1993-12-21 - Re: “Free Willy”

Header Data

From: rclark@nyx10.cs.du.edu (Robert W. F. Clark)
To: cypherpunks@toad.com
Message Hash: 6c20ccca39112cc453ac5ba20c1e1121a6807d67c1090710af68eab31fa08bfd
Message ID: <9312211629.AA07359@nyx10.cs.du.edu>
Reply To: N/A
UTC Datetime: 1993-12-21 16:35:09 UTC
Raw Date: Tue, 21 Dec 93 08:35:09 PST

Raw message

From: rclark@nyx10.cs.du.edu (Robert W. F. Clark)
Date: Tue, 21 Dec 93 08:35:09 PST
To: cypherpunks@toad.com
Subject: Re:  "Free Willy"
Message-ID: <9312211629.AA07359@nyx10.cs.du.edu>
MIME-Version: 1.0
Content-Type: text/plain



Michael E. Marrotta writes:

> Which does show the Wisconsin 144 stuff, but none of the Delphi-
> Bix-UUnet nonsense.  So what am I to make of this?  Two sharp
> 'punks finger this as coming from (through?) Wisconsin 144.  So,
> I conclude that this spoofer goes to U-Wisc.  He has accounts on
> Bix and Delphi.  He forwards Free Willy from 144 to Delphi to Bix
> and from there to toad.  But Ferguson didn't have Delphi and Bix
> in his solution.  And, again, the message came to me with just the
> address of the Presidential Palace in Federal City.

Not necessarily; I tried telgate, and it accepts connections
from anywhere.  This makes it ideal for spoofing, as only if
a log is kept of remote connections could the true location
of the spoofer be discovered.

Even in that case, a savvy user of PADs and other non-Internet
functions could easily add another layer of concealment to
an already fairly clever spoof.

The spoofer _may_ be at uwisc, but it is also possible
that a telnet gate collector is at work here.  There are
dozens of Cisco servers, X.25 gateways, etc., which
allow public access from any site.

The wise choice is, of course, to disable both incoming
and outgoing interdomain telnet connections from these
gateways.  However, this is not always done.
----
Robert W. F. Clark
rclark@nyx.cs.du.edu
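
The tracing point made in the message above (an open gateway hides the origin unless remote connections are logged), shown as an added example that is not part of the original message: it joins a relay's inbound session records with its outbound connections to recover the origin behind each outbound mail connection. The log format, line names and host names are constructed assumptions, not output from any real gateway.

```python
from datetime import datetime

# Constructed sample log (hypothetical format, not from the original message):
#   "<timestamp> IN  <line> <remote-host> <open|close>"  inbound session events
#   "<timestamp> OUT <line> <dest-host> <port>"          outbound connections
GATEWAY_LOG = """\
1993-12-20T21:02:11 IN tty3 host-a.example.edu open
1993-12-20T21:03:40 IN tty5 dialup7.example.net open
1993-12-20T21:04:02 OUT tty5 mail.example.org 25
1993-12-20T21:05:30 IN tty3 host-a.example.edu close
1993-12-20T21:06:15 IN tty5 dialup7.example.net close
1993-12-20T21:09:00 OUT tty2 mail.example.org 25
"""


def parse(log_text):
    """Yield (time, direction, line, host, extra) for each well-formed record."""
    for raw in log_text.splitlines():
        parts = raw.split()
        if len(parts) != 5 or parts[1] not in ("IN", "OUT"):
            continue  # skip malformed or unrelated lines
        yield (datetime.fromisoformat(parts[0]), *parts[1:])


def trace_origins(log_text, port=25):
    """Map each outbound connection to `port` back to the inbound remote host.

    Returns (timestamp, destination, origin) tuples. origin is None when no
    inbound session was recorded on that line, which is the case where the
    destination can only ever see the gateway's own address.
    """
    active = {}    # gateway line -> remote host currently connected on it
    findings = []
    for ts, direction, line, host, extra in sorted(parse(log_text)):
        if direction == "IN":
            if extra == "open":
                active[line] = host
            elif extra == "close":
                active.pop(line, None)
        elif extra == str(port):
            findings.append((ts.isoformat(), host, active.get(line)))
    return findings


if __name__ == "__main__":
    for when, dest, origin in trace_origins(GATEWAY_LOG):
        print(when, dest, origin or "UNKNOWN (no inbound record)")
```
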



