SCO Mailing List - Problems
Dave Armbrust
dma at pcssc.com
Fri Mar 29 10:00:29 AEST 1991
It seems that the SCO Mailing list has been attacked!
This following is what had happened based on best guess.
A site by the name of overlf.UUCP had been broken into.
apparently someone had log in via modem and had taken the
L-sys file from this system. Using this information
this system had login to fdurt1.fdu.edu and had sent
several hundred of duplicate messages to sco-list at uunet.uu.net
while pretending to be overlf.UUCP. during this transfer of
several hundred messages the real overlf.UUCP was in a single
user mode as they were aware of the break-in. This information
came to me from ross at fdurt1.fdu.edu. ross at fdurt1.fdu.edu
had disabled the login for overlf at 10PM on Monday 3/25/91.
These massive duplicates have caused major problems for the readers
of the SCO mailing list. They have cause more major problems
for myself as I have personally received well over 2000 error messages
from mailers all over stating <too many hops>.
While trying to catch up on this back log of junk messages
UUNET had also informed me that there was over 25 Megs of back logged
mail for my site and still growing every minute. I have asked them to
remove this back log which they stated would take them several hours
because of the massive size.
Until this backlog can be removed and things brought to a normal state
the SCO mailing list has been turned off. Any duplications should
come to me rather then the readers of this list.
It looks like we will be able to move the the SCO Mailing List distribution
point to another site that does not run sendmail! edhew at xenitec has agreed
to do so. This should stop the duplicate problems caused by uunet
sendmail bugs. I will post a message after the transfer has occured
and seems to be stable.
For those of you that have run mailing list before and have "never
subjected my members to anthing like this" I suggest that you try to
run one to over 400 sites with the large amount of trafic that goes
through the SCO Mailing List. Then I will be glad to compare notes with you.
Yes, I know it should be a news group but we have already tried that
and the vote failed.
Anyone that has sent mail to me since Monday should consider re-mailing
to me as I may not have received it. I will even try to respond to flames.
For those of you interested in the attack I have attached some
notes below.
Dave Armbrust | uunet!pcssc!dma
PC Software Systems | dma at pcssc.com or
4370 S. Tamiami Trail | owner-sco-list at uunet.uu.net
Sarasota, FL 34231-3400 | Phone: (813)922-8857
If you put garbage in a computer nothing comes out but garbage. But
this garbage, having passed through a very expensive machine, is
somehow ennobled and none dare criticize it.
==============================================================================
There also appears to be at least 3 versions of the message.
The 2nd and 3rd versions I assumed were modified for some reason.
It is possible that some or all of the modifications were made by
mailer programs. I will attempt to explain the modifications
below.
-------------------------------------------------------------------------------
The first version contains the lines:
...
Received: by fdurt1.fdu.edu (5.57/Ultrix3.0-C)
id AA13593; Mon, 25 Mar 91 11:34:04 -0500
Received: from kb2ear by overlf.UUCP id aa21394; Mon, 25 Mar 91 11:49:06 EST
Received: by kb2ear.UUCP (smail2.5X)
id AA13593; 25 Mar 91 11:34:04 EST (Mon)
Received: from cs.utexas.edu by rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
id AA18746; Mon, 25 Mar 91 03:28:04 EST
...
Return-Path: <raney at cs.toronto.edu>
Received: by anchor.Colorado.EDU (cu.bind.900828) Sun, 24 Mar 91 09:37:46 -0700
Date: Sun, 24 Mar 1991 11:37:46 -0500
From: Scott Raney <raney at anchor.colorado.edu>
Message-Id: <9103241637.AA02548 at anchor.Colorado.EDU>
To: pride386!root%fdurt1 at uunet.UU.NET
...
Sender: root at anchor.colorado.edu
OK, that's it. I'm ...
-------------------------------------------------------------------------------
The second version contains the lines:
...
