Great Circle Associates List-Managers
(January 1997)
 


Subject: sendmail -f attack?
From: Mike Nolan <nolan @ celery . tssi . com>
Date: Tue, 28 Jan 1997 10:53:21 -0600 (CST)
To: list-managers @ GreatCircle . com (List Managers)
Reply-to: nolan @ tssi . com

It appears that someone at eds.com is sending mail to my mailing list
but altering it to appear to be coming from someone else.  I've received about
eight messages in the past hour apparently from a non-subscriber masquerading 
as someone else.   Below is an example.  

As best I can determine, it is coming from someone on either a system named 
'dilbert' or one named 'cameron' within eds.com, possibly from a user gfcastee 
who has access to sendmail with the -f flag.  (Am I reading the headers right?)
The Received headers on the original message (stripped by procmail/smartlist
but retained in my archives) also point towards EDS.

The mail seems to be coming from EDS, even though my sendmail logs show
it as coming from sstone@pvtnetworks.net.  (That's the author of an earlier
message to my list.)

I don't know if this is some kind of attack or just a user who is playing with
something or has a configuration problem.  I've written to the technical
contact at EDS to see if he has any suggestions.  Any advice from other
list managers?
--
Mike Nolan
nolan@tssi.com
> 
> From huskers-request@tssi.com  Tue Jan 28 10:25:59 1997
> Received: (from celery.tssi.com) by celery.tssi.com (8.7.5/8.7.3) id KAA31722; Tue, 28 Jan 1997 10:25:53 -0600
> Resent-Date: Tue, 28 Jan 1997 10:25:53 -0600
> From: sstone@pvtnetworks.net
> Message-ID: <199701281611.JAA25110@dilbert>
> X-Authentication-Warning: dilbert.neo.comm.eds.com: gfcastee set sender to sstone@pvtnetworks.net using -f
> To: huskers@tssi.com
> Date: Fri, 24 Jan 1997 11:56:56 -0600
> Resent-Message-ID: <"v-KIG3.0.bl7.FYYxo"@celery>
> Resent-From: huskers@tssi.com
> Subject: Unidentified subject!
> X-Mailing-List: <huskers@tssi.com> archive/latest/17516
> X-Loop: huskers@tssi.com
> Precedence: list
> Resent-Sender: huskers-request@tssi.com
> Status: RO
> 
> 
> 
> Resent-Message-ID: <"_vvTq.0.d_1.QFGwo"@celery>
> Resent-From: huskers@tssi.com
> X-Mailing-List: <huskers@tssi.com> archive/latest/17397
> X-Loop: huskers@tssi.com
> Precedence: list
> Resent-Sender: huskers-request@tssi.com
> 
> --LAB03985.854131936/cameron.neo.comm.eds.com.--
> 
> 
> 
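
The header reading asked about in the message above, as an added example that is not part of the original post or the list archive: a Python check that extracts sendmail's `X-Authentication-Warning` line from a message and reports which local user overrode the sender, on which host, and whether that host lies outside the claimed sender's domain. The sample message is a constructed subset of the headers quoted above; the function name and result keys are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a subset of the headers quoted in the message above.
SAMPLE = """\
From: sstone@pvtnetworks.net
Message-ID: <199701281611.JAA25110@dilbert>
X-Authentication-Warning: dilbert.neo.comm.eds.com: gfcastee set sender to sstone@pvtnetworks.net using -f
To: huskers@tssi.com
Subject: Unidentified subject!

(body omitted)
"""

# Shape of the warning as it appears in the quoted headers:
#   <submitting host>: <local user> set sender to <address> using -f
WARNING_RE = re.compile(
    r"^(?P<host>\S+): (?P<user>\S+) set sender to (?P<sender>\S+) using -f$"
)

def sender_overrides(raw_message):
    """Return one finding per X-Authentication-Warning that records a -f override.

    Function name and result keys are hypothetical, chosen for this example.
    """
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    findings = []
    for value in msg.get_all("X-Authentication-Warning", []):
        # Collapse folded header whitespace before matching.
        m = WARNING_RE.match(" ".join(value.split()))
        if not m:
            continue
        host = m.group("host").lower()
        claimed = parseaddr(m.group("sender"))[1].lower()
        domain = claimed.rpartition("@")[2]
        findings.append({
            "host": host,
            "local_user": m.group("user"),
            "claimed_sender": claimed,
            # The visible From: is the address the local user asked for.
            "matches_from": claimed == from_addr,
            # True when the submitting host is not inside the claimed domain.
            "foreign_domain": not (host == domain or host.endswith("." + domain)),
        })
    return findings

if __name__ == "__main__":
    for finding in sender_overrides(SAMPLE):
        print(finding)
```

The check depends on the submitting host's sendmail having added the warning, so a message without the header is not thereby shown to be genuine.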