Tracking the "Crusader Spammer"


Newsgroups: news.admin.net-abuse.misc
Subject: Re: Crusader e-mail spam now using new address

taob@io.org (Brian Tao) writes:
>    Also note that mercury.sfsu.edu's sendmail does not verify your
>HELO hostname, allowing you to send mail without leaving a trace to
>your original site (except possibly in the logs).


ARGH!!!!  OK, folks-- they may have switched tactics, and gotten me,
although I'm not quite sure what's going on now.

There are three waves here, possibly with different MO's...

Waves 1 and 2 from mc3.hq.eso.org and U Strasbourg seem to have
resulted from the cracking of root on one machine, and then the
exploitation of a user's .rhosts to gain access to the other.  (This is
from communication with their admins.)

Wave 1 had a false reference to slip.net.  I tried a lot of ways, but
I was unable to duplicate the headers.  Can anyone find a way to forge
the headers to make it look the same as the spam?


Wave 3 is this Italian thing--

I just sent myself some email (without a HELO) through
mercury.sfsu.edu by way of asso.nis.garr.it.  The headers look like this:

> Received: from asso.nis.garr.it (asso.nis.garr.it [192.12.192.10]) by panix4.panix.com (8.6.12/8.6.12+PanixU1.1) with SMTP id UAA12918 for <lan@panix.com>; Sat, 30 Sep 1995 20:27:34 -0400
> Received: from mercury.sfsu.edu ([130.212.10.162]) by asso.nis.garr.it (4.1/1.34/ABB950929)
>         id AA24414; Sun, 1 Oct 95 01:23:47 +0100
> Received: by mercury.sfsu.edu (5.0/SMI-SVR4)
>         id AA29982; Sat, 30 Sep 1995 17:27:06 -0700

The headers on the spam I received look like:


> Received: from asso.nis.garr.it (asso.nis.garr.it [192.12.192.10]) by panix4.panix.com (8.6.12/8.6.12+PanixU1.1) with SMTP id DAA23779; Sat, 30 Sep 1995 03:18:33 -0400
> From: Crusader@national-alliance.org
> Received: by asso.nis.garr.it (4.1/1.34/ABB950929)
>         id AA12157; Sat, 30 Sep 95 07:29:42 +0100
> Received: by mercury.sfsu.edu (5.0/SMI-SVR4)
>         id AA21676; Fri, 29 Sep 95 21:03:27 -0700

Can anyone demonstrate a way to forge email this way, and have asso give an
"originating" Received header?  If not, then this message originated
at asso.nis.garr.it, and NOT mercury.sfsu.edu.

--L


Addendum: Some astute people have also pointed out that the "id" on the sfsu headers is always "AA21676" -- this should vary if they were real. Also, the time always ends in 3:27 -- this holds true for all of the copies I've been emailed, and see posted. I'd say it's fairly conclusive-- the mail did NOT go through SFSU, it originated at asso.nis.garr.it.

By: lan@panix.com
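The reasoning in the post can be mechanised. The following is an added example, not code from the original poster or from any of the sites named: it parses the Received headers quoted above, walks the chain from the newest hop down, and stops trusting the chain at the first hop that was written for a locally submitted message (a "Received: by X" line with no "from" clause, which is the "originating" header the post asks about). Every hop beneath that point was already inside the message when it was injected and is uncorroborated. It then applies the addendum's check: across several copies, a genuine MTA assigns a fresh queue id and timestamp, so an id and a "m:ss" tail that never change mark a pasted-in header. The two message samples are reconstructed from the post's own quoted headers; the second spam copy (SPAM_COPY_2) is invented here purely to illustrate the multi-copy check and is not a real message.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, rebuilt from the headers quoted in the post:
# the author's own test message relayed through mercury.sfsu.edu and
# asso.nis.garr.it, and one copy of the spam. Not read from a live mailbox.
TEST_MESSAGE = """\
Received: from asso.nis.garr.it (asso.nis.garr.it [192.12.192.10]) by panix4.panix.com (8.6.12/8.6.12+PanixU1.1) with SMTP id UAA12918 for <lan@panix.com>; Sat, 30 Sep 1995 20:27:34 -0400
Received: from mercury.sfsu.edu ([130.212.10.162]) by asso.nis.garr.it (4.1/1.34/ABB950929)
        id AA24414; Sun, 1 Oct 95 01:23:47 +0100
Received: by mercury.sfsu.edu (5.0/SMI-SVR4)
        id AA29982; Sat, 30 Sep 1995 17:27:06 -0700
"""

SPAM_MESSAGE = """\
Received: from asso.nis.garr.it (asso.nis.garr.it [192.12.192.10]) by panix4.panix.com (8.6.12/8.6.12+PanixU1.1) with SMTP id DAA23779; Sat, 30 Sep 1995 03:18:33 -0400
From: Crusader@national-alliance.org
Received: by asso.nis.garr.it (4.1/1.34/ABB950929)
        id AA12157; Sat, 30 Sep 95 07:29:42 +0100
Received: by mercury.sfsu.edu (5.0/SMI-SVR4)
        id AA21676; Fri, 29 Sep 95 21:03:27 -0700
"""

# Hypothetical second copy, invented for this example: the panix and asso
# hops get fresh ids and times, the bottom "mercury" hop is byte-identical.
SPAM_COPY_2 = """\
Received: from asso.nis.garr.it (asso.nis.garr.it [192.12.192.10]) by panix4.panix.com (8.6.12/8.6.12+PanixU1.1) with SMTP id DAA23790; Sat, 30 Sep 1995 03:19:01 -0400
From: Crusader@national-alliance.org
Received: by asso.nis.garr.it (4.1/1.34/ABB950929)
        id AA12160; Sat, 30 Sep 95 07:30:11 +0100
Received: by mercury.sfsu.edu (5.0/SMI-SVR4)
        id AA21676; Fri, 29 Sep 95 21:03:27 -0700
"""


@dataclass
class Hop:
    from_host: Optional[str]  # None when the MTA recorded no sending host
    by_host: str
    msg_id: Optional[str]
    timestamp: str


def unfold(raw: str) -> list[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


_FROM = re.compile(r"^received:\s*from\s+(\S+)", re.I)
_BY = re.compile(r"\bby\s+(\S+)", re.I)
_ID = re.compile(r"\bid\s+([^\s;]+)", re.I)


def parse_received(raw: str) -> list[Hop]:
    """Return the Received hops in header order: index 0 is the newest MTA."""
    hops: list[Hop] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m_from, m_by, m_id = _FROM.search(line), _BY.search(line), _ID.search(line)
        stamp = line.rsplit(";", 1)[1].strip() if ";" in line else ""
        hops.append(Hop(
            from_host=m_from.group(1).lower() if m_from else None,
            by_host=m_by.group(1).lower() if m_by else "",
            msg_id=m_id.group(1) if m_id else None,
            timestamp=stamp,
        ))
    return hops


def injection_point(hops: list[Hop]) -> tuple[Hop, list[Hop]]:
    """Walk from the newest hop down. A hop is corroborated when the hop above
    it (written by the MTA that accepted the message) names this hop's 'by'
    host as the peer it received from. A corroborated hop with no 'from'
    clause was written for a locally submitted message, so that host is the
    origin; hops beneath it were already in the message and are unverified.
    Returns (last trustworthy hop, uncorroborated hops beneath it)."""
    for i, hop in enumerate(hops):
        if i > 0 and hops[i - 1].from_host != hop.by_host:
            return hops[i - 1], hops[i:]  # chain broken: stop trusting here
        if hop.from_host is None:
            return hop, hops[i + 1:]      # locally submitted on hop.by_host
    return hops[-1], []


def constant_fields(copies: list[str]) -> dict[str, set[str]]:
    """The addendum's check: over several copies, collect the queue id and the
    'm:ss' tail of the timestamp from each copy's uncorroborated hops. A set
    of size 1 across many copies means the header was pasted, not generated."""
    ids: set[str] = set()
    tails: set[str] = set()
    for raw in copies:
        _, suspect = injection_point(parse_received(raw))
        for hop in suspect:
            ids.add(hop.msg_id or "")
            m = re.search(r"\d\d:\d(\d:\d\d)", hop.timestamp)
            tails.add(m.group(1) if m else "")
    return {"ids": ids, "time_tails": tails}


if __name__ == "__main__":
    for label, raw in (("test", TEST_MESSAGE), ("spam", SPAM_MESSAGE)):
        origin, suspect = injection_point(parse_received(raw))
        print(f"{label}: injected at {origin.by_host}; "
              f"uncorroborated hops: {[h.by_host for h in suspect]}")
    print(constant_fields([SPAM_MESSAGE, SPAM_COPY_2]))
```

On the test message the walk reaches the bottom "by mercury.sfsu.edu" hop with every link corroborated, so mercury is the origin. On the spam the corroborated "by asso.nis.garr.it" hop has no "from", so asso is the injection point and the mercury line beneath it is uncorroborated; across copies that line carries the same id and the same "3:27" tail, which is exactly the tell the addendum describes. The walk only trusts a hop's "from" host as recorded by the receiving MTA; a sending host's HELO claim is never used, which is why mercury's unchecked HELO in the quoted reply does not affect the result.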