[ISN] Computerworld victim of spoof

From: mea culpa (jerichoat_private)
Date: Thu Dec 03 1998 - 00:24:48 PST

  • Next message: mea culpa: "[ISN] Poland: Hackers Destroy Polish Telecom Website"

      This message is in MIME format.  The first part should be readable text,
      while the remaining parts are likely unreadable without MIME-aware tools.
      Send mail to mimeat_private for more info.
    
    --------------876928B79EE80B37CF56D742
    Content-Type: TEXT/PLAIN; CHARSET=us-ascii
    Content-ID: <Pine.SUN.3.96.981202181404.3873Hat_private>
    
    
    Forwarded From: darek milewski <darekmat_private>
    
    http://www.computerworld.com/home/news.nsf/CWFlash/9812023spam
    
    Computerworld victim of spoof
    By Tom Diederich
    
    We've been "spoofed."
    
    Last week, hackers began sending out spam E-mail promoting pornographic
    Web sites.  The message headers made it appear as if the originator of the
    E-mail was Computerworld.com.ph, which is the domain of Computerworld
    Philippines, a Computerworld sister publication. 
    
    This practice is called "spoofing," a hacking technique in which
    third-party servers are covertly used to relay information. 
    
    According to Tom Lamoureux, Computerworld Inc.'s director of support
    services, the hackers relayed the spam through servers at four U.S.
    universities. Lamoureux said his team is working with the colleges in an
    attempt to find who actually sent the E-mail and to determine how many
    people were targeted. 
    
    "It's impossible to tell right now, but I would imagine somewhere between
    thousands and hundreds of thousands have gotten the spam," Lamoureux said. 
    
    "These messages probably did not originate in the Philippines," he added.
    "My guess is they came from somewhere domestic because they all ultimately
    pointed to www.tripod.com, an online community site.  The porn sites
    promoted in the spam E-mail also resided on Tripod. 
    
    Tripod, in Williamstown, Mass., did not immediately respond to a request
    for an interview. However, Lamoureux said he spoke with an employee there
    who said that such attacks are not uncommon. Tripod's standard procedure
    is to shut down accounts and pull all related sites when such activity is
    detected. 
    
    Unfortunately, spoofing is a simple procedure. 
    
    "In order to do a smut posting like this, all you really need is a place
    to put the files -- there's a lot of online Web-hosting companies that
    will do that for you -- and a dial-up account with an [Internet service
    provider], which are a dime a dozen," Lamoureux said. 
    
    "It's really impossible to tell how many people were affected. The only
    real way to tell would be to check the mail server that [the spam] was
    relayed through, but the problem is that colleges have lots of servers in
    place and not all of them are administered." 
    
    By checking the message headers, Computerworld's technicians determined
    that servers at four U.S. colleges were affected: Virginia Commonwealth
    University, the University of Wyoming, the University of Michigan and Duke
    University. 
    
    Michigan and Duke were spammed yesterday, Lamoureux said. "The best chance
    to find out who originated the messages is really with these two colleges,
    because they can look at the logs." Even though the domain name address
    has been spoofed, he said, the sender's real IP address typically is
    present. However, Lamoureux said, proxy servers can be used to cook up
    fake IP addresses. 
    
    The spammers may have used a dial-up account with an Internet service
    provider. 
    
    "Unless companies, and in this case universities, tighten down their mail
    servers, this problem will really happen forever," Lamoureux said. 
    
    --------------876928B79EE80B37CF56D742--
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:13:07 PDT