LSTOWN-L Archives

LISTSERV List Owners' Forum

Peter DiCamillo <[log in to unmask]>
Sat, 8 Jul 1995 17:02:59 EDT
There's no puzzle here except which account at io.org is responsible
for the problem.  Here's a copy of the information I posted to
LSTSRV-L about it last night.
 
------------------
 
On 7 Jul 1995 at 11:17:05 Jeff Kell wrote:
>Apparently a mass "subscription spam" was sent to LISTSERV@BROWNVM to
>accomplish this mess as all of the console entries show that the mail
>requests were forwarded from LISTSERV@BROWNVM (and given the propagation
>delays in Bitnet, it would explain the length of time involved):
>
>7 Jul 1995 04:21:15 From LISTSERV@BROWNVM: X-FOR FWDED=2 [log in to unmask] SUBSCRIBE
>7 Jul 1995 04:21:16 To   [log in to unmask]: You have been added to the HP3000-L list.
>7 Jul 1995 04:21:16 Sent information mail to [log in to unmask]
>7 Jul 1995 04:21:17 Sent information mail to JEFF@UTCVM
>7 Jul 1995 04:21:17 Sent information mail to [log in to unmask]
>
>I am sending a copy of this mail to BROWNVM's postmaster/Listserv owner
>and hope they can find something in their logs to indicate the true
>origin of this attack.  The files DID come from BROWNVM (received by
>Listserv from RSCS, MAILER was not involved and thus no mail spoof here).
 
I checked our log files, and did find some information.  Our SMTP server
(brownvm.brown.edu) received 16 pieces of mail from io.org between 7/6/95
at 23:41 and 7/7/95 at 03:15.  Here's a typical log entry:
 
07/07/95 00:20:34 TCP (3) Helo Domain: io.org 142.77.70.2
07/07/95 00:20:36 Received Note 12462468 via TCP (3) From <[log in to unmask]>
 
The mail was all addressed to LISTSERV, and contained hundreds of
subscription requests for addresses not at io.org.  There seems little
doubt the mail was forged in order to inundate those addresses with
mail.  Here are the addresses that were forged:
 
 
I'll keep the log files for a few days, in case someone wants more
detailed information.  I'm sending a copy of this mail to the site
contact at io.org, in case he can track down who did this.  If he
has logs, it shouldn't be too hard, since brownvm.brown.edu received
no other mail from io.org during that time period.
 
------------------
 
This happened again tonight in the last couple hours with the following
addresses:
 
 
Also, in addition to subscribe commands, review commands are also
being forged.  However he's doing it, he managed to get Listserv here
to have about 7000 PUN files with 2-line jobs for subscribe and review
commands.
 
Peter
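
The log check described in the message above (counting mail received per HELO domain in the SMTP log), as an added example that is not part of the original post. It assumes the number in `TCP (n)` identifies the connection; all hosts, addresses and note numbers in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the SMTP log entry quoted above.
# Hosts, addresses and note numbers are made up for illustration.
SAMPLE_LOG = """\
07/06/95 23:41:02 TCP (3) Helo Domain: bulk.example 192.0.2.10
07/06/95 23:41:04 Received Note 10000001 via TCP (3) From <a@bulk.example>
07/06/95 23:50:10 TCP (1) Helo Domain: quiet.example 192.0.2.20
07/06/95 23:50:12 Received Note 10000002 via TCP (1) From <b@quiet.example>
07/07/95 00:20:34 TCP (3) Helo Domain: bulk.example 192.0.2.10
07/07/95 00:20:36 Received Note 10000003 via TCP (3) From <a@bulk.example>
07/07/95 03:15:00 TCP (2) Helo Domain: bulk.example 192.0.2.10
07/07/95 03:15:01 Received Note 10000004 via TCP (2) From <a@bulk.example>
"""

HELO = re.compile(r"^(\S+ \S+) TCP \((\d+)\) Helo Domain: (\S+) (\S+)$")
NOTE = re.compile(r"^(\S+ \S+) Received Note \d+ via TCP \((\d+)\) From <.*>$")

def notes_by_peer(log_text):
    """Map (HELO domain, IP) -> sorted receive times of notes on its connections."""
    peer_of = {}                 # assumed: the number in "TCP (n)" is a connection id
    times = defaultdict(list)
    for line in map(str.strip, log_text.splitlines()):
        if m := HELO.match(line):
            peer_of[m.group(2)] = (m.group(3), m.group(4))
        elif m := NOTE.match(line):
            # A note with no preceding HELO is kept under "unknown", not dropped.
            peer = peer_of.get(m.group(2), ("unknown", "unknown"))
            times[peer].append(datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"))
    return {peer: sorted(ts) for peer, ts in times.items()}

def flag_bursts(log_text, min_notes=3, window_hours=6):
    """Return (domain, ip, count) for peers with >= min_notes notes in any window."""
    window, flagged = timedelta(hours=window_hours), []
    for (domain, ip), ts in notes_by_peer(log_text).items():
        best = lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:   # slide the window start forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_notes:
            flagged.append((domain, ip, best))
    return sorted(flagged)

if __name__ == "__main__":
    for domain, ip, count in flag_bursts(SAMPLE_LOG):
        print(f"{domain} [{ip}]: {count} notes within the window")
```

The thresholds are illustrative defaults; a host that normally relays for many users would need a higher `min_notes` than a single-user site.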
