Xensei logs email, Dranetz Jeffrey L

On Thu, 11 Jan 1996, Jamie McCarthy wrote:

> Xensei-admins wrote:
>
> >I’d be happy to provide any information which would be helpful in
> >determining the exact source of the attack.
>
> Great. Thank you. Ken’s not logged in right now, so I’ll field this one.
>
> Here’s the first line in the sendmail log which netcom provided us with:
>
> Jan 2 07:49:28 mail5 sendmail[4889]: HAA04874:
> from=, size=23926, class=0, pri=53926,
> nrcpts=1, msgid=<[email protected]>, proto=ESMTP,
> relay=xensei2.xensei.com [198.151.175.2]
>
> You can find the full log (un-word-wrapped 🙂 at:
>
> ftp://ftp.almanac.bc.ca/pub/people/d/dranetz.jeffrey.l/netcom-sendmail-log
>
> The remaining lines are logs of the listserv subscriptions being sent to
> Ken and his unsubscribe requests. There are no more logs of forged email
> “from” him, so the above line is all we have to go on at the moment. At
> least as I understand it.
>
> Is the above timestamp and IP number enough to go on?

Hi Jamie,

Yes, that was all I needed, thanks.

Our own sendmail log (relevant portion attached below), shows that the
message “from” km[email protected] to Netcom’s listserv account was
sent via our mail server from 205.136.68.38, one of our dynamic dial-up IP
addresses. A cross reference of our dial-up accounting logs (also attached)
shows that this IP address was in fact in use by the Xensei account “jeffd”
at the time this message was received by our server for delivery.

Assuming that our log files are secure, which I believe they are, the only
possibilities would appear to be that either Jeff Dranetz himself generated
the forged message, or that his account was broken into.

As per my earlier message regarding acceptable use, Jeff Dranetz’s account
has been suspended pending further investigation. I’ll let you and Kenneth
know what the final outcome is.

Jan 2 10:52:31 xensei2 sendmail[6930]: KAA06930:
from=, size=24162, class=0, pri=54162, nrcpts=1,
msgid=<[email protected]>, proto=SMTP,
relay=xensei-PPP-0038.xensei.com [205.136.68.38]

Jan 2 10:52:37 xensei2 sendmail[6935]: KAA06930: to=,
delay=00:00:10, mailer=smtp, relay=mail5.netcom.com. [192.100.81.141],
stat=Sent (HAA04874 Message accepted for delivery)

Tue Jan 2 10:52:05 1996
Acct-Session-Id = "17001189"
User-Name = "jeffd"
Client-Id = 198.151.175.10
Client-Port-Id = 14
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Address = 205.136.68.38
Acct-Delay-Time = 0

Tue Jan 2 11:03:52 1996
Acct-Session-Id = "17001189"
User-Name = "jeffd"
Client-Id = 198.151.175.10
Client-Port-Id = 14
Acct-Status-Type = Stop
Acct-Session-Time = 707
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Address = 205.136.68.38
Acct-Delay-Time = 0

Jeff Morris - http://www.xensei.com/users/jeffm/
+-----------------------------------------------------------+
| The Xensei Corporation                                    |
| Affordable SLIP/PPP Internet Access - Boston South Shore  |
| Phone: 617.376.6342 - E-Mail: [email protected]        |
| http://www.xensei.com/                                    |
+-----------------------------------------------------------+
Received: from xensei2.xensei.com (xensei2.xensei.com [198.151.175.2])
by vixa.voyager.net (8.6.11/8.6.11) with ESMTP id QAA17134 for ;
Thu, 11 Jan 1996 16:44:56 -0500
Received: (from xenium@localhost) by xensei2.xensei.com
(8.6.11/Xensei-M1.01/122994-BRC) id QAA02639; Thu, 11 Jan 1996 16:44:47 -0500
X-UIDL: 821396785.000
Date: Thu, 11 Jan 1996 16:44:46 -0500 (EST)
From: Jeff Morris
To: Jamie McCarthy
cc: Xensei Admin List, Ken McVay, Margaret - Netcom Security, Carleton Freenet Postmaster, America On-Line Abuse Manager
Subject: Re: Recent Mail Bombing
In-Reply-To: <[email protected]>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
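The cross-reference Jeff Morris describes (relay IP and arrival time from the sendmail envelope line, matched against the RADIUS accounting session that held that dynamic address at the time) as an added Python example; this is not code from the thread, and the sample records are reconstructed from the quoted excerpts with elided addresses replaced by placeholders and the year taken from the message headers.

```python
import re
from datetime import datetime, timedelta
# Constructed from the log excerpts quoted in this thread; elided addresses become <elided>.
SENDMAIL_LOG = """\
Jan  2 10:52:31 xensei2 sendmail[6930]: KAA06930: from=<elided>, size=24162, class=0, pri=54162, nrcpts=1, msgid=<elided>, proto=SMTP, relay=xensei-PPP-0038.xensei.com [205.136.68.38]
Jan  2 10:52:37 xensei2 sendmail[6935]: KAA06930: to=<elided>, delay=00:00:10, mailer=smtp, relay=mail5.netcom.com. [192.100.81.141], stat=Sent (HAA04874 Message accepted for delivery)
"""
RADIUS_LOG = """\
Tue Jan  2 10:52:05 1996
Acct-Session-Id = "17001189"
User-Name = "jeffd"
Acct-Status-Type = Start
Framed-Address = 205.136.68.38

Tue Jan  2 11:03:52 1996
Acct-Session-Id = "17001189"
User-Name = "jeffd"
Acct-Status-Type = Stop
Acct-Session-Time = 707
Framed-Address = 205.136.68.38
"""
ENVELOPE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sendmail\[\d+\]: (\w+): from=.*relay=\S+ \[([\d.]+)\]")
def parse_sendmail(text, year=1996):
    """Map queue id -> (arrival time, relaying IP) from the envelope 'from=' lines (syslog has no year)."""
    out = {}
    for m in filter(None, map(ENVELOPE.match, text.splitlines())):
        out[m.group(2)] = (datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y"), m.group(3))
    return out

def parse_radius(text):
    """Fold Start/Stop accounting records into sessions keyed by Acct-Session-Id."""
    sessions = {}
    for block in text.strip().split("\n\n"):
        head, *body = block.strip().splitlines()
        ts = datetime.strptime(head.strip(), "%a %b %d %H:%M:%S %Y")
        a = dict(line.strip().split(" = ", 1) for line in body)
        s = sessions.setdefault(a["Acct-Session-Id"].strip('"'), {"user": a["User-Name"].strip('"'),
                                "ip": a["Framed-Address"], "start": None, "stop": None})
        if a["Acct-Status-Type"] == "Start":
            s["start"] = ts
        else:  # a lone Stop record still fixes the start: Stop time minus Acct-Session-Time
            s["stop"] = ts
            s["start"] = s["start"] or ts - timedelta(seconds=int(a["Acct-Session-Time"]))
    return sessions

def attribute(queue_id, sendmail, sessions, skew=timedelta(seconds=60)):
    """[(user, session_id)] holding the relay IP at arrival; dial-up IPs are reused, so the time window decides, and `skew` absorbs unsynchronised clocks."""
    ts, ip = sendmail[queue_id]
    return [(s["user"], sid) for sid, s in sessions.items()
            if s["ip"] == ip and s["start"] - skew <= ts <= (s["stop"] or ts) + skew]
```

Note that Netcom's log stamps the same message at 07:49:28 and Xensei's at 10:52:31, a three-hour offset consistent with Pacific versus Eastern local time rather than a clock fault, so cross-site correlation should normalise time zones before applying any skew tolerance.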