List: firewalls-gc
Subject: Re: Faked mail or break-in?
From: "Nelu Dumitru" <nelu () matco ! ro>
Date: 1997-01-30 14:40:58
Here is another possibility: to telnet to port 25 and to make the messages
"by hand". In this case your SMTP server will forward the messages.
Regards,
Nelu
----------
> From: Chih-hung Feng <chfeng@iii.org.tw>
> To: Firewalls@GreatCircle.COM
> Subject: Faked mail or break-in?
> Date: Thursday, January 30, 1997 8:26 AM
>
> Greetings,
>
> I apologize that this message is slightly off-topic to this list. But I
> am sure if I need a quick answer, here is the most likely place to get
> one.
>
> One of my colleagues received a foul-mouthed intimidating letter the other
> day, possibly due to his posts in some newsgroup. The mail was deliberately
> faked so we could not identify the origin. But what troubled us most was its
> header, going something like this:
>
> >From FxckYou@Hell Mon Jan 27 13:44:02 1997
> Return-Path: <Mailer-Daemon>
> Received: from hostC.xyz.edu.tw by hostD.iii.org.tw (SMI-8.6/SMI-SVR4)
> id NAA21246; Mon, 27 Jan 1997 13:44:01 +0800
> Received: from hostB.xyz.edu.tw by hostC.xyz.edu.tw with SMTP
> (1.37.109.20/16.2) id AA192423485; Mon, 27 Jan 1997 13:38:05 +0800
> Received: from [IP of hostA.iii.org.tw] by hostB.xyz.edu.tw (4.1/SMI-4.1)
> id AA02412; Mon, 27 Jan 97 13:37:14 CST
> Date: Mon, 27 Jan 97 13:36:32 CST
> From: FxckYou@Hell
> Message-Id: <9701270537.AA02412@hostB.xyz.edu.tw>
> Apparently-To: my-colleague@hostD.iii.org.tw
> Content-Length: 153
> Status: RO
>
> As you can see, the mail header indicated that it started at hostA (in my
> company), through hostB and hostC (both located in a university here), to the
> mailbox in hostD.
>
> My organization is protected only by routers, in which all incoming traffic is
> forbidden except TCP/port 25 and WWW (only to certain Web servers). We
> started an investigation at hostA and could not find any traces to suggest a
> break-in. So far we concluded 3 possible scenarios for this event:
>
> 1. hostA was compromised (we have done some enhancement for its security).
>
> 2. it was a joke from our own employee, which is not likely.
>
> 3. the mail route was faked by unknown mechanisms e.g. source routing (I am not
> good at this). And could you identify or suggest it for me?
>
> Any opinions and comments will be appreciated.
>
> --
> Chih-hung Feng, Institute for Information Industry (III)
> TEL : 02-5643588 ext 174 FAX : 02-5643775
> EMAIL: <chfeng@iii.org.tw> <chfeng@netrd.iii.org.tw>
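One way to read a header like the one quoted above, as an added example that is not part of this thread: parse the Received chain newest-first, check that each hop's claimed sender is the host that stamped the next-older hop, and count how many leading hops were stamped by hosts you actually operate (assumed here to be only hostD). The originating address is the documentation placeholder 192.0.2.10, since the post elides it.

```python
import re
from email import message_from_string

# Constructed sample based on the header block quoted in the post; the
# originating address is a placeholder (the post only says "[IP of hostA]").
SAMPLE = """\
Return-Path: <Mailer-Daemon>
Received: from hostC.xyz.edu.tw by hostD.iii.org.tw (SMI-8.6/SMI-SVR4)
 id NAA21246; Mon, 27 Jan 1997 13:44:01 +0800
Received: from hostB.xyz.edu.tw by hostC.xyz.edu.tw with SMTP
 (1.37.109.20/16.2) id AA192423485; Mon, 27 Jan 1997 13:38:05 +0800
Received: from [192.0.2.10] by hostB.xyz.edu.tw (4.1/SMI-4.1)
 id AA02412; Mon, 27 Jan 97 13:37:14 CST
Date: Mon, 27 Jan 97 13:36:32 CST
From: FxckYou@Hell
Message-Id: <9701270537.AA02412@hostB.xyz.edu.tw>
Apparently-To: my-colleague@hostD.iii.org.tw

(body omitted)
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+by\s+(\S+)", re.IGNORECASE)

def parse_received(raw):
    """Return hops newest-first as (claimed_sender, stamping_host, timestamp)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold the header continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append((m.group(1), m.group(2), flat.rsplit(";", 1)[-1].strip()))
    return hops

def trusted_hops(hops, own_hosts):
    """Number of leading hops stamped by hosts you run. Every hop below the
    first one stamped elsewhere is only a claim made by the peer that
    handed the message over, and can be written arbitrarily."""
    n = 0
    for _sender, stamper, _ts in hops:
        if stamper.lower() not in own_hosts:
            break
        n += 1
    return n

def chain_breaks(hops):
    """Indices where a hop's claimed sender is not the host that stamped the
    next-older hop; a gap suggests an inserted or rewritten hop."""
    return [i for i in range(len(hops) - 1)
            if hops[i][0].lower() != hops[i + 1][1].lower()]

if __name__ == "__main__":
    hops = parse_received(SAMPLE)
    for sender, stamper, ts in hops:
        print(f"{stamper} says it received the mail from {sender} at {ts}")
    print("hops you can vouch for:", trusted_hops(hops, {"hostd.iii.org.tw"}))
    print("chain breaks at hop index:", chain_breaks(hops))
```

For the quoted header the chain is internally consistent and only the first hop is vouched for by hostD, so the lower two hops and the hostA address they name could have been supplied by whoever spoke to hostB.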