Carolyn P. Meinel Hall of Shame
Hacking Guide Errata

> Vol. 1 Number 5

> First, let's check out the return email address:
>        finger
> We get:
>        []
>        finger: Connection timed out
> There are several possible reasons for this. One is that the systems
> administrator for has disabled the finger port. Another is that
> is inactive. It could be on a host computer that is turned off,
> or maybe just an orphan. 

If an admin disables finger, it will not return the message "Connection
timed out". It will return "Connection refused".

> This should get us to a screen that would ask us to give user name and
> password. The result is:
>        Trying ...
>        telnet: connect: Connection timed out
> OK, now we know that people can't remotely log in to So it sure
> looks as if it was an unlikely place for the author of this spam to have
> really sent this email.

"Connection timed out" is NOT the answer it gives if you aren't allowed
to connect to the machine. "Connection refused" is what you would see.
It is also very likely that a user could send all the mail in the world, but 
disable incoming telnet connections on port 23. One is not related to the 

> Another valid domain! So this is a reasonably ingenious forgery. The culprit
> could have sent email from any of, or We know
> is highly unlikely because we can't get even the login port to
> work. But we still have and as suspected homes for this spammer.

Or that could be a machine that isn't currently connected to
the internet, which seems reasonable after "Connection timed out" messages.
Perhaps they use PPP or SLIP for some hours of the day.
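The distinction drawn in the replies above (for finger, for telnet, and for a host that is simply offline), as an added example that is not part of the original errata. The function names and the loopback demo are constructed for illustration.

```python
import errno
import socket

# What each connect() outcome says about the remote end.
MEANING = {
    "open": "a service accepted the connection",
    "refused": "host is up and answered, but nothing listens on that port",
    "timed out": "no reply at all: host down, off the net, or packets dropped",
    "unreachable": "a router or the local stack reported no route to the host",
    "other": "failure unrelated to the port state (e.g. name lookup)",
}

def classify(exc):
    """Map the exception raised by a TCP connect to one of the MEANING keys."""
    if isinstance(exc, ConnectionRefusedError):            # ECONNREFUSED
        return "refused"
    if isinstance(exc, (TimeoutError, socket.timeout)):    # ETIMEDOUT or our timer
        return "timed out"
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH,
                                                  errno.ENETUNREACH):
        return "unreachable"
    return "other"

def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and report how it ended."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)

if __name__ == "__main__":
    # Constructed local demo: a bound socket that is not yet listening
    # refuses connections; once it listens, the same port is open.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    for step in ("before listen()", "after listen()"):
        result = probe("127.0.0.1", port)
        print(f"{step}: {result} -> {MEANING[result]}")
        srv.listen(1)
    srv.close()
```

A disabled service on a live host lands in the "refused" branch; only a host that never answers reaches "timed out".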

> Presumably one of the people reading email sent to these addresses will use
> the email message id number to look up who forged this email. Once the
> culprit is discovered, he or she usually is kicked out of the ISP. 

No. Unless there are numerous complaints, they typically won't be kicked
off their ISP. If you are the first complaint, they will get nothing
more than a warning.

The reactions of the ISP are usually spelled out in your "Acceptable
Use" policies you get when you first sign up. Perhaps these should be read.