Newsgroups: news.admin.net-abuse.misc
Subject: Re: Crusader e-mail spam now using new address

taob@io.org (Brian Tao) writes:
> Also note that mercury.sfsu.edu's sendmail does not verify your
> HELO hostname, allowing you to send mail without leaving a trace to
> your original site (except possibly in the logs).

ARGH!!!! OK, folks-- they may have switched tactics, and gotten me,
although I'm not quite sure what's going on now. There are three waves
here, possibly with different MO's...

Waves 1 and 2 from mc3.hq.eso.org and U Strasbourg seem to have resulted
from the cracking of root on one machine, and then the exploitation of a
user's .rhosts to gain access to the other. (This is from communication
with their admins.)

Wave 1 had a false reference to slip.net. I tried a lot of ways, but I
was unable to duplicate the headers. Can anyone find a way to forge the
headers to make it look the same as the spam?

Wave 3 is this Italian thing-- I just sent myself some email (without a
HELO) through mercury.sfsu.edu by way of asso.nis.garr.it. The headers
look like this:

> Received: from asso.nis.garr.it (asso.nis.garr.it [192.12.192.10]) by panix4.panix.com (8.6.12/8.6.12+PanixU1.1) with SMTP id UAA12918 for <lan@panix.com>; Sat, 30 Sep 1995 20:27:34 -0400
> Received: from mercury.sfsu.edu ([130.212.10.162]) by asso.nis.garr.it (4.1/1.34/ABB950929)
>         id AA24414; Sun, 1 Oct 95 01:23:47 +0100
> Received: by mercury.sfsu.edu (5.0/SMI-SVR4)
>         id AA29982; Sat, 30 Sep 1995 17:27:06 -0700

The headers on the spam I received look like:

> Received: from asso.nis.garr.it (asso.nis.garr.it [192.12.192.10]) by panix4.panix.com (8.6.12/8.6.12+PanixU1.1) with SMTP id DAA23779; Sat, 30 Sep 1995 03:18:33 -0400
> From: Crusader@national-alliance.org
> Received: by asso.nis.garr.it (4.1/1.34/ABB950929)
>         id AA12157; Sat, 30 Sep 95 07:29:42 +0100
> Received: by mercury.sfsu.edu (5.0/SMI-SVR4)
>         id AA21676; Fri, 29 Sep 95 21:03:27 -0700

Can anyone demonstrate a way to forge email this way, and have asso
give an "originating" Received header? If not, then this message
originated at asso.nis.garr.it, and NOT mercury.sfsu.edu.

--L

Addendum: Some astute people have also pointed out that the "id"s on the
sfsu headers are all "AA21676" -- this should vary if they were real.
Also, the time always ends in 3:27 -- this holds true for all of the
copies I've been emailed, and seen posted. I'd say it's fairly
conclusive-- the mail did NOT go through SFSU, it originated at
asso.nis.garr.it.
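The reasoning in the post (trust only the hops your own MTA can vouch for, and treat a "Received: by" line with no "from" clause as the point where the trail ends) can be mechanized. The following script is an added example, not part of the post; it parses the two Received chains quoted above (trimmed to the from/by/id fields) and reports where each message was actually injected and which older headers are unverifiable hearsay.

```python
import re

# Constructed sample input: the two Received chains quoted in the post, newest
# hop first, trimmed to the from/by/id fields the checks below need.
TEST_MSG = [
    "Received: from asso.nis.garr.it (asso.nis.garr.it [192.12.192.10]) by panix4.panix.com (8.6.12) with SMTP id UAA12918",
    "Received: from mercury.sfsu.edu ([130.212.10.162]) by asso.nis.garr.it (4.1/1.34) id AA24414",
    "Received: by mercury.sfsu.edu (5.0/SMI-SVR4) id AA29982",
]
SPAM_MSG = [
    "Received: from asso.nis.garr.it (asso.nis.garr.it [192.12.192.10]) by panix4.panix.com (8.6.12) with SMTP id DAA23779",
    "Received: by asso.nis.garr.it (4.1/1.34) id AA12157",
    "Received: by mercury.sfsu.edu (5.0/SMI-SVR4) id AA21676",
]

# 'from' is optional: sendmail omits it when the message was submitted locally.
HOP_RE = re.compile(
    r"Received:\s*(?:from\s+(?P<frm>\S+)\s.*?)?\bby\s+(?P<by>\S+).*?\bid\s+(?P<id>\S+)"
)

def parse_hops(headers):
    """Parse Received lines (newest first) into dicts; frm is None when the MTA
    recorded the message as locally submitted rather than received over SMTP."""
    hops = []
    for line in headers:
        m = HOP_RE.search(line)
        if m is None:
            raise ValueError("unparseable Received line: " + line)
        hops.append(m.groupdict())
    return hops

def apparent_origin(headers):
    """Walk from the newest hop (written by our own MTA) downwards. Each hop's
    'from' is the peer that MTA really talked to. The first hop written with no
    'from' says the mail was injected locally there, so every older Received
    line was already inside the message body when it arrived."""
    hops = parse_hops(headers)
    for hop in hops:
        if hop["frm"] is None:
            return hop["by"]
    return hops[-1]["frm"]  # chain ends with a peer we cannot resolve further

def unverifiable_hops(headers):
    """Hosts named in Received lines below the first locally-submitted hop;
    nothing in the chain vouches for these, so they may be pasted in."""
    hops = parse_hops(headers)
    for i, hop in enumerate(hops):
        if hop["frm"] is None:
            return [h["by"] for h in hops[i + 1:]]
    return []

if __name__ == "__main__":
    for name, msg in (("test mail", TEST_MSG), ("spam", SPAM_MSG)):
        print(name, "origin:", apparent_origin(msg), "unverified:", unverifiable_hops(msg))
```

For the test mail asso's own line says "from mercury.sfsu.edu ([130.212.10.162])", so the origin resolves to mercury; for the spam asso's line has no "from" at all, so the chain ends at asso and the mercury line below it is unverified.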