[3015] in WWW Security List Archive


RE: Spam Header

daemon@ATHENA.MIT.EDU (David Kennedy)
Fri Sep 20 15:24:32 1996

Date: 20 Sep 96 13:36:07 EDT
From: David Kennedy <76702.3557@compuserve.com>
To: Gene Ingram <gene@hpfsvr01.cup.hp.com>,
        WWW Security List <WWW-SECURITY@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

 >> Received: from shell1.cybercom.net (shell1.cybercom.net
 >> [206.28.134.6]) by kalypso.cybercom.net (8.6.12/8.6.12) with
 >> ESMTP id BAA20402 for

This isn't rocket science, someone just hasn't explained to you how to read
headers.

This line makes it appear that the message originated at a shell account on
cybercom.net.

I emphasize "appear" because it's possible to manipulate this, just as it's
possible that shell1 was compromised and the account there used to launch the
spam.

A whois check on cybercom.net reveals:
(run whois from your machine or from the web at:
http://rs.internic.net/cgi-bin/whois)
(there is no whois registration for kalypso or shell1)


Cyber Access Internet Communications, Inc. (CYBERCOM2-DOM)
   422 Salem Street, Suite 152
   Medford, MA  02155

   Domain Name: CYBERCOM.NET

   Administrative Contact, Technical Contact, Zone Contact, Billing Contact:
      Petty-Schroeppel, Pippen  (PP136)  pippin@CYBERCOM.NET
      (617) 396-0491

   Record last updated on 20-Jun-96.
   Record created on 12-Apr-95.

   Domain servers in listed order:

   NS1.CYBERCOM.NET             206.28.134.3
   NS2.CYBERCOM.NET             206.28.134.4
   NS2.MCI.NET                  204.70.57.242


The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.

A traceroute reveals they're on the end of an MCI Net line:
(run traceroute from your machine if you have it or from the web at
http://www.net.cmu.edu/bin/traceroute)

traceroute to kalypso.cybercom.net (206.28.134.5), 30 hops max
 1  RTRBONE.NET.CMU.EDU (128.2.1.2)  2 ms  2 ms  2 ms
 2  nss5.psc.edu (192.88.114.254)  2 ms  2 ms  2 ms
 3  border4-hssi1-0.WillowSprings.mci.net (204.70.108.5)  13 ms  12 ms  11 ms
 4  core1-fddi-1.WillowSprings.mci.net (204.70.104.33)  12 ms  12 ms  12 ms
 5  core-hssi-2.Boston.mci.net (204.70.1.45)  41 ms *  40 ms
 6  core-hssi-2.Boston.mci.net (204.70.1.45)  41 ms  40 ms  40 ms
 7  border2-fddi-0.Boston.mci.net (204.70.3.34)  134 ms *  50 ms
 8  cyber-access.Boston.mci.net (204.70.21.70)  45 ms  49 ms  44 ms
 9  * * kalypso.cybercom.net (206.28.134.5)  44 ms

That isn't the same IP as shell1, so a traceroute to its IP is:

traceroute to 206.28.134.6 (206.28.134.6), 30 hops max
 1  RTRBONE.NET.CMU.EDU (128.2.1.2)  2 ms  2 ms  2 ms
 2  nss5.psc.edu (192.88.114.254)  3 ms  3 ms  2 ms
 3  border4-hssi1-0.WillowSprings.mci.net (204.70.108.5)  12 ms  11 ms  11 ms
 4  core1-fddi-1.WillowSprings.mci.net (204.70.104.33)  13 ms  12 ms  207 ms
 5  core-hssi-2.Boston.mci.net (204.70.1.45)  65 ms  422 ms  43 ms
 6  core-hssi-2.Boston.mci.net (204.70.1.45)  41 ms  419 ms  435 ms
 7  * border2-fddi-0.Boston.mci.net (204.70.3.34)  41 ms  41 ms
 8  * cyber-access.Boston.mci.net (204.70.21.70)  46 ms  44 ms
 9  shell1.cybercom.net (206.28.134.6)  45 ms * *

(which tells me the computer is _on_ right now.  It would respond unreachable or
time out if the computer at shell1 were turned off.)

Depending on how cybercom assigns IP's that may or may not be "offerextended" on
the other end of the wire right now.  If cybercom assigns static IP's (you have
a permanently assigned IP address) it may well be offerextended.  It also could
be that shell1 is a proxy to another network where the IP addresses are masked.
If cybercom assigns dynamic IP's (you are assigned an IP from an available pool
each time you dial-up) then the chances of shell1 being offerextended are the
odds of offerextended being logged on to that host among all of the customers
cybercom supports with that host.

None of this amounted to an attempt to enter the computer, just looking to see
if it's there.

If you want to complain, the WHOIS point of contact above is a good place to
start.  You might start off with SET POLITE = ON just in case cybercom doesn't
have any idea what "offerextended" is up to, or cybercom didn't have anything to
do with it.

OBTW, offerextended is quite likely a subscriber to www-security.  offerextended
may not be playing with a full deck and may not appreciate either one of us.  Oh
gee...

Regards,

Dave Kennedy CISSP
Research Director 
National Computer Security Association
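The header walk Dave describes above, as an added example that is not part of the original post or the list archive: it unfolds a message's Received: lines, pulls out of each hop the name the sender claimed in HELO, the reverse-DNS name and IP the receiving MTA actually observed, and the receiving host and queue id, then marks how far down the chain a recipient can trust. The sample message is constructed: its middle hop reuses the hosts and addresses quoted in the post, while the outer hop, the lowest hop and the recipient address are placeholders, and the set of "our own" MTAs is an assumption you would replace with your site's servers.

```python
"""Walk a Received: chain newest-hop-first and mark where trust stops.

Only lines added by MTAs you control are trustworthy; every line below them
arrived as ordinary data from the previous hop and can have been forged, which
is why the post stresses that a header only makes the origin *appear* to be
a given host.  Added example, not code from the original post."""

import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample message (not a real one).  The middle Received: line uses
# the hosts and IPs quoted in the post; the other hops and the recipient
# address are placeholders.
SAMPLE_MESSAGE = (
    "Received: from kalypso.cybercom.net (kalypso.cybercom.net [206.28.134.5])\n"
    "\tby ns2.rutgers.edu with ESMTP id QAA00001\n"
    "\tfor <www-security@ns2.rutgers.edu>; Fri, 20 Sep 1996 16:01:02 -0400\n"
    "Received: from shell1.cybercom.net (shell1.cybercom.net\n"
    "\t[206.28.134.6]) by kalypso.cybercom.net (8.6.12/8.6.12) with\n"
    "\tESMTP id BAA20402 for <www-security@ns2.rutgers.edu>;\n"
    "\tFri, 20 Sep 1996 15:58:00 -0400\n"
    "Received: from friendly.example.invalid (friendly.example.invalid [10.0.0.9])\n"
    "\tby shell1.cybercom.net with SMTP id AAA00002; Fri, 20 Sep 1996 15:50:00 -0400\n"
    "From: someone@example.invalid\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

_FROM = re.compile(r"^from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?", re.I)
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def header_fields(raw: str) -> List[Tuple[str, str]]:
    """Split the header block into (name, value) pairs, joining the
    RFC 822 continuation lines that start with whitespace."""
    head = raw.split("\n\n", 1)[0]
    fields: List[Tuple[str, str]] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value: str) -> Dict[str, object]:
    """Extract helo / rdns / ip / by / with / id / for from one Received: value.
    'helo' is what the sending side claimed; 'rdns' and 'ip' are what the
    receiving MTA observed on the connection, so they are the useful part."""
    hop: Dict[str, object] = {k: None for k in ("helo", "rdns", "ip", "by", "with", "id", "for")}
    m = _FROM.match(value)
    if m:
        hop["helo"] = m.group("helo")
        paren = m.group("paren") or ""
        ipm = _IP.search(paren)
        if ipm:
            hop["ip"] = ipm.group(1)
        rdns = _IP.sub("", paren).strip()
        hop["rdns"] = rdns or None
    for key in ("by", "with", "id", "for"):
        km = re.search(r"\b%s\s+<?([^\s;>]+)>?" % key, value, re.I)
        if km:
            hop[key] = km.group(1)
    return hop


def trace(raw: str, trusted_mtas: Set[str]) -> List[Dict[str, object]]:
    """Hops newest-first.  A hop stays trusted while its 'by' host is one of
    our own MTAs; at the first hop received by a host we do not control,
    trust stops for it and everything below it."""
    hops = [parse_received(v) for n, v in header_fields(raw) if n.lower() == "received"]
    trusted = True
    for hop in hops:
        if trusted and str(hop["by"] or "").lower() not in trusted_mtas:
            trusted = False
        hop["trusted"] = trusted
        hop["helo_matches_rdns"] = str(hop["helo"] or "").lower() == str(hop["rdns"] or "").lower()
    return hops


def handoff_ip(hops: List[Dict[str, object]]) -> Optional[str]:
    """IP the last MTA we control actually saw connecting: the furthest point
    back in the chain that can be verified from our side."""
    last: Optional[str] = None
    for hop in hops:
        if not hop["trusted"]:
            break
        last = hop["ip"]  # type: ignore[assignment]
    return last


if __name__ == "__main__":
    # Assumption: ns2.rutgers.edu stands in for "our own" list server.
    chain = trace(SAMPLE_MESSAGE, {"ns2.rutgers.edu"})
    for n, h in enumerate(chain):
        print(n, "trusted" if h["trusted"] else "UNVERIFIED",
              "claimed", h["helo"], "seen as", h["rdns"], h["ip"], "by", h["by"], "id", h["id"])
    print("verifiable hand-off IP:", handoff_ip(chain))
```

The useful output is the hand-off IP: that is the address to run whois and traceroute against, exactly as the post does, because it is the last thing your own server observed rather than something the sender wrote.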