Received: by fdurt1.fdu.edu (5.57/Ultrix3.0-C)
id (varies with each message); Mon, 25 Mar 91 (varies) -0500
Received: from kb2ear by overlf.UUCP id aa23985; Mon, 25 Mar 91 17:09:27 EST
Received: by kb2ear.UUCP (smail2.5X)
id AA16691; 25 Mar 91 16:17:18 EST (Mon)
Received: from cs.utexas.edu by rutgersedu (5.59/SMI4.0/RU1.4/3.08)
id AA09891; Mon, 25 Mar 91 15:41:59 EST
Received: from uunet.UU.NET by cs.utexas.edu (5.64/1.98) with SMTP
id AA15041; Mon, 25 Mar 91 14:40:44 -0600
Received: by uunet.UU.NET (5.61/UUNET-primary-gateway)
id AA02808; Mon, 25 Mar 91 12:48:31 -0500
Received: from relay1.UU.NET by uunet.UU.NET with SMTP
(5.61/UUNET-primary-gateway) id AA02787; Mon, 25 Mar 91 12:48:21 -0500
Received: from fdurt1.fdu.edu by relay1.UU.NET with SMTP
(5.61/UUNET-shadow-mx) id AA29347; Mon, 25 Mar 91 12:48:09 -0500
Received: by fdurt1.fdu.edu (5.57/Ultrix3.0-C)
id AA16681; Mon, 25 Mar 91 12:48:36 -0500
Received: from kb2ear by overlf.UUCP id aa21394; Mon, 25 Mar 91 11:49:06 EST
Received: by kb2ear.UUCP (smail2.5X)
id AA13593; 25 Mar 91 11:34:04 EST (Mon)
Received: from cs.utexas.edu by rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
id AA18746; Mon, 25 Mar 91 03:28:04 EST
...
Return-Path: <raney>
Received: by anchor.Colorado.EDU (cu.bind.900828) Sun, 24 Mar 91 09:37:46 -0700
Date: Sun, 24 Mar 19 09:37:46 -0700
From: Scott Raney <raney at anchor.colorado.edu>
Message-Id: <9103241637.AA02548 at anchor.Colorado.EDU>
To: pride386!root%fdurt1 at uunet.UU.NET
...
Sender: root at anchor.colorado.edu
OK, that's it. I'm ...
-------------------------------------------------------------------------------
Deferences between 1st and 2nd version:
1) Return-Path: changed from <raney at anchor.colorado.edu> to <raney>
2) Date: changed from Sun, 24 Mar 1991 11:37:46 -0500 to
Sun, 24 Mar 91 09:37:46 -0700
3) Messages appear to now have made at least one round trip.
-------------------------------------------------------------------------------
The third messages contains the lines:
Received: by fdurt1.fdu.edu (5.57/Ultrix3.0-C)
id (varies with each message); Mon, 25 Mar 91 (varies) -0500
Received: from cs.utexas.edu by rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
id AA09891; Mon, 25 Mar 91 15:41:59 EST
Received: from uunet.UU.NET by cs.utexas.edu (5.64/1.98) with SMTP
id AA15041; Mon, 25 Mar 91 14:40:44 -0600
Received: by uunet.UU.NET (5.61/UUNET-primary-gateway)
id AA02808; Mon, 25 Mar 91 12:48:31 -0500
Received: from relay1.UU.NET by uunet.UU.NET with SMTP
(5.61/UUNET-primary-gateway) id AA02787; Mon, 25 Mar 91 12:48:21 -0500
Received: from fdurt1.fdu.edu by relay1.UU.NET with SMTP
(5.61/UUNET-shadow-mx) id AA29347; Mon, 25 Mar 91 12:48:09 -0500
Received: by fdurt1.fdu.edu (5.57/Ultrix3.0-C)
id AA16681; Mon, 25 Mar 91 12:48:36 -0500
Received: from cs.utexas.edu by rutgers.edu (5.59/SMI4.0/RU1.4/3.08)
id AA18746; Mon, 25 Mar 91 03:28:04 EST
...
Return-Path: <raney>
Received: by anchor.Colorado.EDU (cu.bind.900828) Sun, 24 Mar 91 09:37:46 -0700
Date: Sun, 24 Mar 1991 09:37:46 -0700
From: sco-list at uunet.uu.net
Message-Id: <9103241637.AA02548 at anchor.Colorado.EDU>
To: root%fdurt1 at pride386.uucp
...
Sender: sco-list at uunet.uu.net
OK, that's it. I'm ...
-------------------------------------------------------------------------------
The differences from 2nd to 3rd versions are:
1) All reference to kb2ear and overlf.UUCP were removed!
Note: Now it appears that the messages when directly from
rutgers.edu to fdurt1.fdu.edu. (fdurt1.fdu.edu does not communicate
with rutgers.edu directly.)
2) From: changed from From: Scott Ranye <raney at anchor.colorado.edu> to
From: sco-list at uunet.uu.net
3) To: changed from To: pride386!root%fdurt1 at uunet.UU.NET to
To: root%fdurt1 at pride386.uucp
-------------------------------------------------------------------------------
Dave Armbrust | uunet!pcssc!dma
PC Software Systems | dma at pcssc.com or
4370 S. Tamiami Trail | owner-sco-list at uunet.uu.net
Sarasota, FL 34231-3400 | Phone: (813)922-8857
If you put garbage in a computer nothing comes out but garbage. But
this garbage, having passed through a very expensive machine, is
somehow ennobled and none dare criticize it.
More information about the Comp.unix.xenix.sco
mailing list