[ISN] Computerworld victim of spoof

From: mea culpa <jericho_at_dimensional.com>
Date: Thu 03 Dec 1998 - 02:24:48 CST
Forwarded From: darek milewski <darekm@cmeasures.com>

http://www.computerworld.com/home/news.nsf/CWFlash/9812023spam

Computerworld victim of spoof
By Tom Diederich

We've been "spoofed."

Last week, hackers began sending out spam E-mail promoting pornographic
Web sites.  The message headers made it appear as if the originator of the
E-mail was Computerworld.com.ph, which is the domain of Computerworld
Philippines, a Computerworld sister publication. 

This practice is called "spoofing," a hacking technique in which
third-party servers are covertly used to relay information. 

According to Tom Lamoureux, Computerworld Inc.'s director of support
services, the hackers relayed the spam through servers at four U.S.
universities. Lamoureux said his team is working with the colleges in an
attempt to find who actually sent the E-mail and to determine how many
people were targeted. 

"It's impossible to tell right now, but I would imagine somewhere between
thousands and hundreds of thousands have gotten the spam," Lamoureux said. 

"These messages probably did not originate in the Philippines," he added.
"My guess is they came from somewhere domestic because they all ultimately
pointed to www.tripod.com, an online community site.  The porn sites
promoted in the spam E-mail also resided on Tripod. 

Tripod, in Williamstown, Mass., did not immediately respond to a request
for an interview. However, Lamoureux said he spoke with an employee there
who said that such attacks are not uncommon. Tripod's standard procedure
is to shut down accounts and pull all related sites when such activity is
detected. 

Unfortunately, spoofing is a simple procedure. 

"In order to do a smut posting like this, all you really need is a place
to put the files -- there's a lot of online Web-hosting companies that
will do that for you -- and a dial-up account with an [Internet service
provider], which are a dime a dozen," Lamoureux said. 

"It's really impossible to tell how many people were affected. The only
real way to tell would be to check the mail server that [the spam] was
relayed through, but the problem is that colleges have lots of servers in
place and not all of them are administered." 

By checking the message headers, Computerworld's technicians determined
that servers at four U.S. colleges were affected: Virginia Commonwealth
University, the University of Wyoming, the University of Michigan and Duke
University. 

Michigan and Duke were spammed yesterday, Lamoureux said. "The best chance
to find out who originated the messages is really with these two colleges,
because they can look at the logs." Even though the domain name address
has been spoofed, he said, the sender's real IP address typically is
present. However, Lamoureux said, proxy servers can be used to cook up
fake IP addresses. 

The spammers may have used a dial-up account with an Internet service
provider. 

"Unless companies, and in this case universities, tighten down their mail
servers, this problem will really happen forever," Lamoureux said. 

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Dec 8 08:57:44 1998
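
The header check the article describes (reading the relay chain and the connecting IP address out of the Received lines), as an added example that is not part of the original post or article. The sample message, hostnames and addresses are constructed, and the parser assumes the sendmail-style layout "from HELO (rDNS [IP]) by HOST".

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not from the article): .example hosts, RFC 5737 addresses.
SAMPLE = """\
Received: from relay.univ-b.example (relay.univ-b.example [198.51.100.25])
\tby mx.recipient.example with SMTP; Wed, 2 Dec 1998 10:02:11 -0500
Received: from computerworld.com.ph (dialup-17.isp.example [203.0.113.77])
\tby relay.univ-b.example with SMTP; Wed, 2 Dec 1998 10:01:58 -0500
From: promo@computerworld.com.ph
To: someone@recipient.example
Subject: constructed sample

body
"""

# HELO name is whatever the client claimed; rDNS and IP are recorded by the
# receiving server, so they are the trustworthy part of each hop.
HOP = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)"
)

def trace(raw):
    """Return origin IP, relays used, and whether the From domain is spoofed."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = []
    # Each server prepends its Received line, so reverse to read oldest first.
    for value in reversed(msg.get_all("Received") or []):
        m = HOP.search(value)
        if m:
            helo, rdns, ip, by = m.groups()
            hops.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by})
    if not hops:
        return None
    peer = (hops[0]["rdns"] or "").lower()
    return {
        "from_domain": from_domain,
        "origin_ip": hops[0]["ip"],              # peer seen by the first relay
        "relays": [h["by"] for h in hops[:-1]],  # every hop before final delivery
        # Spoof indicator: connecting host is not inside the From domain.
        "mismatch": not (peer == from_domain or peer.endswith("." + from_domain)),
    }

if __name__ == "__main__":
    print(trace(SAMPLE))
```

Received lines below the first server you control can be forged by the sender, so the oldest hop is only as reliable as the relay that wrote it; the relay's own logs are the confirmation.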