Great Circle Associates Firewalls
(November 1993)
 


Subject: Re: Am I spoofed or compromised?
From: "Michael S. Hines" <MSHINES @ freh-03ms . adpc . purdue . edu>
Date: 24 Nov 93 16:46:07 EST
To: firewalls @ greatcircle . com
Priority: normal

For your info..

There were two articles in Phrack Vol 41 regarding faking SMTP mailers...
I think you've been had.  One was an "Anonymous Mail Poster" by Sir
Hackalot, and the second was "The POWER of Electronic Mail" by The
Racketeer.

Either article gives you enough info to spoof anyone's mail to anyone
else.

Mike Hines
PCERT

---------------------------------

>I have been told that somebody is posting messages to
>alt.binaries.pictures.erotica in my name. Checking out (blush) I find
>messages with headers like the one below:
>
>
>    From toreh @ bootes . sds . no Wed Nov 24 18:48:36 1993
>    Newsgroups: alt.binaries.pictures.erotica
>    Path: nntp-oslo.uninett.no!nac.no!kth.se!sunic!EU.net!uunet!world!dwk
>    From: "The Guest"
>    Subject: mpg viewer   betsy1.jpg 1 of 1
>    Message-ID: <CGnMEy . EMC @ world . std . com>
>    Followup-To: Any-One Who Cares
>    Keywords: erotica
>    Sender: The Guest
>    Organization: Not Of This World
>    Date: Wed, 17 Nov 1993 21:01:40 GMT
>    Lines: 946
>
>
>I do not know much about mail spoofing. Our site is behind two routers,
>no bastion host:
>
>--------------- Internet -----------------
>        |
>        Router1
>        |
>--------------- Public services net ------
>        |
>        Router2
>        |
>--------------- Internal net -------------
>        |
>         bootes
>
>We read news from nntp-oslo.uninett.no.
>We let mail, dns, ntp in through the routers. We disallow any udp below
>1023. Also nfs. Outbound tcp is allowed.
>
>bootes is a one-man ultrix workstation. I can find no traces of tricking
>with hosts, passwd .rhosts files. My syslog files go back to Nov 17.
>
>I am worried...
>
>-- tore
>
----------------------------------------------------------------------
Internet:  mshines @ ia . purdue . edu |  Michael S. Hines
Bitnet:    michaelh @ purccvm         |  Sr. Information Systems Auditor
Purdue WIZARD Mail: MSHINES           |  Purdue University
GTE Net: (317) 494-5845               |  1065 Freehafer Hall
CompuServe: 73240,1631                |  West Lafayette, IN 47907-1065
America OnLine:  mysterios            |

