Mailing List SIMS@mail.stalker.com Message #6625
From: Tod Fitch <tod@LTFdesign.com>
Subject: Re: What should I make of this?
Date: Thu, 03 Aug 2000 07:24:35 -0700
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
At 07:05 AM 8/3/2000, Stefan Jeglinski wrote:
 >Return-Path: larrymichael@netzero.net
 >Received: from [38.31.168.34] (HELO MailLite) by
 >adsl-63-192-216-68.dsl.snfc21.pacbell.net (Stalker SMTP Server
 >1.8b8) with SMTP id S.0000007613 for <RonaldRay1@netzero.net>; Fri,
 >28 Jul 2000 22:12:55 -0700
 >From: <larrymichael@netzero.net>
 >To: <RonaldRay1@netzero.net>
 >Subject: Re: SM site URL mail.ltfdesign.com
 >Date: Fri, 28 Jul 2000 20:33:20 -0800
 >MIME-Version: 1.0
 >Content-Type: text/plain
 >X-Mailer: MailLite 1.0
 >
 >My browser won't load it...is the URL right?

mail.ltfdesign.com is a name of my mail server. There is also a
webserver on the machine, but it will default to a benign screen if
accessed with the mail DNS name.

I have the feeling that these people are looking to use my server for
their own purposes. What should I be looking out for?

Kinda weird. Are you saying you suspect they have assumed they can do web-based mail on your server? Or, a more paranoid guess is that they are trying to break into SIMS via the http admin interface. I hope your password is pretty good. Any ideas what "SM" refers to? SendMail?!?

But tell me also, if these messages are being rejected via blacklist, then these guys aren't actually communicating with each other through your server, no? I must be missing something here - either RonaldRay1 and larrymichael are really dumb and like to beat their head against the wall, or ...

What do the relevant logs look like?


Unfortunately I had taken to scanning then deleting the logs before looking at the contents of the blklist account. My SIMS web interface is set to an oddball port, not the default. Both the "account" and "passwords" are set to long strings with both upper and lower case letters. I am now toying with the idea of blocking that port at my firewall and denying any outside administration of the mail server. That would be a big hit for me because most of the administration I normally do is from my work location, not my wife's studio.

The webserver on the machine has no CGIs and is not setup to allow uploads. There is no web based mail on it.

To the best of my knowledge my SIMS setup precluded the above mail from being delivered to the addressee. I suspect that they have been poking at the system in preparation for a hijack attempt. I suspect that they screwed up on this email and did not intend to send it through my server.

I also wondered if the "SM" was a reference to Sendmail. Hum... The LinkSys firewall box is reputed to have a stripped down version of Linux in it. Maybe a probe of the IP address indicated a *nix machine rather than a Mac? Maybe that led them to assume a Sendmail implementation. That seems odd in that SIMS identifies itself in the HELO exchange.....

Basically I don't know what to make of it.
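The question Stefan raises (are these two outside parties actually talking to each other through the server?) can be answered from the Received header alone: the envelope recipient in the `for <...>` clause is a netzero.net address, not one of the server's own domains, so the transaction was a third-party relay attempt. The following script is an added example, not code from the thread or from SIMS; it unfolds the quoted headers, pulls out the client IP, HELO name and envelope recipient, and flags a relay attempt when the recipient domain is not local. The set of local domains (`LOCAL_DOMAINS`) is an assumption for the example.

```python
"""Classify an inbound SMTP transaction from its Received header.

Added example (not part of the SIMS mailing-list thread or the SIMS product).
It decides whether the message quoted in the thread was addressed to one of
the server's own domains or was a third-party relay attempt, and notes
whether the HELO name looks like a real host name.
"""
import re

# Constructed sample: the header block quoted in the thread, as text.
SAMPLE_HEADERS = """\
Return-Path: larrymichael@netzero.net
Received: from [38.31.168.34] (HELO MailLite) by
 adsl-63-192-216-68.dsl.snfc21.pacbell.net (Stalker SMTP Server
 1.8b8) with SMTP id S.0000007613 for <RonaldRay1@netzero.net>; Fri,
 28 Jul 2000 22:12:55 -0700
From: <larrymichael@netzero.net>
To: <RonaldRay1@netzero.net>
Subject: Re: SM site URL mail.ltfdesign.com
Date: Fri, 28 Jul 2000 20:33:20 -0800
"""

# Assumed for the example: domains this server accepts mail for.
LOCAL_DOMAINS = {"ltfdesign.com", "mail.ltfdesign.com"}

# "from [ip] (HELO name)" as written by the Stalker SMTP server in the sample.
RECEIVED_FROM_RE = re.compile(r"from\s+\[?([\d.]+)\]?\s+\(HELO\s+([^)]+)\)")
RECEIVED_FOR_RE = re.compile(r"\bfor\s+<([^>]+)>")


def unfold_headers(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto the header they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_headers(raw):
    """Return {lower-case header name: [values...]} for a raw header block."""
    headers = {}
    for line in unfold_headers(raw):
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def domain_of(addr):
    """Domain part of an address, with any angle brackets removed."""
    addr = addr.strip().strip("<>")
    return addr.rpartition("@")[2].lower()


def classify(raw, local_domains=LOCAL_DOMAINS):
    """Summarise the transaction recorded in the first Received header."""
    headers = parse_headers(raw)
    received = headers.get("received", [""])[0]
    client = RECEIVED_FROM_RE.search(received)
    envelope_to = RECEIVED_FOR_RE.search(received)

    recipient = envelope_to.group(1).strip() if envelope_to else ""
    helo = client.group(2).strip() if client else None
    sender = headers.get("return-path", [""])[0].strip().strip("<>")

    return {
        "client_ip": client.group(1) if client else None,
        "helo": helo,
        "sender": sender,
        "recipient": recipient,
        # A bare word such as "MailLite" is not a host name; real MTAs send an FQDN.
        "helo_is_fqdn": bool(helo) and "." in helo,
        # Recipient outside the local domains means the client asked us to relay.
        "relay_attempt": bool(recipient) and domain_of(recipient) not in local_domains,
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_HEADERS).items():
        print(f"{key:>14}: {value}")
```

Run against the quoted headers, `relay_attempt` comes out true and `helo_is_fqdn` false: both sender and recipient live at netzero.net and the client announced itself with a bare product name, which is the pattern to look for in the SMTP log when checking whether a blacklist or relay restriction actually stopped the delivery.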

