dma@pcssc.com (Dave Armbrust) (03/29/91)
It seems that the SCO Mailing list has been attacked!

The following is what had happened, based on best guess. A site by the name of overlf.UUCP had been broken into. Apparently someone had logged in via modem and had taken the L-sys file from this system. Using this information this system had logged in to fdurt1.fdu.edu and had sent several hundred duplicate messages to sco-list@uunet.uu.net while pretending to be overlf.UUCP. During this transfer of several hundred messages the real overlf.UUCP was in a single user mode as they were aware of the break-in.

This information came to me from ross@fdurt1.fdu.edu. ross@fdurt1.fdu.edu had disabled the login for overlf at 10PM on Monday 3/25/91.

These massive duplicates have caused major problems for the readers of the SCO mailing list. They have caused more major problems for myself as I have personally received well over 2000 error messages from mailers all over stating <too many hops>. While trying to catch up on this backlog of junk messages UUNET had also informed me that there was over 25 Megs of backlogged mail for my site and still growing every minute. I have asked them to remove this backlog, which they stated would take them several hours because of the massive size.

Until this backlog can be removed and things brought to a normal state the SCO mailing list has been turned off. Any duplications should come to me rather than the readers of this list.

It looks like we will be able to move the SCO Mailing List distribution point to another site that does not run sendmail! edhew@xenitec has agreed to do so. This should stop the duplicate problems caused by uunet sendmail bugs. I will post a message after the transfer has occurred and seems to be stable.

For those of you that have run mailing lists before and have "never subjected my members to anything like this" I suggest that you try to run one to over 400 sites with the large amount of traffic that goes through the SCO Mailing List. Then I will be glad to compare notes with you. Yes, I know it should be a news group but we have already tried that and the vote failed.

Anyone that has sent mail to me since Monday should consider re-mailing to me as I may not have received it. I will even try to respond to flames.

For those of you interested in the attack I have attached some notes below.

Dave Armbrust               |     uunet!pcssc!dma
PC Software Systems         |     dma@pcssc.com or
4370 S. Tamiami Trail       |     owner-sco-list@uunet.uu.net
Sarasota, FL 34231-3400     |     Phone: (813)922-8857

If you put garbage in a computer nothing comes out but garbage. But this garbage, having passed through a very expensive machine, is somehow ennobled and none dare criticize it.

==============================================================================

There also appear to be at least 3 versions of the message. The 2nd and 3rd versions I assumed were modified for some reason. It is possible that some or all of the modifications were made by mailer programs. I will attempt to explain the modifications below.

-------------------------------------------------------------------------------

The first version contains the lines:

...
Received: by fdurt1.fdu.edu (5.57/Ultrix3.0-C)
        id AA13593; Mon, 25 Mar 91 11:34:04 -0500
Received: from kb2ear by overlf.UUCP
        id aa21394; Mon, 25 Mar 91 11:49:06 EST
Received: by kb2ear.UUCP (smail2.5X)
        id AA13593; 25 Mar 91 11:34:04 EST (Mon)
Received: from cs.utexas.edu by rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
        id AA18746; Mon, 25 Mar 91 03:28:04 EST
...
Return-Path: <raney@cs.toronto.edu>
Received: by anchor.Colorado.EDU (cu.bind.900828)
        Sun, 24 Mar 91 09:37:46 -0700
Date: Sun, 24 Mar 1991 11:37:46 -0500
From: Scott Raney <raney@anchor.colorado.edu>
Message-Id: <9103241637.AA02548@anchor.Colorado.EDU>
To: pride386!root%fdurt1@uunet.UU.NET
...
Sender: root@anchor.colorado.edu

OK, that's it. I'm ...

-------------------------------------------------------------------------------

The second version contains the lines:

...
Received: by fdurt1.fdu.edu (5.57/Ultrix3.0-C)
        id (varies with each message); Mon, 25 Mar 91 (varies) -0500
Received: from kb2ear by overlf.UUCP
        id aa23985; Mon, 25 Mar 91 17:09:27 EST
Received: by kb2ear.UUCP (smail2.5X)
        id AA16691; 25 Mar 91 16:17:18 EST (Mon)
Received: from cs.utexas.edu by rutgersedu (5.59/SMI4.0/RU1.4/3.08)
        id AA09891; Mon, 25 Mar 91 15:41:59 EST
Received: from uunet.UU.NET by cs.utexas.edu (5.64/1.98) with SMTP
        id AA15041; Mon, 25 Mar 91 14:40:44 -0600
Received: by uunet.UU.NET (5.61/UUNET-primary-gateway)
        id AA02808; Mon, 25 Mar 91 12:48:31 -0500
Received: from relay1.UU.NET by uunet.UU.NET with SMTP (5.61/UUNET-primary-gateway)
        id AA02787; Mon, 25 Mar 91 12:48:21 -0500
Received: from fdurt1.fdu.edu by relay1.UU.NET with SMTP (5.61/UUNET-shadow-mx)
        id AA29347; Mon, 25 Mar 91 12:48:09 -0500
Received: by fdurt1.fdu.edu (5.57/Ultrix3.0-C)
        id AA16681; Mon, 25 Mar 91 12:48:36 -0500
Received: from kb2ear by overlf.UUCP
        id aa21394; Mon, 25 Mar 91 11:49:06 EST
Received: by kb2ear.UUCP (smail2.5X)
        id AA13593; 25 Mar 91 11:34:04 EST (Mon)
Received: from cs.utexas.edu by rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
        id AA18746; Mon, 25 Mar 91 03:28:04 EST
...
Return-Path: <raney>
Received: by anchor.Colorado.EDU (cu.bind.900828)
        Sun, 24 Mar 91 09:37:46 -0700
Date: Sun, 24 Mar 19 09:37:46 -0700
From: Scott Raney <raney@anchor.colorado.edu>
Message-Id: <9103241637.AA02548@anchor.Colorado.EDU>
To: pride386!root%fdurt1@uunet.UU.NET
...
Sender: root@anchor.colorado.edu

OK, that's it. I'm ...

-------------------------------------------------------------------------------

Differences between 1st and 2nd version:

1) Return-Path: changed from
        <raney@anchor.colorado.edu>
   to
        <raney>

2) Date: changed from
        Sun, 24 Mar 1991 11:37:46 -0500
   to
        Sun, 24 Mar 91 09:37:46 -0700

3) Messages appear to now have made at least one round trip.

-------------------------------------------------------------------------------

The third message contains the lines:

Received: by fdurt1.fdu.edu (5.57/Ultrix3.0-C)
        id (varies with each message); Mon, 25 Mar 91 (varies) -0500
Received: from cs.utexas.edu by rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
        id AA09891; Mon, 25 Mar 91 15:41:59 EST
Received: from uunet.UU.NET by cs.utexas.edu (5.64/1.98) with SMTP
        id AA15041; Mon, 25 Mar 91 14:40:44 -0600
Received: by uunet.UU.NET (5.61/UUNET-primary-gateway)
        id AA02808; Mon, 25 Mar 91 12:48:31 -0500
Received: from relay1.UU.NET by uunet.UU.NET with SMTP (5.61/UUNET-primary-gateway)
        id AA02787; Mon, 25 Mar 91 12:48:21 -0500
Received: from fdurt1.fdu.edu by relay1.UU.NET with SMTP (5.61/UUNET-shadow-mx)
        id AA29347; Mon, 25 Mar 91 12:48:09 -0500
Received: by fdurt1.fdu.edu (5.57/Ultrix3.0-C)
        id AA16681; Mon, 25 Mar 91 12:48:36 -0500
Received: from cs.utexas.edu by rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
        id AA18746; Mon, 25 Mar 91 03:28:04 EST
...
Return-Path: <raney>
Received: by anchor.Colorado.EDU (cu.bind.900828)
        Sun, 24 Mar 91 09:37:46 -0700
Date: Sun, 24 Mar 1991 09:37:46 -0700
From: sco-list@uunet.uu.net
Message-Id: <9103241637.AA02548@anchor.Colorado.EDU>
To: root%fdurt1@pride386.uucp
...
Sender: sco-list@uunet.uu.net

OK, that's it. I'm ...

-------------------------------------------------------------------------------

The differences from 2nd to 3rd versions are:

1) All references to kb2ear and overlf.UUCP were removed!
   Note: Now it appears that the messages went directly from rutgers.edu to fdurt1.fdu.edu. (fdurt1.fdu.edu does not communicate with rutgers.edu directly.)

2) From: changed from
        From: Scott Raney <raney@anchor.colorado.edu>
   to
        From: sco-list@uunet.uu.net

3) To: changed from
        To: pride386!root%fdurt1@uunet.UU.NET
   to
        To: root%fdurt1@pride386.uucp

-------------------------------------------------------------------------------

Dave Armbrust               |     uunet!pcssc!dma
PC Software Systems         |     dma@pcssc.com or
4370 S. Tamiami Trail       |     owner-sco-list@uunet.uu.net
Sarasota, FL 34231-3400     |     Phone: (813)922-8857

If you put garbage in a computer nothing comes out but garbage. But this garbage, having passed through a very expensive machine, is somehow ennobled and none dare criticize it.

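Added example, not part of the original post: a Python sketch that reads the Received: chain of the second version quoted above and reports which hosts handled the message more than once, which is the "round trip" the notes point out. The function names receiving_hosts and loop_report are assumptions of this example.

```python
import re
from collections import Counter

# Received: lines transcribed from the "second version" quoted in the post,
# newest hop first. The id and time of the top line vary per copy, and the
# spelling "rutgersedu" is as it appears in the post.
SECOND_VERSION = """\
Received: by fdurt1.fdu.edu (5.57/Ultrix3.0-C)
\tid (varies); Mon, 25 Mar 91 (varies) -0500
Received: from kb2ear by overlf.UUCP id aa23985; Mon, 25 Mar 91 17:09:27 EST
Received: by kb2ear.UUCP (smail2.5X) id AA16691; 25 Mar 91 16:17:18 EST (Mon)
Received: from cs.utexas.edu by rutgersedu (5.59/SMI4.0/RU1.4/3.08) id AA09891; Mon, 25 Mar 91 15:41:59 EST
Received: from uunet.UU.NET by cs.utexas.edu (5.64/1.98) with SMTP id AA15041; Mon, 25 Mar 91 14:40:44 -0600
Received: by uunet.UU.NET (5.61/UUNET-primary-gateway) id AA02808; Mon, 25 Mar 91 12:48:31 -0500
Received: from relay1.UU.NET by uunet.UU.NET with SMTP (5.61/UUNET-primary-gateway) id AA02787; Mon, 25 Mar 91 12:48:21 -0500
Received: from fdurt1.fdu.edu by relay1.UU.NET with SMTP (5.61/UUNET-shadow-mx) id AA29347; Mon, 25 Mar 91 12:48:09 -0500
Received: by fdurt1.fdu.edu (5.57/Ultrix3.0-C) id AA16681; Mon, 25 Mar 91 12:48:36 -0500
Received: from kb2ear by overlf.UUCP id aa21394; Mon, 25 Mar 91 11:49:06 EST
Received: by kb2ear.UUCP (smail2.5X) id AA13593; 25 Mar 91 11:34:04 EST (Mon)
Received: from cs.utexas.edu by rutgers.edu (5.59/SMI4.0/RU1.4/3.08) id AA18746; Mon, 25 Mar 91 03:28:04 EST
"""

def receiving_hosts(raw):
    """Return the 'by' host of every Received: header, oldest hop first."""
    headers = []
    for line in raw.splitlines():
        if line[:1].isspace() and headers:        # folded continuation line
            headers[-1] += " " + line.strip()
        elif line.lower().startswith("received:"):
            headers.append(line)
    hosts = []
    for header in reversed(headers):              # mailers prepend, so reverse
        match = re.search(r"\bby\s+(\S+)", header, re.I)
        if match:
            hosts.append(match.group(1).lower())  # host names are case-insensitive
    return hosts

def loop_report(raw):
    """Summarise the path and list hosts the message came back to."""
    hosts = receiving_hosts(raw)
    # Two Received: lines in a row from one host are an internal hand-off, not a loop.
    path = [h for i, h in enumerate(hosts) if i == 0 or h != hosts[i - 1]]
    counts = Counter(path)
    revisited = [h for h in dict.fromkeys(path) if counts[h] > 1]
    return {"received_lines": len(hosts), "path": path, "revisited": revisited}

if __name__ == "__main__":
    print(loop_report(SECOND_VERSION))
```
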
mpd@anomaly.SBS.COM (Michael P. Deignan) (03/30/91)
dma@pcssc.com (Dave Armbrust) writes:

>It seems that the SCO Mailing list has been attacked!

You know, if this didn't cause such a serious problem on the network, it would be kinda funny. I've never seen people HATE a mailing list SO much. Even the opponents of m.a.g don't hate the ACTIV-L mailing list this much. I don't even think SCI.AQUARIA is hated as much as the SCO Mailing List. Well... Nah...

>Yes, I know it should be a news group but we have already tried that
>and the vote failed.

No, it shouldn't have been a newsgroup. That's why the vote failed. Plus, why do you need a newsgroup when the SCO.* hierarchy is available?

MD
--
-- Michael P. Deignan                      / Since I *OWN* SBS.COM,
-- Domain: mpd@anomaly.sbs.com             / These Opinions Generally
-- UUCP: ...!uunet!rayssd!anomaly!mpd      / Represent The Opinions Of
-- Telebit: +1 401 455 0347                / My Company...