[2280] in WWW Security List Archive
Re: Email Hack: Help.
daemon@ATHENA.MIT.EDU (Chris Garrigues)
Thu Jun 27 13:04:02 1996
To: www-security@ns2.rutgers.edu
Cc: cwg@deepeddy.DeepEddy.Com
In-Reply-To: Your message of "Tue, 25 Jun 1996 18:50:00 PDT."
<31D09748.3D6A@cup.hp.com>
Date: Thu, 27 Jun 1996 09:32:14 -0500
From: Chris Garrigues <cwg@DeepEddy.Com>
Errors-To: owner-www-security@ns2.rutgers.edu
> Somebody told me that the key to bagging a hacker is in the ``MX
> records,'' does that ring a bell to anyone? They said you can
> nail them through MX records. Now to find out the specifics. ;-)
I think "somebody" didn't know what they were talking about. I suppose they
might mean to look in the nameserver logs for references to your MX records at
the time the fake mail was sent or something like that....but that doesn't
make much sense either.
About the only certain thing you have to go on is the "Received:" headers in
the email. Trace them backwards to see what hosts the mail claims to have
been through. Then look at the logs on those hosts until you find one where
the logs don't show the email. That host is the one they were logged onto at
the time they sent the mail. If this system is a Unix machine, you'll have to
figure out who was on at the time and there's your suspect list. If it's a
SLIP/PPP address somewhere, you'll have to figure out who was on that address
at that time. If it's a PC, you probably have them.
It's time to play Sherlock Holmes.
Chris
--
Chris Garrigues O- cwg@DeepEddy.Com
Deep Eddy Internet Consulting +1 512 432 4046
609 Deep Eddy Avenue
Austin, TX 78703-4513 http://www.DeepEddy.Com/~cwg/
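The header-tracing procedure Chris describes, as an added example that is not from the original post or the list archive: a small Python script that unfolds a message's Received: headers and lists the hops in the order one would trace them backwards, from the recipient's mailer toward the host the mail first came from. The sample message, hostnames and addresses are constructed placeholders.

```python
"""Reconstruct a message's delivery path from its Received: headers."""
import email
import re
from email import policy

# Constructed sample message. Each MTA prepends its own Received: header,
# so the first header is the most recent hop and the last is the origin.
RAW_MESSAGE = b"""\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org (8.7.5/8.7.3) with ESMTP id AAA12345
\tfor <victim@example.org>; Tue, 25 Jun 1996 18:52:31 -0700 (PDT)
Received: from dialup17.isp.example (dialup17.isp.example [198.51.100.17])
\tby relay.example.net (8.7.5) with SMTP id SAA04711;
\tTue, 25 Jun 1996 18:50:00 -0700 (PDT)
From: someone@example.com
To: victim@example.org
Subject: test

body
"""

# "from <host> (<comment>) ... by <host>" is the common shape of a hop.
HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s*\((?P<info>[^)]*)\))?"
                    r".*?\bby\s+(?P<by>\S+)")

def parse_hop(header):
    """Split one unfolded Received: header into from/by/ip/date parts."""
    value, _, date = header.rpartition(";")  # the timestamp follows the last ';'
    m = HOP_RE.search(value)
    ip = None
    if m and m.group("info"):
        ipm = re.search(r"\[([0-9.]+)\]", m.group("info"))  # literal [a.b.c.d]
        ip = ipm.group(1) if ipm else None
    return {"from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "ip": ip, "date": date.strip()}

def trace_path(raw):
    """Hops in header order (most recent first): the order in which to check
    each host's logs, working backwards toward the sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Collapse folded continuation lines before parsing each header.
    return [parse_hop(" ".join(h.split())) for h in msg.get_all("Received", [])]

def origin(raw):
    """The earliest hop: the host the mail claims to have been sent from."""
    return trace_path(raw)[-1]

if __name__ == "__main__":
    for n, hop in enumerate(trace_path(RAW_MESSAGE), 1):
        print(n, hop["by"], "<-", hop["from"], hop["ip"], hop["date"])
```

Only the hop added by a server you control is trustworthy; a sender can forge any Received: line beneath it, which is why the post suggests checking each host's own logs rather than trusting the header chain alone.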