LSTSRV-L Archives

LISTSERV Site Administrators' Forum

LSTSRV-L

Peter DiCamillo <[log in to unmask]>
Sat, 8 Jul 1995 00:52:01 EDT
On 7 Jul 1995 at 11:17:05 Jeff Kell wrote:
>Apparently a mass "subscription spam" was sent to LISTSERV@BROWNVM to
>accomplish this mess as all of the console entries show that the mail
>requests were forwarded from LISTSERV@BROWNVM (and given the propagation
>delays in Bitnet, it would explain the length of time involved):
>
>7 Jul 1995 04:21:15 From LISTSERV@BROWNVM: X-FOR FWDED=2 [log in to unmask] SUBSCRIBE
>7 Jul 1995 04:21:16 To   [log in to unmask]: You have been added to the HP3000-L list.
>7 Jul 1995 04:21:16 Sent information mail to [log in to unmask]
>7 Jul 1995 04:21:17 Sent information mail to JEFF@UTCVM
>7 Jul 1995 04:21:17 Sent information mail to [log in to unmask]
>
>I am sending a copy of this mail to BROWNVM's postmaster/Listserv owner
>and hope they can find something in their logs to indicate the true
>origin of this attack.  The files DID come from BROWNVM (received by
>Listserv from RSCS, MAILER was not involved and thus no mail spoof here).
 
I checked our log files, and did find some information.  Our SMTP server
(brownvm.brown.edu) received 16 pieces of mail from io.org between 7/6/95
at 23:41 and 7/7/95 at 03:15.  Here's a typical log entry:
 
07/07/95 00:20:34 TCP (3) Helo Domain: io.org 142.77.70.2
07/07/95 00:20:36 Received Note 12462468 via TCP (3) From <[log in to unmask]>
 
The mail was all addressed to LISTSERV, and contained hundreds of
subscription requests for addresses not at io.org.  There seems little
doubt the mail was forged in order to inundate those addresses with
mail.  Here are the addresses that were forged:
 
[log in to unmask]
[log in to unmask]
[log in to unmask]
[log in to unmask]
[log in to unmask]
[log in to unmask]
[log in to unmask]
[log in to unmask]
 
I'll keep the log files for a few days, in case someone wants more
detailed information.  I'm sending a copy of this mail to the site
contact at io.org, in case he can track down who did this.  If he
has logs, it shouldn't be too hard, since brownvm.brown.edu received
no other mail from io.org during that time period.
 
Peter
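
The log check described in the message above, as an added example that is not part of the original post or of any LISTSERV or SMTP server code: it pairs each "Helo Domain" line with the "Received Note" lines that follow on the same connection and counts notes per HELO domain inside a time window. It assumes the number in "TCP (n)" identifies the connection; the sample log, domains, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the two-line format quoted in the post (not real log data).
SAMPLE_LOG = """\
07/06/95 23:41:02 TCP (1) Helo Domain: bulk.example 192.0.2.10
07/06/95 23:41:05 Received Note 10000001 via TCP (1) From <a@bulk.example>
07/07/95 00:20:34 TCP (3) Helo Domain: bulk.example 192.0.2.10
07/07/95 00:20:36 Received Note 10000002 via TCP (3) From <b@bulk.example>
07/07/95 01:02:10 TCP (2) Helo Domain: quiet.example 198.51.100.7
07/07/95 01:02:12 Received Note 10000003 via TCP (2) From <c@quiet.example>
07/07/95 03:15:40 TCP (3) Helo Domain: bulk.example 192.0.2.10
07/07/95 03:15:43 Received Note 10000004 via TCP (3) From <d@bulk.example>
07/07/95 09:00:00 TCP (1) Helo Domain: bulk.example 192.0.2.10
07/07/95 09:00:02 Received Note 10000005 via TCP (1) From <e@bulk.example>
"""

# Assumption: the number in "TCP (n)" ties a Received Note to the latest HELO on n.
STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
HELO = re.compile(STAMP + r" TCP \((\d+)\) Helo Domain: (\S+) (\S+)$")
NOTE = re.compile(STAMP + r" Received Note (\d+) via TCP \((\d+)\) From <([^>]*)>$")

def parse_ts(text):
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")

def notes_by_helo(log_text, start, end):
    """Map each HELO domain to the notes it delivered between start and end."""
    conn = {}                      # connection number -> (HELO domain, peer IP)
    result = defaultdict(list)
    for line in map(str.strip, log_text.splitlines()):
        m = HELO.match(line)
        if m:
            conn[m.group(2)] = (m.group(3).lower(), m.group(4))
            continue
        m = NOTE.match(line)
        if m and m.group(3) in conn and start <= parse_ts(m.group(1)) <= end:
            domain, ip = conn[m.group(3)]
            result[domain].append((m.group(1), m.group(2), ip, m.group(4)))
    return dict(result)

def flag_bursts(log_text, start, end, threshold):
    """Return {domain: note count} for HELO domains at or above threshold."""
    counts = {d: len(n) for d, n in notes_by_helo(log_text, start, end).items()}
    return {d: c for d, c in counts.items() if c >= threshold}

if __name__ == "__main__":
    window = (parse_ts("07/06/95 23:41:00"), parse_ts("07/07/95 03:16:00"))
    print(flag_bursts(SAMPLE_LOG, *window, threshold=3))
```

The per-domain note lists returned by `notes_by_helo` keep the timestamp, note number, peer IP and envelope sender, which is the detail a remote site contact would need to match against their own logs.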
