From: nobody@REPLAY.COM (Anonymous)
Date: Tue, 16 Dec 1997 01:31:08 +0800
To: cypherpunks@cyberpass.net
Subject: No Subject
In-Reply-To: <a3VcpW2klLwAYskYVqKWcw==@bureau42.ml.org>
Message-ID: <199712151722.SAA11051@basement.replay.com>
MIME-Version: 1.0
Content-Type: text/plain



bureau42 Anonymous Remailer <nobody@bureau42.ml.org> writes:

> On Sun, 14 Dec 1997 at 08:12:31 -0600 Human Gus-Peter wrote:

>> It is interesting to note that the emails from 
>> treasury.gov constituted the same type of 'threat' that 
>> Bell was roundly accused of by government officials and 
>> the press.

> I've seen brief mention of this before, but have never seen 
> any details on the list. Aside from Jim Choate questioning
> my arithmetic or attention span, would anyone be kind enough
> to provide pointers to information about incidents of c-p
> list members having received unsolicited email from .gov?

Check the archives.  There was plenty of discussion when it happened.

I'm convinced they used names pulled out of Bell's computer, not a
cypherpunks subscriber list as they sent my copy of the SPAM to an
email address that had long been retired at the time of the mailing,
but had been used to exchange email with Jim.  Far more active list
members than I didn't get a copy.

> Declan, did you catch a whiff of this when it happened? I 
> would think everyone's alarm bells would have gone off and 
> people would have been intensely interested in the messages 
> themselves, particularly the headers.

They did, and we were.  Here's a copy of one message I saved:

To: cypherpunks@algebra.com
Subject: gotcha (was Re: DEATH TO THE TYRANTS)
References: <1.5.4.32.19970723233941.006d1374@pop.pipeline.com> <v03102800affc86bdca7e@[207.167.93.63]>
From: SL Baur <steve@xemacs.org>
In-Reply-To: Tim May's message of "Wed, 23 Jul 1997 21:21:48 -0700"
Date: 23 Jul 1997 22:18:12 -0700
Message-ID: <m2lo2xauzv.fsf_-_@altair.xemacs.org>

Tim May <tcmay@got.net> writes:

> Namely, who is "irsnwpr@net.insp.irs.gov" and what does he or she think of
> the "DEATH TO TYRANTS" subject header, sent to me (and maybe others).
 ...
>  The headers in the first of the messages I received were:

> Received: from tcs_gateway1.treas.gov (tcs-gateway1.treas.gov
> [204.151.245.2]) by you.got.net (8.8.5/8.8.3) with SMTP id PAA28395 for
> <tcmay@got.net>; Fri, 18 Jul 1997 15:29:59 -0700
 ...
> Received: from tcs_gateway1.treas.gov (tcs-gateway1.treas.gov
> [204.151.245.2]) by you.got.net (8.8.5/8.8.3) with SMTP id PAA28954 for
> <tcmay@got.net>; Fri, 18 Jul 1997 15:39:39 -0700

If those headers are forged, it is an expert forgery.

The MX hosts for the net.insp.irs.gov domain are fun:
net.insp.irs.gov        preference = 10, mail exchanger = tcs-gateway2.treas.gov
net.insp.irs.gov        preference = 20, mail exchanger = tcs-gateway1.treas.gov
net.insp.irs.gov        preference = 30, mail exchanger = gotcha.treas.gov
irs.gov nameserver = gotcha.treas.gov
irs.gov nameserver = nis.ans.net
irs.gov nameserver = ns.ans.net
tcs-gateway2.treas.gov  internet address = 204.151.246.2
tcs-gateway1.treas.gov  internet address = 204.151.245.2
gotcha.treas.gov        internet address = 204.151.246.80

`gotcha.treas.gov'?  It's a real host connected through ans.net ...

12  h10-1.t32-0.New-York.t3.ans.net (140.223.57.30)  139.839 ms  126.702 ms  125.82 ms
13  h11-1.t56-1.Washington-DC.t3.ans.net (140.223.57.21)  147.248 ms  124.774 ms  118.815 ms
14  f0-0.cnss60.Washington-DC.t3.ans.net (140.222.56.196)  192.54 ms  125.939 ms  166.529 ms
15  enss3080.t3.ans.net (192.103.66.18)  130.917 ms  131.057 ms  145.377 ms
16  gotcha.treas.gov (204.151.246.80)  133.065 ms  134.345 ms  131.596 ms

Except for hop 16, this is the same traceroute as to
tcs-gateway2.treas.gov.  For what it's worth, the traceroute to
tcs-gateway1 is slightly different:

 8  h13-1.t16-0.Los-Angeles.t3.ans.net (140.223.9.14)  44.997 ms  51.526 ms  51.875 ms
 9  h14-1.t112-0.Albuquerque.t3.ans.net (140.223.17.10)  60.895 ms  60.426 ms  57.762 ms
10  h14-1.t64-0.Houston.t3.ans.net (140.223.65.9)  81.131 ms *  85.067 ms
11  h14-1.t80-1.St-Louis.t3.ans.net (140.223.65.14)  117.62 ms  100.623 ms  104.878 ms
12  h10-1.t60-0.Reston.t3.ans.net (140.223.61.13)  126.368 ms  136.017 ms  123.367 ms
13  f2-0.c60-10.Reston.t3.ans.net (140.223.60.220)  129.505 ms  128.214 ms  128.52 ms
14  enss3079.t3.ans.net (204.148.66.66)  134.707 ms  162.912 ms  160.774 ms
15  tcs-gateway1.treas.gov (204.151.245.2)  154.268 ms *  155.898 ms