On 4/6/2012 2:11 AM, Orchid Win7 v1 wrote:
>> They could go a long way by changing the protocol so you can't "fake"
>> the source, and the tracking
>
> Yeah, but that means a breaking change to the mail protocol.
>
> Will. Not. Happen.
>
> Heck, they invented a way to check that the source mail server is
> authorised to send mail, and large ISPs manage to screw that up.
>
> (When receiving mail, you're supposed to look up the domain of the
> source server and check for an authorisation record in the DNS.
> Apparently some doofus thought it would be a good idea to also check the
> domain OF THE EMAIL ADDRESS - despite the RFC explicitly saying that you
> must not do this...)
Uh.. Why would that make any sense, I mean other than the possibility
that some moron would use a domain that didn't have a record at all, and
thus generate, "Yep, absolutely a complete fake!" Still, if you do check
both, and the two being checked do not come back with the same
information, that is also a sign there is something wrong, it's just.. I
really doubt, from your comment, that they did that, instead of
something much stupider. lol
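The DNS authorisation check mentioned in the quoted post is SPF: the receiving server looks up a TXT record for the domain being checked (in SPF proper, the domain of the envelope sender) and tests the connecting IP against the mechanisms listed in it. The block below is an added illustration of that evaluation, not code from this thread or from any mail server. The DNS lookup is replaced by a constructed in-memory table, the domain names and addresses are hypothetical, and only the ip4, ip6 and all mechanisms are handled; include, a, mx and redirect need live DNS and are reported as errors here.

```python
import ipaddress

# Constructed stand-in for DNS: what a TXT lookup for each (hypothetical)
# domain would return.  None models "no SPF record published".
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.7 ~all",
    "norecord.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Replace with a real TXT query in production; here it reads FAKE_DNS."""
    return FAKE_DNS.get(domain)


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record against the connecting IP.

    Mechanisms are tested left to right and the first match decides the
    result; its qualifier (+ - ~ ?) becomes pass/fail/softfail/neutral.
    Only ip4, ip6 and all are supported in this illustration.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix length
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include/a/mx/exists/redirect need live DNS; not modelled here
        return "permerror"
    # Record ended without an "all" term: the IP is neither listed nor denied
    return "neutral"


def check_sender(domain, client_ip):
    """Result for one SMTP connection; 'none' when no record is published."""
    record = lookup_spf(domain)
    if record is None:
        return "none"
    return evaluate_spf(record, client_ip)


if __name__ == "__main__":
    samples = [("example.com", "192.0.2.10"), ("example.com", "203.0.113.5"),
               ("soft.example", "203.0.113.5"), ("norecord.example", "192.0.2.10")]
    for dom, ip in samples:
        print(dom, ip, "->", check_sender(dom, ip))
```

A "none" result is the case the quoted post hints at: a domain with no record gives the receiver nothing to act on, which is different from a "fail" on a domain that has published a strict record.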
On 4/7/2012 5:36 AM, Francois Labreque wrote:
> On 2012-04-06 00:52, Patrick Elliott wrote:
>> On 4/5/2012 6:58 PM, Darren New wrote:
>>> On 4/1/2012 8:43, Warp wrote:
>>>> (it broke the 50% mark of all email traversing
>>>> the internet long time ago)
>>>
>>> It broke the 90% mark a long time ago.
>>>
>>>> thwarts any kind of comprehensive automatic
>>>> traffic analysis of email (or at least makes it impractical and
>>>> expensive).
>>>
>>> Classifying spam isn't difficult. It's just that ISPs don't want to
>>> carry 10x as much email data as they need to, and it's hard to track
>>> down the source.
>>>
>> They could go a long way by changing the protocol so you can't "fake"
>> the source,
>
> There are many webhosting services that also offer e-mail with their
> package. In those cases, the source would always appear fake since the
> source would be "mailrelay.webhostingcompany.com" instead of
> "mail.francoispetgroomingservices.biz"
>
>> and the tracking, with respect to how it got there, is kept,
>
> It is. Look at the "Received:" lines of the header.
>
>> and correctly reported, so that, even if you changed the supposed start
>> point, somehow, it would be more obvious that the source, as it
>> traversed the network, wasn't the source being reported.
>
> Internal RFC-1918 addressing and discrepancies between internal DNS vs.
> public DNS names make this impossible.
>
> As an outsider, how can you tell if fred.remoteoffice.mycompany
> (10.2.5.14) and pebbles.datacenter.mycompany (10.254.13.56) are valid
> sources without knowing the internal e-mail architecture of the company?
>
Hmm. Yeah, there is that. In theory, this isn't as big an issue with
IPv6, since, in principle, every single device, not just IP connection,
could have its own unique identifier. You could even use MAC for that,
only.. some people got the idea that you should be allowed to screw with
those too, so again... Sigh..
In any case, I am not talking about a "complete" solution, just one that
is marginally less stupid than the ones in existence. Sure, a few "small
businesses" might look bad, but what would you rather get, 500 different
emails from 10.254.23.1, each one with a different domain name, or the
ability to mask out ones that go through 2 other "external" IPs, which
you can surmise makes it a probable fraud, and only have to look at 1-2
emails that come from similar locations.
For the most part, unless something goes **very** wrong in a network, or
a major change happens to its morphology, it's not just the endpoint that
can be used to figure where it came from.
Instead of even an attempt at a smart solution, what we get is clients
that hide the routing information, and let the scammers add
"http://www.wellsfargo.com/accounts" to the "mouse over" for all the
damn links, so that you either a) copy and paste that (it doesn't copy
the real address under it), and end up at the legit point, or you click
the link, and end up at "wells.fargo.scam.robyoublind.ru". In other
words, the ***EXACT OPPOSITE*** of better security, and threat
identification.
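The mouse-over trick described in the post above, visible text naming one site while the href goes to another, is something a mail client or filter can check mechanically rather than leaving to the reader. The block below is an added example, not code from this thread or from any mail client: it walks the anchors in a constructed HTML body and reports any whose visible text or title attribute claims a domain different from the one the href actually resolves to. The registrable-domain helper is a deliberate simplification (last two labels); real code would consult the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body.  The first link shows a bank URL as its text and
# tooltip but actually points somewhere else; the second link is honest.
SAMPLE_HTML = """<p>Please verify your account at
<a href="http://wells.fargo.scam.robyoublind.ru/login"
   title="http://www.wellsfargo.com/accounts">http://www.wellsfargo.com/accounts</a>
or visit <a href="https://www.wellsfargo.com/help">our help page</a>.</p>"""

# Something that looks like a host name inside visible text or a tooltip.
HOSTLIKE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable(host):
    """Crude approximation: the last two labels.  Real code should use the
    Public Suffix List (co.uk etc.); this shortcut is an assumption."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Gather (href, title, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {"href": a.get("href") or "",
                             "title": a.get("title") or "", "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def find_mismatched_links(html):
    """Return (claimed text, real host) for each link whose visible text or
    title names a domain that differs from where the href really goes."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        real_host = urlsplit(link["href"]).hostname or ""
        for claim in (link["text"].strip(), link["title"].strip()):
            m = HOSTLIKE.search(claim)
            if m and registrable(m.group(1)) != registrable(real_host):
                findings.append((claim, real_host))
                break  # one finding per link is enough
    return findings


if __name__ == "__main__":
    for claim, real in find_mismatched_links(SAMPLE_HTML):
        print(f"shows {claim!r} but goes to {real}")
```

Link text that carries no domain claim ("our help page") is left alone; the check only fires when the text itself asserts a destination the href contradicts, which is exactly the case the post complains about.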
On 4/7/2012 2:56 PM, Darren New wrote:
>> If the thing comes from a proxy, it's obviously not from wherever it was
>> sent from in reality. Might need some rules on whether it's legal for the
>> proxy itself to misrepresent itself as a) not in the chain, or b) a
>> different source. But, once it leaves the proxy, there is still, in
>> principle, a way to trace back the address, to the server it claims to
>> come
>> from, thereby finding that there is no way in hell the trace in the
>> email's
>> own path could match with the claimed source (but, that would require an
>> automatic traceroute, and even doing that, from some machines, won't
>> work in
>> cases like Windows, where generating the packets needed in anything other
>> than the control paths is **not allowed**, as a possible detected
>> exploit,
>> and where your ISP, modem, or something else, is denying those control
>> commands).
>
> I don't think you understand how internet email routing works.
>
In principle, it works like any other protocol, but, in principle, the
message grows as it goes through each node, since it tracks where it's
been. It's also possible to route it specifically, but that is *way* over
most people's heads.
>> But, yeah, it's hardly "impossible" to at least figure out where the
>> hell it
>> comes from,
>
> It really is, if you want to do it reliably without breaking all email
> systems currently deployed.
>
That is what exceptions are for. You might still have to check the trap,
but it would be a "slightly" smarter trap. Right now, the trap tries to
rely on blacklist data, and keyword identification, using programs that
are, fundamentally, quite stupid (as in not even using halfway decent
AI, which might have some limited capacity to guess whether the word
viagra is someone trying to sell it to you, or your friend, telling you
about needing to go to the hospital, because they took too much of it).
All the program knows is "viagra", and if a few other words are there,
it's flagged, hence the moronic fact that those slip through, while
Hotmail has **multiple** times actually flagged legit emails from Origin,
about things going on with Star Wars: KOTOR.
From a human perspective, that the latter seems to be a possible threat,
while the former changes less than 1-2 words, between emails, but always
makes it through the filters, is just... WTF?
On 4/7/2012 20:29, Patrick Elliott wrote:
> but what would you rather get, 500 different
> emails from 10.254.23.1, each one with a different domain name,
You mean, like, google app hosting?
> or the
> ability to mask out ones that go through 2 other "external" IPs, which you
> can surmise makes it a probable fraud, and only have to look at 1-2 emails
> that come from similar locations.
How do you tell there are 500 different emails each with a different domain
name without looking at them?
> For the most part, unless something goes **very** wrong in a network, or a
> major change happens to its morphology, it's not just the endpoint that can
> be used to figure where it came from.
And it isn't. The ISPs do it too. It's just a lot of overhead for small ISPs.
> Instead of even an attempt at a smart solution, what we get is clients that
> hide the routing information, and let the scammers add
> "http://www.wellsfargo.com/accounts" to the "mouse over" for all the damn
> links, so that you either a) copy and paste that (it doesn't copy the real
> address under it), and end up at the legit point, or you click the link, and
> end up at "wells.fargo.scam.robyoublind.ru". In other words, the ***EXACT
> OPPOSITE*** of better security, and threat identification.
None of which has anything to do with where email originated from.
--
Darren New, San Diego CA, USA (PST)
"Oh no! We're out of code juice!"
"Don't panic. There's beans and filters
in the cabinet."
On 4/7/2012 20:36, Patrick Elliott wrote:
> On 4/7/2012 2:56 PM, Darren New wrote:
>>> If the thing comes from a proxy, it's obviously not from wherever it was
>>> sent from in reality. Might need some rules on whether it's legal for the
>>> proxy itself to misrepresent itself as a) not in the chain, or b) a
>>> different source. But, once it leaves the proxy, there is still, in
>>> principle, a way to trace back the address, to the server it claims to
>>> come
>>> from, thereby finding that there is no way in hell the trace in the
>>> email's
>>> own path could match with the claimed source (but, that would require an
>>> automatic traceroute, and even doing that, from some machines, won't
>>> work in
>>> cases like Windows, where generating the packets needed in anything other
>>> than the control paths is **not allowed**, as a possible detected
>>> exploit,
>>> and where your ISP, modem, or something else, is denying those control
>>> commands).
>>
>> I don't think you understand how internet email routing works.
>>
> In principle, it works like any other protocol,
Generally not. There's still store-and-forward nodes, POP nodes, etc. And
indeed, not that long ago, UUCP nodes, bitnet nodes, TPC nodes, and etc.
> but, in principle, the
> message grows as it goes through each node, since it tracks where it's been.
Yes, and generally that works, as long as you realize any initial subset of
routing hops could be forged.
> That is what exceptions are for. You might still have to check the trap, but
> it would be a "slightly" smarter trap. Right now, the trap tries to rely on
> blacklist data, and keyword identification,
If you want to do it at the ISP level, you can't really do a very good job
of keyword matching. Maybe you really *do* buy your viagra from an online
pharmacy. How do you check the trap if some other ISP has thrown away the
email before it even gets to you?
> "viagra", and if a few other words are there, it's flagged, hence the moronic
> fact that those slip through, while Hotmail has **multiple** times actually
> flagged legit emails from Origin, about things going on with Star Wars: KOTOR.
And that's the point. For 99.9% of the population, those keywords indicate
spam. For the 0.1% playing KOTOR, it does not. Hence, the ISP has to process
each mail message just in case.
--
Darren New, San Diego CA, USA (PST)
"Oh no! We're out of code juice!"
"Don't panic. There's beans and filters
in the cabinet."
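The point made in the post above, that the Received: trace works as long as you treat any initial subset of hops as possibly forged, turns into a concrete rule on the receiving side: walk the hops newest first and trust only those stamped by your own MTAs; the "from" address on the last such hop is the peer that really connected, and everything older is sender-supplied text. The block below is an added example, not code from this thread or from any mail system. The message, host names and addresses are constructed, OUR_MTAS is the hypothetical set of servers we operate, and the parser only understands the common "from HELO (rdns [ip]) by HOST" shape.

```python
import re
from email import message_from_string

# Constructed sample.  Each MTA prepends its own Received: line, so the
# first one is the newest hop (our storage server) and the last is the
# oldest, which the sender could simply have typed in.
RAW_MESSAGE = """\
Received: from mx1.ourisp.example (mx1.ourisp.example [192.0.2.10])
\tby mailstore.ourisp.example with ESMTP id abc123;
\tSat, 7 Apr 2012 14:56:00 -0700
Received: from mail.webhost.example (mail.webhost.example [203.0.113.25])
\tby mx1.ourisp.example with ESMTP id def456;
\tSat, 7 Apr 2012 14:55:58 -0700
Received: from mail.bank.example (mail.bank.example [198.51.100.9])
\tby mail.webhost.example with ESMTP id ghi789;
\tSat, 7 Apr 2012 14:55:50 -0700
From: "Your Bank" <alerts@bank.example>
Subject: constructed sample, not a real message

body text
"""

# Hypothetical: the MTAs we operate.  A hop stamped "by" one of these was
# written by us, so its "from" address is the real peer that connected.
OUR_MTAS = {"mailstore.ourisp.example", "mx1.ourisp.example"}

# Handles the common "from HELO (rdns [ip]) by HOST" shape only.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)"
)


def parse_received(msg):
    """Return the parsed hops newest first; unparseable lines are skipped."""
    hops = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(header.split()))
        if m:
            hops.append(m.groupdict())
    return hops


def trusted_origin(raw, our_mtas=OUR_MTAS):
    """Find the last hop we can vouch for and the tail we cannot.

    Walk newest to oldest while the stamping MTA is one of ours.  The
    "from" IP on the last such hop is the peer that actually handed us the
    message; every older hop is sender-supplied and may be forged.
    Returns None when even the newest hop was not written by us.
    """
    hops = parse_received(message_from_string(raw))
    boundary = len(hops)
    for i, hop in enumerate(hops):
        if hop["by"].lower() not in our_mtas:
            boundary = i
            break
    if boundary == 0:
        return None
    last = hops[boundary - 1]
    return {
        "source_ip": last["ip"],
        "source_helo": last["helo"],
        "untrusted_hops": hops[boundary:],
    }


if __name__ == "__main__":
    result = trusted_origin(RAW_MESSAGE)
    print("vouched-for peer:", result["source_ip"], result["source_helo"])
    for hop in result["untrusted_hops"]:
        print("unverifiable claim:", hop["helo"], "by", hop["by"])
```

In the constructed message the bottom hop claims the mail came from mail.bank.example, but that line sits below the trust boundary: the only fact we can stand behind is that mail.webhost.example at 203.0.113.25 connected to our MX, which is the webhosting-relay situation Francois raised earlier in the thread.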
On 4/8/2012 8:59 AM, Darren New wrote:
>> Instead of even an attempt at a smart solution, what we get is clients
>> that
>> hide the routing information, and let the scammers add
>> "http://www.wellsfargo.com/accounts" to the "mouse over" for all the damn
>> links, so that you either a) copy and paste that (it doesn't copy the
>> real
>> address under it), and end up at the legit point, or you click the
>> link, and
>> end up at "wells.fargo.scam.robyoublind.ru". In other words, the ***EXACT
>> OPPOSITE*** of better security, and threat identification.
>
> None of which has anything to do with where email originated from.
>
Well, no, but it's part and parcel to the same bloody problem of figuring
out what you are looking at, and who sent it. If you can't tell who the
real sender was, you can't tell what route it took to get to you, and
all "visible" signs of where the links in it point to seem to be places
that you expect them to, if it was real... Basically 100% of it is
stacked against you. If you are lucky, your ISP has a halfway decent
filter, if you are not, you may be screwed.
It's gotten to the point where, if a company actually has a legit reason
to contact you, with anything other than product advertisements, you
can't trust it, unless it's a phone call, or they provide an "on their
site" method of messaging you, and even then, someone could scam you by
saying, "There is a new message for you at Blah.com, click here to log in
and read it.", and you're still screwed. Using email doesn't require
healthy paranoia anymore, it requires the real world equivalent of
locking all the doors, and hiding under the bed, until the guy knocking
goes away, then going around to every place that might have sent someone
to talk to you, personally, to see if they sent someone to do so. Or
worse, yelling at the legit guy from the phone company, because he is
wearing the wrong color shirt, and your neighbor warned you that someone
wearing that color shirt was robbing houses (the equivalent of the
filter falsely marking something legit, and not letting you even look at
it, to make sure). After all, the guy claiming to be from the phone
company might have intended to rob you... And, that is just a bloody
nuts way to live, yet it's how we have to deal with anything "official
looking" in email, if the filters don't trap it, or they do, and
shouldn't have.
It annoys the hell out of me. Heck, Firebird just did it to me today,
and I don't even know why the hell it marked two messages from blogs as
spam, other than that it's a bit more convoluted to tell Firebird, unlike
Hotmail, to leave shit alone 'period', if it comes from certain email
addresses.
On 4/8/2012 9:03 AM, Darren New wrote:
>> That is what exceptions are for. You might still have to check the
>> trap, but
>> it would be a "slightly" smarter trap. Right now, the trap tries to
>> rely on
>> blacklist data, and keyword identification,
>
> If you want to do it at the ISP level, you can't really do a very good
> job of keyword matching. Maybe you really *do* buy your viagra from an
> online pharmacy. How do you check the trap if some other ISP has thrown
> away the email before it even gets to you?
>
Actually, it is done on the ISP level, but it's shoved into the "spam"
folder, when things work right. The problem is, it almost never works
right. lol
>> "viagra", and if a few other words are there, its flagged, hence the
>> moronic
>> fact that those slip through, while Hotmail has **multiple** times
>> actually
>> flagged legit emails Origin, about things going on with Star Wars: KOTOR.
>
> And that's the point. For 99.9% of the population, those keywords
> indicate spam. For the 0.1% playing KOTOR, it does not. Hence, the ISP
> has to process each mail message just in case.
>
Actually, like most of the "false positives" the criteria going on isn't
just keywords, it's in certain combinations, with some crazy assed
heuristic, which results in it not being so much as flagged "spam" as,
"We detected, for no apparent reason, that this might be a threat, so we
won't even show you the plain text, you have to explicitly say you want
to see **the whole thing**." Umm, OK... But then, in other cases, you
let me see enough of the plain text to see whether or not you falsely
marked it, then let me tell you if it's spam, or not. So, why the hell
the difference?
In other words, "Possible real spam = we will let you tell us if it was
or not", but, "Possible, non-existent threat = we won't even let you see
it, until you decide to risk what ever threat we imagined existed, and
then, if it isn't one, we won't let you tell us to stop doing it, over
and over again, like we would with mere spam." :head-desk:
Makes no damn sense to me. If it wasn't a threat last time, how the hell
is it next time, and why in bloody heck... Oh, wait, this is Microsoft,
so they probably added their email equivalent of, "Are you sure you want
program.exe to actually do anything?", to the bloody service... lol
On 4/8/2012 13:05, Patrick Elliott wrote:
> Well, no, but it's part and parcel to the same bloody problem of figuring out
> what you are looking at, and who sent it.
It's easy to tell what you're looking at. You already have it.
It's impossible to tell who it is from, except in a fairly abstract way like
"at least one of the people who ought to be keeping their private key
private has sent this."
> It's gotten to the point where, if a company actually has a legit reason to
> contact you, with anything other than product advertisements, you can't
> trust it, unless it's a phone call, or they provide an "on their site" method
> of messaging you, and even then, someone could scam you by saying, "There is a
> new message for you at Blah.com, click here to log in and read it.", and
> you're still screwed.
This isn't a new problem. The only reason it gets attention now is that it's
trivially easy to do this sort of phishing on a grand scale. But it's not
different than any of the other con games played throughout history.
--
Darren New, San Diego CA, USA (PST)
"Oh no! We're out of code juice!"
"Don't panic. There's beans and filters
in the cabinet."
On 4/8/2012 3:20 PM, Darren New wrote:
> On 4/8/2012 13:05, Patrick Elliott wrote:
>> Well, no, but it's part and parcel to the same bloody problem of
>> figuring out
>> what you are looking at, and who sent it.
>
> It's easy to tell what you're looking at. You already have it.
>
> It's impossible to tell who it is from, except in a fairly abstract way
> like "at least one of the people who ought to be keeping their private
> key private has sent this."
>
If it was that trivial, people wouldn't keep falling for it. Just saying.
On 4/9/2012 13:42, Patrick Elliott wrote:
> On 4/8/2012 3:20 PM, Darren New wrote:
>> On 4/8/2012 13:05, Patrick Elliott wrote:
>>> Well, no, but it's part and parcel to the same bloody problem of
>>> figuring out
>>> what you are looking at, and who sent it.
>>
>> It's easy to tell what you're looking at. You already have it.
>>
>> It's impossible to tell who it is from, except in a fairly abstract way
>> like "at least one of the people who ought to be keeping their private
>> key private has sent this."
>>
> If it was that trivial, people wouldn't keep falling for it. Just saying.
You misunderstand. It's easy to look at an email message and tell what it
says. It's very hard to look at an email message and tell what human it's
from. That latter part is the primary cause of people "falling for it." If
you could solve the latter problem, the former problem would drop to
background radiation levels.
--
Darren New, San Diego CA, USA (PST)
"Oh no! We're out of code juice!"
"Don't panic. There's beans and filters
in the cabinet."