[Tango-L] milonguero viejo
Ruddy Zelaya
ruddy at milongas.com
Thu Jun 29 22:04:42 EDT 2006

Hola Naifas y Garabos!
Deby Novitz wrote (to Viejo Milonguero):
>>You are not Sergio. It is ohh so easy with the right tools to forge
>>email addresses and headers...bitch slap anyone? (A hacker tool)
Dear Deby (-- hi Deb!!),
  you are correct in that the right tools will allow you to forge addresses and
headers. Spammers do it every day with varying degrees of success. That does
not mean, however, that forged addresses and headers are undetectable,
they just go undetected because most email clients hide them... but the
clues are there.
One can fake any number of items but in the end at least two of those
headers must be true: the first valid sender and the last recipient. Otherwise
the mail does not get sent and it will not get to its destination. There are
ways to trace these things that I would rather not discuss in order not to lead
folks into temptation or to make future "Sergio/Viejo" impersonations easier... :-)
Suffice it to say that the know-how is available on the web to anyone with
a desire to learn and the capacity to understand. You are a smart gal and
in the biz so I'm not telling you anything you don't already know ;-)
Another listeraty (if you pardon the pun) sent me a private email stating that
it was possible that "Sergio"'s machine is being operated by a remote access
hack and he was willing to help him/her. As proof of the possibility he mentioned
the past correspondence of one "Keith Belltaylor <adiosmuchachos90 at yahoo.com>".
So, I went out and collected three samples of "Keith"'s postings to run some forensics
on the headers. Lo and behold, "Sergio/Viejo"'s IP address [68.70.149.87] was there:

Received: from [68.70.149.87] by web55206.mail.re4.yahoo.com via HTTP; Fri, 16 Jun 2006 08:33:54 -0700 (PDT)
Date: Fri, 16 Jun 2006 08:33:54 -0700 (PDT)
From: Keith Belltaylor <adiosmuchachos90 at yahoo.com>
Subject: [Tango-L] learning tango
X-Originating-IP: [64.224.219.77]

Received: from [68.70.149.87] by web55213.mail.re4.yahoo.com via HTTP; Fri, 16 Jun 2006 11:25:14 -0700 (PDT)
Date: Fri, 16 Jun 2006 11:25:14 -0700 (PDT)
From: Keith Belltaylor <adiosmuchachos90 at yahoo.com>
Subject: [Tango-L] Learning versus teaching
X-Originating-IP: [64.224.219.76]

Received: from [68.70.149.87] by web55209.mail.re4.yahoo.com via HTTP; Sat, 24 Jun 2006 07:18:51 -0700 (PDT)
Date: Sat, 24 Jun 2006 07:18:51 -0700 (PDT)
From: Keith Belltaylor <adiosmuchachos90 at yahoo.com>
Subject: [Tango-L] Spelling
X-Originating-IP: [216.247.37.26]

Notice how the X-Originating-IP tag seems to indicate that the sources are all different
(though one can argue that the first two came from the same machine, just two
different DHCP sessions). Nevertheless, the last traceable Received address remains
consistent: 68.70.149.87, same as "Sergio/Viejo". The X-Originating-IP tag is one
of those things that can be spoofed. Hmmm.
Then my eye caught something peculiar. One of "Keith"'s messages was addressed not to
Tango-L at mit.edu but to a personal alias (one declared in their own address book):

Received: from [68.70.149.87] by web55209.mail.re4.yahoo.com via HTTP; Sat, 24 Jun 2006 07:18:51 -0700 (PDT)
Date: Sat, 24 Jun 2006 07:18:51 -0700 (PDT)
From: Keith Belltaylor <adiosmuchachos90 at yahoo.com>
Subject: [Tango-L] Spelling
X-Originating-IP: [216.247.37.26]
Sender: tango-l-bounces at mit.edu
To: "Tango-L1 mit.edu" <tango-l at mit.edu>

Guess who else uses the same alias:

Received: from [68.70.149.87] by web55206.mail.re4.yahoo.com via HTTP; Wed,  28 Jun 2006 16:05:15 -0700 (PDT)
Date: Wed, 28 Jun 2006 16:05:15 -0700 (PDT)
From: "VIEJO.MILONGUERO" <viejo.milonguero at yahoo.com>
Subject: [Tango-L] The problem with UK
Sender: tango-l-bounces at mit.edu
To: "Tango-L1 mit.edu" <tango-l at mit.edu>

What are the odds of that?
I'll leave it to the list to decide whether these are two, three different people or one and the same.
Personally, it does not matter to me. You can call yourself God for all I care (oh, wait, that's 
already taken ;-)  I chose to investigate it only as a mental exercise to see if the spoofer(s) was 
clever enough. 
By the way, there are extremely good reasons to disguise one's real identity when joining internet
groups. Using multiple identities in one group, however, demonstrates a disturbing degree of duplicity
that forces me to question everything that the spoofer may say... right or wrong.
With best wishes to all and with malice towards none,
--
ruddy
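
The comparison made in the post above, as an added Python example that is not part of the original message or the author's own tooling: it pulls the webmail submission IP from the Received line, the X-Originating-IP value and the To display name out of each message, then reports values that appear under more than one From address. The function names, the sample headers and the example.com / documentation-range addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

WEBMAIL_HOP = re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\] by \S+ via HTTP")

def fingerprint(raw):
    """Extract the fields the post compares from one message's headers."""
    msg = message_from_string(raw)
    # Each hop prepends its Received line, so the last one listed is the earliest.
    received = msg.get_all("Received") or []
    hop = WEBMAIL_HOP.search(received[-1]) if received else None
    return {
        "from": parseaddr(msg.get("From", ""))[1].lower(),
        "submit_ip": hop.group(1) if hop else None,
        # Recorded for comparison only; the post treats this tag as spoofable.
        "x_orig_ip": (msg.get("X-Originating-IP") or "").strip("[] ") or None,
        "to_alias": parseaddr(msg.get("To", ""))[0] or None,
    }

def correlate(raws, keys=("submit_ip", "to_alias")):
    """Map (field, value) to the From addresses that share that value."""
    shared = defaultdict(set)
    for fp in map(fingerprint, raws):
        for key in keys:
            if fp[key]:
                shared[(key, fp[key])].add(fp["from"])
    # Keep only values that appear under more than one sender address.
    return {k: v for k, v in shared.items() if len(v) > 1}

def sample(ip, sender, to, xoip=None):
    """Build constructed headers in the shape of the ones quoted in the post."""
    lines = [f"Received: from [{ip}] by web1.mail.example.com via HTTP; "
             "Fri, 16 Jun 2006 08:33:54 -0700 (PDT)", f"From: {sender}", f"To: {to}"]
    if xoip:
        lines.append(f"X-Originating-IP: [{xoip}]")
    return "\n".join(lines) + "\n\n"

# Constructed data: documentation IP ranges and example.com addresses.
ALIAS = '"List1 example.org" <list@example.org>'
SAMPLES = [
    sample("192.0.2.87", "Persona A <a@example.com>", ALIAS, "198.51.100.77"),
    sample("192.0.2.87", "Persona B <b@example.com>", ALIAS),
    sample("203.0.113.5", "Persona C <c@example.com>", "list@example.org", "203.0.113.5"),
]

if __name__ == "__main__":
    for (field, value), senders in sorted(correlate(SAMPLES).items()):
        print(field, value, sorted(senders))
```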
    
    