Re: Mysterious faked posting in CodherPlunks

Adam Back (aba@dcs.ex.ac.uk)
Mon, 18 Jan 1999 21:40:36 GMT

• Next message: Adam Back: "Re: hard to ban 'crypto holes' (Re: Crypto export....)"
• Previous message: Black Unicorn: "RE: hard to ban 'crypto holes' (Re: Crypto export....)"
• In reply to: mgraffam@idsi.net: "RE: hard to ban 'crypto holes' (Re: Crypto export....)"

Mok-Kong Shen writes:
> Mok-Kong Shen wrote:
> >
> > Sorry for the disturbance. But I just received the following
> > with the mysterious 'Is L.D: back?' and my name as sender (with
> > quotes though) and an attached file which I can't read.
>
> I have just made a comparison of the faked message with my above
> message by saving these to files and examine the header part.
> I found the following which is present in the first but not
> in the second:
>
> X400-Received: by /PRMD=nexor/ADMD=ATTMAIL/C=GB/; Relayed;
> Thu, 14 Jan 1999 09:29:57 +0000
> X400-Received: by mta lancaster.nexor.co.uk in
> /PRMD=nexor/ADMD=ATTMAIL/C=GB/;
> Relayed; Thu, 14 Jan 1999 09:29:57 +0000
> Date: Thu, 14 Jan 1999 09:29:57 +0000
> X400-Originator: Andy.Brown@nexor.co.uk

lancaster.nexor.co.uk or another mailhost in the full headers was
probably just used as an open relay by the true author. After the
point of injection in the Received headers any of the headers could
have been forged.

Looking at a recent message by Andy Brown, the above headers are
inconsistent with the headers created by messages he sends, his
messages include:

X400-MTS-Identifier: [/PRMD=nexor/ADMD=ATTMAIL/C=GB/;lancaster.ne:185852:981001095851]

Course my ability to predict behaviour of an X400 based system in
event of a forgery attempt involving it is limited not having used
one, but the above to me indicates that the originator may have
intentionally made it look as if Andy Brown had faked the message.

Course then again, maybe Andy really did send it you. The subject 'Is
L.D: back?' would be referring to L. Detweiller a certain person who
got into a few arguments some years back on the crypto lists. LD was
suspected of being behind some remailer and mailing list attacks, as
well as being a frequent poster at the time who was suspected of using
multiple nyms. Periodically someone who gets into arguments is
accused/suspected of being LD.

Adam

• Next message: Adam Back: "Re: hard to ban 'crypto holes' (Re: Crypto export....)"
• Previous message: Black Unicorn: "RE: hard to ban 'crypto holes' (Re: Crypto export....)"
• In reply to: mgraffam@idsi.net: "RE: hard to ban 'crypto holes' (Re: Crypto export....)"