On 02/04/2012 4:53 PM, James Holsenback wrote:
> On 04/02/2012 09:07 AM, Stephen wrote:
>> On 02/04/2012 12:28 PM, Francois Labreque wrote:
>>>
>>> In soviet Canuckistan, this is illegal. They can only do drug testing
>>> ONCE you are employed and ONLY IF it pertains to your duties (e.g.
>>> airline pilot, heavy machinery operator, etc...)
>>
>> But they are good at Curling as Jim will know. ;-)
>>
>
> LOL ... yeah! Just like shuffleboard only substitute ice and a rock ;-)
--
Regards
Stephen
On 4/1/2012 6:40, Orchid Win7 v1 wrote:
> suspect whoever suggested this doesn't quite comprehend the volume of data
> we're talking about here.
Uh, no, you realize all that traffic is already being examined and routed,
right? It's not like Google doesn't have 3 to 5 copies of the entire
internet available in tenths of seconds to anyone in the world, you know?
It's only massive data if you don't automate it. That's why people in the
USA get peeved when the Supreme Court decides that police affixing a GPS
tracker to your car without telling you isn't any more intrusive than
actually following you around while you drive.
--
Darren New, San Diego CA, USA (PST)
"Oh no! We're out of code juice!"
"Don't panic. There's beans and filters
in the cabinet."
On 4/1/2012 8:43, Warp wrote:
> (it broke the 50% mark of all email traversing
> the internet long time ago)
It broke the 90% mark a long time ago.
> thwarts any kind of comprehensive automatic
> traffic analysis of email (or at least makes it impractical and expensive).
Classifying spam isn't difficult. It's just that ISPs don't want to carry
10x as much email data as they need to, and it's hard to track down the source.
--
Darren New, San Diego CA, USA (PST)
"Oh no! We're out of code juice!"
"Don't panic. There's beans and filters
in the cabinet."
On 4/5/2012 6:58 PM, Darren New wrote:
> On 4/1/2012 8:43, Warp wrote:
>> (it broke the 50% mark of all email traversing
>> the internet long time ago)
>
> It broke the 90% mark a long time ago.
>
>> thwarts any kind of comprehensive automatic
>> traffic analysis of email (or at least makes it impractical and
>> expensive).
>
> Classifying spam isn't difficult. It's just that ISPs don't want to
> carry 10x as much email data as they need to, and it's hard to track
> down the source.
>
They could go a long way by changing the protocol so you can't "fake"
the source, and the tracking, with respect to how it got there, is kept,
and correctly reported, so that, even if you changed the supposed start
point, somehow, it would be more obvious that the source, as it
traversed the network, wasn't the source being reported. Half the time
email systems consider this information "inconvenient" and actually make
it hard, or impossible, to even look at, never mind actually tell you
that there is a discrepancy of any kind.
If the thing comes from a proxy, it's obviously not from wherever it
was sent from in reality. Might need some rules on whether it's legal for
the proxy itself to misrepresent itself as a) not in the chain, or b) a
different source. But, once it leaves the proxy, there is still, in
principle, a way to trace back the address, to the server it claims to
come from, thereby finding that there is no way in hell the trace in the
email's own path could match with the claimed source (but, that would
require an automatic traceroute, and even doing that, from some
machines, won't work in cases like Windows, where generating the packets
needed in anything other than the control paths is **not allowed**, as a
possible detected exploit, and where your ISP, modem, or something else,
is denying those control commands).
But, yeah, it's hardly "impossible" to at least figure out where the hell
it comes from, and probably easier to use something like that, to ferret
out new "bad" messages, than all the stupid assed, "Let's look at the
content, then panic when legit mail contains X formatting, and Y list of
keywords!!!" Hotmail has flagged legit stuff on me, for example, once a
week, at times, as "possibly dangerous", yet, at almost as much of a
regular basis, it has failed to flag idiots trying to sell me viagra...
And, while they suggest to leave the bad emails in there, to better
handle new bad ones, if you have a good one end up in the trap, you can
miss it in "page after page" of invalid ones, simply because having one
good email, on the 50th page, or 800 actual spam messages... really
isn't a viable solution. It's almost better, if you have fairly low
volume, to turn the damn spam trap off, and just delete them yourself.
> Classifying spam isn't difficult.
I've yet to see a single system which can do this reliably. Maybe one
exists, but I haven't seen it.
> It's just that ISPs don't want to
> carry 10x as much email data as they need to, and it's hard to track
> down the source.
This.
> They could go a long way by changing the protocol so you can't "fake"
> the source, and the tracking
Yeah, but that means a breaking change to the mail protocol.
Will. Not. Happen.
Heck, they invented a way to check that the source mail server is
authorised to send mail, and large ISPs manage to screw that up.
(When receiving mail, you're supposed to look up the domain of the
source server and check for an authorisation record in the DNS.
Apparently some doofus thought it would be a good idea to also check the
domain OF THE EMAIL ADDRESS - despite the RFC explicitly saying that you
must not do this...)
On 6-4-2012 6:52, Patrick Elliott wrote:
> On 4/5/2012 6:58 PM, Darren New wrote:
>> On 4/1/2012 8:43, Warp wrote:
>>> (it broke the 50% mark of all email traversing
>>> the internet long time ago)
>>
>> It broke the 90% mark a long time ago.
>>
>>> thwarts any kind of comprehensive automatic
>>> traffic analysis of email (or at least makes it impractical and
>>> expensive).
>>
>> Classifying spam isn't difficult. It's just that ISPs don't want to
>> carry 10x as much email data as they need to, and it's hard to track
>> down the source.
>>
> They could go a long way by changing the protocol so you can't "fake"
> the source, and the tracking, with respect to how it got there, is kept,
> and correctly reported, so that, even if you changed the supposed start
> point, somehow, it would be more obvious that the source, as it
> traversed the network, wasn't the source being reported. Half the time
> email systems consider this information "inconvenient" and actually make
> it hard, or impossible, to even look at, never mind actually tell you
> that there is a discrepancy of any kind.
Often I receive mail that was not sent by the person that is in the
from: line. Many people also get mail that claims to be sent by me. I
even get myself mail sent by me often from places that I might wish to
visit, but haven't done so yet.
What I never fully understood is if this is legal or not. I know it is
easy to do, and hard to track down, but I would expect it to be illegal
anyway. Does anyone here know?
--
tip: do not run in an unknown place when it is too dark to see the
floor, unless you prefer to not use uppercase.
> Often I receive mail that was not sent by the person that is in the
> from: line. Many people also get mail that claims to be sent by me. I
> even get myself mail sent by me often from places that I might wish to
> visit, but haven't done so yet.
> What I never fully understood is if this is legal or not. I know it is
> easy to do, and hard to track down, but I would expect it to be illegal
> anyway. Does anyone here know?
Sending an email is like sending a postcard; you write on one side who
it's from, and on the other side who it's to. Most people write who it's
/really/ from, but there's absolutely nothing to stop you pretending to
be anybody you fancy. (Whether the recipient will believe you is another
matter...) People seem to think because it's on a computer it must
somehow be "secure", but it isn't.
Is it illegal? Well, is it illegal to send a postcard claiming to be
from somebody it isn't?
Clearly trying to deceive somebody for financial gain is fraud, which is
illegal no matter which way you try to do it. But is pretending to be
somebody else illegal in itself? I don't know. (And I'd guess it varies
by country anyway.)
On 2012-04-06 00:52, Patrick Elliott wrote:
> On 4/5/2012 6:58 PM, Darren New wrote:
>> On 4/1/2012 8:43, Warp wrote:
>>> (it broke the 50% mark of all email traversing
>>> the internet long time ago)
>>
>> It broke the 90% mark a long time ago.
>>
>>> thwarts any kind of comprehensive automatic
>>> traffic analysis of email (or at least makes it impractical and
>>> expensive).
>>
>> Classifying spam isn't difficult. It's just that ISPs don't want to
>> carry 10x as much email data as they need to, and it's hard to track
>> down the source.
>>
> They could go a long way by changing the protocol so you can't "fake"
> the source,
There are many webhosting services that also offer e-mail with their
package. In those cases, the source would always appear fake since the
source would be "mailrelay.webhostingcompany.com" instead of
"mail.francoispetgroomingservices.biz"
> and the tracking, with respect to how it got there, is kept,
It is. Look at the "Received:" lines of the header.
> and correctly reported, so that, even if you changed the supposed start
> point, somehow, it would be more obvious that the source, as it
> traversed the network, wasn't the source being reported.
Internal RFC-1918 addressing and discrepancies between internal DNS vs.
public DNS names make this impossible.
As an outsider, how can you tell if fred.remoteoffice.mycompany
(10.2.5.14) and pebbles.datacenter.mycompany (10.254.13.56) are valid
sources without knowing the internal e-mail architecture of the company?
> Half the time
> email systems consider this information "inconvenient" and actually make
> it hard, or impossible, to even look at, never mind actually tell you
> that there is a discrepancy of any kind.
>
> If the thing comes from a proxy, it's obviously not from wherever it
> was sent from in reality.
There's no such thing as a proxy in e-mail parlance. Only mail relays.
And because most companies and ISPs try to limit the path that e-mails
take to known and trusted sources, you can't get rid of them.
> Might need some rules on whether it's legal for
> the proxy itself to misrepresent itself as a) not in the chain, or b) a
> different source.
How should a machine with an internal DNS name of
pebbles.datacenter.mycompany and an IP address of 10.254.13.56 which
gets natted by the outside firewall to 209.209.209.209 (and which
resolves to mx.mycompany.com) represent itself?
> But, once it leaves the proxy, there is still, in
> principle, a way to trace back the address, to the server it claims to
> come from,
Not if the server is behind a firewall (which it should be), or if it
uses RFC-1918 IP addressing (which it should).
> thereby finding that there is no way in hell the trace in the
> email's own path could match with the claimed source (but, that would
> require an automatic traceroute, and even doing that, from some
> machines, won't work in cases like Windows, where generating the packets
> needed in anything other than the control paths is **not allowed**, as a
> possible detected exploit, and where your ISP, modem, or something else,
> is denying those control commands).
>
There are various tricks used by mail relays to try and assert the true
identity of a mail-relay that contacts them, such as doing DNS lookups
and reverse lookups to make sure they match the SMTP "HELO" command,
verifying that the machine is a valid MX record for the domain it claims
to represent, etc... But as stated above, these can sometimes prevent
valid e-mails from small businesses that don't have their own e-mail
infrastructure from being delivered.
> But, yeah, it's hardly "impossible" to at least figure out where the hell
> it comes from, and probably easier to use something like that, to ferret
> out new "bad" messages, than all the stupid assed, "Let's look at the
> content, then panic when legit mail contains X formatting, and Y list of
> keywords!!!" Hotmail has flagged legit stuff on me, for example, once a
> week, at times, as "possibly dangerous", yet, at almost as much of a
> regular basis, it has failed to flag idiots trying to sell me viagra...
> And, while they suggest to leave the bad emails in there, to better
> handle new bad ones, if you have a good one end up in the trap, you can
> miss it in "page after page" of invalid ones, simply because having one
> good email, on the 50th page, or 800 actual spam messages... really
> isn't a viable solution. It's almost better, if you have fairly low
> volume, to turn the damn spam trap off, and just delete them yourself.
While it would potentially cut down on the phishing e-mails, even if you
did manage to make sure that the source was real, there's no way to
programmatically determine if an e-mail that says "get viagra at 80% off"
that comes from online.farmacia.cr is something you're interested in or not.
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
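
The points made in the post above about "Received:" lines, RFC-1918 hops and the HELO versus reverse-DNS comparison, as an added example that is not part of the original thread. The sample message is constructed; the `from HELO (rdns [ip]) by host` layout is one common way relays stamp the header and is assumed here, and `mx.recipient.example` is a hypothetical receiving relay.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: host names and addresses reuse those in the post above.
RAW = """\
Received: from mx.mycompany.com (mx.mycompany.com [209.209.209.209])
\tby mx.recipient.example with ESMTP; Fri, 6 Apr 2012 09:00:03 -0400
Received: from pebbles.datacenter.mycompany (unknown [10.254.13.56])
\tby mx.mycompany.com with ESMTP; Fri, 6 Apr 2012 09:00:02 -0400
Received: from fred.remoteoffice.mycompany (unknown [10.2.5.14])
\tby pebbles.datacenter.mycompany with ESMTP; Fri, 6 Apr 2012 09:00:01 -0400
From: fred@mycompany.com
Subject: constructed sample

body
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed header layout: from <HELO name> (<reverse DNS> [<peer IP>]) by <relay>
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
                 r"\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return hops newest first; each relay prepends its own Received line."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        match = HOP.search(value)
        if match:
            hops.append(match.groupdict())
    return hops

def assess(hops, our_relay):
    """Label each hop as (helo, ip, verdict, first_hand)."""
    results = []
    for index, hop in enumerate(hops):
        ip = ipaddress.ip_address(hop["ip"])
        if any(ip in net for net in RFC1918):
            # An outsider cannot resolve or reach this address.
            verdict = "internal-unverifiable"
        elif hop["helo"].lower() != hop["rdns"].lower():
            verdict = "helo-rdns-mismatch"
        else:
            verdict = "helo-matches-rdns"
        # Only the line stamped by our own relay was observed first-hand;
        # older lines arrived with the message and are only claims.
        first_hand = index == 0 and hop["by"] == our_relay
        results.append((hop["helo"], hop["ip"], verdict, first_hand))
    return results

if __name__ == "__main__":
    for row in assess(parse_hops(RAW), "mx.recipient.example"):
        print(row)
```
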
On 4/5/2012 21:52, Patrick Elliott wrote:
> They could go a long way by changing the protocol so you can't "fake" the
> source, and the tracking, with respect to how it got there, is kept, and
> correctly reported,
It is, assuming that you don't have a corrupted routing node. The basic
problem is getting everyone to switch to a brand new email protocol all at
once, and getting everyone to support your tracking proposal.
The received-by header isn't something you can completely forge.
> so that, even if you changed the supposed start point,
> somehow, it would be more obvious that the source, as it traversed the
> network, wasn't the source being reported. Half the time email systems
> consider this information "inconvenient" and actually make it hard, or
> impossible, to even look at, never mind actually tell you that there is a
> discrepancy of any kind.
Nah. The received-by headers are always carried along in the email. They're
just not that useful because they weren't secure from the beginning, so if
you reject all mail from insecure mail exchanges, you'll cut people off.
> If the thing comes from a proxy, it's obviously not from wherever it was
> sent from in reality. Might need some rules on whether it's legal for the
> proxy itself to misrepresent itself as a) not in the chain, or b) a
> different source. But, once it leaves the proxy, there is still, in
> principle, a way to trace back the address, to the server it claims to come
> from, thereby finding that there is no way in hell the trace in the email's
> own path could match with the claimed source (but, that would require an
> automatic traceroute, and even doing that, from some machines, won't work in
> cases like Windows, where generating the packets needed in anything other
> than the control paths is **not allowed**, as a possible detected exploit,
> and where your ISP, modem, or something else, is denying those control
> commands).
I don't think you understand how internet email routing works.
> But, yeah, it's hardly "impossible" to at least figure out where the hell it
> comes from,
It really is, if you want to do it reliably without breaking all email
systems currently deployed.
> and probably easier to use something like that, to ferret out
> new "bad" messages,
Sure. You first. Just reject all email that doesn't come from your new
protocol, and see how that works out for you.
> It's almost better, if you
> have fairly low volume, to turn the damn spam trap off, and just delete them
> yourself.
Annnnnd... you just answered your own question. The system has to be as
reliable as the delivery is in the first place.
--
Darren New, San Diego CA, USA (PST)
"Oh no! We're out of code juice!"
"Don't panic. There's beans and filters
in the cabinet."