[ISN] FC: FAA.gov ran open mail relay, could let people forge FAA email (fwd)

From: InfoSec News (isnat_private)
Date: Wed Nov 07 2001 - 01:21:41 PST


    Forwarded from: security curmudgeon <jerichoat_private>
    
    ---------- Forwarded message ----------
    From: Declan McCullagh <declanat_private>
    X-Sender: declanat_private
    To: politechat_private
    Date: Tue, 06 Nov 2001 08:53:04 -0500
    Subject: FC: FAA.gov ran open mail relay, could let people forge FAA email
    
    [Excerpted from RISKS Digest Vol 21 Issue 73. (ftp://ftp.sri.com/risks) --DBM]
    
    [...]
    
    Date: Sun, 4 Nov 2001 17:15:16 -0500 (EST)
    From: Bill Duncan <bduncanat_private>
    Subject: FAA Asleep at the Control Column?
    
    A few days ago while looking through the e-mail rejection logs, I was
    surprised to find some e-mail blocked by virtue of being in an RBL
    list and coming from a host in the FAA.GOV domain.  The e-mail was
    obvious spam, as I'd blocked the same sender (from a domain in the UK)
    from various other addresses.
    
    Being a new private pilot and with the recent events of September
    fresh in my mind, I quickly investigated.  Sure enough, there was a
    host on their network, loaded with software from that outfit in
    Redmond, and happily spewing relayed mail.  (I tested whether it would
    relay mail from anywhere to anywhere else by telnetting to its smtp
    port.)
    
    Furthermore, to get on this exclusive RBL list, the e-mail relay
    must've been in operation for some time.
    
    Imagining scenarios where relaying e-mail through the FAA system might
    at best be an embarrassment, and at worst might be some kind of a
    security threat, I immediately e-mailed whatever addresses I could
    find on their website as well as the usual postmasterat_private etc.  
    So far, no response, and according to my log files, I'm still
    rejecting spam from them.
    
    While many US Federal Government agencies are discovering the virtues
    of Open Source for security, I'm dismayed to find that the FAA is
    still using software well known for insecurities on their website as
    well as other hosts connected to the Internet.  Getting junk e-mail
    relayed through the FAA might be just an annoyance, but it might also
    point to other security issues there.
    
    So if you get any e-mail from the FAA, be careful.  It's probably just
    SPAM, but it might be worse.
    
       Follow-up: Mon, 5 Nov 2001 15:41:11 -0500 (EST)
    
    I didn't want to include the identifying IP address in the original
    submission, to protect the guilty, but it looks like they took it off
    this morning.  I tried pinging the address and they are no longer
    there.  The last SPAM which was sent my way from that address was at
    1:15 this morning EST.
    
    Although I e-mailed about 4 addresses at the FAA, including one for
    emergency response, I've received no replies as yet.  But I guess the
    message finally got through this morning.  Maybe they'll take it as a
    wakeup call, which I didn't think they'd really need after the recent
    events...
    
    Here's the last log entry from my mail log, with the local address
    changed. I'm using Exim.
    
    2001-11-05 01:15:18 recipients from atos.faa.gov [204.108.10.130] refused
    2001-11-05 01:15:18 recipient <localnameat_private> refused
       from atos.faa.gov [204.108.10.130]
       sender=<masterdisc8745at_private> (host_reject_recipients)
    
    Bill Duncan, VE3IED http://www.beachnet.org bduncanat_private
    +1 416 693-5960
    
    [...]
    
    Date: Thu, 1 Nov 2001 20:39:12 -0500
    From: Monty Solomon <montyat_private>
    Subject: Sony uses DMCA against Aibo Enthusiast's Site
    
    Sony Dogs Aibo Enthusiast's Site
    
    Courts: The company uses a controversial law to stop owners from altering
    the robotic pet. Some consumers balk.
    
    Sony Corp. is using a controversial U.S. law aimed at protecting
    intellectual property to pull the plug on a Web site that helps owners of
    Aibo, Sony's popular and pricey robotic pet, teach their electronic dogs new
    tricks.  Aibo owners are outraged, and hundreds have vowed to stop buying
    Sony products altogether until the company backs off. Sony has sold more
    than 100,000 Aibos worldwide since 1999, at prices ranging from $800 to
    $3,000. The dogs have spawned a community of enthusiasts who fuss over the
    mechanical marvels as if they were real canines.  [Source: Article by Dave
    Wilson and Alex Pham, *Los Angeles Times*, 1 Nov 2001]
       http://www.latimes.com/business/la-000086726nov01.story?coll=la-headlines
    
    [...]
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
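
An added example, not part of the original messages: a small parser for Exim reject-log entries laid out like the excerpt in Bill Duncan's follow-up, grouping refusals by connecting host so a relay that keeps delivering spam stands out. The line layout is assumed from that excerpt; the hosts, addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of the excerpt above (not real log data).
SAMPLE_LOG = """\
2001-11-05 01:15:18 recipients from relay.agency.example [192.0.2.10] refused
2001-11-05 01:15:18 recipient <alice@mail.example> refused
   from relay.agency.example [192.0.2.10]
   sender=<bulk1@spam.example> (host_reject_recipients)
2001-11-05 02:40:02 recipient <bob@mail.example> refused
   from relay.agency.example [192.0.2.10]
   sender=<bulk2@spam.example> (host_reject_recipients)
2001-11-05 03:05:44 recipient <alice@mail.example> refused
   from dialup7.isp.example [198.51.100.7]
   sender=<bulk1@spam.example> (host_reject_recipients)
"""
STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
REFUSED = re.compile(
    r"^(?P<ts>\S+ \S+) recipient <(?P<rcpt>[^>]*)> refused "
    r"from (?P<host>\S+) \[(?P<ip>[0-9.]+)\] "
    r"sender=<(?P<sender>[^>]*)> \((?P<reason>\w+)\)$")

def join_entries(text):
    """Fold indented continuation lines back onto their timestamped line."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line):
            entries.append(line.strip())
        elif line.strip() and entries:
            entries[-1] += " " + line.strip()
    return entries

def summarize_refusals(text, reason="host_reject_recipients"):
    """Group per-recipient refusals by (connecting host, IP)."""
    hosts = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                 "senders": set()})
    for entry in join_entries(text):
        m = REFUSED.match(entry)
        if not m or m["reason"] != reason:
            continue  # per-connection summary lines and other reasons are skipped
        rec = hosts[(m["host"], m["ip"])]
        rec["count"] += 1
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
        rec["senders"].add(m["sender"])
    return dict(hosts)

def hosts_under(summary, suffix):
    """Hosts whose reverse-DNS name falls under a watched domain suffix."""
    return sorted(h for h, _ in summary if h == suffix or h.endswith("." + suffix))
```

The first and last timestamps per host give the window in which a listed relay was still sending, which is the detail the follow-up message reports by hand.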
    



    This archive was generated by hypermail 2b30 : Wed Nov 07 2001 - 03:00:30 PST