[Tango-L] milonguero viejo-"TLI"
joanneprochaska@aol.com
joanneprochaska at aol.com
Fri Jun 30 09:00:06 EDT 2006
Now THIS is fascinating to me...like CSI...let's call it TLI for Tango-L Investigation! Hey, it helps to educate us "web-challenged" listros. Anything to help keep us on the straight and narrow is a good thing!
Joanne Pogros
Tango Cleveland
Ohio
-----Original Message-----
From: Ruddy Zelaya <ruddy at milongas.com>
To: Tango-L at mit.edu
Cc: ruddy at milongas.com
Sent: Thu, 29 Jun 2006 20:04:42 -0600
Subject: Re: [Tango-L] milonguero viejo
Hola Naifas y Garabos!
Deby Novitz wrote (to Viejo Milonguero):
>>You are not Sergio. It is ohh so easy with the right tools to forge
>>email addresses and headers...bitch slap anyone? (A hacker tool)
Dear Deby (-- hi Deb!!),
you are correct in that the right tools will allow you to forge addresses and
headers. Spammers do it every day with varying degrees of success. That does
not mean, however, that forged addresses and headers are undetectable,
they just go undetected because most email clients hide them... but the
clues are there.
One can fake any number of items but in the end at least two of those
headers must be true: the first valid sender and the last recipient. Otherwise
the mail does not get sent and it will not get to its destination. There are
ways to trace these things that I'd rather not discuss in order not to lead
folks into temptation or to make future "Sergio/Viejo" impersonations easier...
:-)
Suffice it to say that the know-how is available on the web to anyone with
a desire to learn and the capacity to understand. You are a smart gal and
in the biz so I'm not telling you anything you don't already know ;-)
Another listeraty (if you pardon the pun) sent me a private email stating that
it was possible that "Sergio"s machine is being operated by a remote access
hack and he was willing to help him/her. As proof of the possibility he
mentioned the past correspondence of one
"Keith Belltaylor <adiosmuchachos90 at yahoo.com>".
So, I went out and collected three samples of "Keith"s postings to run some
forensics on the headers. Lo and behold, "Sergio/Viejo"s IP address
[68.70.149.87] was there:
Received: from [68.70.149.87] by web55206.mail.re4.yahoo.com via HTTP; Fri, 16
Jun 2006 08:33:54 -0700 (PDT)
Date: Fri, 16 Jun 2006 08:33:54 -0700 (PDT)
From: Keith Belltaylor <adiosmuchachos90 at yahoo.com>
Subject: [Tango-L] learning tango
X-Originating-IP: [64.224.219.77]
Received: from [68.70.149.87] by web55213.mail.re4.yahoo.com via HTTP; Fri, 16
Jun 2006 11:25:14 -0700 (PDT)
Date: Fri, 16 Jun 2006 11:25:14 -0700 (PDT)
From: Keith Belltaylor <adiosmuchachos90 at yahoo.com>
Subject: [Tango-L] Learning versus teaching
X-Originating-IP: [64.224.219.76]
Received: from [68.70.149.87] by web55209.mail.re4.yahoo.com via HTTP; Sat, 24
Jun 2006 07:18:51 -0700 (PDT)
Date: Sat, 24 Jun 2006 07:18:51 -0700 (PDT)
From: Keith Belltaylor <adiosmuchachos90 at yahoo.com>
Subject: [Tango-L] Spelling
X-Originating-IP: [216.247.37.26]
Notice how the X-Originating-IP tag seems to indicate that the sources are all
different (though one can argue that the first two came from the same machine,
just two different DHCP sessions). Nevertheless, the last traceable Received
address remains consistent: 68.70.149.87, same as "Sergio/Viejo". The
X-Originating-IP tag is one of those things that can be spoofed. Hmmm.
Then my eye caught something peculiar. One of "Keith"s messages was addressed
not to Tango-L at mit.edu but to a personal alias (one declared in their own
address book):
Received: from [68.70.149.87] by web55209.mail.re4.yahoo.com via HTTP; Sat, 24
Jun 2006 07:18:51 -0700 (PDT)
Date: Sat, 24 Jun 2006 07:18:51 -0700 (PDT)
From: Keith Belltaylor <adiosmuchachos90 at yahoo.com>
Subject: [Tango-L] Spelling
X-Originating-IP: [216.247.37.26]
Sender: tango-l-bounces at mit.edu
To: "Tango-L1 mit.edu" <tango-l at mit.edu>
Guess who else uses the same alias:
Received: from [68.70.149.87] by web55206.mail.re4.yahoo.com via HTTP; Wed, 28
Jun 2006 16:05:15 -0700 (PDT)
Date: Wed, 28 Jun 2006 16:05:15 -0700 (PDT)
From: "VIEJO.MILONGUERO" <viejo.milonguero at yahoo.com>
Subject: [Tango-L] The problem with UK
Sender: tango-l-bounces at mit.edu
To: "Tango-L1 mit.edu" <tango-l at mit.edu>
What are the odds of that?
I'll leave it to the list to decide whether these are two, three different
people or one and the same.
Personally, it does not matter to me. You can call yourself God for all I care
(oh, wait, that's already taken ;-) I chose to investigate it only as a mental
exercise to see if the spoofer(s) was clever enough.
By the way, there are extremely good reasons to disguise one's real identity
when joining internet groups. Using multiple identities in one group, however,
demonstrates a disturbing degree of duplicity that forces me to question
everything that the spoofer may say... right or wrong.
With best wishes to all and with malice towards none,
--
ruddy
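The comparison described in the message above, as an added example that is not part of the original post: it groups messages by the earliest Received hop and by the To display name, and reports traits that appear under more than one From address. All addresses, host names and IPs below are constructed (documentation ranges and example.* domains), and the function names are hypothetical.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

def sample(sender, hop_ip, xoip, to):
    """Build one constructed message in the header shape quoted in the post."""
    xo = f"X-Originating-IP: [{xoip}]\n" if xoip else ""
    return (f"Received: from [{hop_ip}] by web1.mail.example.net via HTTP;\n"
            " Fri, 16 Jun 2006 08:33:54 -0700 (PDT)\n"
            f"From: {sender}\n{xo}To: {to}\n\nbody\n")

# Constructed samples: documentation IP ranges and example.* names only.
ALIAS = '"List-L1 example.org" <list@example.org>'
SAMPLES = [
    sample("Persona A <a@example.com>", "192.0.2.87", "198.51.100.77", "list@example.org"),
    sample("Persona A <a@example.com>", "192.0.2.87", "203.0.113.26", ALIAS),
    sample("Persona B <b@example.com>", "192.0.2.87", None, ALIAS),
    sample("Persona C <c@example.com>", "192.0.2.10", "192.0.2.10", "list@example.org"),
]

def fingerprint(raw):
    """Extract the traits the post compares from one raw message."""
    msg = message_from_string(raw)
    # Each relay prepends its Received line, so the last one is the earliest hop.
    received = msg.get_all("Received", [])
    hop = re.search(r"from \[([0-9.]+)\]", received[-1]) if received else None
    xoip = re.search(r"[0-9.]+", msg.get("X-Originating-IP", ""))
    return {
        "from": parseaddr(msg.get("From", ""))[1],
        "first_hop": hop.group(1) if hop else None,
        # The post notes this header can be spoofed, so it is not used to link senders.
        "x_originating": xoip.group(0) if xoip else None,
        "to_alias": parseaddr(msg.get("To", ""))[0] or None,
    }

def shared_traits(raw_messages):
    """Return traits (first-hop IP, To display name) seen under more than one From address."""
    groups = defaultdict(set)
    for raw in raw_messages:
        fp = fingerprint(raw)
        for trait in ("first_hop", "to_alias"):
            if fp[trait]:
                groups[(trait, fp[trait])].add(fp["from"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for (trait, value), senders in shared_traits(SAMPLES).items():
        print(f"{trait}={value!r} shared by {senders}")
```

A shared first-hop address can also be a NAT gateway or proxy used by several people, so a match is a lead to corroborate with a second trait, as the post does with the To alias.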