I think I was sniffed?
Derek Martin
derek at cerberus.ne.mediaone.net
Mon Jul 10 21:07:12 EDT 2000
Today, Ron Peterson gleaned this insight:
> "Matthew J. Brodeur" wrote:
> >
> > First of all, without the specifics of the spam messages and knowledge
> > of Harvard.Net's mail server setup it's possible that this was just a case
> > of mail forging. Someone could have seen your address and decided to use
> > it to get around the sender check on the mail server. On many servers you
> > wouldn't need a password to do that, just some knowledge of SMTP commands.
> >
> > If this was sniffing the most likely case is the POP3 access across the
> > internet.
>
> Here's the skinny from HarvardNet. They recieved notification from
> someone that some kind of SPAM originated from their network. They were
> sent the SPAM headers.
>
> Then they compare the IP address in the SPAM header to logfile of who
> was logged in and assigned that IP address (via DHCP) at the time the
> message's timestamp says the message was sent. Which was me.
One question that still remains is, were YOU logged in at that time?
It could still be a forged IP address. There's no reason at all to think
that the mail came from your computer. Spammers do this all the time.
But even if it did, if you were booted into linux and you have sendmail
running, they could have used you as a spam relay while you were
connected.
It's rather unlikely that you wouldn't have noticed it if that was the
case though, as this very likely would have made your machine really busy.
unless the spammer was using you only for a small quantity of mail, your
disk drive would have been busy for a good amount of time, which should
have seemed wierd to you.
But, there's still the possibility that a) the address was completely
forged or b) the spammer used your machine to relay only a small amount of
mail.
This is what makes tracking spam so hard. If you WERE logged on at that
time, check your logs for mail being relayed at that time.
Furthermore, if you are running sendmail on your laptop, STOP! You don't
need it, and it will only make you vulnerable to attack and/or spam
(relaying). Use your ISP's SMTP relay instead of your local machine
(chances are good you're already doing that anyway).
--
---------------------------------------------------------------
Derek D. Martin | Unix/Linux Geek
ddm at MissionCriticalLinux.com | derek at cerberus.ne.mediaone.net
---------------------------------------------------------------
-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).
More information about the Discuss
mailing list