Forged Articles, additional followup
mark at netaxs.com
Tue Aug 16 20:46:28 EST 1994
On August 15, someone forged messages with subjects of:
"MAKE.MONEY.REAL.FAST!!" and "Book for sale!" to about 38 newsgroups.
These articles have "From:" lines of users at our site, but it is
evident from the "Path" and "NNTP-Posting-Host:" of "ts1.noc.drexel.edu"
that they did not come from our site.
We posted a followup explanation to these groups, and sent a message to
the hundreds of people who complained to our users and postmaster.
On August 16, someone posted other similar forgeries to at least another
70-80 newsgroups, and we received close to 1000 more complaints and flames
from people not noticing the real origin. Drexel then also closed the
particular hole by which these articles were posted.
Our users are still receiving a steady flow of complaints about these messages.
Although USENET posts can be forged in different ways, these posts are easy
Here is the header from one of the posted articles:
> Path: somewhere.edu!somewhere.else.edu!netnews.upenn.edu!news.drexel.edu!
> From: bam at netaxs.com
> Newsgroups: misc.misc
> Subject: MAKE.MONEY.REAL.FAST!!
> Date: 15 Aug 1994 07:38:40 GMT
> Organization: Net Access - New York's Public Internet Site
> Lines: 21
> Message-ID: <32n620$6tq at dunx1.ocs.drexel.edu>
> NNTP-Posting-Host: ts1.noc.drexel.edu
> This is NOT a chain letter, but a legal way to earn cash in the
Included in most of the articles is a PO Box mailing address for Avi
Freedman, the owner and operator of Netaxs BBS and Shell Accounts.
He is not responsible for these posts either. (Apparently even our previous
explanation message didn't make that clear.)
If additional comments are absolutely necessary, please direct them to
our postmaster or postmaster at dunx1.ocs.drexel.edu, and not to our users.
If you have already received our earlier message, or read our post, we
regret wasting the bandwidth. It is getting difficult to keep track
of who has already been informed, and even which groups have been covered.
Apologies are unnecessary from those reading this who sent us flames or
flooded us with mail, as the apology messages are also reaching a large
volume, and are just as hard to sort through. (Though these do make for
much more pleasant reading!)
In general responding to "MAKE.MONEY.FAST" and other potential flame-bait
postings is a bad idea, at least without carefully examining the headers
for "Path", "NNTP-Posting-Host", and "From:" lines which agree with
each other. Even then, people often post such messages from compromised
accounts, so flames are likely to go to the innocent. Additionally the massive
volumes of email to the postmaster accounts here and at Drexel interfere
with our ability to close security holes and track down the forger.
The most important thing is not to assume that any USENET post or Internet
email message is authentic (unless you and the sender are using some
type of PEM or similar authentication method).
- the NETAXS Support and Administration Team,
and Mark Thomas (system administration) (postmaster at netaxs.com)
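
The header comparison the post recommends, as an added example (not part of the original message): it parses an article header and reports where "From:" disagrees with "NNTP-Posting-Host" and "Path", and additionally with "Message-ID", which the post does not mention. The sample is the header quoted above, kept as archived; the function names and the last-two-labels domain comparison are assumptions of this example.

```python
import re

# Header as quoted in the post (archive " at " obfuscation and truncated Path kept as-is).
SAMPLE = """\
Path: somewhere.edu!somewhere.else.edu!netnews.upenn.edu!news.drexel.edu!
From: bam at netaxs.com
Subject: MAKE.MONEY.REAL.FAST!!
Message-ID: <32n620$6tq at dunx1.ocs.drexel.edu>
NNTP-Posting-Host: ts1.noc.drexel.edu
"""

def parse_headers(text):
    """Map lower-cased header names to values, unfolding continuation lines."""
    headers, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers

def org_domain(host):
    """Naive site domain: last two labels (assumption; fine for .edu/.com, not .co.uk)."""
    return ".".join(host.strip().strip("<>.").lower().split(".")[-2:])

def addr_domain(value):
    """Site domain of an address written as user@host or archive-style 'user at host'."""
    m = re.search(r"(?:@|\s+at\s+)([A-Za-z0-9.-]+)", value)
    return org_domain(m.group(1)) if m else None

def check_article(text):
    """List the ways From: disagrees with headers stamped by the news servers."""
    h = parse_headers(text)
    claimed = addr_domain(h.get("from", ""))
    findings = []
    posting = h.get("nntp-posting-host")
    if posting and org_domain(posting) != claimed:
        findings.append(f"NNTP-Posting-Host {posting} is not in From domain {claimed}")
    msgid = addr_domain(h.get("message-id", ""))
    if msgid and msgid != claimed:
        findings.append(f"Message-ID was minted at {msgid}, not {claimed}")
    path = {org_domain(p) for p in h.get("path", "").split("!") if "." in p}
    if path and claimed not in path:
        findings.append(f"From domain {claimed} never appears in Path")
    return findings
```

An empty result only means the headers agree with each other; as the post notes, an article sent from a compromised account will still pass.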