Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ucbvax!decwrl!sun!plaid!chuq
From: chuq@plaid.Sun.COM (Chuq Von Rospach)
Newsgroups: news.admin
Subject: Re: sendsys
Message-ID: <57793@sun.uucp>
Date: 23 Jun 88 20:51:01 GMT
References: <3071@rpp386.UUCP> <710@vsi1.UUCP> <107@carpet.WLK.COM>
Sender: news@sun.uucp
Reply-To: chuq@sun.UUCP (Chuq Von Rospach)
Distribution: na
Organization: Fictional Reality
Lines: 76

> My point is that we're not certain whether it is
>Webber or someone trying to flood Webber's mailbox.  Personally I think it's
>Webber but I have no evidence or proof, but the rutgers news administrator
>has a log.  If he did, indeed, post the sendsys messages, they will appear
>in the rutgers log.  If he didn't then they won't.

I'd be willing to bet it's not in the rutgers logs. Even if they did come
from rutgers (and I think they didn't, but not completely convinced) they
were forgeries outside of the standard system.

The four messages went to four different sites (ucbvax, agate, ames and
husc6) -- the only thing they have in common is that they're all NNTP sites.
The messages were all posted at 20:20. Because of the way USENET/NNTP
transfers are done, if all four really were posted on rutgers at the same
time and then distributed normally, it'd be very unlikely for them to take
two different paths. I find four different paths too implausible to consider.

What seems to have happened was that someone (on rutgers or
masquerading as rutgers) fired up an nntp connect with each of the four
sites and fed it the forged message. This guarantees maximum speed in
dispersal, a minimum chance that a site will catch and kill the messages
and the greatest amount of confusion as everyone goes tracking back to the
common site looking for the source of the forgery. (for really good
forgeries, there is no common source, as these messages show).

Who did it? Damn good question, and I can only speculate. 

o Webber did it: why? two conflicting reasons. First, to flood the net with
  lots of bogus mail messages, just for jollies. He could also proceed to
  claim that someone was forging the messages as an attempt to "get" him,
  thereby (maybe) engendering a little sympathy. Or even simply to get some
  more attention. Who knows.

o Someone did it to Webber. Why? because Webber's a pain in the neck.
  I'm sure someone out there could rationalize vandalizing the network
  just to "get" Webber. Or perhaps they thought it was cute and didn't
  realize the implications.

Guerrilla tactics on USENET. What a concept.

If folks really want to track this down, I suggest the following:

o rutgers: was Webber logged on at the time? 

o the four sites that received the message initially: do the logs (if they
  still exist) shed any light on where the message really came from? Do
  you have logs of nntp connections that can tell you who really was
  hooked up when the message came in?

Personally, I doubt the logging information is good enough to get any solid
information.

More importantly, I think we need to re-think control messages, especially
mailback control messages. My suggestions (right off the top of my head).

o mailback messages should be zapped from the next release (or patch set) 
  of the software. The minimal useful purpose they have is overshadowed
  by the potentials for nastiness, especially with the size of the net
  these days.

o admins who can play with source should disable them without waiting.
  If you're really motivated, set up the source to trap the message as
  it goes through, so you don't propagate it to downstream sites that
  might not trap it (and therefore will send messages back up the pipe
  through you!)

o the backbone, especially, should trap and kill these things.


Chuq Von Rospach			chuq@sun.COM		Delphi: CHUQ

	Robert A. Heinlein: 1907-1988. He will never truly die as long as we
                           read his words and speak his name. Rest in Peace.
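An added illustration of the two checks the post suggests (not code from the post or from any news software): trapping mailback control messages before they reach the outgoing feed, and comparing the upstream relay an article's Path: header claims with the host that actually opened the NNTP connection. The site name `ucbvax`, the sample article and the log peer are all constructed assumptions.

```python
"""Added example for the sendsys discussion above: trap mailback control
messages rather than relay them, and compare the relay named in an
article's Path: header with the host that actually opened the NNTP
connection. The article and log entry are constructed, not the 1988 ones."""
import email
from email.message import Message

# Control verbs that make every receiving site mail something back.
MAILBACK_CONTROLS = {"sendsys", "version", "senduuname"}
OUR_SITE = "ucbvax"  # assumed name of the site running these checks


def parse_article(text: str) -> Message:
    """Parse a news article: RFC 822-style headers, blank line, body."""
    return email.message_from_string(text)


def is_mailback_control(article: Message) -> bool:
    """True if the Control: header starts with a mailback verb."""
    words = article.get("Control", "").split()
    return bool(words) and words[0].lower() in MAILBACK_CONTROLS


def claimed_upstream(article: Message, our_site: str = OUR_SITE) -> str:
    """Relay that, according to Path:, handed the article to our_site."""
    hops = [h for h in article.get("Path", "").split("!") if h]
    if hops and hops[0] == our_site:
        hops = hops[1:]  # our own name is prepended on receipt
    return hops[0] if hops else ""


def injection_mismatch(article: Message, nntp_peer: str) -> bool:
    """Path: names one upstream but the NNTP connection log names another:
    the article was fed to us directly, not relayed as the path claims."""
    return claimed_upstream(article) != nntp_peer


def should_relay(article: Message) -> bool:
    """Outgoing-feed trap: never propagate mailback control messages."""
    return not is_mailback_control(article)


# Constructed sample: a sendsys whose Path: claims it came via rutgers.
FORGED = parse_article(
    "Path: ucbvax!rutgers!poster\nFrom: poster@rutgers.example\n"
    "Newsgroups: news.admin\nControl: sendsys\n"
    "Date: 23 Jun 88 20:20:00 GMT\n\n"
)
NNTP_LOG_PEER = "unknown-host.example"  # constructed log entry: real peer
```

Run against a real spool, the interesting case is an article where `injection_mismatch` is true: the path says one neighbour delivered it while the connection log shows another, which is exactly the direct-feed pattern the post describes.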