Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Communications Spam IT

Fake "Bill Gates" Message Dupes Top Tools 117

yahoi writes with this excerpt from Dark Reading that might raise sysadmins' eyebrows about email security, in particular given the big names involved: "A researcher who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from 'Bill Gates' is about to reveal the email products and services that failed to filter the spoofed message — and that list includes Microsoft Outlook 2007, Microsoft Exchange, Outlook Express, and Cisco IronPort. ... The experiment was aimed at measuring the effectiveness of email security controls in several major products and services. And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."
This discussion has been archived. No new comments can be posted.

Fake "Bill Gates" Message Dupes Top Tools

Comments Filter:
  • Old news (Score:4, Insightful)

    by Anonymous Coward on Wednesday January 06, 2010 @05:09PM (#30675726)

    SMTP is broken. Deal with it

    • Re:Old news (Score:5, Funny)

      by MichaelSmith ( 789609 ) on Wednesday January 06, 2010 @05:34PM (#30676052) Homepage Journal

      Yeah I hate the way anybody can just walk past my house and drop stuff in the letterbox. I would be much happier if the federal government vetted everything so I could just fly to Canberra to collect my safe, filtered mail.

      • by jonadab ( 583620 )
        > Yeah I hate the way anybody can just walk
        > past my house and drop stuff in the letterbox.

        That's not the problem. Indeed, that's an intentional and useful design feature.

        The problem with SMTP is that it costs you more to maintain your mailbox than it costs the senders to keep dropping junk in it.

        With a better design of mail protocol, advertisers would still be able to send you whatever junk they want, but it would cost them more to send it than it costs you to maintain a mailbox for receiving it. T
        • I have talked about this design over and over, finally someone that has caught on to what I have been saying for the past 12 years. Since emails are possible to come from anyone, and usually can be spam, if they had to pay per email, however small the fee, it would leave a trail, and also cost money, so someone with a virus on their computer would get a bill stating they sent 1 million emails, guess what , they WILL do something about that damn virus on their computer...

          Also, if the people paying to send ou

        • Build it and they will come...

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I wouldn't say it is broken; it serves its original purpose quite well. I think it is more a problem of our expectation of privacy and security, neither of which SMTP is capable of providing (at least not without various extensions and hacks bolted on top of it).

      • Can't you simply run SMTP over SSL like they do HTTP?

        • Re: (Score:3, Informative)

          by bsDaemon ( 87307 )
          Yes, but encrypting the handshake and the password exchange doesn't have anything to do with the fact that you can forge FROM headers. SPF records, domain keys, etc, can help but can also be more trouble than they're worth some times and don't really prove much of anything anyway, and even those could be forged if you REALLY wanted to by doing a DNS cache poisoning or something.

          So, no, SSL isn't going to solve the problem.
          • by Chrisq ( 894406 )

            SPF records, domain keys, etc, can help but can also be more trouble than they're worth some times and don't really prove much of anything anyway, and even those could be forged if you REALLY wanted to by doing a DNS cache poisoning or something.

            I think that this illustrates that they are not more trouble than they are worth. Forging a "from" header is trivial, some email clients just let yo enter the "from address". DNS cache poisoning is not. For most people setting up an SPF record is a "one off" operation and with online testing tools [kitterman.com] and online wizards [microsoft.com] is not that difficult.

    • Re:Old news (Score:5, Informative)

      by Sir_Lewk ( 967686 ) <sirlewk&gmail,com> on Thursday January 07, 2010 @01:05AM (#30679510)

      SMTP is not broken. SMTP was never supposed to provide authentication of identity, and nobody with the slightest of technical knowledge has ever expected it too.

      That is why anyone who cares uses PGP/GPG.

      • I can send you a conventional paper mail and claim to be anyone, and claim to be sending it from anywhere and there is nothing you can do to trace it to me, this has not caused a problem for over 100 years ...signatures help to verify identity

        The same thing has always happened with email, but this causes a problem because people strangely expect when it says an email is from harry jones it really is from him PGP/GPG Signatures verify identity ..

