POV-Ray : Newsgroups : povray.off-topic : Privacy Myth
Privacy Myth (Message 24 to 33 of 53)
From: Darren New
Subject: Re: Privacy Myth
Date: 8 Apr 2012 11:59:27
Message: <4f81b5df$1@news.povray.org>
On 4/7/2012 20:29, Patrick Elliott wrote:
> but what would you rather get, 500 different
> emails from 10.254.23.1, each one with a different domain name,

You mean, like, google app hosting?

> or the
> ability to mask out ones that go through 2 other "external" IPs, which you
> can surmise makes it a probable fraud, and only have to look at 1-2 emails
> that come from similar locations.

How do you tell there are 500 different emails each with a different domain 
name without looking at them?

> For the most part, unless something goes **very** wrong in a network, or a
> major change happens to its morphology, it's not just the endpoint that can
> be used to figure where it came from.

And it isn't. The ISPs do it too. It's just a lot of overhead for small ISPs.

> Instead of even an attempt at a smart solution, what we get is clients that
> hide the routing information, and let the scammers add
> "http://www.wellsfargo.com/accounts" to the "mouse over" for all the damn
> links, so that you either a) copy and paste that (it doesn't copy the real
> address under it), and end up at the legit point, or you click the link, and
> end up at "wells.fargo.scam.robyoublind.ru". In other words, the ***EXACT
> OPPOSITE*** of better security, and threat identification.

None of which has anything to do with where email originated from.

-- 
Darren New, San Diego CA, USA (PST)
   "Oh no! We're out of code juice!"
   "Don't panic. There's beans and filters
    in the cabinet."



From: Darren New
Subject: Re: Privacy Myth
Date: 8 Apr 2012 12:03:51
Message: <4f81b6e7@news.povray.org>
On 4/7/2012 20:36, Patrick Elliott wrote:
> On 4/7/2012 2:56 PM, Darren New wrote:
>>> If the thing comes from a proxy, it's obviously not from wherever it was
>>> sent from in reality. Might need some rules on whether it's legal for the
>>> proxy itself to misrepresent itself as a) not in the chain, or b) a
>>> different source. But, once it leaves the proxy, there is still, in
>>> principle, a way to trace back the address, to the server it claims to
>>> come
>>> from, thereby finding that there is no way in hell the trace in the
>>> email's
>>> own path could match with the claimed source (but, that would require an
>>> automatic traceroute, and even doing that, from some machines, won't
>>> work in
>>> cases like Windows, where generating the packets needed in anything other
>>> than the control paths is **not allowed**, as a possible detected
>>> exploit,
>>> and where your ISP, modem, or something else, is denying those control
>>> commands).
>>
>> I don't think you understand how internet email routing works.
>>
> In principle, it works like any other protocol,

Generally not. There's still store-and-forward nodes, POP nodes, etc. And 
indeed, not that long ago, UUCP nodes, bitnet nodes, TPC nodes, and etc.

> but, in principle, the
> message grows as it goes through each node, since it tracks where it's been.

Yes, and generally that works, as long as you realize any initial subset of 
routing hops could be forged.

> That is what exceptions are for. You might still have to check the trap, but
> it would be a "slightly" smarter trap. Right now, the trap tries to rely on
> blacklist data, and keyword identification,

If you want to do it at the ISP level, you can't really do a very good job 
of keyword matching. Maybe you really *do* buy your viagra from an online 
pharmacy. How do you check the trap if some other ISP has thrown away the 
email before it even gets to you?

> "viagra", and if a few other words are there, it's flagged, hence the moronic
> fact that those slip through, while Hotmail has **multiple** times actually
> flagged legit emails Origin, about things going on with Star Wars: KOTOR.

And that's the point. For 99.9% of the population, those keywords indicate 
spam. For the 0.1% playing KOTOR, it does not. Hence, the ISP has to process 
each mail message just in case.

-- 
Darren New, San Diego CA, USA (PST)
   "Oh no! We're out of code juice!"
   "Don't panic. There's beans and filters
    in the cabinet."
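
An added example (not part of the thread) of the point above that any initial subset of routing hops could be forged: it splits a Received trail at the first hop not stamped by a server the recipient controls. The host names, addresses and the `TRUSTED_MTAS` set are constructed assumptions.

```python
import email
import re

# Constructed sample: headers are listed newest first. Only the top hop was
# written by our own server (mx.example.net, an assumed name); the two below
# it arrived as part of the message and could have been typed by the sender.
RAW = """\
Received: from relay.unknown.example (relay.unknown.example [203.0.113.7])
\tby mx.example.net with ESMTP id A1; Sun, 8 Apr 2012 12:00:03 -0700
Received: from mail.bank.example (mail.bank.example [198.51.100.20])
\tby relay.unknown.example with SMTP id B2; Sun, 8 Apr 2012 12:00:01 -0700
Received: from teller-pc (teller-pc [10.254.23.1])
\tby mail.bank.example with SMTP id C3; Sun, 8 Apr 2012 11:59:58 -0700
From: "Accounts" <accounts@bank.example>
Subject: constructed sample

body
"""

TRUSTED_MTAS = {"mx.example.net"}  # assumption: hosts whose stamps we believe

# "from <claimed name> (<peer info>) ... by <stamping host>"
HOP = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)

def parse_hops(raw):
    """Return hops newest first as dicts: claimed 'from', peer info, 'by'."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append({"from": m.group(1), "peer": m.group(2) or "", "by": m.group(3)})
    return hops

def split_by_trust(raw, trusted=TRUSTED_MTAS):
    """Split the chain at the first hop not stamped by a trusted server."""
    hops = parse_hops(raw)
    verified = []
    for hop in hops:
        if hop["by"].lower() not in trusted:
            break
        verified.append(hop)
    return verified, hops[len(verified):]

def handoff_peer(raw, trusted=TRUSTED_MTAS):
    """Peer recorded by our own server: the earliest point we can vouch for."""
    verified, _ = split_by_trust(raw, trusted)
    return verified[-1]["peer"] if verified else None
```

Everything in the second list returned by `split_by_trust` is a claim carried inside the message, so a filter should score it as untrusted input rather than as routing evidence.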



From: Patrick Elliott
Subject: Re: Privacy Myth
Date: 8 Apr 2012 16:05:30
Message: <4f81ef8a$1@news.povray.org>
On 4/8/2012 8:59 AM, Darren New wrote:
>> Instead of even an attempt at a smart solution, what we get is clients
>> that
>> hide the routing information, and let the scammers add
>> "http://www.wellsfargo.com/accounts" to the "mouse over" for all the damn
>> links, so that you either a) copy and paste that (it doesn't copy the
>> real
>> address under it), and end up at the legit point, or you click the
>> link, and
>> end up at "wells.fargo.scam.robyoublind.ru". In other words, the ***EXACT
>> OPPOSITE*** of better security, and threat identification.
>
> None of which has anything to do with where email originated from.
>
Well, no, but it's part and parcel to the same bloody problem of figuring 
out what you are looking at, and who sent it. If you can't tell who the 
real sender was, you can't tell what route it took to get to you, and 
all "visible" signs of where the links in it point to seem to be places 
that you expect them to, if it was real... Basically 100% of it is 
stacked against you. If you are lucky, your ISP has a halfway decent 
filter, if you are not, you may be screwed.

It's gotten to the point where, if a company actually has a legit reason 
to contact you, with anything other than product advertisements, you 
can't trust it, unless it's a phone call, or they provide an "on their 
site" method of messaging you, and even then, someone could scam you by 
saying, "There is a new message for you at Blah.com, click here to log in 
and read it.", and you're still screwed. Using email doesn't require 
healthy paranoia anymore, it requires the real world equivalent of 
locking all the doors, and hiding under the bed, until the guy knocking 
goes away, then going around to every place that might have sent someone 
to talk to you, personally, to see if they sent someone to do so. Or 
worse, yelling at the legit guy from the phone company, because he is 
wearing the wrong color shirt, and your neighbor warned you that someone 
wearing that color shirt was robbing houses (the equivalent of the 
filter falsely marking something legit, and not letting you even look at 
it, to make sure). After all, the guy claiming to be from the phone 
company might have intended to rob you... And, that is just a bloody 
nuts way to live, yet it's how we have to deal with anything "official 
looking" in email, if the filters don't trap it, or they do, and 
shouldn't have.

It annoys the hell out of me. Heck, Firebird just did it to me today, 
and I don't even know why the hell it marked two messages from blogs as 
spam, other than that it's a bit more convoluted to tell Firebird, unlike 
Hotmail, to leave shit alone 'period', if it comes from certain email 
addresses.



From: Patrick Elliott
Subject: Re: Privacy Myth
Date: 8 Apr 2012 16:14:19
Message: <4f81f19b$1@news.povray.org>
On 4/8/2012 9:03 AM, Darren New wrote:
>> That is what exceptions are for. You might still have to check the
>> trap, but
>> it would be a "slightly" smarter trap. Right now, the trap tries to
>> rely on
>> blacklist data, and keyword identification,
>
> If you want to do it at the ISP level, you can't really do a very good
> job of keyword matching. Maybe you really *do* buy your viagra from an
> online pharmacy. How do you check the trap if some other ISP has thrown
> away the email before it even gets to you?
>
Actually, it is done on the ISP level, but it's shoved into the "spam" 
folder, when things work right. The problem is, it almost never works 
right. lol

>> "viagra", and if a few other words are there, it's flagged, hence the
>> moronic
>> fact that those slip through, while Hotmail has **multiple** times
>> actually
>> flagged legit emails Origin, about things going on with Star Wars: KOTOR.
>
> And that's the point. For 99.9% of the population, those keywords
> indicate spam. For the 0.1% playing KOTOR, it does not. Hence, the ISP
> has to process each mail message just in case.
>
Actually, like most of the "false positives" the criteria going on isn't 
just keywords, it's in certain combinations, with some crazy assed 
heuristic, which results in it not being so much as flagged "spam" as, 
"We detected, for no apparent reason, that this might be a threat, so we 
won't even show you the plain text, you have to explicitly say you want 
to see **the whole thing**." Umm, OK... But then, in other cases, you 
let me see enough of the plain text to see whether or not you falsely 
marked it, then let me tell you if it's spam, or not. So, why the hell 
the difference?

In other words, "Possible real spam = we will let you tell us if it was 
or not", but, "Possible, non-existent threat = we won't even let you see 
it, until you decide to risk whatever threat we imagined existed, and 
then, if it isn't one, we won't let you tell us to stop doing it, over 
and over again, like we would with mere spam." :head-desk:

Makes no damn sense to me. If it wasn't a threat last time, how the hell 
is it next time, and why in bloody heck... Oh, wait, this is Microsoft, 
so they probably added their email equivalent of, "Are you sure you want 
program.exe to actually do anything?", to the bloody service... lol



From: Darren New
Subject: Re: Privacy Myth
Date: 8 Apr 2012 18:20:05
Message: <4f820f15$1@news.povray.org>
On 4/8/2012 13:05, Patrick Elliott wrote:
> Well, no, but it's part and parcel to the same bloody problem of figuring out
> what you are looking at, and who sent it.

It's easy to tell what you're looking at. You already have it.

It's impossible to tell who it is from, except in a fairly abstract way like 
"at least one of the people who ought to be keeping their private key 
private has sent this."

> It's gotten to the point where, if a company actually has a legit reason to
> contact you, with anything other than product advertisements, you can't
> trust it, unless it's a phone call, or they provide an "on their site" method
> of messaging you, and even then, someone could scam you by saying, "There is a
> new message for you at Blah.com, click here to log in and read it.", and
> you're still screwed.

This isn't a new problem. The only reason it gets attention now is that it's 
trivially easy to do this sort of phishing on a grand scale. But it's not 
different than any of the other con games played throughout history.

-- 
Darren New, San Diego CA, USA (PST)
   "Oh no! We're out of code juice!"
   "Don't panic. There's beans and filters
    in the cabinet."



From: Patrick Elliott
Subject: Re: Privacy Myth
Date: 9 Apr 2012 16:43:05
Message: <4f8349d9$1@news.povray.org>
On 4/8/2012 3:20 PM, Darren New wrote:
> On 4/8/2012 13:05, Patrick Elliott wrote:
>> Well, no, but it's part and parcel to the same bloody problem of
>> figuring out
>> what you are looking at, and who sent it.
>
> It's easy to tell what you're looking at. You already have it.
>
> It's impossible to tell who it is from, except in a fairly abstract way
> like "at least one of the people who ought to be keeping their private
> key private has sent this."
>
If it was that trivial, people wouldn't keep falling for it. Just saying.



From: Darren New
Subject: Re: Privacy Myth
Date: 10 Apr 2012 20:48:18
Message: <4f84d4d2$1@news.povray.org>
On 4/9/2012 13:42, Patrick Elliott wrote:
> On 4/8/2012 3:20 PM, Darren New wrote:
>> On 4/8/2012 13:05, Patrick Elliott wrote:
>>> Well, no, but it's part and parcel to the same bloody problem of
>>> figuring out
>>> what you are looking at, and who sent it.
>>
>> It's easy to tell what you're looking at. You already have it.
>>
>> It's impossible to tell who it is from, except in a fairly abstract way
>> like "at least one of the people who ought to be keeping their private
>> key private has sent this."
>>
> If it was that trivial, people wouldn't keep falling for it. Just saying.

You misunderstand. It's easy to look at an email message and tell what it 
says. It's very hard to look at an email message and tell what human it's 
from. That latter part is the primary cause of people "falling for it." If 
you could solve the latter problem, the former problem would drop to 
background radiation levels.

-- 
Darren New, San Diego CA, USA (PST)
   "Oh no! We're out of code juice!"
   "Don't panic. There's beans and filters
    in the cabinet."



From: Patrick Elliott
Subject: Re: Privacy Myth
Date: 11 Apr 2012 01:14:31
Message: <4f851337$1@news.povray.org>
On 4/10/2012 5:48 PM, Darren New wrote:
> On 4/9/2012 13:42, Patrick Elliott wrote:
>> On 4/8/2012 3:20 PM, Darren New wrote:
>>> On 4/8/2012 13:05, Patrick Elliott wrote:
>>>> Well, no, but it's part and parcel to the same bloody problem of
>>>> figuring out
>>>> what you are looking at, and who sent it.
>>>
>>> It's easy to tell what you're looking at. You already have it.
>>>
>>> It's impossible to tell who it is from, except in a fairly abstract way
>>> like "at least one of the people who ought to be keeping their private
>>> key private has sent this."
>>>
>> If it was that trivial, people wouldn't keep falling for it. Just saying.
>
> You misunderstand. It's easy to look at an email message and tell what
> it says. It's very hard to look at an email message and tell what human
> it's from. That latter part is the primary cause of people "falling for
> it." If you could solve the latter problem, the former problem would
> drop to background radiation levels.
>
Yep, that is the issue, definitely.



From: John VanSickle
Subject: Re: Privacy Myth
Date: 22 May 2012 20:26:52
Message: <4fbc2ecc@news.povray.org>
On 4/1/2012 7:42 AM, James Holsenback wrote:
> http://www.bbc.co.uk/news/uk-politics-17576745
>
> http://www.whitehouse.gov/the-press-office/2011/12/31/statement-president-hr-1540
>
>
> http://www.fastcompany.com/1826121/employers-want-your-facebook-password-now
>
>
> Boy the more I read stories like this, the more I'm convinced that
> privacy and personal freedom is a thing of the past. Governments and now
> employers seem to be marching lock step, and arm in arm all over things
> that up until /were/ deemed sacred. Why don't they just go ahead and
> implant a chip in our necks and be done with it :-(

When I sign up for an on-line service, many of them specifically require 
that I keep my password confidential from all other parties.  This user 
agreement is a binding contract.

I am wondering whether any jurisdictions permit an employer to require 
an applicant to breach a contract as a condition of employment.  That is 
probably illegal in many places.

Regards,
John



From: Kevin Wampler
Subject: Re: Privacy Myth
Date: 22 May 2012 21:33:33
Message: <4fbc3e6d@news.povray.org>
On 5/22/2012 5:26 PM, John VanSickle wrote:
>
> When I sign up for an on-line service, many of them specifically require
> that I keep my password confidential from all other parties. This user
> agreement is a binding contract.
>
> I am wondering whether any jurisdictions permit an employer to require
> an applicant to breach a contract as a condition of employment. That is
> probably illegal in many places.
>

I'm sort of waiting for a company to get sued for exactly this reason.




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.