Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ucbvax!decwrl!sun!plaid!chuq
From: chuq@plaid.Sun.COM (Chuq Von Rospach)
Newsgroups: news.admin
Subject: Re: sendsys
Message-ID: <57793@sun.uucp>
Date: 23 Jun 88 20:51:01 GMT
References: <3071@rpp386.UUCP> <710@vsi1.UUCP> <107@carpet.WLK.COM>
Sender: news@sun.uucp
Reply-To: chuq@sun.UUCP (Chuq Von Rospach)
Distribution: na
Organization: Fictional Reality
Lines: 76

> My point is that we're not certain whether it is
>Webber or someone trying to flood Webber's mailbox. Personally I think it's
>Webber but I have no evidence or proof, but the rutgers news administrator
>has a log. If he did, indeed, post the sendsys messages, they will appear
>in the rutgers log. If he didn't then they won't.

I'd be willing to bet it's not in the rutgers logs. Even if they did come
from rutgers (and I think they didn't, but not completely convinced) they
were forgeries outside of the standard system.

The four messages went to four different sites (ucbvax, agate, ames and
husc6) -- the only thing they have in common is that they're all NNTP
sites. The messages were all posted at 20:20. Because of the way
USENET/NNTP transfers are done, if all four really were posted on rutgers
at the same time and then distributed normally, it'd be very unlikely for
them to take two different paths. I find four different paths too
implausible to consider.

What seems to have happened was that someone (on rutgers or masquerading as
rutgers) fired up an nntp connect with each of the four sites and fed it
the forged message. This guarantees maximum speed in disbursal, a minimum
chance that a site will catch and kill the messages and the greatest amount
of confusion as everyone goes tracking back to the common site looking for
the source of the forgery. (for really good forgeries, there is no common
source, as these messages show).

Who did it? Damn good question, and I can only speculate.

    o Webber did it: why? two conflicting reasons. First, to flood the net
      with lots of bogus mail messages, just for jollies. He could also
      proceed to claim that someone was forging the messages as an attempt
      to "get" him, thereby (maybe) engendering a little sympathy. Or even
      simply to get some more attention. Who knows.

    o Someone did it to Webber. Why? because Webber's a pain in the neck.
      I'm sure someone out there could rationalize vandalizing the network
      just to "get" Webber. Or perhaps they thought it was cute and didn't
      realize the implications.

Guerilla tactics on USENET. What a concept.

If folks really want to track this down, I suggest the following:

    o rutgers: was Webber logged on at the time?

    o the four sites that received the message initially: do the logs (if
      they still exist) shed any light on where the message really came
      from? Do you have logs of nntp connections that can tell you who
      really was hooked up when the message came in?

Personally, I doubt the logging information is good enough to get any solid
information.

More importantly, I think we need to re-think control messages, especially
mailback control messages. My suggestions (right off the top of my head).

    o mailback messages should be zapped from the next release (or patch
      set) of the software. The minimal useful purpose they have is
      overshadowed by the potentials for nastiness, especially with the
      size of the net these days.

    o admins who can play with source should disable them without waiting.
      If you're really motivated, set up the source to trap the message as
      it goes through, so you don't propagate it to downstream sites that
      might not trap it (and therefore will send messages back up the pipe
      through you!)

    o the backbone, especially, should trap and kill these things.

Chuq Von Rospach			chuq@sun.COM		Delphi: CHUQ

Robert A. Heinlein: 1907-1988. He will never truly die as long as we read his
words and speak his name. Rest in Peace.
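
The trap suggested in the post above, sketched as an added example (not part of the original post and not code from any news software): it flags the RFC 1036 control messages that mail a reply back (sendsys, senduuname, version) and records which neighbor fed each one in. The sample articles, host names and function names are constructed, and the article is assumed to be examined as received, before the local site name is prepended to Path.

```python
# Added example: constructed articles, hypothetical names throughout.
MAILBACK = {"sendsys", "senduuname", "version"}  # RFC 1036 verbs that mail a reply

def parse_headers(article):
    """Return a dict of lower-cased header names from an RFC 1036 article."""
    headers, last = {}, None
    for line in article.splitlines():
        if not line.strip():            # blank line ends the header block
            break
        if line[0] in " \t" and last:   # continuation of the previous header
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers

def control_verb(headers):
    """Verb from Control:, else from a Subject that starts with 'cmsg '."""
    text = headers.get("control", "")
    subject = headers.get("subject", "")
    if not text and subject.startswith("cmsg "):
        text = subject[5:]
    words = text.split()
    return words[0].lower() if words else None

def triage(article):
    """Trap mailback control messages; report the neighbor that sent them."""
    h = parse_headers(article)
    verb = control_verb(h)
    hops = [p for p in h.get("path", "").split("!") if p]
    fed_by = hops[0] if hops else None  # leftmost Path entry = most recent relay
    action = "trap" if verb in MAILBACK else "forward"
    return {"action": action, "verb": verb, "fed_by": fed_by,
            "claimed_from": h.get("from")}

SAMPLES = [  # constructed articles
    "Path: hub1!origin!user\nFrom: user@origin.example\n"
    "Newsgroups: misc.test\nSubject: sendsys\nControl: sendsys\n\nbody\n",
    "Path: hub2!origin!user\nFrom: user@origin.example\n"
    "Newsgroups: misc.test\nSubject: cmsg version\n\n",
    "Path: hub1!other!reader\nFrom: reader@other.example\n"
    "Newsgroups: misc.test\nSubject: Re: sendsys\n\nOrdinary discussion.\n",
]

if __name__ == "__main__":
    for art in SAMPLES:
        print(triage(art))
```

Only the `fed_by` value reflects something the receiving site observed; `claimed_from` is copied from a header the sender controls.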