Security Communications Spam IT

Fake "Bill Gates" Message Dupes Top Tools

yahoi writes with this excerpt from Dark Reading that might raise sysadmins' eyebrows about email security, in particular given the big names involved: "A researcher who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from 'Bill Gates' is about to reveal the email products and services that failed to filter the spoofed message — and that list includes Microsoft Outlook 2007, Microsoft Exchange, Outlook Express, and Cisco IronPort. ... The experiment was aimed at measuring the effectiveness of email security controls in several major products and services. And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."
  • by schon ( 31600 ) on Wednesday January 06, 2010 @06:18PM (#30675858)

    A couple of months ago, I got a "someone who knows you wants you to join" email from Linkedin. Someone had submitted my email address and wanted to "friend" me, and the entire contents of the "this person knows you because..." part was a spam website in China.

    Any casual glance would show that it was spam.

    Linkedin had "kindly" put a link at the bottom of the email saying "if this is spam, report it here". So I did, and the web page thanked me for reporting the spam.

    Two weeks later, I got *ANOTHER* email from Linkedin, "helpfully" reminding me that I hadn't accepted the spammer's invitation

    WTF?!?! I told them it was spam, and not only hadn't they banned the spammer, they were spamming for him!

    Linkedin instantly went into my mailservers blacklist. They're just fucking spammers.

  • by Anonymous Coward on Wednesday January 06, 2010 @07:25PM (#30676626)

    That's ok, we didn't expect you to read the article:

    "He used his own phishing framework tool, called User Attack Framework, which automated the "attack," helped him track the success of the phish, and captured information about the "victim" once the person clicked on the "invite" and was sent to the phishing site, such as his IP address, user ID, location, browser, operating system, and other Website statistics."

    "He also plans to go the next step and apply browser and other exploits to the phony phishing site. "The next part we're going to dive into is applying browser, Adobe, and JavaScript exploits," he says. "Now can we then get their credentials and exploit their client machine?""

  • by yuna49 ( 905461 ) on Wednesday January 06, 2010 @10:41PM (#30678274)

    I agree. This has to be one of the stupidest articles I've read lately.

    I guess in the author's view if the SMTP envelope sender (the value appearing in the "Return-Path" header at the top of each delivered message) doesn't match the From: address, the message is somehow bogus. Try telling that to the thousands of listserver admins around the world. Many listservers preserve the original message sender's address in the From field, while redistributing the message with an SMTP sender like owner-listname@example.com. That way if you hit reply, it goes back to the original author and not the list. However bounce messages get sent to the envelope sender, which is usually the listserver admin.

    Automated web processes have the same feature. I'm careful to specify what I want the envelope sender to be and what I want the From to be, and often they are not the same thing at all. I wrote a variety of applications for organizations where an officer can send mail to a membership list using his or her own address as the From. However the envelope sender is usually something like bounces@example.com so that non-delivery messages go there rather than to the actual author.

    I might want to compare the addresses, and maybe give non-matching ones an extra fractional point of spamminess in SpamAssassin, but that's about it. Not delivering messages like these would break a huge portion of the e-mail infrastructure.
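The envelope-sender versus From: comparison described in the comment above, as an added example that is not part of the original thread. It scores a mismatch with a small fractional weight rather than rejecting the message, and goes one step beyond the comment by exempting messages that carry a List-Id header (the usual marker of mailing-list traffic); the sample messages and the weight are constructed here.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the thread). A listserver
# redistribution, an automated web-app mailing on behalf of an officer,
# and a plain direct message.
LIST_MSG = """Return-Path: <owner-listname@example.com>
From: Alice Author <alice@example.org>
To: members@example.com
List-Id: Members list <listname.example.com>
Subject: Meeting notes

Notes from today.
"""

WEBAPP_MSG = """Return-Path: <bounces@example.com>
From: Club Officer <officer@example.org>
To: member@example.net
Subject: Newsletter

This month's newsletter.
"""

DIRECT_MSG = """Return-Path: <bob@example.net>
From: Bob <bob@example.net>
To: carol@example.com
Subject: Hi

Hello.
"""

def envelope_vs_from(raw):
    """Return (envelope_domain, from_domain, mismatch) for a raw message."""
    msg = message_from_string(raw)
    env = parseaddr(msg.get("Return-Path", ""))[1].lower()
    frm = parseaddr(msg.get("From", ""))[1].lower()
    env_dom, from_dom = env.rpartition("@")[2], frm.rpartition("@")[2]
    return env_dom, from_dom, env_dom != from_dom

def mismatch_score(raw, weight=0.5):
    """Fractional spamminess in the spirit of a SpamAssassin rule: add a
    small weight on mismatch, never reject outright. Exempting List-Id
    traffic is an assumption added here, not something the comment states."""
    msg = message_from_string(raw)
    _, _, mismatch = envelope_vs_from(raw)
    if not mismatch or msg.get("List-Id"):
        return 0.0
    return weight
```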

  • Re:Old news (Score:3, Informative)

    by bsDaemon ( 87307 ) on Wednesday January 06, 2010 @11:29PM (#30678640)
    Yes, but encrypting the handshake and the password exchange doesn't have anything to do with the fact that you can forge FROM headers. SPF records, domain keys, etc, can help but can also be more trouble than they're worth some times and don't really prove much of anything anyway, and even those could be forged if you REALLY wanted to by doing a DNS cache poisoning or something.

    So, no, SSL isn't going to solve the problem.

  • Re:Old news (Score:5, Informative)

    by Sir_Lewk ( 967686 ) <sirlewk@gCOLAmail.com minus caffeine> on Thursday January 07, 2010 @02:05AM (#30679510)

    SMTP is not broken. SMTP was never supposed to provide authentication of identity, and nobody with the slightest of technical knowledge has ever expected it to.

    That is why anyone who cares uses PGP/GPG.

  • Re:TrueDomain (Score:3, Informative)

    by Bronster ( 13157 ) <slashdot@brong.net> on Thursday January 07, 2010 @04:21AM (#30680054) Homepage

    http://blog.fastmail.fm/2010/01/06/truedomain-anti-phishing-and-email-authentication/ [fastmail.fm]

    describes the way Truedomain operates. We run a milter which applies X-Truedomain-* headers (view source on those messages - you'll see that even the Logo image is added on a per-message basis as a Base64 encoded header)

    We're also planning to colour messages from known senders (in your address book) and offer a link to the address book entry that caused them to be trusted, as well as labelling messages that have gone entirely through a trusted path. I added a bunch of extra headers to the list that Cyrus caches on the fast metadata drives to support all this just last week! We've been beta testing Truedomain for a while on one of our incoming MX servers, and it's now applied to all incoming email.

  • by grizdog ( 1224414 ) on Thursday January 07, 2010 @08:15AM (#30680984) Homepage

    SMTP works like real mail. Anyone can walk up to your mailbox and leave an envelope addressed to you from "Bill Gates". Unless you know how to look for signs that it was properly handled by the post service, you have no idea if it's real or not. We've known this since around 2400BC (because wikipedia says so).

    Actually, in the US, this is illegal, and it does get enforced. No one but the US Government is allowed to put something inside your mailbox, and you will probably find out if you try distributing leaflets for a commercial enterprise or political campaign. It may be illegal to forge an email, but that's different from delivering it.
