
Re: Hack attempt? "12 days" from anon.com



Are they trying to access Snoopy's doghouse ?

Pierre Bourque
Mercenary Scribbler
SurfBoard: <a href=" http://www.achilles.net/~pierre ">here</a>
And on the Left Coast: [email protected]



On Sun, 25 Feb 1996, Rishab Aiyer Ghosh wrote:

> 
> Regarding the mysterious mail from [email protected]
> that many people have received:
> 1. The mail was apparently sent by a daemon bouncing
>    an undeliverable mail. anon.com is a "virtual domain"
>    hosted at io.com, so it's unlikely that the daemon would
>    have an anon.com address. 
> 2. Headers show it was routed through 38.10.221.81 and
>    smtp1.interramp.com. That IP address showed up as
>    ip81.la.ca.interramp.com the first time I tried a 
>    traceroute. The second time it showed up as 
>    ip81.syracuse.ny.interramp.com. In any case, traceroute
>    went recursive between los-angeles.ca.isdn.psi.net
>    (38.145.221.110) and lan.losangeles.ca.psi.net
>    (38.145.221.1). This indicates the target could not be
>    reached - perhaps it's a PPP address, or disconnected.
> 3. There is an X-Sender: (Unverified) header entry. So the
>    mail was SMTP faked without the HELO protocol.
> 4. The error purporting to originate from [email protected]
>    says the mail was addressed to [email protected]. loacst.org
>    is not a registered domain.
> 5. PeppermintPty is obviously Peppermint Patty; the "original message"
>    is signed Marcie. Peanut fans will recognise these characters.
> 
> So - what was it all about? An elaborate prank? A convoluted NSA
> plot? I would lean towards the first, but perhaps we'll know
> on March 1st, the date to "gain access to target".
> 
> Rishab
> ps. the copy I received follows:
> 
> >From [email protected]  Fri Feb 23 20:08:00 1996
> Received: from m-net148.arbornet.org (m-net.arbornet.org [148.59.250.2]) by shellx.best.com (8.6.12/8.6.5) with SMTP id UAA20969 for <[email protected]>; Fri, 23 Feb 1996 20:07:44 -0800
> Received: from smtp1.interramp.com by m-net148.arbornet.org with smtp
>         (Smail3.1.29.1 #4) id m0tqBGv-0009SHC; Fri, 23 Feb 96 23:07 WET
> Received: from [38.10.221.81] by smtp1.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp)
>         id XAA24970; Fri, 23 Feb 1996 23:06:42 -0500
> X-Sender:  (Unverified)
> Message-Id: <v01520db9ad53979e9858@[38.10.221.81]>
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> Date: Fri, 23 Feb 1996 08:11:33 -0800
> To: (Recipient list suppressed)
> From: [email protected] (System Mail Manager)
> Subject: Twelve Days of Christmas
> Status: RO
> 
> 
> -- <System Report> --
> UNDELIVERABLE MAIL: Unknown Host("[email protected]")
> UNDELIVERABLE MAIL: Bad Key
> 
> -- <Original Message Follows> --
> 
> *** TOP LEVEL: DESTROY IMMEDIATELY UPON READING ***
> *** DO NOT PRINT OR SAVE. Code1.8 Table2Hex6    ***
> 
> DAY 10: DR. BLACK located a promising entry point at the target site. DR.
> BLACK recovered four of the six password tokens before his position was
> compromised. DR. BLACK will be replaced by DR. ORANGE.
> 
> Estimated time to recover the remaining two password tokens and gain access
> to target: EIGHT DAYS (03.01.96)
> 
> Confidence is HIGH.
> 
> My team has been working around the clock for a month now. Please tell your
> people to be more tolerant. Yelling doesn't help anything.
> 
> Marcie
> 
> 
> 
> 
> 
>
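
Added example, not part of either post: the header reading from points 2 and 3 of the quoted message, done mechanically over the trace lines quoted there. It checks that the relay chain is contiguous, that the oldest hop recorded only an address literal, and how far the client-set Date: is from the first relay timestamp; the function names are illustrative.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Trace headers copied from the quoted message above (body omitted).
RAW = """\
Received: from m-net148.arbornet.org (m-net.arbornet.org [148.59.250.2]) by shellx.best.com (8.6.12/8.6.5) with SMTP id UAA20969 for <[email protected]>; Fri, 23 Feb 1996 20:07:44 -0800
Received: from smtp1.interramp.com by m-net148.arbornet.org with smtp
        (Smail3.1.29.1 #4) id m0tqBGv-0009SHC; Fri, 23 Feb 96 23:07 WET
Received: from [38.10.221.81] by smtp1.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp)
        id XAA24970; Fri, 23 Feb 1996 23:06:42 -0500
X-Sender:  (Unverified)
Date: Fri, 23 Feb 1996 08:11:33 -0800
Subject: Twelve Days of Christmas

"""

def hops(raw):
    """Return Received hops oldest-first as (from_host, by_host, timestamp)."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        m = re.match(r"from\s+(\S+).*?\bby\s+(\S+)", value, re.S)
        stamp = value.rpartition(";")[2].strip()
        out.append((m.group(1), m.group(2), stamp))
    return out[::-1]  # each relay prepends its line, so reverse

def chain_is_contiguous(chain):
    """Each relay's 'by' host should be the next hop's 'from' host."""
    return all(a[1] == b[0] for a, b in zip(chain, chain[1:]))

def origin_is_bare_ip(chain):
    """True when the first relay logged only a literal such as [1.2.3.4]."""
    return re.fullmatch(r"\[\d{1,3}(\.\d{1,3}){3}\]", chain[0][0]) is not None

def date_gap_hours(raw):
    """Hours between the sender-supplied Date: and the first relay's stamp."""
    sent = parsedate_to_datetime(message_from_string(raw)["Date"])
    first_seen = parsedate_to_datetime(hops(raw)[0][2])
    return (first_seen - sent).total_seconds() / 3600

if __name__ == "__main__":
    chain = hops(RAW)
    for src, dst, stamp in chain:
        print(f"{src:28} -> {dst:24} {stamp}")
    print("contiguous relay chain:", chain_is_contiguous(chain))
    print("origin is bare IP literal:", origin_is_bare_ip(chain))
    print("Date: vs first relay (hours):", round(date_gap_hours(RAW), 2))
```

Only the Received lines are written by relays; Date: and From: are whatever the submitting client chose to send.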