Great Circle Associates List-Managers
(March 1996)

Subject: Re: Recent forged subscriptions (fwd)
From: Robert S Brewer <rbrewer @ lava . net>
Date: Mon, 11 Mar 1996 11:19:31 -1000
To: Christopher Samuel <chris @ rivers . dra . hmg . gb>
Cc: list-managers @ greatcircle . com, postmaster @ malasada . lava . net, postmaster @ iquest . net
In-reply-to: Your message of "Mon, 11 Mar 1996 15:11:53 GMT." <12791.826557113@rivers.dra.hmg.gb>

In message Christopher Samuel <chris@rivers.dra.hmg.gb> writes:
>/*
> * Cc'd to the postmasters of the sites being abused as a "heads up"
> *
> * Summary for them: a lot of forged subscribe messages for various
> * users around the net have been issued using your sites as convenient
> * staging posts due to the mail software you use. This is not intended
> * as a flame at all, just as some information in case you were not aware.
> */
>
>Here are the edited highlights of a selection of the forged subscription
>messages I received; fortunately, the majordomo-owner of mono.org has hacked
>the code to include potentially useful information after the last round.
>Thanks Dave!
>
>The hosts malasada.lava.net and iquest.net seem to be implicated, but I
>suspect that is merely because they are running versions of SMail that
>don't appear to bother doing any checking on the name presented at the
>initial SMTP HELO greeting, and thus cannot be traced any further.

Thanks for the info. In our case, you are right in that the attacker was
just using us as a relay. The actual attack was traced back to a cracked
account at Netcom which has since been deactivated.

We have improved our Received header creation so that it now includes the
real IP address of the host sending the email, so future attacks can be
traced to the source without our intervention. We just added the following
to our config file for Smail (included for the benefit of other Smail admins):

# Record the connecting peer's IP address next to the name it gave at HELO,
# so relayed mail can be traced even when the HELO name is forged.
received_field="Received: \
        ${if def:sender_host\
                {from $sender_host [$sender_host_addr] by $primary_name\
                 ${if def:sender_proto: with $sender_proto}\
                \n\t(Smail$version #$compile_num) }\
        else {by $primary_name ${if def:sender_proto:with $sender_proto }\
                (Smail$version #$compile_num)\n\t}}\
        id $message_id; $spool_date"
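As an added example (not part of the original message, and not Smail's own code), a small Python parser for Received lines in the format the config above produces: it unfolds the continuation lines, walks the hops earliest-first, and reads the bracketed address the first recording MTA actually saw, which is the value that survives a forged HELO name. The hostnames, addresses, message ids and Smail version string in the sample are constructed.

```python
import re

# Constructed sample: two Received lines in the format of the received_field
# above (newest hop first, as in a real message), followed by ordinary headers.
SAMPLE_HEADERS = """\
Received: from malasada.lava.net [203.0.113.5] by majordomo.example.org with smtp
\t(Smail3.1.29.1 #4) id m0tvAbC-000ABCa; Mon, 11 Mar 1996 21:40:02 +0000
Received: from forged.helo.example [192.0.2.77] by malasada.lava.net with smtp
\t(Smail3.1.29.1 #2) id m0tv9xY-00012Ka; Mon, 11 Mar 1996 11:19:31 -1000
From: victim@example.net
Subject: subscribe
"""

# "from HOST [ADDR]" is absent in the else branch (locally submitted mail).
RECEIVED_RE = re.compile(
    r"^Received:\s*"
    r"(?:from\s+(?P<host>\S+)\s+\[(?P<addr>[0-9.]+)\]\s+)?"
    r"by\s+(?P<by>\S+)"
    r"(?:\s+with\s+(?P<proto>\S+))?"
    r"\s*\(Smail(?P<version>\S+)\s+#(?P<compile>\d+)\)\s*"
    r"id\s+(?P<id>\S+);\s*(?P<date>.+)$"
)

def unfold(raw):
    """Join RFC 822 continuation lines (lines starting with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(line):
    """Fields of one Received line, or None if it is not in this format."""
    m = RECEIVED_RE.match(line)
    return m.groupdict() if m else None

def trace(raw):
    """Hops earliest-first: each MTA prepends its line, so reverse the order."""
    hops = [h for h in (parse_received(l) for l in unfold(raw)) if h]
    return list(reversed(hops))

def origin(raw):
    """Address recorded by the first MTA; the HELO name beside it is
    client-supplied and cannot be trusted, the address can."""
    hops = trace(raw)
    return hops[0]["addr"] if hops and hops[0]["addr"] else None
```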
