On Thu, 3 Feb 2000, Vin McLellan wrote:
[Majordomo-owner snipped as it's not a majordomo problem and
firewalls-owner has already been notified several times]
> >Whoever is sending this message can we please STOP. There is nothing in
> >it. There is no subject and it is just taking up space on mail servers.
>
> Could it be a mechanical malfunction somewhere?
It's possible, but not too likely, unless you consider human malfunctions.
>
> Since three of the first 20 "empty" messages (with a blank subject
> line) that were sent to the List today appear to come from me -- and I *didn't
> send them* -- I presume that the dozen-odd List regulars who were also
> listed as the source for the rest of these trash-mailings were also victims.
If you check the headers, you'll see that they'll match previous postings.
In my case, the headers in question were authentic for a machine that
hasn't been on-line for a couple of weeks.
> I'll leave it to the List Admin (or someone more skilled at reading
> the extended headers than I) to explain what has been happening here.
Someone - probably the person listed in the delivered to part of the
headers, or someone with access to their mail spool - has been forwarding
the old messages without their bodies.
> From what I see, it appears that the only content in these messages
> is the extended Header info from various posts to Firewalls and
> Firewall-wizards that date from January 7 and 8.
Yep. Exactly.
>
> It could be some sort of mobile malevolent code, I suppose. A
> purely "mechanical" software malfunction that sends out messages, dated
> today, which appear to come from various subscriber accounts -- with forged
> mail headers -- seems to be unlikely.
Depends. If it's a trojan or virus, forwarding saved messages back to the
recipient isn't that far from what we've seen in developing "e-mail
viruses." A mechanical process that's doing remailing, archiving, or
gatewaying to NNTP and has a bug *could* be at fault, though I also think
it unlikely.
> (My machine was connected to the net but unattended at the hour the
> three notes that seemed to come from my machine are time-stamped. On my
> local machine, however, I find no record of any outbound messages.)
(I was hoping you'd gotten the chance to answer the RSAREF message, so the
empty body was a double disappointment.)
> Highlights those thought-provoking questions about e-mail as
> evidence, even for internal corporate policy-enforcement, doesn't it?
Not if you corroborate with the logs on the various gateways in question.
For instance, if we had the logs for lists.gnac.net, we'd be able to match
the message-id with a connection host and timestamp. Then we'd be able to
go subpoena that host's log files and get a good chain of evidence.
Internally, we'd have all the logs and be able to match things up without
John Doe subpoenas.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
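
The log corroboration described in the reply above, sketched as an added example that is not part of the original message: it indexes gateway log entries by Message-ID and reports the connecting host and timestamp for each. The log lines are constructed sendmail-style samples, and the function names are hypothetical.

```python
import re

# Constructed sendmail-style gateway log lines (sample data, not real logs).
SAMPLE_LOG = """\
Feb  3 09:14:02 lists sendmail[1234]: JAA01234: from=<alice@example.org>, size=812, nrcpts=1, msgid=<200001071530.KAA12345@ws1.example.org>, proto=ESMTP, relay=dialup-12.example.net [192.0.2.44]
Feb  3 09:14:09 lists sendmail[1236]: JAA01236: from=<bob@example.com>, size=790, nrcpts=1, msgid=<200001081102.GAA00771@mail.example.com>, proto=ESMTP, relay=dialup-12.example.net [192.0.2.44]
Feb  3 10:02:41 lists sendmail[1301]: KAA01301: from=<carol@example.edu>, size=2048, nrcpts=1, msgid=<200002031502.KAA09001@mx.example.edu>, proto=ESMTP, relay=mx.example.edu [198.51.100.7]
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>.*?msgid=(?P<msgid><[^>]+>).*?"
    r"relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\]"
)

def index_by_msgid(log_text):
    """Map each Message-ID to every gateway connection that delivered it."""
    index = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            index.setdefault(m["msgid"], []).append(m.groupdict())
    return index

def corroborate(msgid, index):
    """Return log entries for msgid; 'mismatch' is True when the relay's domain
    differs from the host named in the Message-ID. Comparing the last two DNS
    labels is a simplification that is wrong for suffixes such as co.uk."""
    claimed = msgid.strip("<>").rsplit("@", 1)[-1].lower()
    claimed_domain = ".".join(claimed.split(".")[-2:])
    findings = []
    for e in index.get(msgid, []):
        relay_domain = ".".join(e["relay"].lower().split(".")[-2:])
        findings.append({**e, "mismatch": relay_domain != claimed_domain})
    return findings

def shared_sources(index):
    """Connecting IPs that submitted mail under more than one sender address."""
    by_ip = {}
    for entries in index.values():
        for e in entries:
            by_ip.setdefault(e["ip"], set()).add(e["sender"])
    return {ip: sorted(s) for ip, s in by_ip.items() if len(s) > 1}
```

The connecting host and timestamp returned for a Message-ID are what would then be matched against that host's own logs.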