Mail server hacked ?
on 01.04.2005 01:06:04 by plg
Hi,
I'm a teacher at the university. Recently I received, by email,
identical papers from two students:
1. Students A & B don't know each other.
2. Student A did not copy the paper from student B (I know).
3. Problem: Student B's email is dated one day before Student A's
email.
Could it be that student B hacked into the university's mail server,
copied student A's paper and then sent "his" paper to me, changing the
delivery date to one day prior to the actual delivery date?
Thanks,
Re: Mail server hacked ?
on 01.04.2005 01:20:00 by Andrzej Adam Filip
plg wrote:
> I'm a teacher at the university. Recently I received, by email,
> identical papers from two students:
> 1. Students A & B don't know each other.
> 2. Student A did not copy the paper from student B (I know).
> 3. Problem: Student B's email is dated one day before Student A's
> email.
Which header have you used to compare dates?
Have you checked dates in headers appended by mail server? (Received:)
Date in "Date:" header is trivial to fake.
> [...]
--
Andrzej [en:Andrew] Adam Filip anfi@priv.onet.pl anfi@xl.wp.pl
Re: Mail server hacked ?
on 01.04.2005 02:18:12 by ynotssor
"plg" wrote in message
news:1112309984.396104.302220@l41g2000cwc.googlegroups.com
> Hi,
> I'm a teacher at the university. Recently I received, by email,
> identical papers from two students:
> 1. Students A & B don't know each other.
> 2. Student A did not copy the paper from student B (I know).
> 3. Problem: Student B's email is dated one day before Student A's
> email.
>
> Could it be that student B hacked into the university's mail
> server, copied student A's paper and then sent "his" paper to me,
> changing the delivery date to one day prior to the actual delivery date?
It's far more likely that both copied the same article published elsewhere
on the web.
Re: Mail server hacked ?
on 01.04.2005 02:27:29 by Sam
plg writes:
> Hi,
> I'm a teacher at the university. Recently I received, by email,
> identical papers from two students:
> 1. Students A & B don't know each other.
> 2. Student A did not copy the paper from student B (I know).
> 3. Problem: Student B's email is dated one day before Student A's
> email.
>
> Could it be that student B hacked into the university's mail server,
> copied student A's paper and then sent "his" paper to me, changing the
> delivery date to one day prior to the actual delivery date?
Yes, it could be. At least I'm not aware of any law of physics that applies
in this universe, and which prohibits this from occurring.
If you want to investigate whether or not this has happened, the facts that
you need to obtain are:
1) The full, entire contents of both messages, in question. That includes
full headers, and, in some cases, the actual contents. If both papers in
question are MS-Word documents, you've won the lottery: MS-Word by default
stuffs a bunch of metadata junk in all documents it spits out. There have
been widely publicised incidents of someone publishing some controversial
MS-Word document on the web (such as, for example, an allegedly independent
analysis that showed that Windows is cheaper than Linux), with further
investigation showing that its metadata indicates that the document had a
ghostwriter, and the ghostwriter had very good reasons for nobody to know
who the real author of the document was ( *cough* Microsoft *cough* ).
2) The precise nature of the security breach, or exploit, that you believe
has occurred, and what evidence of that you can show to us.
Sometimes, only #1 will be sufficient. If the messages themselves reveal
the presence of some monkey business, you'll know who's been screwing
around, and #2 won't be needed.
The rule of thumb is that these kinds of cheaters, with very few exceptions,
are typically rather dumb (especially when they're at this particular stage
of their biological lifespan). If someone's smart enough to pull something
like this and cover up all the traces, they're probably smart enough to know
their stuff and they wouldn't even need to demean themselves with this kind
of monkey-business.
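What the metadata check described in the post above can look like, as an added example that is not part of the original thread. It assumes the papers are in the newer .docx format, a ZIP archive whose `docProps/core.xml` holds the author fields (the binary .doc format needs a different parser); the two sample documents, names and times are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
          "created": "dcterms:created", "modified": "dcterms:modified",
          "revision": "cp:revision"}

def core_properties(docx_bytes):
    """Read the author and timestamp fields from docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        root = ET.fromstring(archive.read("docProps/core.xml"))
    return {name: (root.findtext(path, default="", namespaces=NS) or "").strip()
            for name, path in FIELDS.items()}

def shared_fields(a, b):
    """Names of fields that are non-empty and identical in both documents."""
    return sorted(name for name in FIELDS if a[name] and a[name] == b[name])

def make_sample(creator, last_by, created, modified, revision):
    """Constructed test input: a ZIP holding only a minimal core.xml."""
    xmlns = " ".join(f'xmlns:{p}="{uri}"' for p, uri in NS.items())
    body = (f"<cp:coreProperties {xmlns}>"
            f"<dc:creator>{creator}</dc:creator>"
            f"<cp:lastModifiedBy>{last_by}</cp:lastModifiedBy>"
            f"<cp:revision>{revision}</cp:revision>"
            f"<dcterms:created>{created}</dcterms:created>"
            f"<dcterms:modified>{modified}</dcterms:modified>"
            "</cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("docProps/core.xml", body)
    return buf.getvalue()

# Constructed samples: names and times are invented for the demonstration.
PAPER_A = make_sample("Ghost Writer", "Student A", "2005-03-20T10:00:00Z",
                      "2005-03-30T18:00:00Z", 7)
PAPER_B = make_sample("Ghost Writer", "Student B", "2005-03-20T10:00:00Z",
                      "2005-03-31T08:00:00Z", 8)

if __name__ == "__main__":
    a, b = core_properties(PAPER_A), core_properties(PAPER_B)
    print(a, b, "identical:", shared_fields(a, b), sep="\n")
```

A matching creator and creation time in two papers from students who do not know each other points to a common source file; these fields are editable, so they are a lead rather than proof.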
Re: Mail server hacked ?
on 01.04.2005 03:11:28 by Jem Berkes
> I'm a teacher at the university. Recently I received, by email,
> identical papers from two students:
> 1. Students A & B don't know each other.
> 2. Student A did not copy the paper from student B (I know).
> 3. Problem: Student B's email is dated one day before Student A's
> email.
>
> Could it be that student B hacked into the university's mail server,
> copied student A's paper and then sent "his" paper to me, changing the
> delivery date to one day prior to the actual delivery date?
First, they both could have grabbed the same document from a mutual source
(whether or not they know each other). For example, the web, or one of
those bums who writes and sells essays to other students. There are
certainly such people advertising their services on our campus.
Also, the date that shows up in the email Date header is only going to
reflect what the sender's clock shows. So if the sending computer has an
incorrectly set clock, that date still gets stamped.
--
Jem Berkes
Software design for Windows and Linux/Unix-like systems
http://www.sysdesign.ca/
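The comparison raised in the replies above (the sender-written `Date:` header against the `Received:` stamps added by mail servers), as an added example that is not part of the original thread. The sample message, host names, addresses and the 10-minute tolerance are constructed assumptions.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime
from datetime import timedelta

# Constructed sample message: all hosts, addresses and times are made up.
RAW = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mail.university.example with ESMTP id CONSTRUCTED2;
\tThu, 31 Mar 2005 09:15:02 +0200
Received: from student-pc (unknown [198.51.100.7])
\tby relay.example.net with SMTP id CONSTRUCTED1;
\tThu, 31 Mar 2005 09:14:58 +0200
Date: Wed, 30 Mar 2005 09:10:00 +0200
From: Student B <b@example.org>
To: teacher@university.example
Subject: Term paper

(paper attached)
"""

def received_times(msg):
    """Timestamps of all Received: headers, topmost (newest hop) first."""
    times = []
    for hdr in msg.get_all("Received", []):
        # The timestamp is whatever follows the last ';' in the header.
        stamp = hdr.rsplit(";", 1)[-1].strip()
        times.append(parsedate_to_datetime(stamp))
    return times

def date_skew(raw, tolerance=timedelta(minutes=10)):
    """Compare the sender-written Date: with the receiving server's stamp."""
    msg = message_from_string(raw)
    claimed = parsedate_to_datetime(msg["Date"])
    # Only the topmost Received: line was written by the recipient's server;
    # lower ones came from upstream hosts and can be fabricated too.
    arrived = received_times(msg)[0]
    skew = arrived - claimed
    return claimed, arrived, skew, abs(skew) > tolerance

if __name__ == "__main__":
    claimed, arrived, skew, suspicious = date_skew(RAW)
    print("Date: header says  ", claimed)
    print("Server received at ", arrived)
    print("Difference         ", skew, "-> suspicious" if suspicious else "-> ok")
```

A large gap shows only that the `Date:` value does not match the arrival time; a wrong clock on the sending computer produces the same result as a deliberately backdated header.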
Re: Mail server hacked ?
on 01.04.2005 11:30:44 by plg
All sending and receiving of students' work is done from the
university's web site, where each student/teacher has to log in to the
web site first.
The actual mail system is hidden behind asp pages and forms. Thus, I
have no way of telling if the date that appears on my teacher's web
page is from the email's "Received" field or "Date" field.
I could contact the web site's developers on this matter, or get the
email itself (original format) from the site's sys admin, but this
seems like a rather long procedure for the moment considering the fact
that both are outside contractors.
Looking for a simpler solution... someone mentioned it's possible to
check MS-Word documents for ghost writers !!!
Re: Mail server hacked ?
on 01.04.2005 11:34:59 by plg
I'm glad to say that both papers are MS-Word documents and that I have
both of them. Now how do I find this ghost writer ?
Re: Mail server hacked ?
on 01.04.2005 16:23:34 by Sam
plg writes:
> All sending and receiving of students' work is done from the
> university's web site, where each student/teacher has to log in to the
> web site first.
>
> The actual mail system is hidden behind asp pages and forms. Thus, I
> have no way of telling if the date that appears on my teacher's web
> page is from the email's "Received" field or "Date" field.
>
> I could contact the web site's developers on this matter, or get the
> email itself (original format) from the site's sys admin, but this
> seems like a rather long procedure for the moment considering the fact
> that both are outside contractors.
Based on recent incidents in the news, there's a distinct possibility that
someone investigated and discovered a bunch of security holes in the
sooper-dooper web-based system that so-called "outside contractors" have
foisted on you.
And I think that it's rather unlikely that these so-called "outside
contractors" would freely admit that they are clueless and don't know how to
design a secure application.
One of many articles on the subject:
http://www.detnews.com/2005/technology/0503/09/tech-111950.htm
> Looking for a simpler solution... someone mentioned it's possible to
> check MS-Word documents for ghost writers !!!
Google is your friend:
http://www.payneconsulting.com/public/products/ProductDetail.asp?nProductID=21
http://www.sharewareconnection.com/metadataminer-catalogue-pro.htm
There are probably many other similar tools out there.
Re: Mail server hacked ?
on 01.04.2005 21:40:14 by JG
Using any of the interrogation methods sanctioned by the US gov't would
yield results. However, I would be suspicious of these results unless you're
certain that terrorists have infiltrated the university or have WMDs.
"plg" wrote in message
news:1112348099.779525.40360@z14g2000cwz.googlegroups.com...
> I'm glad to say that both papers are MS-Word documents and that I have
> both of them. Now how do I find this ghost writer ?
>