
Tracing port 25 mail forgery



While looking over some of the detcrud I noticed something interesting...

>From [email protected]  Mon Jul 18 15:48:30 1994
>Received: from virginia.edu (uvaarpa.Virginia.EDU [128.143.2.7]) by
>kaiwan.kaiwan.com (8.6.9/8.6.5) with SMTP
>          id PAA27245 for <[email protected]>; Mon, 18 Jul 1994 15:48:24 -0700
>          *** KAIWAN Internet Access ***
>From: [email protected]
>Received: from fulton.seas.virginia.edu by uvaarpa.virginia.edu id aa05968;
>          18 Jul 94 18:48 EDT
>Received: from <netcom12.netcom.com> ([email protected]
> [192.100.81.126]) by fulton.seas.Virginia.EDU (8.6.8/8.6.6) with SMTP id
> SAA67017 for <[email protected] >; Mon, 18 Jul 1994 18:48:20 -0400
>Date: Mon, 18 Jul 1994 18:48:20 -0400
>Message-Id: <[email protected]>
>To: [email protected]
>Request-Remailing-To: [email protected]
>
>##
>Followups-To: news.admin.policy
>Reply-To: <[email protected]>
>Subject: Netcom is being SCAPEGOATED
>
...drivel removed...

In the Received: header, fulton.seas.Virginia.EDU identifies the message as
coming from [email protected].

My question is, how did it do this???  Did it use identd?  I tried making a
fake mail thru that site and it did not show my username...but neither kaiwan
nor andrew has identd installed.  nova.unix.portal.com did the same thing:

>Received: from <netcom12.netcom.com> ([email protected] [192.100.81.108])
>by nova.unix.portal.com (8.6.7/8.6.5) with SMTP id SAA22450 for
><[email protected] >; Mon, 18 Jul 1994 18:09:22 -0700

Comments?
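
Added example, not part of the original post: a Python parser that walks a message's Received: chain and pulls out the announced name, the parenthesized user@host and the bracketed IP for each hop, flagging hops where the announced name differs from the recorded host. It assumes the sendmail 8 layout seen in the quoted headers (`from <name> (user@host [ip]) by receiver`); the sample message, the `trace_hops` name and all addresses in it are constructed.

```python
import re
from email import message_from_string

# Constructed sample message (not from the post); example domains and IPs only.
SAMPLE = """\
Received: from relay.example.org (relay.example.org [192.0.2.7]) by
 mx.example.net (8.6.9/8.6.5) with SMTP
          id PAA27245 for <list@example.net>; Mon, 18 Jul 1994 15:48:24 -0700
Received: from <shell12.example.com> (alice@shell12.example.com
 [192.0.2.126]) by relay.example.org (8.6.8/8.6.6) with SMTP id
 SAA67017 for <remailer@example.org>; Mon, 18 Jul 1994 18:48:20 -0400
Received: from <mail.example.com> (bob@dialup3.example.edu [198.51.100.9])
 by relay.example.org (8.6.7/8.6.5) with SMTP id SAA22450; Mon, 18 Jul 1994 18:09:22 -0700
To: remailer@example.org
Subject: constructed test

body
"""

# Assumed layout: from <announced> ( [user@]host [ip] ) by <receiver>
HOP = re.compile(
    r"from\s+<?(?P<claimed>[^\s>]+)>?\s+"
    r"\((?:(?P<user>[^\s@()]+)@)?(?P<host>[^\s()\[\]]+)\s+\[(?P<ip>[\d.]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def trace_hops(raw_message):
    """Return one dict per parseable Received: header, newest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # undo header folding
        m = HOP.search(unfolded)
        if not m:
            continue  # hop written in another format; read it by hand
        hop = m.groupdict()
        # Assumption: the name after "from" is what the client announced, and
        # the parenthesized host is what the receiver recorded for the peer.
        hop["name_mismatch"] = hop["claimed"].lower() != hop["host"].lower()
        hops.append(hop)
    return hops

if __name__ == "__main__":
    for h in trace_hops(SAMPLE):
        print(h)
```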