The Nizkor Project: Remembering the Holocaust (Shoah)

Shofar FTP Archive File: people/d/dranetz.jeffrey.l//xensei-logs-email


Received: from xensei2.xensei.com (xensei2.xensei.com [198.151.175.2]) by vixa.voyager.net (8.6.11/8.6.11) with ESMTP id QAA17134 for ; Thu, 11 Jan 1996 16:44:56 -0500
Received: (from xenium@localhost) by xensei2.xensei.com (8.6.11/Xensei-M1.01/122994-BRC) id QAA02639; Thu, 11 Jan 1996 16:44:47 -0500
X-UIDL: 821396785.000
Date: Thu, 11 Jan 1996 16:44:46 -0500 (EST)
From: Jeff Morris 
To: Jamie McCarthy 
cc: Xensei Admin List ,        Ken McVay ,        Margaret - Netcom Security ,        Carleton Freenet Postmaster ,        America On-Line Abuse Manager 
Subject: Re: Recent Mail Bombing
In-Reply-To: <199601112116.QAA15120@vixa.voyager.net>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 11 Jan 1996, Jamie McCarthy wrote:

> Xensei-admins wrote:
> 
> >I'd be happy to provide any information which would be helpful in
> >determining the exact source of the attack.
> 
> Great.  Thank you.  Ken's not logged in right now, so I'll field this one.
> 
> Here's the first line in the sendmail log which netcom provided us with:
> 
> Jan  2 07:49:28 mail5 sendmail[4889]: HAA04874: 
> from=, size=23926, class=0, pri=53926, 
> nrcpts=1, msgid=<199601021552.KAA06930@xensei2.xensei.com>, proto=ESMTP, 
> relay=xensei2.xensei.com [198.151.175.2]
> 
> You can find the full log (un-word-wrapped :-) at:
> 
> ftp://ftp.almanac.bc.ca/pub/people/d/dranetz.jeffrey.l/netcom-sendmail-log
> 
> The remaining lines are logs of the listserv subscriptions being sent to 
> Ken and his unsubscribe requests.  There are no more logs of forged email 
> "from" him, so the above line is all we have to go on at the moment.  At 
> least as I understand it.
> 
> Is the above timestamp and IP number enough to go on?

Hi Jamie,

Yes, that was all I needed, thanks. 

Our own sendmail log (relevant portion attached below), shows that the
message "from" kmcvay@nizkor.almanac.bc.ca to Netcom's listserv account was
sent via our mail server from 205.136.68.38, one of our dynamic dial-up IP
addresses.  A cross reference of our dial-up accounting logs (also attached)
shows that this IP address was in fact in use by the Xensei account "jeffd"
at the time this message was received by our server for delivery. 

Assuming that our log files are secure, which I believe they are, the only
possibilities would appear to be that either Jeff Dranetz himself generated
the forged message, or that his account was broken into. 

As per my earlier message regarding acceptable use, Jeff Dranetz's account
has been suspended pending further investigation.  I'll let you and Kenneth
know what the final outcome is. 

---

Jan 2 10:52:31 xensei2 sendmail[6930]: KAA06930:
from=, size=24162, class=0, pri=54162, nrcpts=1,
msgid=<199601021552.KAA06930@xensei2.xensei.com>, proto=SMTP,
relay=xensei-PPP-0038.xensei.com [205.136.68.38]

Jan 2 10:52:37 xensei2 sendmail[6935]: KAA06930: to=,
delay=00:00:10, mailer=smtp, relay=mail5.netcom.com.  [192.100.81.141],
stat=Sent (HAA04874 Message accepted for delivery)

---

Tue Jan  2 10:52:05 1996
        Acct-Session-Id = "17001189"
        User-Name = "jeffd"
        Client-Id = 198.151.175.10
        Client-Port-Id = 14
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        User-Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Address = 205.136.68.38
        Acct-Delay-Time = 0
 
---
 
Tue Jan  2 11:03:52 1996
        Acct-Session-Id = "17001189"
        User-Name = "jeffd"
        Client-Id = 198.151.175.10
        Client-Port-Id = 14
        Acct-Status-Type = Stop
        Acct-Session-Time = 707
        Acct-Authentic = RADIUS
        User-Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Address = 205.136.68.38
        Acct-Delay-Time = 0

---


      Jeff Morris - http://www.xensei.com/users/jeffm/
+----------------------------------------------------------+
|                 The Xensei Corporation                   |
| Affordable SLIP/PPP Internet Access - Boston South Shore |
|    Phone: 617.376.6342   -   E-Mail: info@xensei.com     |
|                 http://www.xensei.com/                   |
+----------------------------------------------------------+
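
The cross-reference described in the message above (the relay IP and receive time from the mail server log matched against dial-up RADIUS accounting sessions), written out as an added example that is not part of the original message or of Xensei's tooling. The function names, the joined sendmail line and the trimmed RADIUS records are assumptions of this example; the year 1996 is passed in from the RADIUS records because syslog lines omit it.

```python
import re
from datetime import datetime, timedelta

# Excerpts from the logs in the message above: the sendmail entry is joined
# onto one line and RADIUS attributes not needed here are left out.
SENDMAIL = ("Jan 2 10:52:31 xensei2 sendmail[6930]: KAA06930: from=, size=24162, "
            "class=0, pri=54162, nrcpts=1, "
            "msgid=<199601021552.KAA06930@xensei2.xensei.com>, proto=SMTP, "
            "relay=xensei-PPP-0038.xensei.com [205.136.68.38]")
RADIUS = """\
Tue Jan  2 10:52:05 1996
        Acct-Session-Id = "17001189"
        User-Name = "jeffd"
        Acct-Status-Type = Start
        Framed-Address = 205.136.68.38

Tue Jan  2 11:03:52 1996
        Acct-Session-Id = "17001189"
        User-Name = "jeffd"
        Acct-Status-Type = Stop
        Acct-Session-Time = 707
        Framed-Address = 205.136.68.38
"""

def parse_sendmail(line, year):
    """Return (receive time, queue id, relay IP); syslog lines carry no year."""
    m = re.match(r"(\w{3} +\d+ [\d:]{8}) \S+ sendmail\[\d+\]: (\w+): .*relay=.*\[([\d.]+)\]", line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2), m.group(3)

def parse_radius(text):
    """Fold Start/Stop records into sessions keyed by Acct-Session-Id (one NAS assumed)."""
    sessions = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        head, *attrs = block.splitlines()
        rec = dict(re.match(r'\s*(\S+) = "?([^"]*?)"?\s*$', a).groups() for a in attrs)
        ts = datetime.strptime(head.strip(), "%a %b %d %H:%M:%S %Y")
        s = sessions.setdefault(rec["Acct-Session-Id"], {"user": rec["User-Name"],
                                "ip": rec["Framed-Address"], "start": None, "stop": None})
        if rec["Acct-Status-Type"] == "Start":
            s["start"] = ts
        else:  # Stop: if the Start record was lost, rebuild it from the duration
            s["stop"] = ts
            s["start"] = s["start"] or ts - timedelta(seconds=int(rec["Acct-Session-Time"]))
    return list(sessions.values())

def who_had(ip, when, sessions):
    """(user, seconds since session start) for sessions holding `ip` at `when`."""
    return [(s["user"], int((when - s["start"]).total_seconds())) for s in sessions
            if s["ip"] == ip and s["start"] <= when and (s["stop"] is None or when <= s["stop"])]

def attribute(line=SENDMAIL, radius=RADIUS, year=1996):
    when, _, ip = parse_sendmail(line, year)
    return who_had(ip, when, parse_radius(radius))
```

`attribute()` returns the account and how far into the session the message arrived; on these records that margin is 26 seconds, so the result depends on the mail server and the access server keeping the same clock.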




