Great Circle Associates List-Managers
(November 1995)
 


Subject: Re: Bulk Forged Subscriptions
From: Brent @ GreatCircle . COM (Brent Chapman)
Date: Sun, 12 Nov 1995 11:17:11 +0100
To: Lazlo Nibble <lazlo @ swcp . com>, list-managers @ greatcircle . com (lm)
Cc: root @ eagle . ais . net, postmaster @ eagle . ais . net, root @ ais . net, postmaster @ ais . net

At 10:58 AM 11/12/95, Lazlo Nibble wrote:
>I just logged on to find that the following six addresses had been
>bulk-subscribed to all eleven of my mailing lists (six lists + five digests):
>
>    anon3c31 <anon3c31 @ nyx . cs . du . edu>
>    articles <articles @ blacklisted411 . com>
>    cliff <cliff @ cfa . harvard . edu>
>    garner <garner @ rocky . oswego . edu>
>    meetings <meetings @ 2600 . com>
>    syanide <syanide @ boardwatch . com>
>
>You do the math.  This was definitely helped along by a "lists" command, and
>I suspect that all the other lists at my site suffered the same fate.

All of our lists got hit by this as well.  I keep a copy of all incoming
messages sent to majordomo @ greatcircle . com (it's a useful debugging tool),
so I was able to examine the original messages.  They all have headers that
look like:

    Received: from eagle.ais.net (eagle.ais.net [199.0.154.5]) by
        miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP
        id AAA07176 for <majordomo @ greatcircle . com>;
        Sun, 12 Nov 1995 00:18:01 -0800 (PST)
    Received: from boardwatch.com by eagle.ais.net with smtp
        (Smail3.1.29.1 #18) id m0tEXlT-000DCUC; Sun, 12 Nov 95 02:27 CST
    Message-Id: <m0tEXlT-000DCUC @ eagle . ais . net>
    Date: Sun, 12 Nov 95 02:27 CST
    From: syanide <syanide @ boardwatch . com>
    Subject: subscribe
    To: majordomo @ greatcircle . com
    Content-Type: TEXT/PLAIN; charset=US-ASCII

The messages were all injected at machine eagle.ais.net.  Its SMTP server
apparently believes whatever clients tell it in the "HELO" line, so the
"Received: from boardwatch.com" is bogus.  I don't know if the folks at
eagle.ais.net have logs through which they could track this back further,
perhaps to see where the SMTP connection came from.


-Brent

--
Brent Chapman             | Great Circle Associates  | For Firewalls Tutorial info:
Brent @ GreatCircle . COM | 1057 West Dana Street    | Tutorial-Info @ GreatCircle . COM
+1 415 962 0841           | Mountain View, CA  94041 | http://www.greatcircle.com
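
The header reading described in the message above, as an added example that is not part of the original message or the archive: it separates the peer address recorded by a server the list owner runs from sender names that a relay copied from "HELO" without recording any peer address. The names `received_hops`, `analyze` and `trusted_suffix` are assumptions of this example; the header text is taken from the message with the address spacing removed.

```python
import re

# Header lines taken from the message above (address spacing removed).
RAW = """\
Received: from eagle.ais.net (eagle.ais.net [199.0.154.5]) by
    miles.greatcircle.com (8.7.1/Miles-950430-1) with SMTP
    id AAA07176 for <majordomo@greatcircle.com>;
    Sun, 12 Nov 1995 00:18:01 -0800 (PST)
Received: from boardwatch.com by eagle.ais.net with smtp
    (Smail3.1.29.1 #18) id m0tEXlT-000DCUC; Sun, 12 Nov 95 02:27 CST
Subject: subscribe
"""

# "from <HELO name> (<rDNS> [<peer IP>]) by <recording host>"; the parenthesised
# part is what the receiving server itself observed, and it may be absent.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[0-9.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)", re.I)

def received_hops(raw):
    """Unfold continuation lines and return Received hops, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [m.groupdict() for line in unfolded.splitlines()
            if line.lower().startswith("received:") and (m := HOP.search(line))]

def analyze(raw, trusted_suffix):
    """Return (last peer recorded by our own servers, unverified HELO claims)."""
    boundary, claims, trusted = None, [], True
    for hop in received_hops(raw):
        ours = hop["by"].lower().endswith(trusted_suffix)
        if trusted and ours and hop["ip"]:
            # Written by a server we run: the peer address is a real observation.
            boundary = (hop["rdns"] or hop["helo"], hop["ip"])
            continue
        trusted = False  # every older line was written by someone else
        if hop["ip"] is None:
            # No peer address recorded: the name is only what the client said.
            claims.append((hop["helo"], hop["by"]))
    return boundary, claims

if __name__ == "__main__":
    boundary, claims = analyze(RAW, ".greatcircle.com")
    print("handed to us by:", boundary)
    for helo, by in claims:
        print(f"unverified: {by} recorded sender name {helo!r}, no peer address")
```

Once the walk reaches a line written outside the trusted domain, older lines are never treated as observations, so a forged line naming the list server further down the chain does not move the boundary.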


