
Fake "Bill Gates" Message Dupes Top Tools

yahoi writes with this excerpt from Dark Reading that might raise sysadmins' eyebrows about email security, in particular given the big names involved: "A researcher who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from 'Bill Gates' is about to reveal the email products and services that failed to filter the spoofed message — and that list includes Microsoft Outlook 2007, Microsoft Exchange, Outlook Express, and Cisco IronPort. ... The experiment was aimed at measuring the effectiveness of email security controls in several major products and services. And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."
This discussion has been archived. No new comments can be posted.

  • Old news (Score:4, Insightful)

    by Anonymous Coward on Wednesday January 06, 2010 @06:09PM (#30675726)

    SMTP is broken. Deal with it

  • by Punto ( 100573 ) <puntobNO@SPAMgmail.com> on Wednesday January 06, 2010 @06:19PM (#30675882) Homepage

    SMTP works like real mail. Anyone can walk up to your mailbox and leave an envelope addressed to you from "Bill Gates". Unless you know how to look for signs that it was properly handled by the post service, you have no idea if it's real or not. We've known this since around 2400BC (because Wikipedia says so).

  • by Jonas Buyl ( 1425319 ) on Wednesday January 06, 2010 @06:24PM (#30675948)
    Whoever thinks this is a big issue should evaluate how much security we can expect from computers. Scams like this can be pulled off by sending IRL mail as well and are equally hard to detect by humans. Why should we expect an automated algorithm to be able to detect it? Scams like this are only going to stop when every move you make on the Internet can be tracked down straight back to you. We're getting closer and closer to a decision: Privacy or security. What's Slashdot's pick?
  • by NeumannCons ( 798322 ) on Wednesday January 06, 2010 @06:27PM (#30675982) Homepage
    So the "researcher" sends an email pretending to be B. Gates and the message got through? OMG! Seriously, where's the "phishing" part? Did he have them click on a link? What was the success rate of that? LinkedIn is fairly safe - there's not a whole lot of sensitive information there (unless past work history is "sensitive") - it doesn't ask you for your SSN, address, credit card no, etc. Asking a victim to supply that info to join someone's LinkedIn group would surely raise suspicion and alert people that it's a fake. There's no real meat to the article here. Either the reporter reporting on this story has missed an important part of the story (likely) or the researcher has just discovered that you can email anyone and pretend to be anyone.

    All of the tools listed don't work by verifying the identity of the sender. If you fail to look/behave like a spammer/cracker/phisher, your email will get through unless you use a white list, at which point 99% of people outside your list won't know how to get an email to you even though the rejection letter spells out the correct procedure. I wonder how many people actually tried to join Bill's LinkedIn account and of those what percentage thought it may actually *be* Bill. I'm gonna guess it's somewhere around zero.

    Now excuse me, I have to get back to forwarding Bill's email I got to 20 people so I have a chance at the million dollar prize.
  • What a crap story (Score:5, Insightful)

    by bloodhawk ( 813939 ) on Wednesday January 06, 2010 @06:29PM (#30676006)
    Firstly, why is MS singled out in the Slashdot version of the story? 100% of mail products failed this so-called test.

    Secondly, what a piece of garbage, the mail products ALL did what they were supposed to, looking at how the email was constructed there was no piece of information in it that would allow any of the products to automatically detect it as an attack, sadly this is the nature of how SMTP mail is built, there is no easy way to determine a real email from a fake one as is easily demonstrated by the 100% failure of every product, or more to the point the 100% failure of the researchers in understanding what they are doing, claiming they were trying to measure the levels of security is just complete crap, all they are after is publicity on a well known and understood technology and its many flaws.
  • LOLWUT? (Score:3, Insightful)

    by argent ( 18001 ) <peter@slashdot . ... t a r o nga.com> on Wednesday January 06, 2010 @06:35PM (#30676066) Homepage Journal

    What's the point of this? If you send someone an email, they'll get it? God, I hope so! That used to be the norm before spammers poisoned the well.

  • by Alerius ( 851519 ) on Wednesday January 06, 2010 @06:40PM (#30676116)
    what you think it means.

    Phishing attacks would presumably be trying to get some otherwise secured info from the victim. What would the victim of this attack provide in response to this email? Credit card info? Online banking credentials? Warcraft account info? sheesh. As someone above stated, the guy sent an email and it got through. No news there. This isn't phishing, it's spam. And not even good spam. I would bet more people would be trying to buy cheap viagra than join Bill's LinkedIn.

  • by sco08y ( 615665 ) on Wednesday January 06, 2010 @06:44PM (#30676156)

    I've been on LinkedIn since 2006. It's really gone downhill.

    Networking is a fine thing to do and makes sense, at least given that HR departments don't actually do their job. Unfortunately, there is a large contingent of markety types who seem to think that networking and motivational crap can completely take the place of actually doing work. And they are dominating LinkedIn right now.

  • Re:Old news (Score:2, Insightful)

    by Anonymous Coward on Wednesday January 06, 2010 @06:48PM (#30676224)

    I wouldn't say it is broken; it serves its original purpose quite well. I think it is more a problem of our expectation of privacy and security, neither of which SMTP is capable of providing (at least not without various extensions and hacks bolted on top of it).

  • by dhammabum ( 190105 ) on Wednesday January 06, 2010 @09:18PM (#30677664)

    Dark Reading (ooh, spooky) as is their wont, lists no actual details so we don't know what the guy actually did. But mail clients in general are pretty hopeless at interpreting "who" a message is from. There are several fields that can be used - the actual sending address (the "mail from:" in the SMTP exchange), Reply-to:, From:, Sender:. There is no agreed prioritisation that I know of as to what actually goes in the "From" that we see in the client...

    I once had a weird circumstance where messages from a mail script I wrote using the MIME::Entity perl module were being received as from "nobody". I hadn't specified the sender field in the entity mail object and the module thoughtfully provided one for me, using the owner of the process running the script. So even though the reply-to and from fields were correctly set, I got a number of calls about who this nobody was....

    One can prevent spoofed email using filters, etc, at least with Unix/Linux-based mail transfer agents, presumably this can also be done with MS Exchange. So the breathless report that 100% of the spoofed messages got through just indicates the low priority spoofing has in those administrators' minds.
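
The several "who is it from" fields named in the comment above (envelope MAIL FROM, From:, Sender:, Reply-To:) can be laid side by side and compared. This is an added example, not part of the original thread; the message, addresses and envelope value are constructed placeholders, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. The envelope sender comes from the SMTP "MAIL FROM:"
# command; here it is assumed the receiving MTA recorded it for us.
ENVELOPE_FROM = "bounce@mailer.example.net"
RAW = """\
From: "Bill Gates" <billg@example.com>
Sender: notifications@mailer.example.net
Reply-To: invites@reply.example.org
To: someone@corp.example
Subject: Invitation to connect on LinkedIn

Constructed body.
"""

def domain(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def sender_identities(envelope_from, raw_message):
    """Collect every field that claims to say who the message is from."""
    msg = message_from_string(raw_message)
    ids = {"envelope": envelope_from}
    for header in ("From", "Sender", "Reply-To"):
        ids[header] = parseaddr(msg.get(header, ""))[1]
    # The display name is what most clients show; it is free text.
    ids["display_name"] = parseaddr(msg.get("From", ""))[0]
    return ids

def mismatches(ids):
    """Flag fields whose domain differs from the visible From: domain.

    Exact string comparison only; it does not know that two different
    hostnames may belong to the same organisation.
    """
    from_dom = domain(ids["From"])
    if not from_dom:
        return ["no usable From: address"]
    findings = []
    for field in ("envelope", "Sender", "Reply-To"):
        if ids[field] and domain(ids[field]) != from_dom:
            findings.append(f"{field} domain {domain(ids[field])} != From domain {from_dom}")
    return findings

if __name__ == "__main__":
    ids = sender_identities(ENVELOPE_FROM, RAW)
    print(ids)
    for finding in mismatches(ids):
        print("FLAG:", finding)
```

A mismatch is a signal for scoring or review rather than proof of spoofing, since mailing lists and bulk senders legitimately use a different envelope or Sender: address.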
