1997-02-11 - Email forgery

Header Data

From: “Mark M.” <markm@voicenet.com>
To: lindat@iquest.net
Message Hash: d1eb9701d4bf43c83b3b96f17182fa24803eb93b78c2d7ccd7bf8dd67b08dcc6
Message ID: <199702111429.GAA20054@toad.com>
Reply To: N/A
UTC Datetime: 1997-02-11 14:29:22 UTC
Raw Date: Tue, 11 Feb 1997 06:29:22 -0800 (PST)

Raw message

From: "Mark M." <markm@voicenet.com>
Date: Tue, 11 Feb 1997 06:29:22 -0800 (PST)
To: lindat@iquest.net
Subject: Email forgery
Message-ID: <199702111429.GAA20054@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

This is a very strange forgery.  It appears that the attacker used
fcaglp.fcaglp.unlp.edu.ar as a relay.  This machine is running an old version
of HP sendmail that apparently accepts any hostname the user enters after
"helo".  I tried sending myself fakemail using this site but haven't got a
response yet.  The interesting thing is that the attacker used the hostname
echotech.com and not iquest.net.  echotech.com is a real domain so the attacker
might have been dumb enough to connect from echotech.com and enter the real
origin.  Or the SMTP server might just pretend it's fooled and put the real
hostname in the received header regardless of what's entered after the helo.
I'm not familiar with HP sendmail so I don't know whether this is true or not.

On Sun, 9 Feb 1997, Bovine Remailer wrote:

> Date: Sun, 9 Feb 1997 08:42:45 -0500 (EST)
> From: Bovine Remailer <haystack@holy.cow.net>
> To: cypherpunks@toad.com
>
> NEW ATTACK ON CP LIST
>
>
> >Date: Sun, 9 Feb 1997 03:55:04 -0500
> >From: Linda Thompson <lindat@iquest.net>
> >To: robert@iquest.net
> >Cc: aen-news@aen.org
> >Subject: URGENT
> >
> >Someone is sending THREATS to the President and Senate and using *MY*
> >name
> >and account to do it.  One bounced and was sent to me.  You should be
> >able
> >to find out where it came from by the message I.D.  I think it is
> >EXTREMELY
> >important that you find out where this came from!!
> >
> >Also, earlier in the day, I got a message that I was subscribed by
> >"majordomo" to cypherpunks.  I did NOT subscribe to cypherpunks and I
> >would
> >bet that whoever did THAT also sent this message.
> >
> >Here's the threat message:
> >
> >Return-Path: <MAILER-DAEMON@fcaglp.fcaglp.unlp.edu.ar>
> >Delivered-To: lindat@iquest.net
> >Received: (qmail 29848 invoked from network); 9 Feb 1997 02:51:40 -0000
> >Received: from fcaglp.fcaglp.unlp.edu.ar (163.10.4.1)
> >  by iquest3.iquest.net with SMTP; 9 Feb 1997 02:51:40 -0000
> >Received: by fcaglp.fcaglp.unlp.edu.ar
> >	(1.38.193.4/16.2) id AI19659; Sat, 8 Feb 1997 23:49:27 -0300
> >Message-Id: <9702090249.AI19659@fcaglp.fcaglp.unlp.edu.ar>
> >Date: Sat, 8 Feb 1997 05:12:37 -0300
> >From: MAILER-DAEMON@fcaglp.fcaglp.unlp.edu.ar (Mail Delivery Subsystem)
> >Subject: Returned mail: User unknown
> >To: lindat@iquest.net
> >X-UIDL: 85c7fe8ecdc2605eb6bc80bfa71b223e
> >Status: U
> >
> >   ----- Transcript of session follows -----
> >550 xfAA16374: line 6: vice-president@whitehouse.gov... User unknown
> >
> >   ----- Unsent message follows -----
> >Received: from echotech.com by fcaglp.fcaglp.unlp.edu.ar with SMTP
> >	(1.38.193.4/16.2) id AA16374; Sat, 8 Feb 1997 05:12:37 -0300
> >Message-Id: <9702080812.AA16374@fcaglp.fcaglp.unlp.edu.ar>
> >Date: Sat, 8 Feb 1997 05:12:37 -0300
> >From: lindat@iquest.net
> >Return-Path: <lindat@iquest.net>
[recipient list deleted]
> >Reply-To: lindat@iquest.net
> >Return-Receipt-To: lindat@iquest.net
> >Comment: Authenticated sender is <lindat@iquest.net>
> >Subject: message to USSA Senate
> >
> >All files on the Senate's computers will be deleted by our
> >gang of cypherpunks dedicated to the eradication of your systems.



Mark
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

iQEVAwUBMv4meizIPc7jvyFpAQFu/ggAoap+9UBSbtitcQuGL3Og5u1nQRJhaviV
BJqXC0ZwNBKCEeVQm3HIME47eqB8JVite2YBvyXZbj/QAsFQAEY1k4oJlfn5tCLE
w/ifDrqeQhFWXtNC64iRFJm7EEOMDJ56rNVUA8NkKJZstl8ny/7LTFeTDGxf18gL
nQVHJ447I5B0WVQt42F1Gfcmxh3bPjbZXd8TRKSKjhuBfqum8916dlXso1hB3WaC
TSYIHa3R33HmwYA2xtDJ6ZJwtlPF/wPkVIYgbhrt+S6SPGfa+yEUnCE72qceo3eh
1imu97YBiP0EPveEdD5yIlH23rZRbCJ9RmDrZruCY2ldG1wJh3+6Jg==
=psFL
-----END PGP SIGNATURE-----







Thread