On 4/7/2012 5:36 AM, Francois Labreque wrote:
> Le 2012-04-06 00:52, Patrick Elliott a écrit :
>> On 4/5/2012 6:58 PM, Darren New wrote:
>>> On 4/1/2012 8:43, Warp wrote:
>>>> (it broke the 50% mark of all email traversing
>>>> the internet long time ago)
>>>
>>> It broke the 90% mark a long time ago.
>>>
>>>> thwarts any kind of comprehensive automatic
>>>> traffic analysis of email (or at least makes it impractical and
>>>> expensive).
>>>
>>> Classifying spam isn't difficult. It's just that ISPs don't want to
>>> carry 10x as much email data as they need to, and it's hard to track
>>> down the source.
>>>
>> They could go a long way by changing the protocol so you can't "fake"
>> the source,
>
> There are many webhosting services that also offer e-mail with their
> package. In those cases, the source would always appear fake since the
> source would be "mailrelay.webhostingcompany.com" instead of
> "mail.francoispetgroomingservices.biz"
>
>> and the tracking, with respect to how it got there, is kept,
>
> It is. Look at the "Received:" lines of the header.
>
>> and correctly reported, so that, even if you changed the supposed start
>> point, somehow, it would be more obvious that the source, as it
>> traversed the network, wasn't the source being reported.
>
> Internal RFC-1918 addressing and discrepancies between internal DNS vs.
> public DNS names make this impossible.
>
> As an outsider, how can you tell if fred.remoteoffice.mycompany
> (10.2.5.14) and pebbles.datacenter.mycompany (10.254.13.56) are valid
> sources without knowing the internal e-mail architecture of the company?
>
Hmm. Yeah, there is that. In theory, this isn't as big an issue with
IPv6, since, in principle, every single device, not just IP connection,
could have its own unique identifier. You could even use MAC for that,
only.. some people got the idea that you should be allowed to screw with
those too, so again... Sigh..
In any case, I am not talking about a "complete" solution, just one that
is marginally less stupid than the ones in existence. Sure, a few "small
businesses" might look bad, but what would you rather get, 500 different
emails from 10.254.23.1, each one with a different domain name, or the
ability to mask out ones that go through 2 other "external" IPs, which
you can surmise makes it a probable fraud, and only have to look at 1-2
emails that come from similar locations.
For the most part, unless something goes **very** wrong in a network, or
a major change happens to its morphology, it's not just the endpoint that
can be used to figure out where it came from.
Instead of even an attempt at a smart solution, what we get is clients
that hide the routing information, and let the scammers add
"http://www.wellsfargo.com/accounts" to the "mouse over" for all the
damn links, so that you either a) copy and paste that (it doesn't copy
the real address under it), and end up at the legit point, or b) click
the link, and end up at "wells.fargo.scam.robyoublind.ru". In other
words, the ***EXACT OPPOSITE*** of better security, and threat
identification.
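As an added example (not code from anyone in this thread), here is a small Python script that does the two checks the post argues about: it walks the "Received:" chain of a message, separates the RFC-1918 hops an outside recipient has to take on faith from the public relays it can actually check, flags a message that passed through two or more external relays, and flags links whose visible text names one host while the href points somewhere else. The message, hostnames, addresses and the two-relay threshold are all constructed for illustration; the heuristics are mine, not a standard.

```python
import email
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real capture). Headers are listed most
# recent first, as a real MTA writes them: two public relays hand the message
# to our MX, and before that two RFC-1918 hops inside the sender's network.
SAMPLE_MESSAGE = """\
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.org with ESMTP; Sat, 7 Apr 2012 10:02:11 +0000
Received: from smarthost.example.net (smarthost.example.net [203.0.113.10])
\tby relay.example.com with ESMTP; Sat, 7 Apr 2012 10:02:09 +0000
Received: from pebbles.datacenter.mycompany (pebbles.datacenter.mycompany [10.254.13.56])
\tby smarthost.example.net with ESMTP; Sat, 7 Apr 2012 10:02:05 +0000
Received: from fred.remoteoffice.mycompany (fred.remoteoffice.mycompany [10.2.5.14])
\tby pebbles.datacenter.mycompany with ESMTP; Sat, 7 Apr 2012 10:02:01 +0000
From: accounts@bank.example
To: victim@example.org
Subject: Account notice
Content-Type: text/html

<html><body>
<a href="http://wells.fargo.scam.example.ru/login">http://www.wellsfargo.com/accounts</a>
<a href="http://www.wellsfargo.com/help">Help</a>
</body></html>
"""

# The three RFC 1918 ranges: hops in these ranges describe the sender's
# internal architecture, which an outsider cannot verify (or resolve).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def received_hops(msg):
    """Extract (from-host, by-host, bracketed IP) from each Received: header."""
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = re.match(r"from\s+(\S+).*?\bby\s+(\S+)", value)
        ip = re.search(r"\[([0-9.]+)\]", value)
        if m:
            hops.append({"from": m.group(1), "by": m.group(2), "ip": ip.group(1) if ip else None})
    return hops


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html):
    """Return (real host, displayed host) pairs where the link text names a
    host but the href actually goes to a different one."""
    p = _LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        m = re.match(r"(?:https?://)?((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})", text)
        if not m:
            continue                               # plain words like "Help": nothing to compare
        text_host = m.group(1).lower()
        href_host = (urlparse(href).hostname or "").lower()
        if href_host != text_host:
            out.append((href_host, text_host))
    return out


def analyze(raw=SAMPLE_MESSAGE, external_limit=2):
    """Summarise the relay chain and the body links of one message."""
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    external = [h["ip"] for h in hops if h["ip"] and not is_rfc1918(h["ip"])]
    internal = [h for h in hops if h["ip"] and is_rfc1918(h["ip"])]
    findings = []
    if len(external) >= external_limit:
        findings.append("relayed through %d external hosts: %s" % (len(external), ", ".join(external)))
    if internal:
        findings.append("%d RFC-1918 hop(s) unverifiable from outside: %s"
                        % (len(internal), ", ".join(h["from"] for h in internal)))
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href_host, text_host in deceptive_links(body):
        findings.append("link text says %s but target is %s" % (text_host, href_host))
    return {"hops": hops, "external": external, "internal": internal, "findings": findings}


if __name__ == "__main__":
    for line in analyze()["findings"]:
        print(line)
```

On the sample this reports two external relays, two internal hops it cannot check, and one link whose text and target disagree. Note that the external-relay count is exactly the kind of crude heuristic the post asks for: legitimate mail from a web host's shared relay will also trip it, which is Francois's objection, so in practice it is a score input rather than a verdict.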