Re: Attack Scenarios -> Header Munging

Justin J. Lister (ruf@osiris.cs.uow.edu.au)
Fri, 3 Feb 1995 03:58:36 +1100 (EST)

"Rupert G. Goldie wrote:"

>Frank Swift at Home wrote:

>> From: ruf@SPi.llnl.gov (Justin J. Lister)
>> While your signature indicates you're in Australia.
>> Justin is NOT from ruf@SPi.llnl.gov; maybe he's not ruf@cs.uow.edu.au ?

I took this to personal mail (as it isn't really suitable discussion
for the list). But I will repeat it so that I clear up any
misconceptions. Also hopefully the headers from this message will be a
bit better.

1. No conspiracy here (well not a major one - possible attack
signature ?) B)

As my signature identifies I *AM* ruf@cs.uow.edu.au.

>Or more likely, Justin just has a broken mailer. The header I received
>looks the same except that the From: line says

Well, not exactly: it is a combination of mailers that are out of my
control that are really responsible. I have tried a lot of different
methods to correct the kludgey mail setup I am using. I really should
switch to a popmail setup, but that requires that I get the local
administrator to set up a POP3 server. i.e. forget it.

>> From: ruf@SPi (Justin J. Lister)

>What has probably happened is that when your mailhost received this mail
>it attached the llnl.gov because it saw that SPi wasn't a FQDN. Looking 
>back through my saved IDS mail it appears that Justin's mail has had
>this bogus From: line since at least October 21st.

Yes, that is around the time I switched to using the elm reader on my
Linux box (connected via term). This was done for a few reasons:
1. Reading mail locally is a lot faster: loading mail folders, reading
mail items, etc.

2. Allows PGP to be used without concern for keystroke monitoring.

3. Saves disk space on the remote machine. 1.37G on the Linux box, so I have
lots of room. Important, as I am subscribed to a few mailing lists that
generate ~10M/month.

Now for the reasons behind the munged header.

SETUP
           Linux Box             Sun term/MailHost      Majordomo/ids mgr
Hostname:    SPi smtp/25 -- redir ->  osiris   -- smtp --> wyrm
From:       ruf@cs.uow.edu.au         <ruf>              ruf%SPI@wyrm.cc...
To:         ids@uow.edu.au            ids@uow.edu.au     subscribers

I run Linux with smail, with the smail configs set so that my outgoing mail has
From: ruf@cs.uow.edu.au. I redirect SPi/25 to osiris/25 (term is a
client/server program that gives SLIP/PPP-like features without
requiring root-level access to run; redirect transparently copies data
from one port to the other). Initially I was using .elm/elmheaders to
include Reply-To: ruf@cs.uow.edu (but majordomo writes its own, as it
is set up with replies to the list). But it worked fine for personal
mail. Reply-To: was used as From: was being stripped by osiris (as it
is configured to strip host.domain). All mail in my sent folder has the
correct From: ruf@cs.uow.edu.au, but after processing by osiris's sendmail it
turns into From: <ruf>. When this gets processed by wyrm (running the
majordomo list administration s/w) it was getting modified to
ruf%SPi@wyrm.cc.uow.edu.au.

i.e. here are the headers I was getting for the identical post.

>From owner-ids@uow.edu.au Mon Jan 30 09:15:05 1995 +1100
Received: from wyrm.cc.uow.edu.au by osiris.cs.uow.edu.au with SMTP
  (5.65c/IDA-1.5); id AA02010; Mon, 30 Jan 1995 09:15:01 +1100
  (from owner-ids@uow.edu.au for <ruf@osiris.cs.uow.edu.au>)
Received: (from daemon@localhost) by wyrm.cc.uow.edu.au (8.6.9/8.6.9)
  id JAA2518
Message-Id: <m0rYhJP-0005qGC@SPi>
From: ruf%SPi@wyrm.cc.uow.edu.au (Justin J. Lister)

I have started to experiment with my (SPi) smail
config/director/transports/routers files. Hopefully this post will
have a proper From:.

For further discussion please email me *directly*.
-- 
+---------------------+--------------------------------------------------+
|  ____       ___     | Justin Lister                 ruf@cs.uow.edu.au  |
| |    \\   /\ __\    |     Center for Computer Security Research        |
| | |) / \_/ / |_     | Dept. Computer Science      voice: 61-42-214-327 |
| |  _ \\   /| _/     | University of Wollongong      fax: 61-42-214-329 |
| |_/ \/ \_/ |_| (tm) |     Computer Security a utopian dream...         |
|                     |       Disclaimer: dreaming is at own risk        |
+---------------------+--------------------------------------------------+
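The headers quoted in the post above are a good test case for the kind of check the thread is about: reconstructing where a message actually entered the mail system from its Received: chain and comparing that with what the From: line claims. The following is an added example, not code from the original post and not what majordomo, smail or sendmail themselves do. The sample header block is constructed from the headers quoted in the post (with the line-wrapped sendmail id joined and the mbox "From " envelope line left out), and the function names and the rule for the "%" hack (user%host@gateway is forwarded by gateway to user@host, so the real origin is host) are this example's own.

```python
"""Reconstruct a message's delivery path from its Received: headers and
check it against the From: line, as in the header-munging case above.

Added example: not code from the original post; the checks are generic
ones, not what majordomo, smail or sendmail actually do.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header block quoted in the post, with the
# line-wrapped sendmail id joined and the mbox "From " envelope line left out.
SAMPLE = """\
Received: from wyrm.cc.uow.edu.au by osiris.cs.uow.edu.au with SMTP
  (5.65c/IDA-1.5); id AA02010; Mon, 30 Jan 1995 09:15:01 +1100
  (from owner-ids@uow.edu.au for <ruf@osiris.cs.uow.edu.au>)
Received: (from daemon@localhost) by wyrm.cc.uow.edu.au (8.6.9/8.6.9)
  id JAA2518
Message-Id: <m0rYhJP-0005qGC@SPi>
From: ruf%SPi@wyrm.cc.uow.edu.au (Justin J. Lister)

(body omitted)
"""

_COMMENT = re.compile(r"\([^()]*\)")


def strip_comments(text):
    """Remove RFC 822 parenthesised comments, innermost first."""
    while True:
        stripped = _COMMENT.sub(" ", text)
        if stripped == text:
            return text
        text = stripped


def parse_received(value):
    """Return (from_host, by_host) for one Received: header.

    from_host is None for a local submission: sendmail records that only
    as a comment, e.g. "(from daemon@localhost) by wyrm...".
    """
    flat = strip_comments(" ".join(value.split()))
    m_from = re.search(r"\bfrom\s+(\S+)", flat)
    m_by = re.search(r"\bby\s+(\S+)", flat)
    return (m_from.group(1) if m_from else None,
            m_by.group(1) if m_by else None)


def received_chain(msg):
    """Hops oldest-first. Each MTA prepends its Received:, so reverse."""
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def analyse(raw):
    """Compare the claimed origin in From: with the Received: path."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    _, from_addr = parseaddr(msg.get("From", ""))
    local, _, domain = from_addr.rpartition("@")
    findings = []

    # "user%host@gateway" is the old percent hack: the gateway named after
    # the @ forwards to user@host, so the real origin is host, not gateway.
    if "%" in local:
        user, _, origin = local.rpartition("%")
        findings.append(f"From: is percent-routed: {user}@{origin} via {domain}")
    else:
        origin = domain

    if "." not in origin:
        findings.append(f"origin host {origin!r} is not fully qualified")

    seen = {h for hop in hops for h in hop if h}
    if origin not in seen:
        findings.append(f"origin host {origin!r} never appears in the Received: chain")

    # Cross-check with the Message-Id, which the originating MTA writes.
    mid = re.search(r"@([^>\s]+)>?", msg.get("Message-Id", ""))
    mid_host = mid.group(1) if mid else None
    if mid_host and mid_host != origin:
        findings.append(f"Message-Id host {mid_host!r} differs from From: origin {origin!r}")

    return {"hops": hops, "from": from_addr, "origin": origin,
            "message_id_host": mid_host, "findings": findings}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    for hop in result["hops"]:
        print("hop (from, by):", hop)
    for finding in result["findings"]:
        print("finding:", finding)
```

On the quoted headers this yields two hops, a local submission on wyrm followed by wyrm to osiris, and three findings: the From: is percent-routed to ruf@SPi, SPi is not a fully qualified name, and SPi never appears in the Received: chain (it cannot, since the message reached osiris over a redirected port rather than as an SMTP hop from a host called SPi). The Message-Id host agrees with the From: origin, which is the one piece of evidence that the address is a munged real one rather than a forgery; a spoofed message would typically fail that cross-check too. Received: headers below the one written by your own MTA are themselves attacker-controllable, so the chain is evidence, not proof.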