        Most ways of filtering email do not work in a business environm

  • Now, now! (Score:3, Funny)

    by The Wild Norseman ( 1404891 ) <tw DOT norseman AT gmail DOT com> on Wednesday January 06, 2010 @05:09PM (#30675734)
    You know, Steve Jobs may not be the most likeable fellow around, but that hardly makes it okay to call him a 'tool.'
  • So none of these products compared the actual email address being used with the displayed one in the message? That would seem to me to be about the most obvious security check one could think of with regards to email.

    • So none of these products compared the actual email address being used with the displayed one in the message? That would seem to me to be about the most obvious security check one could think of with regards to email.

      Huh? Which one of the "displayed one[s] in the message" must match the From header? And why would you consider it any more secure if there is a match, since the sender can simply insert the same address in the body of the message...

      • by yuna49 ( 905461 ) on Wednesday January 06, 2010 @09:41PM (#30678274)

        I agree. This has to be one of the stupidest articles I've read lately.

        I guess in the author's view if the SMTP envelope sender (the value appearing in the "Return-Path" header at the top of each delivered message) doesn't match the From: address, the message is somehow bogus. Try telling that to the thousands of listserver admins around the world. Many listservers preserve the the original message sender's address in the From field, while redistributing the message with an SMTP sender like owner-listname@example.com. That way if you hit reply, it goes back to the original author and not the list. However bounce messages get sent to the envelope sender, which is usually the listserver admin.

        Automated web processes have the same feature. I'm careful to specify what I want the envelope sender to be and what I want the From to be, and often they are not the same thing at all. I wrote a variety of applications for organizations where an officer can send mail to a membership list using his or her own address as the From. However the envelope sender is usually something like bounces@example.com so that non-delivery messages go there rather than to the actual author.

        I might want to compare the addresses, and maybe give non-matching ones an extra fractional point of spamminess in SpamAssassin, but that's about it. Not delivering messages like these would break an huge portion of the e-mail infrastructure.

        • Similarly companies who do mail shots for clients need this functionality if they're not going to totally confuse end users. Our company uses an external agency to do this on behalf of our clients and it's not feasible to transfer the email domain to allow the third party to send from the "legitimate" address because many of the clients manage their own email server for employee mail - all our mails are opt-in so the users have to specifically request them, it would be ridiculous to tell all those users the

    • by e2d2 ( 115622 ) on Wednesday January 06, 2010 @05:42PM (#30676128)

      Well here's why that's tough. You can't check the email address it comes from typically because that would mean using the VRFY command, which no modern email server has enabled because it would allow spammers to simply poll an SMTP server for addresses and see if they are legit. They simply disable it or send all true responses.

      The next check is DNS, verifying a mail record exists for the domain in question. Here's the problem with that. DNS can be messed up and mail will still function. Say you have a hosted domain but it lacks an mx record. Mail will still go out. So the server on the other end needs to make a choice. Throw it away or pass it through.

      • by Phrogman ( 80473 )

        Okay thanks for the clarification. I know relatively little about email and how it is transmitted/received beyond how to use it :)

      • by jonadab ( 583620 )
        > DNS can be messed up and mail will still function.
        > Say you have a hosted domain but it lacks an mx
        > record. Mail will still go out. So the server on
        > the other end needs to make a choice. Throw it
        > away or pass it through.

        It doesn't have to be a binary choice based on one criterion. You can use a number of different checks (does the envelope sender match the From field, does either of them match the HELO domain, does the HELO domain match the sending IP address, is the message text or HTM
  • by Tsar ( 536185 ) on Wednesday January 06, 2010 @05:15PM (#30675818) Homepage Journal

    "...And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."

    Okay, I give up. What can little technology actually do about it? Is that like nanotechnology, but bigger?
    Yes, I was bored. Back to work!

    • I realize you're picking linguistic nits here, but there is actually a serious answer to your question, and it's been known for a long time. If you want some sort of assurance that an email really comes from who it purports to come from, the email infrastructure as commonly deployed won't give you that. However, there are technologies that will.

