Forged Articles, additional followup

Mark Thomas mark at netaxs.com
Tue Aug 16 20:46:28 EST 1994


On August 15, someone forged messages with subjects of:
"MAKE.MONEY.REAL.FAST!!" and "Book for sale!" to about 38 newsgroups.
These articles have "From:" lines of users at our site, but it is
evident from the "Path" and "NNTP-Posting-Host:" of "ts1.noc.drexel.edu"
that they did not come from our site.

We posted a followup explanation to these groups, and sent a message to 
the hundreds of people who complained to our users and postmaster.

On August 16, someone posted other similar forgeries to at least another 
70-80 newsgroups, and we received close to 1000 more complaints and flames
from people not noticing the real origin.  Drexel then also closed the
particular hole by which these articles were posted.

Our users are still receiving a steady flow of complaints about these messages.

Although USENET posts can be forged in different ways, these posts are easy
to identify.

Here is the header from one of the posted articles:

> Path: somewhere.edu!somewhere.else.edu!netnews.upenn.edu!news.drexel.edu!
                                                dunx1.ocs.drexel.edu!newsmaster
> From: bam at netaxs.com
> Newsgroups: misc.misc
> Subject: MAKE.MONEY.REAL.FAST!!
> Date: 15 Aug 1994 07:38:40 GMT
> Organization: Net Access - New York's Public Internet Site
> Lines: 21
> Message-ID: <32n620$6tq at dunx1.ocs.drexel.edu>
                          ^^^^^^^^^^^^^^^^^^^^
> NNTP-Posting-Host: ts1.noc.drexel.edu
                     ^^^^^^^^^^^^^^^^^^

>        This is NOT a chain letter, but a legal way to earn cash in the
   <article deleted>

Included in most of the articles is a PO Box mailing address for Avi
Freedman, the owner and operator of Netaxs BBS and Shell Accounts.
He is not responsible for these posts either.  (Apparently even our previous
explanation message didn't make that clear.)

If additional comments are absolutely necessary, please direct them to
our postmaster or postmaster at dunx1.ocs.drexel.edu, and not to our users.

If you have already received our earlier message, or read our post, we 
regret wasting the bandwidth.  It is getting difficult to keep track 
of who has already been informed, and even which groups have been covered.

Apologies are unnecessary from those reading this who sent us flames or
flooded us with mail, as the apology messages are also reaching a large
volume, and are just as hard to sort through.  (Though these do make for 
much more pleasant reading!)

In general responding to "MAKE.MONEY.FAST" and other potential flame-bait 
postings is a bad idea, at least without carefully examining the headers 
for "Path", "NNTP-Posting-Host", and "From:" lines which agree with 
each other.  Even then, people often post such messages from compromised
accounts, so flames are likely to go to the innocent.  Additionally the massive
volumes of email to the postmaster accounts here and at Drexel interfere 
with our ability to close security holes and track down the forger.


The most important thing is not to assume that any USENET post or Internet 
email message is authentic.   (unless you and the sender are using some
                               type of PEM or similar authentication method)


  - the NETAXS Support and Administration Team,
     and Mark Thomas (system administration)           (postmaster at netaxs.com)
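
The header comparison described in the message above, as an added example
that is not part of the original post: it parses the quoted header and lists
every origin field whose site differs from the site claimed in "From:". The
function names and the two-label site heuristic are assumptions of this example.

```python
import re
from email.parser import HeaderParser

# Subset of the header quoted in the post (folded Path line rejoined).
SAMPLE = """\
Path: somewhere.edu!somewhere.else.edu!netnews.upenn.edu!news.drexel.edu!dunx1.ocs.drexel.edu!newsmaster
From: bam at netaxs.com
Newsgroups: misc.misc
Subject: MAKE.MONEY.REAL.FAST!!
Date: 15 Aug 1994 07:38:40 GMT
Message-ID: <32n620$6tq at dunx1.ocs.drexel.edu>
NNTP-Posting-Host: ts1.noc.drexel.edu

"""

def org_domain(host, labels=2):
    # Assumption: the last two labels identify the site (no public-suffix list).
    return ".".join(host.lower().strip(".").split(".")[-labels:])

def addr_host(value):
    # Accepts "user@host" and the archive's obfuscated "user at host".
    m = re.search(r"(?:@|\sat\s)([A-Za-z0-9.-]+)", value or "")
    return m.group(1) if m else None

def origin_evidence(raw):
    h = HeaderParser().parsestr(raw)
    # Path grows leftward as the article propagates, so the rightmost
    # host name is the machine where the article entered the network.
    hosts = [p for p in re.split(r"[!\s]+", h.get("Path", "")) if "." in p]
    return {
        "From": addr_host(h.get("From")),
        "Message-ID": addr_host(h.get("Message-ID")),
        "NNTP-Posting-Host": (h.get("NNTP-Posting-Host") or "").strip() or None,
        "Path-origin": hosts[-1] if hosts else None,
    }

def check(raw):
    """Return (claimed sender host, [(field, host)] that disagree with it)."""
    ev = origin_evidence(raw)
    claimed = ev.pop("From")
    findings = [(f, h) for f, h in ev.items()
                if claimed and h and org_domain(h) != org_domain(claimed)]
    return claimed, findings

if __name__ == "__main__":
    claimed, findings = check(SAMPLE)
    for field, host in findings:
        print(f"{field}: {host} is not at {org_domain(claimed)}")
```

An empty findings list means only that the fields agree; as the message
says, that alone does not make the article authentic.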




