I've been following the fakemail thread for some time and nobody has mentioned
that it is quite trivial to trace the note back to the originating machine.
"Trivial" if you have logs at your 'access' points into your net.

We have a central mail server for our site (mail.org) that is basically a huge
POP, SMTP mail system. We log just about everything that comes into the machine
using the standard syslog, tcp wrapper and similar tools. It handles about 1.5
million local deliveries a week and we average about 7 email related complaints
a week (fakemail, obscene mail). Yes, it is a lot of log information (600-800MB
a month) and we offload those logs to CD (ftp them to a system w/ a CD burner)
for permanent storage. However, we've had good success in tracing a note back to
a machine. Now, proving the owner of the ID was the SAME person is obviously
more difficult. That's where other types of controls factor in the equation.

We have public sites here but in order to use the systems, a person has to sign
in (with ID) to use the machine. (Policy, Policy, Policy). This helps us in the
case of Netscape-type mailers on insecure platforms (PC/Macs). Sure, this
doesn't apply in email outside our site but if the offending note came from our
site to yours, we could probably help you identify its trail through our site.

You need an interlocking series of policy decisions and actions to help defeat
the fakemail stuff. Logging traffic at your individual systems, network access
points (TACACS type stuff), sign-in policies at public sites like labs,
archiving logs for permanent storage, etc. all make it easier to track down the
offender. It doesn't solve everything but it narrows the field considerably.
Yes, it takes a lot of time to set up and maintain but then you have to consider
the consequences of NOT doing anything. Unfortunately, sometimes it takes a
really bad incident to wake up mgt.

Hope this helps.

VA Tech Computing Center
Blacksburg, VA 24060
email: randy .
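The trace the post describes (message-ID in the complaint, mail-server syslog to find the relaying machine, lab sign-in roster to find who was at that machine) can be scripted. The following is an added example, not code from the original post or from the VA Tech site; the sendmail-style syslog lines, host names, user IDs and the sign-in roster format are all constructed for illustration, and the queue-id/field layout assumes a sendmail 8-style log.

```python
"""Trace a complained-about message back to a machine and a signed-in user.

Added example (not the original poster's tooling).  Inputs are constructed:
sendmail-style syslog lines from a central mail host and a public-lab sign-in
roster of (machine, date, signed_in, signed_out, user_id).
"""
import re
from datetime import datetime

# Constructed sendmail-style syslog lines.  Hosts, addresses and ids are made up.
SYSLOG_LINES = [
    "Mar  3 14:02:11 mail sendmail[1123]: OAA01123: from=<prof@example.edu>, "
    "size=512, msgid=<199603031402.OAA01123@mail.org>, "
    "relay=labpc17.example.edu [10.1.5.17]",
    "Mar  3 14:02:12 mail sendmail[1124]: OAA01123: to=<victim@other.org>, "
    "delay=00:00:01, stat=Sent",
    "Mar  3 14:05:40 mail sendmail[1130]: OAA01130: from=<alice@example.edu>, "
    "size=220, msgid=<199603031405.OAA01130@mail.org>, "
    "relay=host22.example.edu [10.1.9.22]",
]

# Constructed lab sign-in roster: who was signed in at which public machine.
ROSTER = [
    ("labpc17", "1996-03-03", "09:00", "11:30", "msmith"),
    ("labpc17", "1996-03-03", "13:45", "15:10", "jdoe"),
    ("host22", "1996-03-03", "13:00", "16:00", "alice"),
]

SENDMAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$"
)


def parse_syslog(lines, year):
    """Yield (timestamp, queue_id, fields) for each sendmail line.

    syslog timestamps carry no year, so the caller supplies it (known from the
    archive the log came from).
    """
    for line in lines:
        m = SENDMAIL_RE.match(line)
        if not m:
            continue  # not a sendmail line; tcp wrapper etc. are ignored here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        fields = {}
        for part in m["rest"].split(", "):
            key, _, value = part.partition("=")
            fields[key] = value
        yield ts, m["qid"], fields


def find_origin(lines, year, msgid):
    """Return (timestamp, relay_host, claimed_sender) for the from= line that
    carries msgid, or None if the log does not contain it."""
    want = msgid.strip("<>")
    for ts, _qid, f in parse_syslog(lines, year):
        if f.get("msgid", "").strip("<>") == want and "relay" in f:
            relay_host = f["relay"].split()[0]  # drop the "[ip]" suffix
            return ts, relay_host, f.get("from")
    return None


def who_was_signed_in(roster, host, ts):
    """Return user IDs whose sign-in interval on `host` covers `ts`."""
    short = host.split(".")[0]
    hits = []
    for machine, day, t_in, t_out, user in roster:
        if machine != short:
            continue
        start = datetime.strptime(f"{day} {t_in}", "%Y-%m-%d %H:%M")
        end = datetime.strptime(f"{day} {t_out}", "%Y-%m-%d %H:%M")
        if start <= ts <= end:
            hits.append(user)
    return hits


def trace(lines, roster, year, msgid):
    """Full trace: message-ID -> relaying machine -> signed-in user(s).

    The claimed From: address is reported alongside the roster hit so the
    mismatch (the post's "proving the owner of the ID was the SAME person")
    is visible rather than assumed.
    """
    origin = find_origin(lines, year, msgid)
    if origin is None:
        return None
    ts, host, sender = origin
    return {
        "timestamp": ts,
        "relay": host,
        "claimed_from": sender,
        "signed_in": who_was_signed_in(roster, host, ts),
    }


if __name__ == "__main__":
    print(trace(SYSLOG_LINES, ROSTER, 1996, "<199603031402.OAA01123@mail.org>"))
```

The roster lookup only narrows the field, as the post says: it names who was signed in at the relaying machine, not who typed the message, and a message whose ID is absent from the archived log (or whose relay is an off-site host) returns None rather than a guess. Running it against real logs means feeding it the archived syslog for the right year and the sign-in sheets for the same day.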
From: Michael Baumann <baumann @