      PGP is one of them. With PGP, you can sign your message with public key cryptography. If you sign with your private key and upload your public key to a keyserver, th

      • Web of trust is all well and good in small groups, usually of people who know each other in the real world. It might work if you set it up within a small company for instance, but the fail points will always be the people in the web who are allowed to add their own, previously "untrusted" names, because you get back to the real issue - that scammers exploit the lack of verification because it's the easiest way to achieve their aims. If the easiest way to achieve their aims was to win the trust of one of the
  • by schon ( 31600 ) on Wednesday January 06, 2010 @05:18PM (#30675858)

    A couple of months ago, I got a "someone who knows you wants you to join" email from Linkedin. Someone had submitted my email address and wanted to "friend" me, and the entire contents of the "this person knows you because..." part was a spam website in China.

    Any casual glance would show that it was spam.

    Linkedin had "kindly" put a link at the bottom of the email saying "if this is spam, report it here". So I did, and the web page thanked me for reporting the spam.

    Two weeks later, I got *ANOTHER* email from Linkedin, "helpfully" reminding me that I hadn't accepted the spammer's invitation

    WTF?!?! I told them is was spam, and not only hadn't they banned the spammer, they were spamming for him!

    Linkedin instantly went into my mailservers blacklist. They're just fucking spammers.

    • Re: (Score:3, Insightful)

      by sco08y ( 615665 )

      I've been on LinkedIn since 2006. It's really gone downhill.

      Networking is a fine thing to do and makes sense, at least given that HR departments don't actually do their job. Unfortunately, there is a large contingent of markety types who seem to think that networking and motivational crap can completely take the place of actually doing work. And they are dominating LinkedIn right now.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        LinkedIn has ALWAYS been crappy, in my opinion.

        I got an invitation to join this wonderful networking site years ago. I checked out the site. My top competitor was on there, and he had befriended a bunch of clients. I grabbed them, and called the clients, and landed business with several of them. My competitor didn't know what hit him.

        Yeah, watch out who you share your Outlook Contact list with. Geez, that should be a guarded secret, not a free-for-all posted on the internet!

        • by hany ( 3601 )

          I assume those people got better deal from you so I guess it was not bad for them that your competitor shared his contact list. :)

    • I think you are being a bit harsh on Linkedin. Yeah, there is some spam. Spam is everywhere. However, in this economy, corporations are turning to LinkedIn as a recruiting tool.

      When a company posts a position on Monster and Careerbuilder (I get spam from both by the way), they are flooded with resumes. The situation is so bad that their human resources departments don't have the resources to sort through them all. They therefore use LinkedIn as a search tool for candidates without opening themselves
      • by schon ( 31600 )

        I think you are being a bit harsh on Linkedin.

        Then you don't understand what happened.

        Yeah, there is some spam. Spam is everywhere.

        So that makes it OK to steal my bandwidth and annoy me? Fuck that!

        However, in this economy, corporations are turning to LinkedIn as a recruiting tool.

        Besides "fuck them", this statement shows that you don't understand what happened.

        Linkedin sent me email from a known spammer. This was not "recruitment", it was spam.

        There is spam on other sites as well

        Name them. Name one that will send you OBVIOUS spam, even when you tell them it's spam and you don't want to receive it, just because they want you to join their service.

        it doesn't mean those sites are worthless.

        Yes, it does. The first time it happened, I can understand it.

        • Yes, it does. The first time it happened, I can understand it. But they sent me a reminder that I didn't accept a spammer's spam after I reported it as spam - that makes them 100% worthless.

          Or...it means there was a hole in their system, and instead of taking a moment to send an email to their tech department, you just decided to throw away the baby with the bath water.

          I'm not sure what causes it, but the all or nothing approach, and holier than thou belief system that pervades the web is a little saddening

        • So that makes it OK to steal my bandwidth and annoy me? Fuck that!

          Yeah, "stealing" that oh so precious 5Kb of bandwidth.

