
Re[2]: Email Hack: Help.



     Not trying to flame, but I don't think that'll help.  It will only deny 
     access to services which are controlled by inetd.  Check the file 
     /etc/inetd.conf and you're unlikely to find your mail daemon (sendmail? 
     If so, what version?) listed in there.  It is commonly run as a 
     stand-alone server.  And what this "hacker" is probably doing is just 
     telnetting (probably with a script) to your smtp port (25) and talking 
     with your daemon directly.
     
     Do you have a router?  What mail daemon are you using?
     
     Kyle Amon
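The point Kyle makes above is that a From: line is free text typed by whoever opened the port-25 connection, so it proves nothing about where a message came from; the only record of the injecting host is the Received: lines that your own relays stamp on the message as it passes through. The script below is an added example, not code from this thread or from any of the posters. It unfolds a header block, walks the Received: chain oldest-first, separates the name the client announced in HELO from the name and address the receiving MTA actually recorded, and flags two things a mail admin looks for when tracing a forgery: a hop whose claimed HELO name does not match the observed name, and a break in the chain where one relay's "from" does not match the previous relay's "by". The first sample input is the header block of Steff's message as archived on this page; the second is a constructed forged message with made-up hostnames and addresses. Only the Received: lines added by relays you control can be trusted; anything below them can itself be forged by the sender.

```python
import re

# Received headers copied from the archived message below (Steff's reply), used as
# sample input; they are the page's own headers, not a forged message. Several
# continuation lines lost their leading whitespace in the archive, so the unfolder
# treats any line that does not look like "Name:" as a continuation of the previous one.
PAGE_HEADERS = """\
Received: from mail.jabil.com (172.16.1.19) by apollo.jabil.com with SMTP
  (IMA Internet Exchange 2.0 Enterprise) id 1D023DE0; Tue, 25 Jun 96 10:37:34
-0700
Received: from labyrinth.cftnet.com by mail.jabil.com id aa18291;
          25 Jun 96 10:33 EDT
Received: from scfn.thpl.lib.fl.us (scfn.thpl.lib.fl.us [204.198.80.3]) by
labyrinth.cftnet.com (8.6.11/8.6.9) with ESMTP id KAA03209 for
<amonk@labyrinth.cftnet.com>; Tue, 25 Jun 1996 10:48:28 -0400
Received: from ns2.rutgers.edu (ns2.rutgers.edu [128.6.21.2]) by
scfn.thpl.lib.fl.us (8.6.11/8.6.5) with ESMTP id KAA18879 for
<sfbzb1pu@scfn.thpl.lib.fl.us>; Tue, 25 Jun 1996 10:45:25 -0400
Received: (from daemon@localhost) by ns2.rutgers.edu
(8.6.12+bestmx+oldruq+newsunq/8.6.12) id DAA09690 for www-security-outgoing;
Tue, 25 Jun 1996 03:44:12 -0400
Received: from dira.bris.ac.uk (dira.bris.ac.uk [137.222.10.41]) by
ns2.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12) with ESMTP id DAA09685 for
<WWW-SECURITY@ns2.rutgers.edu>; Tue, 25 Jun 1996 03:44:10 -0400
Received: from sun.cse.bris.ac.uk by dira.bris.ac.uk with SMTP (PP);
          Tue, 25 Jun 1996 08:45:13 +0100
Received: by sun.cse.bris.ac.uk (4.1/SMI-SVR4)\tid AA03544;
          Tue, 25 Jun 96 08:45:09 BST
From: Steff Watkins <Steff.Watkins@bristol.ac.uk>
Message-Id: <9606250745.AA03544@sun.cse.bris.ac.uk>
Subject: Re: Email Hack: Help.
"""

# Constructed sample of the case Kyle describes: a client connected straight to
# port 25, announced our server's name in HELO, and supplied a From: for an account
# that does not exist. All hostnames and addresses here are made up.
FORGED_HEADERS = """\
Received: from ourserver.example.org (dialup-7.isp.example [198.51.100.7])
          by mx.example.net (8.6.12/8.6.12) with SMTP id MAA00001;
          Mon, 24 Jun 1996 12:40:00 -0400
From: noaccount@ourserver.example.org
Subject: Get rich quick
"""

HEADER_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
# "from <HELO name> (<what the MTA saw>)": the HELO name is the client's claim,
# the parenthesised part is what the receiving MTA itself recorded.
FROM_CLAUSE = re.compile(r"^from\s+(?P<helo>[^\s;]+)(?:\s+\((?P<comment>[^)]*)\))?")
BY_CLAUSE = re.compile(r"\bby\s+(?P<by>[^\s;]+)")
BRACKET_IP = re.compile(r"\[([0-9.]+)\]")


def unfold_headers(raw):
    """Return (name, value) pairs with continuation lines joined by a single space."""
    fields = []
    for line in raw.splitlines():
        if HEADER_START.match(line):
            name, _, value = line.partition(":")
            fields.append([name, value.strip()])
        elif fields and line.strip():
            fields[-1][1] += " " + line.strip()
    return [(n, v) for n, v in fields]


def parse_received(value):
    """Split one Received value into claimed sender, observed sender and relay."""
    helo = seen_name = seen_ip = None
    m = FROM_CLAUSE.match(value)
    if m:
        helo = m.group("helo")
        comment = m.group("comment") or ""
        ip = BRACKET_IP.search(comment)
        seen_ip = ip.group(1) if ip else None
        seen_name = comment.split("[")[0].strip() or None
        if seen_name and re.fullmatch(r"[0-9.]+", seen_name):
            seen_ip, seen_name = seen_name, None  # bare address in parentheses, not a name
    b = BY_CLAUSE.search(value)
    return {"helo": helo, "seen_name": seen_name, "seen_ip": seen_ip,
            "by": b.group("by") if b else None}


def trace_origin(raw):
    """Walk the Received chain oldest-first and report where the message entered the mail system."""
    fields = unfold_headers(raw)
    # Relays prepend their Received line, so the bottom one is the oldest hop.
    hops = [parse_received(v) for n, v in fields if n.lower() == "received"][::-1]
    from_header = next((v for n, v in fields if n.lower() == "from"), None)
    chain_breaks, helo_mismatches = [], []
    for i, hop in enumerate(hops):
        prev_by = (hops[i - 1]["by"] or "") if i else ""
        if i and hop["helo"] and hop["helo"].lower() != prev_by.lower():
            chain_breaks.append((i, hop["helo"], hops[i - 1]["by"]))
        if hop["seen_name"] and hop["helo"] and hop["seen_name"].lower() != hop["helo"].lower():
            helo_mismatches.append((i, hop["helo"], hop["seen_name"]))
    first = hops[0] if hops else {}
    # Prefer what the MTA observed over what the client claimed; a hop with no
    # "from" clause was injected locally on the "by" host.
    origin = first.get("seen_name") or first.get("seen_ip") or first.get("helo") or first.get("by")
    return {"from_header": from_header, "hops": hops, "origin": origin,
            "chain_breaks": chain_breaks, "helo_mismatches": helo_mismatches}


if __name__ == "__main__":
    for label, raw in (("page headers", PAGE_HEADERS), ("constructed forgery", FORGED_HEADERS)):
        r = trace_origin(raw)
        print(f"{label}: From={r['from_header']!r} origin={r['origin']!r} "
              f"hops={len(r['hops'])} helo_mismatches={r['helo_mismatches']}")
```

For the page's own headers the chain is continuous and the HELO names agree with what each relay observed, so the origin resolves to the host that first queued the message. For the constructed forgery the only hop shows a HELO of ourserver.example.org but an observed name and address that belong to someone else, which is exactly the discrepancy to take to the upstream site's abuse contact; the From: line contributes nothing to that trace.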


______________________________ Reply Separator _________________________________
Subject: Re: Email Hack: Help.
Author:  Steff Watkins <Steff.Watkins@bristol.ac.uk> at IE_StPeteB1
Date:    6/25/96 8:45 AM


Doug Breault wrote:
=>
=>Hello Everyone,
=>
=>We've got a problem here with a hacker. There's some punk 
=>apparently hacking a mail server somewhere and sending BS postings all over 
=>the net regarding get rich quick schemes, etc - from a non-existent 
=>account on our server. They've done it twice so far, from two different 
=>non-existent accounts.
     
=>2. What are the methods one uses to fake these FROM fields? And is 
=>   there a way to prevent it?
     
Hi Doug,
     
  I may be able to help here.
     
Assuming that the systems that have email daemons are Unix-based, you can 
use the 'hosts.allow' and 'hosts.deny' mechanism.
     
Just add all valid hosts to the '/etc/hosts.allow' file and then put 'all' 
in the '/etc/hosts.deny' file against the 'smtp' entry.
     
Hope this helps,
     
Steff
     

Received: from mail.jabil.com (172.16.1.19) by apollo.jabil.com with SMTP
  (IMA Internet Exchange 2.0 Enterprise) id 1D023DE0; Tue, 25 Jun 96 10:37:34
-0700
Received: from labyrinth.cftnet.com by mail.jabil.com id aa18291;
          25 Jun 96 10:33 EDT
Received: from scfn.thpl.lib.fl.us (scfn.thpl.lib.fl.us [204.198.80.3]) by
labyrinth.cftnet.com (8.6.11/8.6.9) with ESMTP id KAA03209 for
<amonk@labyrinth.cftnet.com>; Tue, 25 Jun 1996 10:48:28 -0400
Received: from ns2.rutgers.edu (ns2.rutgers.edu [128.6.21.2]) by
scfn.thpl.lib.fl.us (8.6.11/8.6.5) with ESMTP id KAA18879 for
<sfbzb1pu@scfn.thpl.lib.fl.us>; Tue, 25 Jun 1996 10:45:25 -0400
Received: (from daemon@localhost) by ns2.rutgers.edu
(8.6.12+bestmx+oldruq+newsunq/8.6.12) id DAA09690 for www-security-outgoing;
Tue, 25 Jun 1996 03:44:12 -0400
Received: from dira.bris.ac.uk (dira.bris.ac.uk [137.222.10.41]) by
ns2.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12) with ESMTP id DAA09685 for
<WWW-SECURITY@ns2.rutgers.edu>; Tue, 25 Jun 1996 03:44:10 -0400
Received: from sun.cse.bris.ac.uk by dira.bris.ac.uk with SMTP (PP);
          Tue, 25 Jun 1996 08:45:13 +0100
Received: by sun.cse.bris.ac.uk (4.1/SMI-SVR4)	id AA03544;
          Tue, 25 Jun 96 08:45:09 BST
From: Steff Watkins <Steff.Watkins@bristol.ac.uk>
Message-Id: <9606250745.AA03544@sun.cse.bris.ac.uk>
Subject: Re: Email Hack: Help.
To: WWW-SECURITY@ns2.rutgers.edu
Date: Tue, 25 Jun 1996 08:45:08 +0100 (BST)
In-Reply-To: <Pine.BSD/.3.91.960624123356.12305A-100000@ns.sprintout.com> from
"Doug Breault" at Jun 24, 96 12:42:45 pm
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 783       
Sender: owner-www-security@ns2.rutgers.edu
Precedence: bulk
Errors-To: owner-www-security@ns2.rutgers.edu