Great Circle Associates Firewalls
(January 1997)

Subject: Re: Faked mail or break-in?
From: "Nelu Dumitru" <nelu @ matco . ro>
Date: Thu, 30 Jan 1997 14:40:58 -0800
To: <Firewalls @ GreatCircle . COM>, "Chih-hung Feng" <chfeng @ iii . org . tw>

Here is another possibility: to telnet to port 25 and make the messages
"by hand". In this case your SMTP server will forward the messages.

Regards,
Nelu

----------
> From: Chih-hung Feng <chfeng @ iii . org . tw>
> To: Firewalls @ GreatCircle . COM
> Subject: Faked mail or break-in?
> Date: Thursday, January 30, 1997 8:26 AM
> 
> Greetings,
> 
> I apologize that this message is slightly off-topic to this list. But I
> am sure if I need a quick answer, here is the most likely place to get
> one.
> 
> One of my colleagues received a foul-mouthed intimidating letter the other
> day, possibly due to his posts in some newsgroup. The mail was deliberately
> faked so we could not identify the origin. But what troubled us most was its
> header, going something like this:
> 
> >From FxckYou @ Hell Mon Jan 27 13:44:02 1997
> Return-Path: <Mailer-Daemon>
> Received: from hostC.xyz.edu.tw by hostD.iii.org.tw (SMI-8.6/SMI-SVR4)
> 	id NAA21246; Mon, 27 Jan 1997 13:44:01 +0800
> Received: from hostB.xyz.edu.tw by hostC.xyz.edu.tw with SMTP
> 	(1.37.109.20/16.2) id AA192423485; Mon, 27 Jan 1997 13:38:05 +0800
> Received: from [IP of hostA.iii.org.tw] by hostB.xyz.edu.tw (4.1/SMI-4.1)
>         id AA02412; Mon, 27 Jan 97 13:37:14 CST
> Date: Mon, 27 Jan 97 13:36:32 CST
> From: FxckYou @ Hell
> Message-Id: <9701270537 . AA02412 @ hostB . xyz . edu . tw>
> Apparently-To: my-colleague @ hostD . iii . org . tw
> Content-Length: 153
> Status: RO
> 
> As you can see, the mail header indicated that it started at hostA (in my
> company), through hostB and hostC (both located in a university here), to the
> mailbox in hostD.
> 
> My organization is protected only by routers, in which all incoming traffic is
> forbidden except TCP/port 25 and WWW (only to certain Web servers). We
> started an investigation at hostA and could not find any traces to suggest a
> break-in. So far we have arrived at 3 possible scenarios for this event:
> 
> 1. hostA was compromised (we have done some enhancement of its security).
> 
> 2. it was a joke from one of our own employees, which is not likely.
> 
> 3. the mail route was faked by unknown mechanisms, e.g. source routing (I am
>    not good at this). Could you identify or suggest it for me?
> 
> Any opinions and comments will be appreciated.
> 
> --
> Chih-hung Feng (¶¾§Ó¥°) Institute for Information Industry(III)
> TEL  :   02-5643588 ext 174                  FAX  :  02-5643775
> EMAIL:   <chfeng @ iii . org . tw>          <chfeng @ netrd . iii . org . tw>
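The header-reading exercise in the quoted message (which host wrote which Received: line, where the recorded path actually begins, and whether the envelope and header senders agree) can be done mechanically. The following Python script is an added example, not code from either poster or from this list. It parses the Received: chain, rebuilds the hop order and flags the points a defender checks on a suspect header. The sample headers are constructed from the quoted block: the abusive From: address is replaced by the placeholder nobody@Hell, and the IP that the post elides as "[IP of hostA.iii.org.tw]" is stood in for by the documentation address 192.0.2.10.

```python
import re
from email import message_from_string
from email.utils import parsedate_tz, mktime_tz

# Constructed sample based on the header block quoted in the thread.
# The abusive From: address is a placeholder, and the bracketed IP that the
# post elides as "[IP of hostA.iii.org.tw]" is the documentation address
# 192.0.2.10 standing in for it.
SAMPLE = """\
Return-Path: <Mailer-Daemon>
Received: from hostC.xyz.edu.tw by hostD.iii.org.tw (SMI-8.6/SMI-SVR4)
\tid NAA21246; Mon, 27 Jan 1997 13:44:01 +0800
Received: from hostB.xyz.edu.tw by hostC.xyz.edu.tw with SMTP
\t(1.37.109.20/16.2) id AA192423485; Mon, 27 Jan 1997 13:38:05 +0800
Received: from [192.0.2.10] by hostB.xyz.edu.tw (4.1/SMI-4.1)
        id AA02412; Mon, 27 Jan 97 13:37:14 CST
Date: Mon, 27 Jan 97 13:36:32 CST
From: nobody@Hell
Message-Id: <9701270537.AA02412@hostB.xyz.edu.tw>
Apparently-To: my-colleague@hostD.iii.org.tw
Content-Length: 153

(body omitted)
"""

# "from <client> by <this MTA>": the "by" host wrote the line; the "from"
# part is only what that host saw on the wire or was told.
HOP_RE = re.compile(r"from\s+(?P<from>\S+)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
ID_RE = re.compile(r"\bid\s+([^\s;]+)")
NUMERIC_TZ = re.compile(r"[+-]\d{4}$")
IP_LITERAL = re.compile(r"\[[0-9.]+\]")


def parse_hops(raw):
    """Return the Received: hops in delivery order (earliest relay first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        idm = ID_RE.search(flat)
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "id": idm.group(1) if idm else "",
            "date": flat.rsplit(";", 1)[-1].strip() if ";" in flat else "",
        })
    hops.reverse()   # each MTA prepends its line, so the top line is the last hop
    return hops


def route(hops):
    """Host sequence as the headers claim it: first client, then each relay."""
    return [hops[0]["from"]] + [h["by"] for h in hops] if hops else []


def hop_time(date_str):
    """Epoch seconds, or None when the zone is a bare name such as CST, which
    Python reads as US Central but in this header means China Standard Time."""
    if not NUMERIC_TZ.search(date_str):
        return None
    parsed = parsedate_tz(date_str)
    return mktime_tz(parsed) if parsed else None


def audit(raw):
    """Checks a defender applies to a suspicious header; returns the findings."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    findings = []
    if not hops:
        return ["no Received: headers found"]
    # Each hop's "from" should name the host that wrote the previous line.
    for prev, cur in zip(hops, hops[1:]):
        if prev["by"].lower() != cur["from"].lower():
            findings.append(f"chain break: {cur['by']} received from {cur['from']}, "
                            f"but the previous line was written by {prev['by']}")
    # Timestamps must not run backwards; compare only unambiguous offsets.
    timed = [(h["by"], hop_time(h["date"])) for h in hops]
    known = [(host, t) for host, t in timed if t is not None]
    for (h1, t1), (h2, t2) in zip(known, known[1:]):
        if t2 < t1:
            findings.append(f"clock skew: {h2} stamped the message before {h1}")
    skipped = [host for host, t in timed if t is None]
    if skipped:
        findings.append("timestamp skipped (named zone is ambiguous): " + ", ".join(skipped))
    # Where the recorded path begins.
    first = hops[0]
    if IP_LITERAL.fullmatch(first["from"]):
        findings.append(f"injection point: {first['by']} accepted the message from "
                        f"{first['from']}, which announced no host name; nothing earlier is recorded")
    # Envelope sender vs. header sender.
    rp = (msg.get("Return-Path") or "").strip("<> ")
    sender = (msg.get("From") or "").strip()
    if rp and rp.lower() != sender.lower():
        findings.append(f"Return-Path <{rp}> does not match From: {sender}")
    # A Message-Id minted by the first relay means the client supplied none.
    mid = (msg.get("Message-Id") or "").strip("<> ")
    mid_host = mid.rsplit("@", 1)[-1] if "@" in mid else ""
    if mid_host and mid_host.lower() == first["by"].lower():
        findings.append(f"Message-Id was assigned by {mid_host}, the first relay")
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if domain and "." not in domain:
        findings.append(f"From: domain '{domain}' is not a resolvable mail domain")
    return findings


if __name__ == "__main__":
    print(" -> ".join(route(parse_hops(SAMPLE))))
    for finding in audit(SAMPLE):
        print("-", finding)
```

On the quoted header the script reports the path [192.0.2.10] -> hostB -> hostC -> hostD, a chain that is internally consistent, an injection point at hostB (which logged only a bare IP, so it saw nothing more than a TCP connection from that address), a Message-Id minted by hostB rather than by the sender's software, and a Return-Path that does not match the From: line. The chain check proves consistency, not truth: only the line added by your own MTA (hostD here) is known good, every lower line arrived inside the message and could have been typed in the raw SMTP session Nelu describes, and a forged line that is crafted to chain cleanly passes the check. The timestamp comparison deliberately skips bare zone names, since "CST" in these headers is +0800 while Python's parser treats it as US Central.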
