1996-02-25 - Hack attempt? “12 days” from anon.com

Header Data

From: Rishab Aiyer Ghosh <rishab@best.com>
To: pierre@dragon.achilles.net (Pierre Bourque)
Message Hash: 681930bdfa724e21ecb20fd634dceeae89d8d4fe5beeb9e63532f348e2fd202c
Message ID: <199602251845.KAA09031@shellx.best.com>
Reply To: <Pine.SUN.3.91.960224183530.28777A-100000@dragon.achilles.net>
UTC Datetime: 1996-02-25 19:07:56 UTC
Raw Date: Mon, 26 Feb 1996 03:07:56 +0800

Raw message

From: Rishab Aiyer Ghosh <rishab@best.com>
Date: Mon, 26 Feb 1996 03:07:56 +0800
To: pierre@dragon.achilles.net (Pierre Bourque)
Subject: Hack attempt? "12 days" from anon.com
In-Reply-To: <Pine.SUN.3.91.960224183530.28777A-100000@dragon.achilles.net>
Message-ID: <199602251845.KAA09031@shellx.best.com>
MIME-Version: 1.0
Content-Type: text/plain



Regarding the mysterious mail from mailer-daemon@anon.com
that many people have received:
1. The mail was apparently sent by a daemon bouncing
   an undeliverable mail. anon.com is a "virtual domain"
   hosted at io.com, so it's unlikely that the daemon would
   have an anon.com address. 
2. Headers show it was routed through 38.10.221.81 and
   smtp1.interramp.com. That IP address showed up as
   ip81.la.ca.interramp.com the first time I tried a 
   traceroute. The second time it showed up as 
   ip81.syracuse.ny.interramp.com. In any case, traceroute
   went recursive between los-angeles.ca.isdn.psi.net
   (38.145.221.110) and lan.losangeles.ca.psi.net
   (38.145.221.1). This indicates the target could not be
   reached - perhaps it's a PPP address, or disconnected.
3. There is an X-Sender: (Unverified) header entry. So the
   mail was SMTP faked without the HELO protocol.
4. The error purporting to originate from mailer-daemon@anon.com
   says the mail was addressed to PeppermintPty@loacst.org. loacst.org
   is not a registered domain.
5. PeppermintPty is obviously Peppermint Patty; the "original message"
   is signed Marcie. Peanuts fans will recognise these characters.

So - what was it all about? An elaborate prank? A convoluted NSA
plot? I would lean towards the first, but perhaps we'll know
on March 1st, the date to "gain access to target".

Rishab
ps. the copy I received follows:

>From mailer-daemon@anon.com  Fri Feb 23 20:08:00 1996
Received: from m-net148.arbornet.org (m-net.arbornet.org [148.59.250.2]) by shellx.best.com (8.6.12/8.6.5) with SMTP id UAA20969 for <rishab@best.com>; Fri, 23 Feb 1996 20:07:44 -0800
Received: from smtp1.interramp.com by m-net148.arbornet.org with smtp
        (Smail3.1.29.1 #4) id m0tqBGv-0009SHC; Fri, 23 Feb 96 23:07 WET
Received: from [38.10.221.81] by smtp1.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp)
        id XAA24970; Fri, 23 Feb 1996 23:06:42 -0500
X-Sender:  (Unverified)
Message-Id: <v01520db9ad53979e9858@[38.10.221.81]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 23 Feb 1996 08:11:33 -0800
To: (Recipient list suppressed)
From: mailer-daemon@anon.com (System Mail Manager)
Subject: Twelve Days of Christmas
Status: RO


-- <System Report> --
UNDELIVERABLE MAIL: Unknown Host("PeppermintPty@loacst.org")
UNDELIVERABLE MAIL: Bad Key

-- <Original Message Follows> --

*** TOP LEVEL: DESTROY IMMEDIATELY UPON READING ***
*** DO NOT PRINT OR SAVE. Code1.8 Table2Hex6    ***

DAY 10: DR. BLACK located a promising entry point at the target site. DR.
BLACK recovered four of the six password tokens before his position was
compromised. DR. BLACK will be replaced by DR. ORANGE.

Estimated time to recover the remaining two password tokens and gain access
to target: EIGHT DAYS (03.01.96)

Confidence is HIGH.

My team has been working around the clock for a month now. Please tell your
people to be more tolerant. Yelling doesn't help anything.

Marcie
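
The header reading in points 2 and 3 of the post, as an added example that is not part of the original message: it parses the Received chain of the quoted bounce, reports which host injected the mail into the first relay, checks that each relay's "from" matches the previous relay's "by", and notes the unverified X-Sender and that the claimed anon.com domain never appears in the path. The headers are copied from the quoted bounce; the function names are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the bounce quoted above (copied from the post; body omitted).
BOUNCE_HEADERS = """\
Received: from m-net148.arbornet.org (m-net.arbornet.org [148.59.250.2]) by shellx.best.com (8.6.12/8.6.5) with SMTP id UAA20969 for <rishab@best.com>; Fri, 23 Feb 1996 20:07:44 -0800
Received: from smtp1.interramp.com by m-net148.arbornet.org with smtp
        (Smail3.1.29.1 #4) id m0tqBGv-0009SHC; Fri, 23 Feb 96 23:07 WET
Received: from [38.10.221.81] by smtp1.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp)
        id XAA24970; Fri, 23 Feb 1996 23:06:42 -0500
X-Sender:  (Unverified)
Message-Id: <v01520db9ad53979e9858@[38.10.221.81]>
From: mailer-daemon@anon.com (System Mail Manager)
"""

BARE_IP = re.compile(r"\[\d{1,3}(?:\.\d{1,3}){3}\]")


def received_hops(raw):
    """Received headers newest-first, each as (from_host, by_host, timestamp)."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        text = " ".join(str(hdr).split())        # unfold continuation lines
        clause, _, stamp = text.rpartition(";")  # timestamp follows the last ';'
        frm = re.match(r"from\s+(\S+)", clause)
        by = re.search(r"\bby\s+(\S+)", clause)
        hops.append((frm.group(1) if frm else "?", by.group(1) if by else "?", stamp.strip()))
    return hops


def chain_breaks(hops):
    """Indices where a header's 'from' is not the 'by' of the next-older header (relays prepend)."""
    return [i for i in range(len(hops) - 1) if hops[i][0] != hops[i + 1][1]]


def assess(raw):
    """Facts a defender checks before believing a bounce's claimed sender."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    origin = hops[-1][0] if hops else None       # what the first relay saw connecting
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "origin": origin,
        "origin_is_bare_ip": bool(origin and BARE_IP.fullmatch(origin)),
        "sender_unverified": msg.get("X-Sender", "").strip().lower() == "(unverified)",
        "claimed_domain_in_path": any(claimed in host.lower() for h in hops for host in h[:2]),
        "chain_breaks": chain_breaks(hops),
    }


if __name__ == "__main__":
    print(assess(BOUNCE_HEADERS))
```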