Re[2]: Email Hack: Help.
Not trying to flame, but I don't think that'll help. It will only deny
access to services which are controlled by inetd. Check the file
/etc/inetd.conf and you're unlikely to find your mail daemon (sendmail?
If so, what version?) listed in there. It is commonly run as a
stand-alone server. And what this "hacker" is probably doing is just
telnetting (probably with a script) to your smtp port (25) and talking
with your daemon directly.
Do you have a router? What mail daemon are you using?
Kyle Amon
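The point Kyle is making above, that tcpd only sees connections for services inetd starts through it, can be checked mechanically. The script below is an added example and is not code from anyone in the thread: it reads inetd.conf and hosts.deny text (constructed samples are embedded; pass the contents of the real /etc files instead) and reports which hosts.deny entries are actually enforced. It assumes the classic inetd.conf layout (service, socket type, protocol, wait flag, user, server path, arguments) and the hosts_access rule that the daemon list is matched against the daemon's process name, not the service name.

```python
"""Audit which hosts.deny entries tcpd can enforce (added example, not from the thread).

tcpd only mediates services that inetd launches via /usr/sbin/tcpd.  A daemon
that inetd starts directly, or one that runs stand-alone (sendmail on port 25
is the usual case), never passes through the hosts.allow / hosts.deny check.
"""
import os

# Constructed sample of /etc/inetd.conf: service socktype proto wait user server args
INETD_CONF = """\
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
"""

# Constructed sample of /etc/hosts.deny (daemon_list : client_list)
HOSTS_DENY = """\
in.telnetd: ALL
in.fingerd: ALL
telnet: ALL
smtp: ALL
"""


def parse_inetd(text):
    """Return {service: {"wrapped": bool, "daemon": argv[0] tcpd would see}}."""
    services = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 6:
            continue  # blank, comment, or malformed line
        name, server = fields[0], fields[5]
        argv0 = fields[6] if len(fields) > 6 else os.path.basename(server)
        services[name] = {
            "wrapped": os.path.basename(server) == "tcpd",
            "daemon": os.path.basename(argv0),
        }
    return services


def parse_hosts_deny(text):
    """Return a list of (daemon_names, client_list) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",") if d.strip()],
                      clients.strip()))
    return rules


def audit(inetd_text, deny_text):
    """Map each daemon named in hosts.deny to whether tcpd will ever apply it."""
    services = parse_inetd(inetd_text)
    by_daemon = {s["daemon"]: s for s in services.values()}
    findings = {}
    for daemons, _clients in parse_hosts_deny(deny_text):
        for d in daemons:
            if d == "ALL":
                findings[d] = ("applies to every tcpd-wrapped service; "
                               "stand-alone daemons are still unaffected")
            elif d in by_daemon:
                findings[d] = ("enforced" if by_daemon[d]["wrapped"]
                               else f"ignored: inetd starts {d} directly, not via tcpd")
            elif d in services:
                findings[d] = (f"ignored: tcpd matches the daemon name "
                               f"({services[d]['daemon']}), not the service name")
            else:
                findings[d] = (f"ignored: no inetd service runs {d}; a stand-alone "
                               "daemon on that port never passes through tcpd")
    return findings


if __name__ == "__main__":
    for daemon, verdict in audit(INETD_CONF, HOSTS_DENY).items():
        print(f"{daemon:12} {verdict}")
```

Run against the samples, the `smtp: ALL` line is reported as ignored, which is exactly why the hosts.deny suggestion does not stop direct connections to a stand-alone sendmail on port 25.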
______________________________ Reply Separator _________________________________
Subject: Re: Email Hack: Help.
Author: Steff Watkins <Steff.Watkins@bristol.ac.uk> at IE_StPeteB1
Date: 6/25/96 8:45 AM
Doug Breault wrote:
=>
=>Hello Everyone,
=>
=>We've got a problem here with a hacker. There's some punk
=>apparently hacking a mail server somewhere and sending BS postings all over
=>the net regarding get rich quick schemes, etc - from a non-existent
=>account on our server. They've done it twice so far, from two different
=>non-existent accounts.
=>2. What are the methods one uses to fake these FROM fields? And is
=> there a way to prevent it?
Hi Doug,
I may be able to help here.
Assuming that the systems that have email daemons are Unix-based, you can
use the 'hosts.allow' and 'hosts.deny' mechanism.
Just add all valid hosts to the '/etc/hosts.allow' file and then put 'all'
in the '/etc/hosts.deny' file against the 'smtp' entry.
Hope this helps,
Steff
Received: from mail.jabil.com (172.16.1.19) by apollo.jabil.com with SMTP
 (IMA Internet Exchange 2.0 Enterprise) id 1D023DE0; Tue, 25 Jun 96 10:37:34
 -0700
Received: from labyrinth.cftnet.com by mail.jabil.com id aa18291;
 25 Jun 96 10:33 EDT
Received: from scfn.thpl.lib.fl.us (scfn.thpl.lib.fl.us [204.198.80.3]) by
 labyrinth.cftnet.com (8.6.11/8.6.9) with ESMTP id KAA03209 for
 <amonk@labyrinth.cftnet.com>; Tue, 25 Jun 1996 10:48:28 -0400
Received: from ns2.rutgers.edu (ns2.rutgers.edu [128.6.21.2]) by
 scfn.thpl.lib.fl.us (8.6.11/8.6.5) with ESMTP id KAA18879 for
 <sfbzb1pu@scfn.thpl.lib.fl.us>; Tue, 25 Jun 1996 10:45:25 -0400
Received: (from daemon@localhost) by ns2.rutgers.edu
 (8.6.12+bestmx+oldruq+newsunq/8.6.12) id DAA09690 for www-security-outgoing;
 Tue, 25 Jun 1996 03:44:12 -0400
Received: from dira.bris.ac.uk (dira.bris.ac.uk [137.222.10.41]) by
 ns2.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12) with ESMTP id DAA09685 for
 <WWW-SECURITY@ns2.rutgers.edu>; Tue, 25 Jun 1996 03:44:10 -0400
Received: from sun.cse.bris.ac.uk by dira.bris.ac.uk with SMTP (PP);
 Tue, 25 Jun 1996 08:45:13 +0100
Received: by sun.cse.bris.ac.uk (4.1/SMI-SVR4) id AA03544;
 Tue, 25 Jun 96 08:45:09 BST
From: Steff Watkins <Steff.Watkins@bristol.ac.uk>
Message-Id: <9606250745.AA03544@sun.cse.bris.ac.uk>
Subject: Re: Email Hack: Help.
To: WWW-SECURITY@ns2.rutgers.edu
Date: Tue, 25 Jun 1996 08:45:08 +0100 (BST)
In-Reply-To: <Pine.BSD/.3.91.960624123356.12305A-100000@ns.sprintout.com> from
 "Doug Breault" at Jun 24, 96 12:42:45 pm
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 783
Sender: owner-www-security@ns2.rutgers.edu
Precedence: bulk
Errors-To: owner-www-security@ns2.rutgers.edu
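Doug's question about faked From fields has a practical defensive side that the trace headers above illustrate: the From: line is whatever the client typed at port 25, but each Received: line is stamped by the receiving server, so the line your own MTA added records the peer that really connected. The script below is an added example, not code from anyone in the thread. It walks the Received: chain of a message, finds the hop stamped by a host you trust (the name is a parameter; `labyrinth.cftnet.com` is taken from the headers above), treats every hop below it as unverified, and flags hops where the HELO name the client claimed differs from the name the server resolved. The first sample is a trimmed copy of the headers shown above; the second is a constructed forged-looking message using documentation addresses.

```python
"""Trace a message's Received: chain back to its entry point (added example, not from the thread)."""
import re
from email import message_from_string

# Sample 1: trimmed copy of the trace headers from the thread, refolded.
SAMPLE_THREAD = """\
Received: from labyrinth.cftnet.com by mail.jabil.com id aa18291;
 25 Jun 96 10:33 EDT
Received: from scfn.thpl.lib.fl.us (scfn.thpl.lib.fl.us [204.198.80.3]) by
 labyrinth.cftnet.com (8.6.11/8.6.9) with ESMTP id KAA03209 for
 <amonk@labyrinth.cftnet.com>; Tue, 25 Jun 1996 10:48:28 -0400
Received: from dira.bris.ac.uk (dira.bris.ac.uk [137.222.10.41]) by
 ns2.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12) with ESMTP id DAA09685 for
 <WWW-SECURITY@ns2.rutgers.edu>; Tue, 25 Jun 1996 03:44:10 -0400
Received: by sun.cse.bris.ac.uk (4.1/SMI-SVR4) id AA03544;
 Tue, 25 Jun 96 08:45:09 BST
From: Steff Watkins <Steff.Watkins@bristol.ac.uk>
Subject: Re: Email Hack: Help.

body
"""

# Sample 2: constructed message whose HELO name does not match the reverse DNS
# name the receiving server (hypothetical mx.ourserver.example) recorded.
SAMPLE_FORGED = """\
Received: from mail.bigcorp.example (ppp-17.dialup.example.net [192.0.2.45])
 by mx.ourserver.example (8.6.12/8.6.12) with SMTP id QAA00123;
 Tue, 25 Jun 1996 16:02:11 -0400
From: billing@bigcorp.example
Subject: make money fast

body
"""

# "from HELO (rdns [ip]) by HOST ..."; the from-clause is optional because a
# locally submitted message has only "by HOST".
HOP_RE = re.compile(
    r"^(?:from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*(?:\[(?P<ip>[^\]]+)\])?[^)]*\))?)?"
    r"\s*by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_hops(raw_message):
    """Return hops top-down (most recent first) as dicts with helo/rdns/ip/by."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        m = HOP_RE.match(flat)
        if m:
            hops.append({k: m.group(k) for k in ("helo", "rdns", "ip", "by")})
    return hops


def entry_point(hops, trusted_host):
    """Return (hop stamped by trusted_host, hops below it).

    The trusted hop's rdns/ip are what our server observed; the HELO and every
    hop below were supplied by the connecting client and may be fabricated.
    """
    for i, hop in enumerate(hops):
        if hop["by"].lower() == trusted_host.lower():
            return hop, hops[i + 1:]
    return None, hops


def suspicious_hops(hops):
    """Hops where the claimed HELO name differs from the resolved name."""
    return [h for h in hops
            if h["helo"] and h["rdns"] and h["helo"].lower() != h["rdns"].lower()]


def report(raw_message, trusted_host):
    hops = parse_hops(raw_message)
    entry, unverified = entry_point(hops, trusted_host)
    return {
        "from_header": message_from_string(raw_message)["From"],
        "entry_peer": (entry["rdns"] or entry["helo"], entry["ip"]) if entry else None,
        "unverified_hops": len(unverified),
        "helo_mismatches": len(suspicious_hops(hops)),
    }


if __name__ == "__main__":
    print(report(SAMPLE_THREAD, "labyrinth.cftnet.com"))
    print(report(SAMPLE_FORGED, "mx.ourserver.example"))
```

For the thread sample the entry peer is scfn.thpl.lib.fl.us at 204.198.80.3 with two hops below that labyrinth could not verify; for the constructed sample the From: domain and HELO name say one thing while the resolved peer is a dial-up host, which is the kind of mismatch worth logging at the mail server rather than trusting the From: line.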