On Sun, 23 Oct 1994, der Mouse wrote:

<message clipped>

> This appears to be a forged attempt to mailbomb someone else. If you
> read the headers carefully, you'll see that SFU appears in only the
> From: header - the letter comes from helix.net and has a helix.net
> Message-ID. And when I looked at vanepp@sfu.ca....

Yes, vanepp@sfu.ca is the guy in charge of security at SFU.

> Computing Services? "staff"? A staff person at SFU surely knows
> better than to send out this piece of stupidity, especially since "expn
> root" informs me that vanepp is one of nine people who get root's mail.

Yes, he knows better.

> So I think someone on helix.net originated this, probably the person
> responsible for the first piece of stupidity. What vanepp has to do
> with it I have trouble imagining; I would suspect that sfu.ca had been
> cracked and vanepp's .forward file replaced to point to the real
> culprit, but EXPN and VRFY on whistler's SMTP server don't give me that
> impression.

The account was one of Helix's. It was cracked.

> I suppose it's _possible_ that Peter Van Epp _is_ the person
> responsible and that the mail was forged from his account on helix.net,
> but that seems extremely unlikely.

Exactly. He is not the responsible one.

> I'm sending a copy to root@sfu.ca so that (a) vanepp probably gets it,
> and (b) if vanepp's mail is being stolen somehow that I can't see
> through VRFY and EXPN, the other roots there can deal with it.

The cracker just wants to mailbomb vanepp. He's done it before, he'll do
it again. Just not from *my* site, if I have anything to say about it.

Does ANYBODY have any code that will limit the number of messages a
single user can send per day?? Or any other code to detect mail bombs?
Sending 5 identical messages to different addresses? (Or the same
address, for that matter..)

-- Charles Howes -- chowes@helix.net
Always tell the truth, then you make it the other bloke's problem!
 - Sean Connery, 1971
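
A sketch of the two checks asked about above (a per-user daily cap and repeated identical messages), added here as an example; it is not part of the original post and not code from helix.net. It assumes the mail log can be reduced to (timestamp, submitting local account, recipient, body) records and counts by the submitting account rather than the From: header, since the From: header was the forged part in this incident; the record layout, the cap of 100 and all account names are assumptions, and only the figure of 5 identical messages comes from the post.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

DAILY_LIMIT = 100      # assumed per-account cap; the post gives no number
DUPLICATE_LIMIT = 5    # "5 identical messages", the figure from the post


def body_digest(body):
    """Hash the body with case and whitespace normalised, so re-wrapped
    copies of the same text still count as identical."""
    return hashlib.sha256(" ".join(body.lower().split()).encode()).hexdigest()


def find_mail_bombs(messages, daily_limit=DAILY_LIMIT, dup_limit=DUPLICATE_LIMIT):
    """messages: iterable of (timestamp, local_account, recipient, body).
    Returns a sorted list of (reason, account, day, count) alerts."""
    per_day = defaultdict(int)     # (account, day) -> messages sent
    per_body = defaultdict(int)    # (account, day, digest) -> copies sent
    for ts, account, _rcpt, body in messages:
        day = ts.date().isoformat()
        per_day[(account, day)] += 1
        # Recipient is ignored on purpose: copies count whether they go
        # to different addresses or to the same one.
        per_body[(account, day, body_digest(body))] += 1
    alerts = []
    for (account, day), n in per_day.items():
        if n > daily_limit:
            alerts.append(("daily-limit", account, day, n))
    for (account, day, _digest), n in per_body.items():
        if n >= dup_limit:
            alerts.append(("identical-body", account, day, n))
    return sorted(alerts)


def sample_log():
    """Constructed sample records; accounts and addresses are made up."""
    t = datetime(1994, 10, 23, 9, 0)
    log = [(t, "acct1", "victim%d@example.org" % i, "Send  this to\nEVERYONE")
           for i in range(3)]
    log += [(t, "acct1", "victim@example.org", "send this to everyone")] * 2
    log += [(t, "acct2", "friend@example.org", "lunch at noon?")]
    return log


if __name__ == "__main__":
    for alert in find_mail_bombs(sample_log()):
        print(alert)
```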