
Email forgery



-----BEGIN PGP SIGNED MESSAGE-----

This is a very strange forgery.  It appears that the attacker used
fcaglp.fcaglp.unlp.edu.ar as a relay.  This machine is running an old version
of HP sendmail that apparently accepts any hostname the user enters after
"helo".  I tried sending myself fakemail using this site but haven't got a
response yet.  The interesting thing is that the attacker used the hostname
echotech.com and not iquest.net.  echotech.com is a real domain so the attacker
might have been dumb enough to connect from echotech.com and enter the real
origin.  Or the SMTP server might just pretend it's fooled and put the real
hostname in the received header regardless of what's entered after the helo.
I'm not familiar with HP sendmail so I don't know whether this is true or not.

On Sun, 9 Feb 1997, Bovine Remailer wrote:

> Date: Sun, 9 Feb 1997 08:42:45 -0500 (EST)
> From: Bovine Remailer <[email protected]>
> To: [email protected]
>
> NEW ATTACK ON CP LIST
>
>
> >Date: Sun, 9 Feb 1997 03:55:04 -0500
> >From: Linda Thompson <[email protected]>
> >To: [email protected]
> >Cc: [email protected]
> >Subject: URGENT
> >
> >Someone is sending THREATS to the President and Senate and using *MY* name
> >and account to do it.  One bounced and was sent to me.  You should be able
> >to find out where it came from by the message I.D.  I think it is EXTREMELY
> >important that you find out where this came from!!
> >
> >Also, earlier in the day, I got a message that I was subscribed by
> >"majordomo" to cypherpunks.  I did NOT subscribe to cypherpunks and I would
> >bet that whoever did THAT also sent this message.
> >
> >Here's the threat message:
> >
> >Return-Path: <[email protected]>
> >Delivered-To: [email protected]
> >Received: (qmail 29848 invoked from network); 9 Feb 1997 02:51:40 -0000
> >Received: from fcaglp.fcaglp.unlp.edu.ar (163.10.4.1)
> >  by iquest3.iquest.net with SMTP; 9 Feb 1997 02:51:40 -0000
> >Received: by fcaglp.fcaglp.unlp.edu.ar
> >	(1.38.193.4/16.2) id AI19659; Sat, 8 Feb 1997 23:49:27 -0300
> >Message-Id: <[email protected]>
> >Date: Sat, 8 Feb 1997 05:12:37 -0300
> >From: [email protected] (Mail Delivery Subsystem)
> >Subject: Returned mail: User unknown
> >To: [email protected]
> >X-UIDL: 85c7fe8ecdc2605eb6bc80bfa71b223e
> >Status: U
> >
> >   ----- Transcript of session follows -----
> >550 xfAA16374: line 6: [email protected]... User unknown
> >
> >   ----- Unsent message follows -----
> >Received: from echotech.com by fcaglp.fcaglp.unlp.edu.ar with SMTP
> >	(1.38.193.4/16.2) id AA16374; Sat, 8 Feb 1997 05:12:37 -0300
> >Message-Id: <[email protected]>
> >Date: Sat, 8 Feb 1997 05:12:37 -0300
> >From: [email protected]
> >Return-Path: <[email protected]>
[recipient list deleted]
> >Reply-To: [email protected]
> >Return-Receipt-To: [email protected]
> >Comment: Authenticated sender is <[email protected]>
> >Subject: message to USSA Senate
> >
> >All files on the Senate's computers will be deleted by our
> >gang of cypherpunks dedicated to the eradication of your systems.



Mark
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

-----END PGP SIGNATURE-----
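
The Received chain discussed in the message above can be audited mechanically. The following is an added example, not part of the original post: it parses the three Received headers quoted in the bounce and marks which hop names are backed by a peer address written down by the receiving MTA and which are only a name, as with echotech.com. The function names and the classification labels are assumptions made for this illustration.

```python
import re

# Received header values copied from the bounce quoted in the post, newest first.
RECEIVED = [
    "from fcaglp.fcaglp.unlp.edu.ar (163.10.4.1) by iquest3.iquest.net with SMTP; "
    "9 Feb 1997 02:51:40 -0000",
    "by fcaglp.fcaglp.unlp.edu.ar (1.38.193.4/16.2) id AI19659; "
    "Sat, 8 Feb 1997 23:49:27 -0300",
    "from echotech.com by fcaglp.fcaglp.unlp.edu.ar with SMTP "
    "(1.38.193.4/16.2) id AA16374; Sat, 8 Feb 1997 05:12:37 -0300",
]

# Only a parenthesised comment directly after the "from" name counts as peer info.
# This keeps the sendmail version string (1.38.193.4/16.2) from being read as an IP.
FROM_RE = re.compile(r"^from\s+(?P<name>\S+)(?:\s+\((?P<peer>[^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(?P<by>[\w.-]+)", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hop(value):
    """Split one Received value into claimed sender name, peer IP and receiving host."""
    value = " ".join(value.split())          # unfold continuation lines
    m_from = FROM_RE.match(value)
    m_by = BY_RE.search(value)
    peer = (m_from.group("peer") or "") if m_from else ""
    ip = IPV4_RE.search(peer)
    return {
        "claimed": m_from.group("name") if m_from else None,
        "peer_ip": ip.group(0) if ip else None,
        "by": m_by.group("by") if m_by else None,
    }


def classify(hop):
    if hop["claimed"] is None:
        return "local"          # no "from" clause: generated or requeued on that host
    if hop["peer_ip"] is None:
        return "unverified"     # name only; could be nothing more than the HELO argument
    # Assumption: an IPv4 address right after the name was recorded by the receiver.
    return "peer-recorded"


def audit(headers):
    """Return (receiving host, claimed name, peer IP, label) for each hop."""
    hops = [parse_hop(h) for h in headers]
    return [(h["by"], h["claimed"], h["peer_ip"], classify(h)) for h in hops]


if __name__ == "__main__":
    for row in audit(RECEIVED):
        print(row)
```

The oldest hop is the one that matters for attribution here: it carries a name but no address, so the header alone cannot settle whether echotech.com was the real origin or just what was typed after "helo".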