[3216] in WWW Security List Archive
Email security, was 'Re: I believe you ...'
daemon@ATHENA.MIT.EDU (Frank Knobbe)
Fri Oct 11 22:44:06 1996
From: "Frank Knobbe" <FKnobbe@ix.netcom.com>
To: "David Murray" <dmurray@pdssoftware.com>, www-security@ns2.rutgers.edu
Date: Fri, 11 Oct 1996 19:15:28 -0600
Reply-to: FKnobbe@ix.netcom.com
CC: root@techex.com
Errors-To: owner-www-security@ns2.rutgers.edu
On 11 Oct 96 at 11:50, David Murray wrote about: Re: I believe you is
partly respons
Since this list deals with security, let me throw in a comment. You
wrote...
> We just saw that we can protect the list by protesting to the
> administrators of the site where the e-mail originated. In this
> case, people were referred to primenet and cyberhighway. How did we
> know that? Look at all the detail of the mail headers in the
> original message. You will see that a mail server at primenet sent
> it to rutgers, and further down you will see that primenet received
> it from cyberhighway. If your e-mail reader doesn't show you this
> info, find out how to turn it on (it happens to be Ctrl-H in my
> client). Send your complaints to root, postmaster, abuse, and/or
> support (if it's an obvious ISP).
Unfortunately this is not completely true. There are ways to disguise
the route of the email (received from's). It is true that most SMTP
relays add the IP address of the sender in the 'received' line. That
way you can track the sender down (call ISP, give time and IP
address, ISP looks in log and cancels the account).
But not all SMTP relays do that and I think this IS a security issue that needs to be addressed
(Hey Geoffrey, this is for you). I'm a little embarrassed now, but I
have to admit that I sent the follow-up from the 'account'
He@Tickles.us. The SMTP relay demon at techex.com does NOT add the IP
address of the sender. I HELOed as hermes.techex.com and faked the
rest of the 'received' lines (I made a mistake though; I used CST, EST
and MST but never actually converted to local times...). The way the
header lists the info (header is attached) everything looks valid (I
included the real IP addresses of the systems to make it more
realistic). It ends with cyberhighway again, but the mail never came
from there.
Now, in this case the admin at techex can look through his log and
find (hopefully) my real IP address, look up the ISP and report the
abuse. But if you add plenty of 'received' lines, most likely no one
would find the right entry point, the border of real and fake.
This should not be a manual on 'How to fake email', nor am I proud of
my achievement (especially since I did end up with a few typos...).
In my eyes a security hole has to be exposed in order to fix it. A
private message to Geoffrey (root@techex) would fix this hole, but I'd
like to ask ALL sysadmins out there to make sure their mail services
are tight and don't allow those things to happen.
I'm sure techex is not the only system that has this security
problem. Again, I would like to ask all sysadmins to make sure their
systems are secure.
I feel better now getting this off my chest. Post comments public,
flames via email.
Regards,
Frank Knobbe
P.S.: I have nothing to do with that guy from cyberhighway and do not
support faking of email. I'm not a hacker and I'm FOR the Telecom
Decency Act, which protects people from emails like the one we have
seen. Freedom of speech ...fine, but within the framework of moral
and decency please.
P.P.S.: Use PGP to protect yourself with authentication of email.
[-[begin attachment: header]-]
Return-Path: <owner-www-security@ns2.rutgers.edu>
Received: from ns2.rutgers.edu (ns2.rutgers.edu [128.6.21.2]) by ixmail2.ix.netcom.com (8.7.5/SMI-4.1/Netcom)
id WAA23329; Wed, 9 Oct 1996 22:42:43 -0700 (PDT)
Received: (from daemon@localhost) by ns2.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12) id WAA05308 for
www-security-outgoing; Wed, 9 Oct 1996 22:00:52 -0400
Received: from vulcan.techex.com (vulcan.techex.com [199.77.82.66])
by ns2.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12) with ESMTP id
WAA05302 for <www-security@ns2.rutgers.edu>; Wed, 9 Oct 1996 22:00:50
-0400
From: He@tickles.us
Received: from hermes.techex.com by vulcan.techex.com (cf GDP2.0) id BAA16954; Thu, 10 Oct 1996 01:57:19 GMT
[-[start of fake lines]-]
Received: from primenet.com (primenet.com [206.165.5.104]) by hermes.techex.com (8.7.5/SMI-4.1/199.77.82.49) id 298554; Wed, 09 Oct
1996 20:35:19 -0600 (CDT)
Received: from moron.cyberhighway.net (ts1-02.phx.cyberhighway.net [206.26.253.5]) by primenet.com
(8.8.0/8.8.0) with SMTP id KBA00231 for <www-security@ns2.rutgers.edu>; Wed, 9 Oct 1996 20:27:22 -0500 (EST)
Date: wed, 9 oct 1996 20:12:49 -0700 (MST)
Message-Id: <1996100923312.KBA00231@primenet.com>
To: That_loser@cyberhighway.net, www-security@ns2.rutgers.edu
Subject: Re: Your people are #$%#%(Censored)
[-[end of attachment]-]
--
http://www.netcom.com/~fknobbe
--
WARNING: ANYONE SENDING UNREQUESTED ADVERTISEMENT WILL BE
ADDED TO A FILTER LIST, WHICH WILL AUTOMATICALLY DELETE
EVERY MAIL FROM THE SENDER. THIS WILL INTERRUPT FURTHER
CORRESPONDENCE. PLEASE REFRAIN FROM SENDING JUNK E-MAIL.
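As an added illustration of the header tracing David Murray describes and the forgery Frank admits to (example code written for this archive page, not part of the original message): the script below parses the attached Received: chain, walks it newest hop first, and flags what gives the forged trail away from a defender's chair: the techex relay logged no sender IP, so nothing below that hop can be verified, and one hand-written timestamp, once the numeric offsets are normalised to UTC, is later than the hop that supposedly received it. The hop-to-hop hand-off check passes, which is exactly why the headers "look valid" at a glance. It assumes the folded header lines are indented, as an MTA emits them.

```python
import re
from email.utils import parsedate_to_datetime

# Received: chain from the attached header (re-folded); the last two lines are the ones the author forged.
HEADERS = """\
Received: from ns2.rutgers.edu (ns2.rutgers.edu [128.6.21.2]) by ixmail2.ix.netcom.com (8.7.5/SMI-4.1/Netcom)
  id WAA23329; Wed, 9 Oct 1996 22:42:43 -0700 (PDT)
Received: (from daemon@localhost) by ns2.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12) id WAA05308 for
  www-security-outgoing; Wed, 9 Oct 1996 22:00:52 -0400
Received: from vulcan.techex.com (vulcan.techex.com [199.77.82.66]) by ns2.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12)
  with ESMTP id WAA05302 for <www-security@ns2.rutgers.edu>; Wed, 9 Oct 1996 22:00:50 -0400
Received: from hermes.techex.com by vulcan.techex.com (cf GDP2.0) id BAA16954; Thu, 10 Oct 1996 01:57:19 GMT
Received: from primenet.com (primenet.com [206.165.5.104]) by hermes.techex.com (8.7.5/SMI-4.1/199.77.82.49) id 298554; Wed, 09 Oct
  1996 20:35:19 -0600 (CDT)
Received: from moron.cyberhighway.net (ts1-02.phx.cyberhighway.net [206.26.253.5]) by primenet.com
  (8.8.0/8.8.0) with SMTP id KBA00231 for <www-security@ns2.rutgers.edu>; Wed, 9 Oct 1996 20:27:22 -0500 (EST)
"""

def received_lines(raw):
    """Unfold the headers and return every Received: value, newest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [ln[len("Received:"):].strip() for ln in unfolded.splitlines()
            if ln.startswith("Received:")]

def parse_hop(value):
    """Extract the claimed sender, the IP the relay logged, the relay itself, and the timestamp."""
    m_from = re.match(r"from\s+(?P<frm>[^\s(;]+)(?P<cmt>[^;]*?)\s+by\s", value)
    m_by = re.search(r"\bby\s+(?P<by>[^\s(;]+)", value)
    ip = None
    if m_from:  # only a bracketed literal beside the 'from' host counts as logged by the relay
        m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m_from.group("cmt"))
        ip = m_ip.group(1) if m_ip else None
    return {"from": m_from.group("frm") if m_from else None, "ip": ip,
            "by": m_by.group("by") if m_by else None,
            "time": parsedate_to_datetime(value.rsplit(";", 1)[1].strip())}

def audit_chain(hops):
    """Return (hop index, finding) pairs; index 0 is the newest Received: line."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["from"] and hop["ip"] is None:      # trail cannot be verified below this hop
            findings.append((i, "no-sender-ip"))
        if i and hops[i - 1]["from"] and hop["by"] and hops[i - 1]["from"] != hop["by"]:
            findings.append((i, "handoff-mismatch"))  # hop above names a different source host
        if i and hop["time"] > hops[i - 1]["time"]:   # aware datetimes, so compared in UTC
            findings.append((i, "time-goes-forward"))
    return findings

if __name__ == "__main__":
    print(audit_chain([parse_hop(v) for v in received_lines(HEADERS)]))
```

Run on the attached chain it reports hop 3 (hermes to vulcan) as lacking a logged sender IP and hop 4 (the first forged line) as timestamped after the hop that received it; the cyberhighway line at the bottom passes every check, which is the point of the post.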