Great Circle Associates Firewalls
(April 1996)

Subject: Re: Fakemail
From: marchany @ vtserf . cc . vt . edu
Date: Thu, 25 Apr 96 10:41:14 -0400
To: Michael Baumann <baumann @ proton . llumc . edu>
Cc: firewalls @ GreatCircle . com, marchany @ vtserf . cc . vt . edu
In-reply-to: Your message of "Wed, 24 Apr 96 18:21:51 PDT." <Pine . SUN . 3 . 91 . 960424181014 . 11406J-100000 @ mycroft . llumc . edu>

I've been following the fakemail thread for some time and nobody has mentioned 
that it is quite trivial to trace the note back to the originating machine.
"Trivial" if you have logs at your 'access' points into your net.

We have a central mail server for our site (mail.org) that is basically a huge 
POP, SMTP mail system. We log just about everything that comes into the machine 
using the standard syslog, tcp wrapper and similar tools. It handles about 1.5 
million local deliveries a week and we average about 7 email related complaints 
a week (fakemail, obscene mail). Yes, it is a lot of log information (600-800MB
a month) and we offload those logs to CD (ftp them to a system w/ a CD burner) 
for permanent storage. However, we've had good success in tracing a note back to 
a machine. Now, proving the owner of the ID was the SAME person is obviously 
more difficult. That's where other types of controls factor in the equation.

We have public sites here but in order to use the systems, a person has to sign 
in (with ID) to use the machine. (Policy, Policy, Policy). This helps us in the 
case of netscape type mailers on insecure platforms (PC/Macs). Sure, this
doesn't apply in email outside our site but if the offending note came from our 
site to yours, we could probably help you identify its trail through our site.

You need an interlocking series of policy decisions and actions to help defeat 
the fakemail stuff. Logging traffic at your individual systems, network access 
points (tacacs type stuff), sign-in policies at public sites like labs, 
archiving logs for permanent storage, etc. all make it easier to track down the 
offender. It doesn't solve everything but it narrows the field considerably. 
Yes, it takes a lot of time to set up and maintain but then you have to consider
the consequences of NOT doing anything. Unfortunately, sometimes it takes a
really bad incident to wake up mgt.

Hope this helps.

	-Randy Marchany
	VA Tech Computing Center
	Blacksburg, VA 24060

Internet: http://www.bev.net
email: randy . marchany @ vt . edu
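The tracing procedure Randy describes (queue id from the complainant's headers, sendmail syslog entry for that id, then the lab sign-in roster for the relay machine) as an added example; this is illustration code, not anything from the original post or from VA Tech. The log lines and sign-in records are constructed, and the syslog format only approximates sendmail's "qid: from=..., relay=host [ip]" entries.

```python
import re
from datetime import datetime

# Constructed sendmail-style syslog excerpt (not real traffic). A complaint
# normally hands us the queue id (here SAA11406) out of a Received: header.
SENDMAIL_LOG = """\
Apr 24 18:20:03 mail sendmail[11401]: SAA11401: from=<alice@example.edu>, size=512, class=0, relay=pc17.lab.example.edu [10.1.2.17]
Apr 24 18:21:51 mail sendmail[11406]: SAA11406: from=<president@example.edu>, size=880, class=0, relay=pc23.lab.example.edu [10.1.2.23]
Apr 24 18:21:52 mail sendmail[11406]: SAA11406: to=<victim@llumc.edu>, delay=00:00:01, stat=Sent
"""

# Constructed public-lab sign-in records: (machine, signed in, signed out, id shown at the desk)
SIGNINS = [
    ("pc23.lab.example.edu", "Apr 24 17:55", "Apr 24 18:40", "jdoe"),
    ("pc23.lab.example.edu", "Apr 24 18:45", "Apr 24 19:30", "msmith"),
    ("pc17.lab.example.edu", "Apr 24 18:00", "Apr 24 18:30", "alice"),
]

# Only the "from=" line of a queue id carries the relay host and address.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d):\d\d \S+ sendmail\[\d+\]: (\w+): from=<([^>]*)>"
    r".*relay=(\S+) \[([\d.]+)\]")

def find_origin(qid, log=SENDMAIL_LOG):
    """Return (minute timestamp, envelope sender, relay host, relay IP) for a queue id."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == qid:
            return m.group(1), m.group(3), m.group(4), m.group(5)
    return None

def who_was_signed_in(host, when, signins=SIGNINS, year=1996):
    """IDs signed in at `host` whose session covers the syslog timestamp."""
    fmt = "%b %d %H:%M"
    t = datetime.strptime(when, fmt).replace(year=year)
    return [uid for (h, start, end, uid) in signins
            if h == host
            and datetime.strptime(start, fmt).replace(year=year) <= t
            <= datetime.strptime(end, fmt).replace(year=year)]

def trace(qid):
    """Queue id -> originating machine, plus the sign-in record that covers it."""
    origin = find_origin(qid)
    if origin is None:
        return None  # not in this log: look at the next hop's logs instead
    when, sender, host, ip = origin
    return {"sender": sender, "host": host, "ip": ip,
            "signed_in": who_was_signed_in(host, when)}
```

The sign-in match only narrows the field to whoever showed ID at that desk; as the post says, tying the account to the same person still needs other controls.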


