List:       firewalls-gc
Subject:    Re: Faked mail or break-in?
From:       "Nelu Dumitru" <nelu () matco ! ro>
Date:       1997-01-30 14:40:58

Here is another possibility: to telnet to port 25 and to make the messages
"by hand". In this case your SMTP server will forward the messages.

Regards,
Nelu

----------
> From: Chih-hung Feng <chfeng@iii.org.tw>
> To: Firewalls@GreatCircle.COM
> Subject: Faked mail or break-in?
> Date: Thursday, January 30, 1997 8:26 AM
> 
> Greetings,
> 
> I apologize that this message is slightly off-topic for this list. But I
> am sure if I need a quick answer, here is the most likely place to get
> one.
> 
> One of my colleagues received a foul-mouthed intimidating letter the other
> day, possibly due to his posts in some newsgroup. The mail was deliberately
> faked so we could not identify the origin. But what troubled us most was its
> header, going something like this:
> 
> >From FxckYou@Hell Mon Jan 27 13:44:02 1997
> Return-Path: <Mailer-Daemon>
> Received: from hostC.xyz.edu.tw by hostD.iii.org.tw (SMI-8.6/SMI-SVR4)
> 	id NAA21246; Mon, 27 Jan 1997 13:44:01 +0800
> Received: from hostB.xyz.edu.tw by hostC.xyz.edu.tw with SMTP
> 	(1.37.109.20/16.2) id AA192423485; Mon, 27 Jan 1997 13:38:05 +0800
> Received: from [IP of hostA.iii.org.tw] by hostB.xyz.edu.tw (4.1/SMI-4.1)
>         id AA02412; Mon, 27 Jan 97 13:37:14 CST
> Date: Mon, 27 Jan 97 13:36:32 CST
> From: FxckYou@Hell
> Message-Id: <9701270537.AA02412@hostB.xyz.edu.tw>
> Apparently-To: my-colleague@hostD.iii.org.tw
> Content-Length: 153
> Status: RO
> 
> As you can see, the mail header indicated that it started at hostA (in my
> company), through hostB and hostC (both located in a university here), to
> the mailbox in hostD.
> 
> My organization is protected only by routers, in which all incoming traffic
> is forbidden except TCP/port 25 and WWW (only to certain Web servers). We
> started an investigation at hostA and could not find any traces to suggest
> a break-in. So far we have concluded that there are 3 possible scenarios
> for this event:
> 
> 1. hostA was compromised (we have done some enhancement of its security).
> 
> 2. it was a joke by one of our own employees, which is not likely.
> 
> 3. the mail route was faked by unknown mechanisms, e.g. source routing (I
>    am not good at this). Could you identify or suggest it for me?
> 
> Any opinions and comments will be appreciated.
> 
> --
> Chih-hung Feng                Institute for Information Industry (III)
> TEL  :   02-5643588 ext 174                  FAX  :  02-5643775
> EMAIL:   <chfeng@iii.org.tw>          <chfeng@netrd.iii.org.tw>
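
The mechanism Nelu describes, as an added example that is not part of the original thread: a small Python model of an SMTP session typed by hand into port 25. It shows that the receiving server can vouch only for the Received line it prepends itself, that everything below that line in the header block arrived inside the sender's DATA and can be typed in freely, and how a tracer checks each hop against the connecting address the next relay actually recorded. Host names are those of the quoted header; the addresses (the 10.x entries and 192.0.2.17), the HELO handling, the timestamps and all function names are assumptions of this example, not facts about the incident.

```python
"""
Added example (not code from the list thread): a toy SMTP exchange that
shows how a message typed "by hand" on port 25 acquires forged headers,
and how the Received chain is then read when tracing it.  Host names
follow the quoted header; addresses, timestamps and MTA behaviour are
constructed for the example.
"""
import re

# Constructed hand-typed session: the sender connects to hostC, claims in
# HELO to be hostB, and types a fake "Received:" line so the message
# appears to have travelled hostA -> hostB before reaching hostC.
HAND_TYPED_SESSION = [
    "HELO hostB.xyz.edu.tw",
    "MAIL FROM:<>",
    "RCPT TO:<my-colleague@hostD.iii.org.tw>",
    "DATA",
    "Received: from [10.10.10.1] by hostB.xyz.edu.tw (4.1/SMI-4.1)",
    "\tid AA02412; Mon, 27 Jan 97 13:37:14 CST",
    "From: FxckYou@Hell",
    "Message-Id: <9701270537.AA02412@hostB.xyz.edu.tw>",
    "",
    "(threatening text)",
    ".",
    "QUIT",
]

# Constructed address book the tracer uses to corroborate each hop.
KNOWN_ADDRESSES = {
    "hostA.iii.org.tw": "10.10.10.1",
    "hostB.xyz.edu.tw": "10.20.20.2",
    "hostC.xyz.edu.tw": "10.20.20.3",
    "hostD.iii.org.tw": "10.10.10.4",
}


def toy_smtp_server(server_host, peer_ip, client_lines):
    """Run one SMTP session in memory; return (transcript, stored message).
    Like the MTAs of the period it does not check that the HELO name matches
    the connecting address, but it records both in the Received line it
    prepends, which is the only header line it can vouch for."""
    transcript = [f"S: 220 {server_host} SMTP ready"]
    helo, in_data, body, message = None, False, [], None
    for line in client_lines:
        transcript.append(f"C: {line}")
        if in_data:
            if line == ".":
                in_data = False
                stamp = (f"Received: from {helo} ([{peer_ip}]) by {server_host} "
                         "with SMTP; Mon, 27 Jan 1997 13:38:05 +0800")
                message = stamp + "\n" + "\n".join(body) + "\n"
                transcript.append("S: 250 Message accepted for delivery")
            else:  # undo SMTP dot-stuffing, keep everything else verbatim
                body.append(line[1:] if line.startswith("..") else line)
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb == "HELO":
            helo = line.split(" ", 1)[1]
            transcript.append(f"S: 250 {server_host} Hello {helo} [{peer_ip}]")
        elif verb in ("MAIL", "RCPT"):
            transcript.append("S: 250 OK")
        elif verb == "DATA":
            in_data = True
            transcript.append('S: 354 Enter mail, end with "." on a line by itself')
        elif verb == "QUIT":
            transcript.append("S: 221 Bye")
        else:
            transcript.append("S: 500 Command unrecognized")
    return transcript, message


RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)(?:\s+\(\[([^\]]+)\]\))?\s+by\s+(\S+)", re.I)


def received_hops(message):
    """Parse Received lines newest-first, unfolding continuation lines."""
    headers = message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", headers)
    hops = []
    for line in unfolded.split("\n"):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append({"from": m.group(1), "peer_ip": m.group(2), "by": m.group(3)})
    return hops


def first_forged_hop(hops, known_addresses):
    """Index (newest-first) of the first hop that cannot be corroborated.
    Hop i is vouched for only by the relay in hop i-1 that received from it:
    that relay must name hop i's MTA as its peer, and the peer IP it logged
    must belong to that MTA.  Returns None if every hop checks out."""
    for i in range(1, len(hops)):
        upper, lower = hops[i - 1], hops[i]
        claimed = lower["by"]
        if upper["from"] != claimed:
            return i
        if upper["peer_ip"] is not None and known_addresses.get(claimed) != upper["peer_ip"]:
            return i
    return None


def trace_hand_typed_message():
    """Feed the constructed session to hostC and trace the stored result."""
    transcript, msg = toy_smtp_server("hostC.xyz.edu.tw", "192.0.2.17", HAND_TYPED_SESSION)
    hops = received_hops(msg)
    return transcript, hops, first_forged_hop(hops, KNOWN_ADDRESSES)


if __name__ == "__main__":
    transcript, hops, bad = trace_hand_typed_message()
    print("\n".join(transcript))
    for i, hop in enumerate(hops):
        print(i, hop)
    print("first hop that cannot be corroborated:", bad)
```

Running the module prints the dialogue and the parsed hops; the tracer flags the hostB line because hostC recorded a connecting address that is not hostB's. The real-world analogue is the connecting IP that the MTA on hostC (or hostD) wrote into its own Received line or its syslog, compared with the address the claimed previous hop actually has; the "from" name in a Received line that an old sendmail took from HELO proves nothing on its own.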