          Linkedin sent me email from a known spammer. This was not "recruitment", it was spam.

          By your logic every time I get a friend request from a random person and Facebook sends me a message that is spam.

          Name them. Name one that will send you OBVIOUS spam, even when you tell them it's spam and you don't want to receive it, just because they want you to join their service.

          Lets see (granted, this is biased based on the mail I have received):

          A) Scholarship "search" sites
          B) Random colleges in the middle of nowhere
          C) Any random software program that wants you to "register"

          Of course, none of this mail makes it into my real mailbox because I have 2 main E-mail accounts, one is my personal e-mail th

    • by socz ( 1057222 )
      Yep I've gotten the same exact thing several times before spamming them entirely. I started asking around if anyone had requested me to join and it turns out only 1 close friend is signed up on it! So no one I really care about (that I know of) is on it. And you're right, they're helping the spammers spam, that's the worst part!
    • Re: (Score:2, Interesting)

      by DonCarlos ( 222830 )

      Linkedin instantly went into my mailservers blacklist. They're just fucking spammers.

      Don't be silly. It's looks a sort of bug in LinkedIn - they aparently do not remove pending requests from user's queue even the request sender was reported by that user as a spammer. Simple as that.

  • by Punto ( 100573 ) <puntob@gm[ ].com ['ail' in gap]> on Wednesday January 06, 2010 @05:19PM (#30675882) Homepage

    SMTP works like real mail. Anyone can walk up to your mailbox and leave an envelope addressed to you from "Bill Gates". Unless you know how to look for signs that it was properly handled by the post service, you have no idea if it's real or not. We've known this since around 2400BC (because wikipedia says so).

    • Its OT but I had a moment of cognitive dissonance the other week when I opened a letter addressed to my wife's business from google. Never before had I seen their logo on paper. It took a moment to take in what I was seeing.

    • Re: (Score:3, Informative)

      by grizdog ( 1224414 )

      SMTP works like real mail. Anyone can walk up to your mailbox and leave an envelope addressed to you from "Bill Gates". Unless you know how to look for signs that it was properly handled by the post service, you have no idea if it's real or not. We've known this since around 2400BC (because wikipedia says so).

      Actually, in the US, this is illegal, and it does get enforced. No one but the US Government is allowed to put something inside your mailbox, and you will probably find out if you try distributing leaflets for a commercial enterprise or political campaign. It may be illegal to forge an email, but that's different from delivering it.

      • by Punto ( 100573 )

        That doesn't change the fact that I can walk up to your mailbox and leave an envelope with a fake return address, because your mailbox doesn't have a magical "government employee detector" that only allows mail delivery from certain people. It's not something that is built into the system; the law works on a completely different level. Just like SMTP, which allows anyone to deliver mails, and then people implement security measures on different layers (like spam filters, digital signatures, etc).

    • SMTP works like real mail. Anyone can walk up to your mailbox and leave an envelope addressed to you from "Bill Gates". Unless you know how to look for signs that it was properly handled by the post service, you have no idea if it's real or not. We've known this since around 2400BC (because wikipedia says so).

      Technically, putting anything into a mailbox (not for them to pick up, but as a delivery), is illegal, with a fine of up to $300 per item plus postage. It seems this is only illegal if you don't put postage on the letter though.

      Crimes and Criminal Procedure - 18 USC Section 1725

      Legal Research Home > US Lawyer > Crimes and Criminal Procedure > Crimes and Criminal Procedure -

      18 USC Section 1725

      01/19/04

      Sec. 1725. Postage unpaid on deposited mail matter

      Whoever knowingly and willfully deposits any mailable matter such as statements of accounts, circulars, sale bills, or other like matter, on which no postage has been paid, in any letter box established, approved, or accepted by the Postal Service for the receipt or delivery of mail matter on any mail route with intent to avoid payment of lawful postage thereon, shall for each such offense be fined under this title. AMENDMENTS 1994 - Pub. L. 103-322 substituted "fined under this title" for "fined not more than $300". 1970 - Pub. L. 91-375 substituted "Postal Service" for "Postmaster General". EFFECTIVE DATE OF 1970 AMENDMENT Amendment by Pub. L. 91-375 effective within 1 year after Aug. 12, 1970, on date established therefor by Board of Governors of United States Postal Service and published by it in Federal Register, see section 15(a) of Pub. L. 91-375, set out as an Effective Date note preceding section 101 of Title 39, Postal Service.

