
Hack attempt? "12 days" from anon.com




Regarding the mysterious mail from [email protected]
that many people have received:
1. The mail was apparently sent by a daemon bouncing
   an undeliverable mail. anon.com is a "virtual domain"
   hosted at io.com, so it's unlikely that the daemon would
   have an anon.com address. 
2. Headers show it was routed through 38.10.221.81 and
   smtp1.interramp.com. That IP address showed up as
   ip81.la.ca.interramp.com the first time I tried a 
   traceroute. The second time it showed up as 
   ip81.syracuse.ny.interramp.com. In any case, traceroute
   went recursive between los-angeles.ca.isdn.psi.net
   (38.145.221.110) and lan.losangeles.ca.psi.net
   (38.145.221.1). This indicates the target could not be
   reached - perhaps it's a PPP address, or disconnected.
3. There is an X-Sender: (Unverified) header entry. So the
   mail was SMTP faked without the HELO protocol.
4. The error purporting to originate from [email protected]
   says the mail was addressed to [email protected]. loacst.org
   is not a registered domain.
5. PeppermintPty is obviously Peppermint Patty; the "original message"
   is signed Marcie. Peanuts fans will recognise these characters.

So - what was it all about? An elaborate prank? A convoluted NSA
plot? I would lean towards the first, but perhaps we'll know
on March 1st, the date to "gain access to target".

Rishab
ps. the copy I received follows:

>From [email protected]  Fri Feb 23 20:08:00 1996
Received: from m-net148.arbornet.org (m-net.arbornet.org [148.59.250.2]) by shellx.best.com (8.6.12/8.6.5) with SMTP id UAA20969 for <[email protected]>; Fri, 23 Feb 1996 20:07:44 -0800
Received: from smtp1.interramp.com by m-net148.arbornet.org with smtp
        (Smail3.1.29.1 #4) id m0tqBGv-0009SHC; Fri, 23 Feb 96 23:07 WET
Received: from [38.10.221.81] by smtp1.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp)
        id XAA24970; Fri, 23 Feb 1996 23:06:42 -0500
X-Sender:  (Unverified)
Message-Id: <v01520db9ad53979e9858@[38.10.221.81]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 23 Feb 1996 08:11:33 -0800
To: (Recipient list suppressed)
From: [email protected] (System Mail Manager)
Subject: Twelve Days of Christmas
Status: RO


-- <System Report> --
UNDELIVERABLE MAIL: Unknown Host("[email protected]")
UNDELIVERABLE MAIL: Bad Key

-- <Original Message Follows> --

*** TOP LEVEL: DESTROY IMMEDIATELY UPON READING ***
*** DO NOT PRINT OR SAVE. Code1.8 Table2Hex6    ***

DAY 10: DR. BLACK located a promising entry point at the target site. DR.
BLACK recovered four of the six password tokens before his position was
compromised. DR. BLACK will be replaced by DR. ORANGE.

Estimated time to recover the remaining two password tokens and gain access
to target: EIGHT DAYS (03.01.96)

Confidence is HIGH.

My team has been working around the clock for a month now. Please tell your
people to be more tolerant. Yelling doesn't help anything.

Marcie
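
Added example, not part of the original post: the header checks from items 2 and 3 run in Python over the Received chain of the copy above, plus one comparison the post does not make, between the Date: header and the first relay's timestamp. The function names and finding labels are made up for this illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers from the copy quoted in the post; the redacted "for <...>" clause
# and the From: line are left out.
RAW = """\
Received: from m-net148.arbornet.org (m-net.arbornet.org [148.59.250.2]) by shellx.best.com (8.6.12/8.6.5) with SMTP id UAA20969; Fri, 23 Feb 1996 20:07:44 -0800
Received: from smtp1.interramp.com by m-net148.arbornet.org with smtp
        (Smail3.1.29.1 #4) id m0tqBGv-0009SHC; Fri, 23 Feb 96 23:07 WET
Received: from [38.10.221.81] by smtp1.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp)
        id XAA24970; Fri, 23 Feb 1996 23:06:42 -0500
X-Sender:  (Unverified)
Date: Fri, 23 Feb 1996 08:11:33 -0800
Subject: Twelve Days of Christmas

"""

HOP = re.compile(r"from\s+(\S+)(?:\s+\([^)]*\))?\s+by\s+(\S+)")
IP_LITERAL = re.compile(r"\[\d{1,3}(?:\.\d{1,3}){3}\]")

def hops(raw):
    """Received lines as dicts, earliest hop first (relays prepend theirs)."""
    out = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())              # unfold continuation lines
        m = HOP.search(flat)
        if m:                                       # skip lines without from/by
            out.append({"from": m.group(1), "by": m.group(2),
                        "stamp": flat.rsplit(";", 1)[-1].strip()})
    return out

def findings(raw):
    msg, chain, notes = message_from_string(raw), hops(raw), []
    if not chain:
        return ["no-received-lines"]
    if IP_LITERAL.fullmatch(chain[0]["from"]):
        notes.append("origin-is-bare-ip")           # no host name recorded
    for earlier, later in zip(chain, chain[1:]):    # "by" should feed next "from"
        if earlier["by"].lower() != later["from"].lower():
            notes.append("chain-break:" + earlier["by"])
    if "unverified" in (msg.get("X-Sender") or "").lower():
        notes.append("x-sender-unverified")
    try:    # Date: is written by the sender; the first stamp by the first relay
        gap = parsedate_to_datetime(chain[0]["stamp"]) - parsedate_to_datetime(msg["Date"])
        if abs(gap.total_seconds()) > 3600:
            notes.append("date-skew-seconds:%d" % gap.total_seconds())
    except (TypeError, ValueError):
        notes.append("unparseable-date")
    return notes
```

On these headers `findings(RAW)` reports the bare-IP origin, the X-Sender marker, and a gap of just under twelve hours between the sender-written Date: and the time smtp1.interramp.com logged the message; the relay chain itself is consistent from hop to hop.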