root@gilbbs.UUCP (The Super User) (03/31/86)
I recently received a mail message which has an obviously phoney address as the return path. I am concerned about this misuse of the network. Is there any way that we might be able to track such a posting?

The offensive posting header follows:

Received: by hplabs.ARPA ; Thu, 27 Mar 86 00:03:55 pst
Received: by hao.NCAR (4.12/4.7)
        id AA08482; Thu, 27 Mar 86 00:26:14 mst
Received: by seismo.ARPA (4.12/4.7)
        id AA03491; Thu, 27 Mar 86 13:45:53 est
Received: by mcvax.UUCP (4.12/4.7)
        id AA09712; Thu, 27 Mar 86 10:48:31 gmt
Received: by moskvax.USSR (4.12/4.7)
        id AA08123; Wed, 26 Mar 86 23:19:33 ust
Received: by kremlin.USSR (4.12/4.7)
        id AA03099; Wed, 26 Mar 86 23:15:03 ust
Date: Thu, 27 Mar 86 00:06:02 mst
Message-Id: <8603270706.AA08411@kremlin.USSR>
From: hplabs!hao!kremlin!andropov (Yuri's Ghost)
Subject: Re: looking for CSUC *TALK* users
Apparently-To: moskvax!mcvax!seismo!hao!hplabs!qantel!gilbbs!mc68020
Status: R

[body of message removed]

Can anyone assist me in determining the origin of this letter? Thanks in advance.

Sincerely,
Yuri
stephen@dcl-cs.UUCP (04/02/86)
In article <134@gilbbs.UUCP> root@gilbbs.UUCP writes:
>Is there any way that we might be able to track such a posting?
>
> The offensive posting header follows:
>
>
>Received: by hplabs.ARPA ; Thu, 27 Mar 86 00:03:55 pst
>Received: by hao.NCAR (4.12/4.7)
>        id AA08482; Thu, 27 Mar 86 00:26:14 mst
>Received: by seismo.ARPA (4.12/4.7)
>        id AA03491; Thu, 27 Mar 86 13:45:53 est
>Received: by mcvax.UUCP (4.12/4.7)
>        id AA09712; Thu, 27 Mar 86 10:48:31 gmt
>Received: by moskvax.USSR (4.12/4.7)
>        id AA08123; Wed, 26 Mar 86 23:19:33 ust
>Received: by kremlin.USSR (4.12/4.7)
>        id AA03099; Wed, 26 Mar 86 23:15:03 ust

Our mailer puts "Received" stamps on according to where the mail actually came from. Thus, this mail message would've become:

Received: from hao.NCAR by hplabs.ARPA ; Thu, 27 Mar 86 00:03:55 pst
Received: from seismo.ARPA by hao.NCAR (4.12/4.7)
        id AA08482; Thu, 27 Mar 86 00:26:14 mst
Received: from mcvax.UUCP by seismo.ARPA (4.12/4.7)
        id AA03491; Thu, 27 Mar 86 13:45:53 est
Received: from moskvax.USSR by mcvax.UUCP (4.12/4.7)
        id AA09712; Thu, 27 Mar 86 10:48:31 gmt
Received: from kremlin.USSR by moskvax.USSR (4.12/4.7)
        id AA08123; Wed, 26 Mar 86 23:19:33 ust
Received: by kremlin.USSR (4.12/4.7)
        id AA03099; Wed, 26 Mar 86 23:15:03 ust

All you would then have to do is see where the discrepancy is. E.g., if part of the message was instead:

Received: from bogus.UUCP by mcvax.UUCP (4.12/4.7)
        id AA09712; Thu, 27 Mar 86 10:48:31 gmt
Received: from kremlin.USSR by moskvax.USSR (4.12/4.7)
        id AA08123; Wed, 26 Mar 86 23:19:33 ust

you would be able to find it. It is my firm belief that all mailers should do this for this reason (this conforms to RFC822).
--
UUCP:  ...!seismo!mcvax!ukc!dcl-cs!stephen
DARPA: stephen%comp.lancs.ac.uk@ucl-cs        | Post: University of Lancaster,
JANET: stephen@uk.ac.lancs.comp               |       Department of Computing,
Phone: +44 524 65201 Ext. 4120                |       Bailrigg, Lancaster, UK.
Project:Alvey ECLIPSE Distribution            |       LA1 4YR
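As an added illustration, not part of the original thread, here is a small Python check of the kind stephen describes: it unfolds the Received stamps and flags any hop whose "from" host does not match the "by" host of the stamp beneath it. The sample headers are constructed from the corrected chain quoted above; the hostnames and ids are the post's own.

```python
import re

# Constructed sample: the consistent "from X by Y" chain given in the post.
CONSISTENT = """\
Received: from hao.NCAR by hplabs.ARPA ; Thu, 27 Mar 86 00:03:55 pst
Received: from seismo.ARPA by hao.NCAR (4.12/4.7)
        id AA08482; Thu, 27 Mar 86 00:26:14 mst
Received: from mcvax.UUCP by seismo.ARPA (4.12/4.7)
        id AA03491; Thu, 27 Mar 86 13:45:53 est
Received: from moskvax.USSR by mcvax.UUCP (4.12/4.7)
        id AA09712; Thu, 27 Mar 86 10:48:31 gmt
Received: from kremlin.USSR by moskvax.USSR (4.12/4.7)
        id AA08123; Wed, 26 Mar 86 23:19:33 ust
Received: by kremlin.USSR (4.12/4.7)
        id AA03099; Wed, 26 Mar 86 23:15:03 ust
"""
# Same chain with the forged hop from the post: mcvax names a sender that
# does not match the stamp beneath it.
BOGUS = CONSISTENT.replace("from moskvax.USSR by mcvax.UUCP",
                           "from bogus.UUCP by mcvax.UUCP")

RECEIVED = re.compile(r"^Received:\s*(?:from\s+([^\s;(]+)\s+)?by\s+([^\s;(]+)",
                      re.I)

def unfold(header_text):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for raw in header_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines

def parse_hops(header_text):
    """Return Received stamps newest-first as (from_host, by_host) tuples."""
    return [(m.group(1), m.group(2))
            for m in map(RECEIVED.match, unfold(header_text)) if m]

def check_chain(header_text):
    """Return (index, claimed_from, actual_by) for every stamp whose 'from'
    disagrees with the 'by' beneath it; a stamp with no 'from' at all is
    reported with claimed_from=None, since it cannot be checked."""
    hops = parse_hops(header_text)
    findings = []
    for i in range(len(hops) - 1):
        claimed = hops[i][0]
        written_by = hops[i + 1][1]
        if claimed is None or claimed.lower() != written_by.lower():
            findings.append((i, claimed, written_by))
    return findings
```

Only stamps written by relays you trust mean anything: everything beneath the first honest hop was supplied by whoever injected the message and can be made to look perfectly consistent.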
lauren@vortex.UUCP (Lauren Weinstein) (04/05/86)
Received lines are certainly useful, but note that so long as there are sites that use a single publicly known login and phone number for dialup access, random sites can call up and claim to be other sites for the purpose of submitting bogus mail. As always, I urge sites NOT to establish general-use logins in that manner, and instead to establish separate login accounts for each site dialing up whenever possible. --Lauren--
henry@utzoo.UUCP (Henry Spencer) (04/06/86)
> Our mailer puts "Received" stamps on according to where the mail actually
> came from. ... All you would then have to do is see where the discrepancy
> is... It is my firm belief that all mailers should do this for this reason
> (this conforms to RFC822).

Unfortunately, we are talking about news, not mailers. And news article headers are already bloated. If your site gets a full feed, a substantial fraction of the disk space needed to store news is storing largely-redundant headers. Similarly, sites which get news via Long Distance are paying a noticeable fraction of their phone bills for headers. Considering the convoluted paths that news articles sometimes take, adding a "Received" header for every hop would greatly worsen these problems. Even for mail, those headers are making much money for phone companies; for news it's just impractical.
--
Henry Spencer @ U of Toronto Zoology
{allegra,ihnp4,decvax,pyramid}!utzoo!henry
north@ulysses.UUCP (Steve North) (04/07/86)
You're very confident that headers can't be forged? Why, that seems quite reasonable!
fair@styx.UUCP (Erik E. Fair) (04/09/86)
The bottom line is: there is no user authentication in either netnews or electronic mail, as we know them. (but don't forget: neither is there any authentication in the world Postal System...)

Yow! Are we paranoid yet?

Erik E. Fair	styx!fair	fair@lll-tis-b.arpa
dormitzer@h-sc1.UUCP (paul dormitzer) (04/09/86)
Before going into a long discussion about the practicality of tracking news articles, one should ask "Do we really care?". It seems to me that if someone wants to go to the trouble of forging news paths, they'll probably find a way to do it no matter how paranoid we are, and furthermore it hurts no-one if they do. (Unless, of course, they claim to be another member of the network community, effectively slandering the person they claim to be.) Last year there was a note from ``yuri!kremvax!kgbvax!...'' on net.jokes and people spent the next month screaming about how they thought security on the net was broken.

By virtue of the fact that this is in effect a public discussion forum (netnews, that is), the concept of security is basically nil, since any site that can find a host to pass news to it gets full access. Furthermore, on many university sites computer accounts are available to all members of the university, so if "they" want to "infiltrate" our network, "they" have probably already done so, and the only way to stop "unwanted access" is to completely shut down the news system.

If security is not an issue, then the only worry is that of who sent which article. In a forum such as we have, the important point is to exchange information and ideas, not to find out who said what. (Unless, of course, you just want to flame people... which is not only childish but also detracts from the exchange of ideas.)
--
The above ideas do not necessarily reflect the opinion of Harvard University, its faculty or staff, or the Harvard University Science Center.

Paul Dormitzer
...!harvard!h-sc1!dormitzer
jso@edison.UUCP (John Owens) (04/11/86)
> > Our mailer puts "Received" stamps on according to where the mail actually
> > came from. ... All you would then have to do is see where the discrepancy
> > is... It is my firm belief that all mailers should do this for this reason
> > (this conforms to RFC822).
>
> Unfortunately, we are talking about news, not mailers.
> Henry Spencer @ U of Toronto Zoology

Unfortunately, we are talking about mail, not news. The original forged mail had plenty of Received headers; the referenced text above refers to "Received: from xxx by yyy" being superior to just "Received: by yyy".
--
John Owens @ General Electric Company		(+1 804 978 5726)
edison!jso%virginia@CSNet-Relay.ARPA		[old arpa]
edison!jso@virginia.EDU				[w/ nameservers]
jso@edison.UUCP					[w/ uucp domains]
{cbosgd allegra ncsu xanth}!uvacs!edison!jso	[roll your own]