  • by Jonas Buyl ( 1425319 ) on Wednesday January 06, 2010 @05:24PM (#30675948)
    Whoever thinks this is a big issue should evaluate how much security we can expect from computers. Scams like this can be pulled off by sending IRL mail as well and are equally hard to detect by humans. Why should we expect an automated algorithm to be able to detect it? Scams like this are only going to stop when every move you make on the Internet can be tracked down straight back to you. We're getting closer and closer to a decision: Privacy or security. What's Slashdot's pick?
    • Why do we have to pick? We could just have a secure messaging system that encrypts and signs messages for intended recipients. If you can read it, congratulations, it's from who it says it's from (unless they hacked the endpoint, of course--but that's a good deal better than what we have now, innit?).

      Ah, but if only we had such a system. ahemcoughcoughwavecoughcough

  • Why would anyone expect the client to be able to filter out phishing attacks, unless it's looking up against some centralized DB?

  • by NeumannCons ( 798322 ) on Wednesday January 06, 2010 @05:27PM (#30675982) Homepage
    So the "researcher" sends an email pretending to be B. Gates and the message got through? OMG! Seriously, where's the "phishing" part? Did he have them click on a link? What was the success rate of that? Linkedin is fairly safe - there's not a whole lot of sensitive information there (unless past work history is "sensitive) - it doesn't ask you for your SSN, address, credit card no, etc. Asking a victim to supply that info to join someones linkedin group would surely raise suspicion and alert people that it's a fake. There's no real meat to the article here. Either the reporter reporting on this story has missed an important part of the story (likely) or the researcher has just discovered that you can email anyone and pretend to be anyone.

    All of the tools listed don't work by verifying the identity of the sender. If you fail to look/behave like a spammer/cracker/phisher, your email will get through unless you use a white list at which point 99% of people outside your list won't know how to get an email to you even though the rejection letter spells out the correct procedure. I wonder how many people actually tried to join Bill's linkedin account and of those what percentage thought it may actually *be* Bill. I'm gonna guess it's somewhere around zero.

    Now excuse me, I have to get back to forwarding Bill's email I got to 20 people so have I have a chance at the million dollar prize.
    • Re: (Score:2, Funny)

      by socz ( 1057222 )

      Now excuse me, I have to get back to forwarding Bill's email I got to 20 people so have I have a chance at the million dollar prize.

      Wow you're lucky! In Mexico, Bill Gates was about to close down hotmail.mx but thanks to everyone forwarding that e-mail MS saw that people used it and prevented its closure! Too bad they didn't have a chance at that prize...

    • Actually I think this might just be against the law and the researcher may have painted a big bullseye on his wallet for any one of these people who think they've been 'harmed' by believing they were actually invited by Bill Gates.

      There are a lot of stupid internet laws out there and I'm sure the prosecutors/"victims" like nothing more than someone who provides all the evidence in a nice research report ready for prosecution.

  • It not only duped the top tools, it also duped the software that those big tools were running as well!
  • What a crap story (Score:5, Insightful)

    by bloodhawk ( 813939 ) on Wednesday January 06, 2010 @05:29PM (#30676006)
    Firstly why is MS singled out in the slashdot version of the story? 100% of mail products failed this so called test.

    secondly what a piece of garbage, the mail products ALL did what they were supposed to, looking at how the email was constructed there was no piece of information in it that would allow any of the products to automatically detect it as an attack, sadly this is the nature of how SMTP mail is built, there is no easy way to determine a real email from fake one as is easily demonstrated by the 100% failure of every product, or more to the point the 100% failure of the researchers in understanding what they are doing, claiming they were trying to measure the levels of security is just complete crap, all they are after is publicity on a well known and understood technology and its many flawes.
    • by sco08y ( 615665 ) on Wednesday January 06, 2010 @05:47PM (#30676196)

      If computers could magically detect bullshit the way this journalist thinks they ought to be able to, I'd have them filtering the goddamned newspaper.

