
BLU Discuss list archive



I think I was sniffed?



Derek Martin wrote:
> 
> Today, Ron Peterson gleaned this insight:
> 
> > "Matthew J. Brodeur" wrote:
> > >
> > >    First of all, without the specifics of the spam messages and knowledge
> > > of Harvard.Net's mail server setup it's possible that this was just a case
> > > of mail forging.  Someone could have seen your address and decided to use
> > > it to get around the sender check on the mail server.  On many servers you
> > > wouldn't need a password to do that, just some knowledge of SMTP commands.
> > >
> > >    If this was sniffing the most likely case is the POP3 access across the
> > > internet.
> >
> > Here's the skinny from HarvardNet.  They received notification from
> > someone that some kind of SPAM originated from their network.  They were
> > sent the SPAM headers.
> >
> > Then they compare the IP address in the SPAM header to logfile of who
> > was logged in and assigned that IP address (via DHCP) at the time the
> > message's timestamp says the message was sent.  Which was me.
> 
> One question that still remains is, were YOU logged in at that time?

No.  I used 'last' to compare my login activity with the mail header
timestamps.  Someone dialed in as me, methinks.  Or otherwise logged in
as me.  Or forged the IP address.

> It could still be a forged IP address.

I'm curious.  How would someone go about forging an IP address in a mail
header?  I would actually prefer to think that's what happened. 
Otherwise I have to think someone stole my password, probably by
compromising my ISP.  Which means this could easily happen again.  Yuck.

> It's rather unlikely that you wouldn't have noticed it if that was the
> case though,

I'm really not very observant... ;-)

> This is what makes tracking spam so hard.  If you WERE logged on at that
> time, check your logs for mail being relayed at that time.

I /am/ running sendmail on my laptop.  My maillog only indicates a small
amount of activity at the time I was logged in.  I came back from
vacation that day, and picked up my email in the evening.
 
> Furthermore, if you are running sendmail on your laptop, STOP!

Hmm.  I see why you say that.  I like using my laptop for screwing
around development type stuff before launching stuff on my company's
servers, though.  I think I'd rather just try to do what I can to make
sure I'm running sendmail securely, than shutting it off completely. 
But feel free to persuade me that I'm bonkers...

Things could be much worse.  I'm going to consider this a wake up call,
though, and begin learning all I can about how to thoroughly secure and
monitor my systems.

-- 

Ron Peterson
Systems Manager
Wallace Floyd Design Group
273 Summer Street
Boston, MA  02210
617.350.7400 tel
617.350.0051 fax
rpeterson at wallacefloyd.com
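The two checks this thread turns on, whether the originating IP in a spam's headers was really Ron's and whether he was logged in at that moment, can be scripted. The example below is added here for illustration; it is not code from Ron, Derek, or HarvardNet. It walks the Received: headers from the top (newest hop first) and only trusts the hops stamped by servers you control or your ISP controls, because every Received: line below the sender's own hop is text the sender typed and can therefore forge, which is how an IP address gets "forged" in a mail header. It then checks the timestamp of the last trusted hop against last-style login records. The message, hostnames, addresses (RFC 5737 documentation ranges), and login lines are all constructed for the example.

```python
"""Correlate a spam's trusted Received: hop with dial-up login records.

Added example, not from the mailing-list thread. All headers, hosts,
IPs and login lines below are constructed; the trusted-host set is an
assumption standing in for "our MX plus the ISP's relay".
"""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

EDT = timezone(timedelta(hours=-4))

# Constructed spam. Hops are newest-first; the bottom hop is the sender's
# own fabrication claiming a different origin IP and a much earlier time.
SPAM = """\
Received: from mail.example-isp.net (mail.example-isp.net [192.0.2.10])
\tby mx.victim.example (8.9.3/8.9.3) with ESMTP id ABC123
\tfor <victim@victim.example>; Thu, 3 Jun 1999 23:41:12 -0400
Received: from dialup-22.example-isp.net (dialup-22.example-isp.net [198.51.100.22])
\tby mail.example-isp.net (8.9.3/8.9.3) with SMTP id XYZ789;
\tThu, 3 Jun 1999 23:40:58 -0400
Received: from totally-legit.example [203.0.113.5]
\tby dialup-22.example-isp.net; Thu, 3 Jun 1999 12:00:00 -0400
From: rpeterson@example-isp.net
Subject: MAKE MONEY FAST

body
"""

# Assumption: the recipient's MX and the ISP's relay are the only hosts
# whose Received: stamps we believe.
TRUSTED_HOSTS = {"mx.victim.example", "mail.example-isp.net"}

# Constructed 'last'-style accounting lines (year is not printed by last).
LAST_OUTPUT = """\
rpeterson ttyS2  dialup-22.example-isp.net  Thu Jun  3 19:02 - 19:40  (00:38)
jdoe      ttyS3  dialup-22.example-isp.net  Thu Jun  3 22:10 - 23:50  (01:40)
rpeterson ttyS1  dialup-07.example-isp.net  Fri Jun  4 08:15 - 08:42  (00:27)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}) - (?P<end>\d{2}:\d{2})"
)


def received_hops(raw_msg):
    """Parse each Received: header into (from_ip, by_host, timestamp)."""
    msg = message_from_string(raw_msg)
    hops = []
    for value in msg.get_all("Received", []):
        ip = IP_RE.search(value)
        by = BY_RE.search(value)
        # The timestamp is whatever follows the final ';' in the header.
        when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None,
                     "when": when})
    return hops


def probable_origin(raw_msg, trusted_hosts):
    """Return the deepest hop stamped by a trusted server.

    Its from_ip is the address that server actually saw connect; anything
    in hops below it was written by the sender and proves nothing.
    """
    origin = None
    for hop in received_hops(raw_msg):
        if hop["by"] not in trusted_hosts:
            break
        origin = hop
    return origin


def parse_last(text, year, tz):
    """Turn last(1)-style lines into sessions with aware start/end times."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue
        start = datetime.strptime(f"{m['start']} {year}",
                                  "%a %b %d %H:%M %Y").replace(tzinfo=tz)
        eh, em = (int(x) for x in m["end"].split(":"))
        end = start.replace(hour=eh, minute=em)
        if end < start:          # session crossed midnight
            end += timedelta(days=1)
        sessions.append({"user": m["user"], "host": m["host"],
                         "start": start, "end": end})
    return sessions


def sessions_covering(sessions, user, when):
    """Sessions of `user` that were open at instant `when`."""
    return [s for s in sessions
            if s["user"] == user and s["start"] <= when <= s["end"]]


if __name__ == "__main__":
    origin = probable_origin(SPAM, TRUSTED_HOSTS)
    sessions = parse_last(LAST_OUTPUT, 1999, EDT)
    print("trusted origin:", origin["from_ip"], "at", origin["when"])
    for user in ("rpeterson", "jdoe"):
        hits = sessions_covering(sessions, user, origin["when"])
        print(f"{user}: {'logged in' if hits else 'not logged in'}")
```

Run against the constructed data, the deepest trusted hop says 198.51.100.22 connected to the ISP relay at 23:40:58 -0400; rpeterson's only session that day ended at 19:40, so the script reports him not logged in, while jdoe's session covers the timestamp. The forged bottom hop (203.0.113.5 at noon) is never consulted. Real last output needs the year supplied, and timezone handling should match the terminal server's clock.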