Received: from xensei2.xensei.com (xensei2.xensei.com [198.151.175.2]) by vixa.voyager.net (8.6.11/8.6.11) with ESMTP id QAA17134 for; Thu, 11 Jan 1996 16:44:56 -0500
Received: (from xenium@localhost) by xensei2.xensei.com (8.6.11/Xensei-M1.01/122994-BRC) id QAA02639; Thu, 11 Jan 1996 16:44:47 -0500
X-UIDL: 821396785.000
Date: Thu, 11 Jan 1996 16:44:46 -0500 (EST)
From: Jeff Morris
To: Jamie McCarthy
cc: Xensei Admin List , Ken McVay , Margaret - Netcom Security , Carleton Freenet Postmaster , America On-Line Abuse Manager
Subject: Re: Recent Mail Bombing
In-Reply-To: <199601112116.QAA15120@vixa.voyager.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 11 Jan 1996, Jamie McCarthy wrote:

> Xensei-admins wrote:
>
> >I'd be happy to provide any information which would be helpful in
> >determining the exact source of the attack.
>
> Great. Thank you. Ken's not logged in right now, so I'll field this one.
>
> Here's the first line in the sendmail log which netcom provided us with:
>
> Jan 2 07:49:28 mail5 sendmail[4889]: HAA04874:
> from= , size=23926, class=0, pri=53926,
> nrcpts=1, msgid=<199601021552.KAA06930@xensei2.xensei.com>, proto=ESMTP,
> relay=xensei2.xensei.com [198.151.175.2]
>
> You can find the full log (un-word-wrapped :-) at:
>
> ftp://ftp.almanac.bc.ca/pub/people/d/dranetz.jeffrey.l/netcom-sendmail-log
>
> The remaining lines are logs of the listserv subscriptions being sent to
> Ken and his unsubscribe requests. There are no more logs of forged email
> "from" him, so the above line is all we have to go on at the moment. At
> least as I understand it.
>
> Is the above timestamp and IP number enough to go on?

Hi Jamie,

Yes, that was all I needed, thanks. Our own sendmail log (relevant portion attached below), shows that the message "from" kmcvay@nizkor.almanac.bc.ca to Netcom's listserv account was sent via our mail server from 205.136.68.38, one of our dynamic dial-up IP addresses. A cross reference of our dial-up accounting logs (also attached) shows that this IP address was in fact in use by the Xensei account "jeffd" at the time this message was received by our server for delivery.

Assuming that our log files are secure, which I believe they are, the only possibilities would appear to be that either Jeff Dranetz himself generated the forged message, or that his account was broken into.

As per my earlier message regarding acceptable use, Jeff Dranetz's account has been suspended pending further investigation. I'll let you and Kenneth know what the final outcome is.

---
Jan 2 10:52:31 xensei2 sendmail[6930]: KAA06930: from= , size=24162, class=0, pri=54162, nrcpts=1, msgid=<199601021552.KAA06930@xensei2.xensei.com>, proto=SMTP, relay=xensei-PPP-0038.xensei.com [205.136.68.38]
Jan 2 10:52:37 xensei2 sendmail[6935]: KAA06930: to= , delay=00:00:10, mailer=smtp, relay=mail5.netcom.com. [192.100.81.141], stat=Sent (HAA04874 Message accepted for delivery)
---
Tue Jan 2 10:52:05 1996
        Acct-Session-Id = "17001189"
        User-Name = "jeffd"
        Client-Id = 198.151.175.10
        Client-Port-Id = 14
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        User-Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Address = 205.136.68.38
        Acct-Delay-Time = 0
---
Tue Jan 2 11:03:52 1996
        Acct-Session-Id = "17001189"
        User-Name = "jeffd"
        Client-Id = 198.151.175.10
        Client-Port-Id = 14
        Acct-Status-Type = Stop
        Acct-Session-Time = 707
        Acct-Authentic = RADIUS
        User-Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Address = 205.136.68.38
        Acct-Delay-Time = 0
---

Jeff Morris - http://www.xensei.com/users/jeffm/
+----------------------------------------------------------+
|                  The Xensei Corporation                  |
| Affordable SLIP/PPP Internet Access - Boston South Shore |
|      Phone: 617.376.6342 - E-Mail: info@xensei.com       |
|                  http://www.xensei.com/                  |
+----------------------------------------------------------+
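
The cross-reference described in the message above, written out as an added example (it is not part of the original e-mail or Xensei's tooling): take the relay IP and receipt time from the mail server's inbound sendmail entry and find which RADIUS accounting session held that dynamic address at that moment. The log lines, host names and the accounts `user_a` and `user_b` are constructed; the example assumes both logs share one clock and that the analyst supplies the year, which syslog timestamps omit.

```python
import re
from datetime import datetime
# Constructed sample data, laid out like the logs quoted in the message above.
MAILLOG = """\
Jan  2 10:52:31 mx1 sendmail[6930]: KAA06930: from=<a@example.org>, size=24162, nrcpts=1, proto=SMTP, relay=ppp-0038.example.net [192.0.2.38]
Jan  2 10:52:37 mx1 sendmail[6935]: KAA06930: to=<list@example.com>, mailer=smtp, relay=mail.example.com. [198.51.100.141], stat=Sent
"""
ACCT = """\
Tue Jan  2 10:52:05 1996
    Acct-Session-Id = "17001189"
    User-Name = "user_a"
    Acct-Status-Type = Start
    Framed-Address = 192.0.2.38

Tue Jan  2 11:03:52 1996
    Acct-Session-Id = "17001189"
    User-Name = "user_a"
    Acct-Status-Type = Stop
    Framed-Address = 192.0.2.38

Tue Jan  2 11:10:00 1996
    Acct-Session-Id = "17001190"
    User-Name = "user_b"
    Acct-Status-Type = Start
    Framed-Address = 192.0.2.38
"""
# Inbound entries only: timestamp, queue id, and the bracketed relay IP.
FROM_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sendmail\[\d+\]: (\w+): from=.*relay=.*\[([\d.]+)\]", re.M)

def sessions(acct):
    """Pair Start/Stop accounting records by Acct-Session-Id."""
    out = {}
    for rec in filter(None, (r.strip() for r in re.split(r"\n\s*\n", acct))):
        head, *attrs = rec.splitlines()
        when = datetime.strptime(head.strip(), "%a %b %d %H:%M:%S %Y")
        kv = {k.strip(): v.strip().strip('"') for k, v in (a.split("=", 1) for a in attrs)}
        s = out.setdefault(kv["Acct-Session-Id"], {"user": kv["User-Name"],
                           "ip": kv["Framed-Address"], "start": None, "stop": None})
        if kv["Acct-Status-Type"] in ("Start", "Stop"):
            s[kv["Acct-Status-Type"].lower()] = when
    return list(out.values())

def attribute(maillog, acct, year):
    """Return (queue id, relay IP, accounts on that IP at receipt); no Stop = still open."""
    sess, hits = sessions(acct), []
    for m in FROM_RE.finditer(maillog):
        t = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")  # syslog omits the year
        users = sorted(s["user"] for s in sess if s["ip"] == m[3] and s["start"]
                       and s["start"] <= t <= (s["stop"] or datetime.max))
        hits.append((m[2], m[3], users))
    return hits
```

Matching on the session window rather than on the IP alone matters because the same dynamic address is reassigned to the next caller; an empty account list means no recorded session covered that time.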
© The Nizkor Project, 1991-2012
This site is intended for educational purposes to teach about the Holocaust and
to combat hatred.
Any statements or excerpts found on this site are for educational purposes only.
As part of these educational purposes, Nizkor may
include on this website materials, such as excerpts from the writings of racists and antisemites. Far from approving these writings, Nizkor condemns them and
provides them so that its readers can learn the nature and extent of hate and antisemitic discourse. Nizkor urges the readers of these pages to condemn racist
and hate speech in all of its forms and manifestations.