
> >Return-Receipt-To: lindat at iquest.net
> >Comment: Authenticated sender is <lindat at iquest.net>
> >Subject: message to USSA Senate
> >
> >All files on the Senate's computers will be deleted by our
> >gang of cypherpunks dedicated to the eradication of your systems.



Mark
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

-----END PGP SIGNATURE-----
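An added example (not part of the original post, and not any tool it mentions): a small Python parser run over the Received lines of the bounce quoted above, separating the name written after `from` from a peer address recorded by the receiving server. It assumes the `(1.38.193.4/16.2)` parenthetical is the relay's sendmail version string rather than an address, so only an address directly following the `from` name is accepted; `parse_hop` and `end_of_trail` are names chosen here.

```python
import re

# Received values copied from the bounce quoted on this page, newest first,
# with folded continuation lines joined.
RECEIVED = [
    "(qmail 29848 invoked from network); 9 Feb 1997 02:51:40 -0000",
    "from fcaglp.fcaglp.unlp.edu.ar (163.10.4.1) by iquest3.iquest.net "
    "with SMTP; 9 Feb 1997 02:51:40 -0000",
    "from echotech.com by fcaglp.fcaglp.unlp.edu.ar with SMTP "
    "(1.38.193.4/16.2) id AA16374; Sat, 8 Feb 1997 05:12:37 -0300",
]

# "from <name> [(<ipv4>)] by <host>": an address counts only when it sits
# directly after the from-name. A dotted number later in the line (assumed
# here to be the MTA version) is deliberately not matched.
HOP_RE = re.compile(
    r"^from\s+(?P<name>\S+)"
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
    r"\s+by\s+(?P<by>\S+)"
)

def parse_hop(value):
    """Parse one Received value; return None if it is not a 'from ... by' hop."""
    m = HOP_RE.match(" ".join(value.split()))  # collapse folding whitespace
    if not m:
        return None
    return {
        "claimed_name": m.group("name"),  # may be whatever followed HELO
        "peer_ip": m.group("ip"),         # None if the receiver logged none
        "received_by": m.group("by"),
    }

def end_of_trail(received):
    """Newest hop whose origin the header cannot tie to an address."""
    for value in received:
        hop = parse_hop(value)
        if hop and hop["peer_ip"] is None:
            return hop
    return None

if __name__ == "__main__":
    for value in RECEIVED:
        print(parse_hop(value))
    # Past this hop, only the relay's own logs can confirm the real origin.
    print("needs relay logs:", end_of_trail(RECEIVED))
```
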