      • That's the extra blank page that prints out after a document once in a while.
      • by fm6 ( 162816 )

        No magic required. Just a mail system that doesn't make it so easy to forge a return address. Like a lot of tech that dates back to the pre-commercial internet, SMTP takes too much on trust.

      • by weicco ( 645927 )

        It would be really quiet here in Slashdot too.

    • Firstly why is MS singled out in the slashdot version of the story? 100% of mail products failed this so called test.

      I noticed this too. Although the summary chooses to mention a few Microsoft products and Cisco Ironport, here is the list from the article:


      Microsoft and Cisco products, including users with GoDaddy's hosted email, Voltage, RackSpace/MailTrust hosted email, Webroot SaaS Email Security, Verizon Email Cloud Filtering with MessageLabs, a Linux and SpamAssassin configuration, SonicWall's

    • I don't see how they could've excluded Google. I use Outlook+Exchange, Gmail, and Yahoo mail on a regular basis (work, personal, shopping) and Gmail is the gold standard. Outlook and Yahoo are a joke.

    • Firstly why is MS singled out in the slashdot version of the story? 100% of mail products failed this so called test.

      New here? Best way to get to the front page of Slashdot is to bash Microsoft.

    • by GF678 ( 1453005 )

      Firstly why is MS singled out in the slashdot version of the story? 100% of mail products failed this so called test.

      You know the reason - Slashdot is EXTREMELY biased against Microsoft to the point of irrationality at times. Gets rather tiring at times, but hey, every source of media has some bias (except perhaps Reuters).

  • LOLWUT? (Score:3, Insightful)

    by argent ( 18001 ) <peter&slashdot,2006,taronga,com> on Wednesday January 06, 2010 @05:35PM (#30676066) Homepage Journal

    What's the point of this? If you send someone an email, they'll get it? God, I hope so! That used to be the norm before spammers poisoned the well.

  • what you think it means.

    Phishing attacks would presumably be trying to get some otherwise secured info from the victim. What would the victim of this attack provide in response to this email? Credit card info? Online banking credentials? Warcraft account info? sheesh. As someone above stated, the guy sent an email and it got through. No news there. This isn't phishing, it's spam. And not even good spam. I would bet more people would be trying to buy cheap viagra than join Bill's Linkedin.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      That's ok, we didn't expect you to read the article:

      "He used his own phishing framework tool, called User Attack Framework, which automated the "attack," helped him track the success of the phish, and captured information about the "victim" once the person clicked on the "invite" and was sent to the phishing site, such as his IP address, user ID, location, browser, operating system, and other Website statistics."

      "He also plans to go the next step and apply browser and other exploits to the phony phishing si

  • This shouldn't have been on /.!
    Scammers have been tricking people since 1000's of years always trying to "stay ahead" of what people have learned ... the same applies to anything in this world including virus/worm/trojan checkers, any other spam/email/whatever.
    There are many sales people who will sell you something you don't need and most of people who bought the stuff walk away "happy" not realizing the where scammed "legitimately" ...
    Any of us need to learn/see when we are getting scammed ... always.

  • by cmacb ( 547347 ) on Wednesday January 06, 2010 @08:06PM (#30677576) Homepage Journal

    Bill Gates has indicated you are a fellow group member of Microsoft Security. I'd like to add you to my professional network on LinkedIn. - B. Gates.

    Oh, that would have fooled me. It would have been more tricky if they'd added something like:

    Oh, and I'm also inviting you to the other special interests groups I follow: "Committee for Prevention of Bloat in Operating Systems", and "Six Forty K. It's Enough for Anyone". I look forward to seeing you on LinkedIN and if you are ever in the Seattle area, stop by for a brew.

  • Dark Reading (ooh, spooky) as is their wont, lists no actual details so we don't know what the guy actually did. But mail clients in general are pretty hopeless at interpreting "who" a message is from. There are several fields that can be used - the actual sending address (the "mail from: " in the SMTP exchange), Reply-to:, From: Sender:. There is no agreed prioritisation that I know of as to what actually goes in the "From" that we see in the client...

    I once had a weird circumstance where messages from a m

  • I use Fastmail.fm (a fantastic service) for my e-mail and I noticed something new in my inbox yesterday. Little icons now appear next to messages from LinkedIn, Facebook, etc. to indicate that the origin of the message has been verified through some new service called Truedomain. Anybody know the technical details?

    • Re: (Score:3, Informative)

      by Bronster ( 13157 )

      http://blog.fastmail.fm/2010/01/06/truedomain-anti-phishing-and-email-authentication/ [fastmail.fm]

      describes the way Truedomain operates. We run a milter which applies X-Truedomain-* headers (view source on those messages - you'll see that even the Logo image is added a per-message basis as a Base64 encoded header)

      We're also planning to colour messages from known senders (in your address book) and offer a link to the address book entry that caused them to be trusted, as well as labelling messages that have gone entirely

      • We run a milter which applies X-Truedomain-* headers (view source on those messages - you'll see that even the Logo image is added a per-message basis as a Base64 encoded header)

        So what happens when I spoof the X-Truedomain headers? It seems that this solution just pushes the verification off to someone else, but doesn't actually solve the problem.

        I read your link, which really only says, "Truedomain does the verification and we trust Truedomain." No details. So I looked at the Truedomain [truedomain.net] web site. It is

        • by Bronster ( 13157 )

          http://en.wikipedia.org/wiki/Milter [wikipedia.org]

          It's a standard technical name for an API, which is why I can say it with a straight face rather than obfuscate around it. The package is called truedomain-milter, for obvious reasons.

          If you spoof the headers they'll be dropped on receipt. Note that the message still has to pass DKIM or SPF as well.

          Now - if you upload a spoofed message via IMAP you can fool our web interface, but the only person who's going to see that is you or someone else who's shared your folders.

          And

  • by oglueck ( 235089 )

    linkedin.com text = "v=spf1 ip4:70.42.142.0/24 ip4:208.111.172.0/24 ip4:64.74.220.0/24 ip4:64.74.221.0/26 ip4:64.71.153.211 ip4:64.74.221.30 ip4:69.28.149.0/24 ip4:208.111.169.128/26 ip4:64.74.98.128/26 ip4:64.74.98.16/29 mx ~all"

    That is ~all and not -all. So linkedin is happy with any IP sending mail in their name. It will only cause a soft fail and no MTA should reject the message as fake. It's hardly the fault of mail clients here.

    • by Chrisq ( 894406 )
      I wish more mail clients would issue a warning when SPF returns SOFTFAIL. So many people use the ~all just in case they ever want another machine to send emails and forget to update their DNS that a warning would be nice. Of course more people should bite the bullet and use -all
  • What - we didn't already know this? Erf...c'mon, wake up...
  • Not to mention, it was written back in October.

    Regardless, anyone that deals with spam on any level knows that targeted attacks (spear phishing...who the hell coined that?) are *not* the primary focus of appliances like the Ironport. Being an Ironport admin I know from experience with both Ironport and Puremessage (PerlMX) that the priority of these devices is to focus on QUANTITY. The volume of messages coming into a firm or company is more important than the targeted individual, not to mention that the ta

  • None of the products in question make any pretense of validating "spoofed" addresses. And by "spoofed" we mean only that the originating address does not match the server used to send the email. Whcih is a commonplace and valid scenario for many people who outsource web site hosting and email.

    What this "article" is really about: "Look at me, I can state the obvious! Come read my site!"

    Looking a little closer at the about page, I see what: "The InformationWeek Business Technology Network is a network

I do not fear computers. I fear the lack of them. -- Isaac Asimov

Working...