Fake "Bill Gates" Message Dupes Top Tools
yahoi writes with this excerpt from Dark Reading that might raise sysadmins' eyebrows about email security, in particular given the big names involved: "A researcher who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from 'Bill Gates' is about to reveal the email products and services that failed to filter the spoofed message — and that list includes Microsoft Outlook 2007, Microsoft Exchange, Outlook Express, and Cisco IronPort. ... The experiment was aimed at measuring the effectiveness of email security controls in several major products and services. And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."
Re: (Score:1)
I don't accept cookies.
That's a shame, I was going to offer you a chocolate chip one.
Re: (Score:2)
Accept it for the session then delete it. Some modern browsers even have an option to do this automatically.
Re: (Score:3, Interesting)
The issue isn't who (near as I can tell) as much as it is the commonality of e-mail originating from servers not identified in the e-mail.
Blocking mail like that was a topic of discussion in the 90's but by that time the number of mail servers that no longer resolved to the domains they serviced was large enough that it was useless anymore.
I may not have all my facts straight, but that's my understanding.
Re: (Score:3, Funny)
Right. Much better to delete a message just because it came from LinkedIn.
Re:so? (Score:4, Funny)
You know the famous one doesn't have a monopoly on that name, right?
Well, it would be rather fitting if he did.
Re: (Score:2)
It would be even more fitting if he simply ate them.
Re: (Score:2)
Yet still more fitting if he filled their pants with hot grits
Re: (Score:3, Interesting)
It wasn't the name he expected to be filtered, but the fact that the email was spoofed, i.e. it appeared to come from a different server than it actually came from.
Re: (Score:2)
Ok, here's an idea.
Why not just hard-block incoming email that is spoofed?
Any message that fibs about its origin is almost by definition deceptive and fraudulent and is pretty safe to block. Those few cases due to misconfigured servers, well sucks to be you, fix the damn configuration.
And people that run email servers should stop pussy-footing around with SOFTFAIL records.
Re:so? (Score:5, Funny)
Okay Michael Bolton.. You're right, why should you have to change, he's the one that sucks...
Re: (Score:2)
They probably add the term "Microsoft" to the filter.
That one definitely has a monopoly, and was one of the costliest scams of the 20th century,
Old news (Score:4, Insightful)
SMTP is broken. Deal with it
Re:Old news (Score:5, Funny)
Yeah I hate the way anybody can just walk past my house and drop stuff in the letterbox. I would be much happier if the federal government vetted everything so I could just fly to Canberra to collect my safe, filtered mail.
Re: (Score:1)
> past my house and drop stuff in the letterbox.
That's not the problem. Indeed, that's an intentional and useful design feature.
The problem with SMTP is that it costs you more to maintain your mailbox than it costs the senders to keep dropping junk in it.
With a better design of mail protocol, advertisers would still be able to send you whatever junk they want, but it would cost them more to send it than it costs you to maintain a mailbox for receiving it. T
Re: (Score:2)
I have talked about this design over and over, finally someone that has caught on to what I have been saying for the past 12 years. Since emails are possible to come from anyone, and usually can be spam, if they had to pay per email, however small the fee, it would leave a trail, and also cost money, so someone with a virus on their computer would get a bill stating they sent 1 million emails, guess what, they WILL do something about that damn virus on their computer...
Also, if the people paying to send ou
Re: (Score:2)
Build it and they will come...
Re: (Score:2, Insightful)
I wouldn't say it is broken; it serves its original purpose quite well. I think it is more a problem of our expectation of privacy and security, neither of which SMTP is capable of providing (at least not without various extensions and hacks bolted on top of it).
Re: (Score:2)
Can't you simply run SMTP over SSL like they do HTTP?
Re: (Score:3, Informative)
So, no, SSL isn't going to solve the problem.
Re: (Score:2)
> SPF records, domain keys, etc, can help but can also be more trouble than they're worth sometimes and don't really prove much of anything anyway, and even those could be forged if you REALLY wanted to by doing a DNS cache poisoning or something.
I think that this illustrates that they are not more trouble than they are worth. Forging a "from" header is trivial, some email clients just let you enter the "from address". DNS cache poisoning is not. For most people setting up an SPF record is a "one off" operation and with online testing tools [kitterman.com] and online wizards [microsoft.com] is not that difficult.
Re:Old news (Score:5, Informative)
SMTP is not broken. SMTP was never supposed to provide authentication of identity, and nobody with the slightest of technical knowledge has ever expected it to.
That is why anyone who cares uses PGP/GPG.
Re: (Score:2)
I can send you a conventional paper mail and claim to be anyone, and claim to be sending it from anywhere and there is nothing you can do to trace it to me, this has not caused a problem for over 100 years ...signatures help to verify identity
The same thing has always happened with email, but this causes a problem because people strangely expect when it says an email is from harry jones it really is from him PGP/GPG Signatures verify identity ..
Most ways of filtering email do not work in a business environm
Now, now! (Score:3, Funny)
Checking Actual Email Address with Displayed? (Score:2)
So none of these products compared the actual email address being used with the displayed one in the message? That would seem to me to be about the most obvious security check one could think of with regards to email.
Re: (Score:2)
Huh? Which one of the "displayed one[s] in the message" must match the From header? And why would you consider it any more secure if there is a match, since the sender can simply insert the same address in the body of the message...
Re:Checking Actual Email Address with Displayed? (Score:5, Informative)
I agree. This has to be one of the stupidest articles I've read lately.
I guess in the author's view if the SMTP envelope sender (the value appearing in the "Return-Path" header at the top of each delivered message) doesn't match the From: address, the message is somehow bogus. Try telling that to the thousands of listserver admins around the world. Many listservers preserve the original message sender's address in the From field, while redistributing the message with an SMTP sender like owner-listname@example.com. That way if you hit reply, it goes back to the original author and not the list. However bounce messages get sent to the envelope sender, which is usually the listserver admin.
Automated web processes have the same feature. I'm careful to specify what I want the envelope sender to be and what I want the From to be, and often they are not the same thing at all. I wrote a variety of applications for organizations where an officer can send mail to a membership list using his or her own address as the From. However the envelope sender is usually something like bounces@example.com so that non-delivery messages go there rather than to the actual author.
I might want to compare the addresses, and maybe give non-matching ones an extra fractional point of spamminess in SpamAssassin, but that's about it. Not delivering messages like these would break a huge portion of the e-mail infrastructure.
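The envelope-sender versus From: comparison described in the comment above, as an added example that is not part of the original post and is not SpamAssassin's own rule code. The three messages are constructed samples, and the 0.5-point weight, the 5.0 threshold and the function names are assumptions chosen for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

MISMATCH_POINTS = 0.5  # assumed "fractional point" for a domain mismatch
SPAM_THRESHOLD = 5.0   # assumed score at which a message is treated as spam

# Constructed sample: a list server keeps the author in From: and uses
# its own address as the envelope sender (seen here as Return-Path).
LIST_POST = (
    "Return-Path: <owner-listname@example.com>\n"
    "Received-SPF: pass\n"
    "From: Alice <alice@example.org>\n"
    "List-Id: <listname.example.com>\n"
    "Subject: [listname] meeting notes\n\nbody\n"
)

# Constructed sample: a membership mailing sent on an officer's behalf,
# with bounces directed to a separate address.
MEMBER_MAILING = (
    "Return-Path: <bounces@example.com>\n"
    "Received-SPF: pass\n"
    "From: Club Secretary <secretary@example.org>\n"
    "Subject: Annual meeting\n\nbody\n"
)

# Constructed sample: a spoofed invitation. SPF passes because it is
# evaluated against the envelope domain, which the sender controls.
SPOOFED_INVITE = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "Received-SPF: pass\n"
    'From: "Bill Gates" <invitations@linkedin.example>\n'
    "Subject: Invitation to connect\n\nbody\n"
)


def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def assess(raw_message):
    """Compare envelope and From: domains and apply both policies."""
    msg = message_from_string(raw_message)
    envelope = domain_of(msg.get("Return-Path"))
    visible = domain_of(msg.get("From"))
    # A null return path (<>), as used by bounces, is not a mismatch.
    mismatch = bool(envelope and visible and envelope != visible)
    score = MISMATCH_POINTS if mismatch else 0.0
    return {
        "envelope_domain": envelope,
        "from_domain": visible,
        "mismatch": mismatch,
        "score": score,
        # Policy A: refuse anything whose two domains differ.
        "hard_block": "reject" if mismatch else "deliver",
        # Policy B: the mismatch is one small signal among many.
        "scored": "spam" if score >= SPAM_THRESHOLD else "deliver",
    }


if __name__ == "__main__":
    samples = (("list post", LIST_POST),
               ("member mailing", MEMBER_MAILING),
               ("spoofed invite", SPOOFED_INVITE))
    for name, raw in samples:
        r = assess(raw)
        print(f"{name:<15} {r['envelope_domain']:<20} {r['from_domain']:<18} "
              f"hard_block={r['hard_block']:<8} scored={r['scored']}")
```

All three samples show the same mismatch, so the hard-block policy rejects the two legitimate messages along with the spoofed one, while the scored policy needs other signals before any of them crosses the threshold.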
Re: (Score:2)
Similarly companies who do mail shots for clients need this functionality if they're not going to totally confuse end users. Our company uses an external agency to do this on behalf of our clients and it's not feasible to transfer the email domain to allow the third party to send from the "legitimate" address because many of the clients manage their own email server for employee mail - all our mails are opt-in so the users have to specifically request them, it would be ridiculous to tell all those users the
Re:Checking Actual Email Address with Displayed? (Score:5, Interesting)
Well here's why that's tough. You can't check the email address it comes from typically because that would mean using the VRFY command, which no modern email server has enabled because it would allow spammers to simply poll an SMTP server for addresses and see if they are legit. They simply disable it or send all true responses.
The next check is DNS, verifying a mail record exists for the domain in question. Here's the problem with that. DNS can be messed up and mail will still function. Say you have a hosted domain but it lacks an mx record. Mail will still go out. So the server on the other end needs to make a choice. Throw it away or pass it through.
Re: (Score:2)
Okay thanks for the clarification. I know relatively little about email and how it is transmitted/received beyond how to use it :)
Re: (Score:1)
> Say you have a hosted domain but it lacks an mx
> record. Mail will still go out. So the server on
> the other end needs to make a choice. Throw it
> away or pass it through.
It doesn't have to be a binary choice based on one criterion. You can use a number of different checks (does the envelope sender match the From field, does either of them match the HELO domain, does the HELO domain match the sending IP address, is the message text or HTM
Little technology (Score:5, Funny)
"...And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."
Okay, I give up. What can little technology actually do about it? Is that like nanotechnology, but bigger?
Yes, I was bored. Back to work!
Re: (Score:2)
I realize you're picking linguistic nits here, but there is actually a serious answer to your question, and it's been known for a long time. If you want some sort of assurance that an email really comes from who it purports to come from, the email infrastructure as commonly deployed won't give you that. However, there are technologies that will.
PGP is one of them. With PGP, you can sign your message with public key cryptography. If you sign with your private key and upload your public key to a keyserver, th
Pretty much anything from linkedin is spam. (Score:5, Informative)
A couple of months ago, I got a "someone who knows you wants you to join" email from Linkedin. Someone had submitted my email address and wanted to "friend" me, and the entire contents of the "this person knows you because..." part was a spam website in China.
Any casual glance would show that it was spam.
Linkedin had "kindly" put a link at the bottom of the email saying "if this is spam, report it here". So I did, and the web page thanked me for reporting the spam.
Two weeks later, I got *ANOTHER* email from Linkedin, "helpfully" reminding me that I hadn't accepted the spammer's invitation
WTF?!?! I told them it was spam, and not only hadn't they banned the spammer, they were spamming for him!
Linkedin instantly went into my mailserver's blacklist. They're just fucking spammers.
Re: (Score:3, Insightful)
I've been on LinkedIn since 2006. It's really gone downhill.
Networking is a fine thing to do and makes sense, at least given that HR departments don't actually do their job. Unfortunately, there is a large contingent of markety types who seem to think that networking and motivational crap can completely take the place of actually doing work. And they are dominating LinkedIn right now.
Re: (Score:3, Funny)
LinkedIn has ALWAYS been crappy, in my opinion.
I got an invitation to join this wonderful networking site years ago. I checked out the site. My top competitor was on there, and he had befriended a bunch of clients. I grabbed them, and called the clients, and landed business with several of them. My competitor didn't know what hit him.
Yeah, watch out who you share your Outlook Contact list with. Geez, that should be a guarded secret, not a free-for-all posted on the internet!
Re: (Score:2)
I assume those people got better deal from you so I guess it was not bad for them that your competitor shared his contact list. :)
Re: (Score:2)
When a company posts a position on Monster and Careerbuilder (I get spam from both by the way), they are flooded with resumes. The situation is so bad that their human resources departments don't have the resources to sort through them all. They therefore use LinkedIn as a search tool for candidates without opening themselves
Re: (Score:2)
> I think you are being a bit harsh on Linkedin.
Then you don't understand what happened.
> Yeah, there is some spam. Spam is everywhere.
So that makes it OK to steal my bandwidth and annoy me? Fuck that!
> However, in this economy, corporations are turning to LinkedIn as a recruiting tool.
Besides "fuck them", this statement shows that you don't understand what happened.
Linkedin sent me email from a known spammer. This was not "recruitment", it was spam.
> There is spam on other sites as well
Name them. Name one that will send you OBVIOUS spam, even when you tell them it's spam and you don't want to receive it, just because they want you to join their service.
> it doesn't mean those sites are worthless.
Yes, it does. The first time it happened, I can understand it.
Re: (Score:2)
Or...it means there was a hole in their system, and instead of taking a moment to send an email to their tech department, you just decided to throw away the baby with the bath water.
I'm not sure what causes it, but the all or nothing approach, and holier than thou belief system that pervades the web is a little saddening
Re: (Score:2)
> So that makes it OK to steal my bandwidth and annoy me? Fuck that!
Yeah, "stealing" that oh so precious 5Kb of bandwidth.
> Linkedin sent me email from a known spammer. This was not "recruitment", it was spam.
By your logic every time I get a friend request from a random person and Facebook sends me a message that is spam.
> Name them. Name one that will send you OBVIOUS spam, even when you tell them it's spam and you don't want to receive it, just because they want you to join their service.
Let's see (granted, this is biased based on the mail I have received):
A) Scholarship "search" sites
B) Random colleges in the middle of nowhere
C) Any random software program that wants you to "register"
Of course, none of this mail makes it into my real mailbox because I have 2 main E-mail accounts, one is my personal e-mail th
Re: (Score:2, Interesting)
> Linkedin instantly went into my mailservers blacklist. They're just fucking spammers.
Don't be silly. It looks like a sort of bug in LinkedIn - they apparently do not remove pending requests from user's queue even if the request sender was reported by that user as a spammer. Simple as that.
This is nothing new (Score:5, Insightful)
SMTP works like real mail. Anyone can walk up to your mailbox and leave an envelope addressed to you from "Bill Gates". Unless you know how to look for signs that it was properly handled by the post service, you have no idea if it's real or not. We've known this since around 2400BC (because wikipedia says so).
Re: (Score:2)
It's OT but I had a moment of cognitive dissonance the other week when I opened a letter addressed to my wife's business from google. Never before had I seen their logo on paper. It took a moment to take in what I was seeing.
Re: (Score:3, Funny)
The postal service has a website too.
Re: (Score:2)
Never before had I seen their logo on paper
You've never printed out a map from GoogleMaps?
No.
Re: (Score:3, Informative)
> SMTP works like real mail. Anyone can walk up to your mailbox and leave an envelope addressed to you from "Bill Gates". Unless you know how to look for signs that it was properly handled by the post service, you have no idea if it's real or not. We've known this since around 2400BC (because wikipedia says so).
Actually, in the US, this is illegal, and it does get enforced. No one but the US Government is allowed to put something inside your mailbox, and you will probably find out if you try distributing leaflets for a commercial enterprise or political campaign. It may be illegal to forge an email, but that's different from delivering it.
Re: (Score:2)
That doesn't change the fact that I can walk up to your mailbox and leave an envelope with a fake return address, because your mailbox doesn't have a magical "government employee detector" that only allows mail delivery from certain people. It's not something that is built into the system; the law works on a completely different level. Just like SMTP, which allows anyone to deliver mails, and then people implement security measures on different layers (like spam filters, digital signatures, etc).
Re: (Score:1)
> SMTP works like real mail. Anyone can walk up to your mailbox and leave an envelope addressed to you from "Bill Gates". Unless you know how to look for signs that it was properly handled by the post service, you have no idea if it's real or not. We've known this since around 2400BC (because wikipedia says so).
Technically, putting anything into a mailbox (not for them to pick up, but as a delivery), is illegal, with a fine of up to $300 per item plus postage. It seems this is only illegal if you don't put postage on the letter though.
Crimes and Criminal Procedure - 18 USC Section 1725
Legal Research Home > US Lawyer > Crimes and Criminal Procedure > Crimes and Criminal Procedure -
18 USC Section 1725
01/19/04
Sec. 1725. Postage unpaid on deposited mail matter
Whoever knowingly and willfully deposits any mailable matter such as statements of accounts, circulars, sale bills, or other like matter, on which no postage has been paid, in any letter box established, approved, or accepted by the Postal Service for the receipt or delivery of mail matter on any mail route with intent to avoid payment of lawful postage thereon, shall for each such offense be fined under this title. AMENDMENTS 1994 - Pub. L. 103-322 substituted "fined under this title" for "fined not more than $300". 1970 - Pub. L. 91-375 substituted "Postal Service" for "Postmaster General". EFFECTIVE DATE OF 1970 AMENDMENT Amendment by Pub. L. 91-375 effective within 1 year after Aug. 12, 1970, on date established therefor by Board of Governors of United States Postal Service and published by it in Federal Register, see section 15(a) of Pub. L. 91-375, set out as an Effective Date note preceding section 101 of Title 39, Postal Service.
Mod parent thick as two short planks (Score:2)
What? Someone other than a postal worker placing a letter in your (house's) mailbox, addressed to you, is mail fraud? I do not think mail fraud [wikipedia.org] is what you think it is. Did you even read what you wrote, or what you replied to?
What if the person was a postal worker but not a delivery agent?
What if the person was a delivery agent but your house is not on his route?
What if the person was a delivery agent but it's 3 in the morning?
I'm sure all the Bill Gates in the world would love to know that according to you
Re: (Score:2)
He'd be arrested. The city bans ALL junk mail like fliers and crap between 8pm and 7am. ANY delivery at 3am is going to get you a conversation with the cops over here.
Re: (Score:2)
>>What if the person was a delivery agent but it's 3 in the morning?
>He'd be arrested. The city bans ALL junk mail like fliers and crap between 8pm and 7am. ANY delivery at 3am is going to get you a conversation with the cops over here.
What city?
What happens if I'm hand-delivering a letter that isn't a flier and isn't junk mail? Do I still get harassed for no reason?
Re: (Score:2)
>>>What if the person was a delivery agent but it's 3 in the morning?
>>He'd be arrested. The city bans ALL junk mail like fliers and crap between 8pm and 7am. ANY delivery at 3am is going to get you a conversation with the cops over here.
>What city?
>What happens if I'm hand-delivering a letter that isn't a flier and isn't junk mail? Do I still get harassed for no reason?
If you're trying to hand-deliver a letter at 3 in the morning, you'd better call ahead of time. Parcels and
Re: (Score:1, Offtopic)
> If you're trying to hand-deliver a letter at 3 in the morning, you'd better call ahead of time.
What? And wake people up? Isn't it much more polite to just leave the letter in their box so that they can get to it when they're ready?
> It's not for "no reason" any more than not allowing people to run circular saws at 5am is "no reason." People have a right to live in peace, and that means no circulars or other crap dumped in their mailbox or on their porch after 8pm in most municipalities - we demanded the laws be passed in city council specifically to deal with the mountain of useless crap advertisers want us to pay to recycle.
Whoa whoa whoa! For a second there I thought you said there was a law against using a circular saw at 5AM. If true, that's ridiculously outrageous.
As for the rest, I am not talking about delivering a package or receiving junk mail. I am talking about me, let's say a love sick young man, hand delivering a note to a young lady's mailbox at an ungodly hour (because that's when
Re: (Score:2)
There IS a law against using power tools before 7am - and ALL heavy equipment - in my municipality, and in most others. Ditto for any sort of construction work. The only exceptions are emergency work and civic and utility maintenance crews - and the utilities have to apply for a permit. There's nothing worse than some idiot doing their "home improvements" through midnight on a week-night when kids have to sleep, or starting at 6 am on a Sunday morning when all us normal "heathens" want to just sleep in un
Re: (Score:2)
The email jab notwithstanding, chances are that for most people a call would be less appreciated than a silent drop-off of a note.
I'm all for stopping bad actors, but someone disturbing you with power tools is just insensitive and need not have the law thrown at him. I bet you're a member of a home-owner's association, too, and like to make sure your neighbor's lawn is a regulation height! Behavior should be at least grossly overbearing before the law is involved. Passing broad laws to target specific sorts
Re: (Score:2)
Fortunately, there's no such thing as a home-owner association up here. You can paint your door whatever colour you want, you can sit nekked in your back yard as long as there's a privacy fence, you can hang up your laundry on a clothesline, or park an ugly car on your lawn or a boat in your driveway if that floats your boat. What you CAN'T do is disturb the peaceable enjoyment of other people. Your rights stop where others begin.
And dropping off notes at 3am gets a lot of people's dogs barking ... and
Re: (Score:2)
Home owner's associates would tend to claim that being an eyesore is disturbing the peace of others.
I'm willing to believe that there was a serious issue which was solved by passing these laws, but I don't think it could possibly be the right solution to the problem. There's nothing inherently harmful in dropping off a note at 3AM, given that not everybody has dogs. Punishing people for acting in good faith is never a good idea. Fining people for behaving in an average way is not a good idea. I'm sure your
Re: (Score:2)
That's your problem - we don't have "home-owners associations" up here. Maybe you should pass a law to ban them.
How about this - There's nothing inherently harmful in shooting into an open window, seeing as most rooms are unoccupied. Doesn't work. Even if there's zero probability of harm, you simply don't
Re: (Score:2)
>>Home owner's associates would tend to claim that being an eyesore is disturbing the peace of others.
>That's your problem - we don't have "home-owners associations" up here. Maybe you should pass a law to ban them.
I agree, and I'd love to. Some people seem to want them, though I've never met one who will admit to it. FYI, your municipal laws are acting a lot like home owner's association rules in that one is not permitted to opt out (except by being told "don't live there") and the rules themselves are arbitrary and draconian.
>There is NO reason to be dropping notes off in people's mailboxes at 3am.
I already outlined a scenario in which someone might without having any evil intent.
>If that person doesn't have a dog, the neighbours across the street, or next door, do. Plus, you're trespassing, same as the local public security guy can't go into the driveway after dark to check for up-to-date car registrations or other issues
It's certainly not trespassing. What's the mailbox there for if no one is permitted to access it? The whole po
Re: (Score:2)
And I already showed that it not only is criminal trespass, not just here, but probably where you live as well. Try that on a dark night in much of the USA and see how quickly you get your head blown off.
The Limits of Security (Score:4, Insightful)
Re: (Score:2)
Why do we have to pick? We could just have a secure messaging system that encrypts and signs messages for intended recipients. If you can read it, congratulations, it's from who it says it's from (unless they hacked the endpoint, of course--but that's a good deal better than what we have now, innit?).
Ah, but if only we had such a system. ahemcoughcoughwavecoughcough
Outlook Express? (Score:1)
Why would anyone expect the client to be able to filter out phishing attacks, unless it's looking up against some centralized DB?
Re: (Score:1)
Because the web mail services all do it?
This is research? Where's the beef? (Score:5, Insightful)
All of the tools listed don't work by verifying the identity of the sender. If you fail to look/behave like a spammer/cracker/phisher, your email will get through unless you use a white list at which point 99% of people outside your list won't know how to get an email to you even though the rejection letter spells out the correct procedure. I wonder how many people actually tried to join Bill's linkedin account and of those what percentage thought it may actually *be* Bill. I'm gonna guess it's somewhere around zero.
Now excuse me, I have to get back to forwarding Bill's email I got to 20 people so I have a chance at the million dollar prize.
Re: (Score:2, Funny)
> Now excuse me, I have to get back to forwarding Bill's email I got to 20 people so I have a chance at the million dollar prize.
Wow you're lucky! In Mexico, Bill Gates was about to close down hotmail.mx but thanks to everyone forwarding that e-mail MS saw that people used it and prevented its closure! Too bad they didn't have a chance at that prize...
Re:Research no, risky possibly? (Score:3, Interesting)
Actually I think this might just be against the law and the researcher may have painted a big bullseye on his wallet for any one of these people who think they've been 'harmed' by believing they were actually invited by Bill Gates.
There are a lot of stupid internet laws out there and I'm sure the prosecutors/"victims" like nothing more than someone who provides all the evidence in a nice research report ready for prosecution.
What's even worse... (Score:2)
What a crap story (Score:5, Insightful)
secondly what a piece of garbage, the mail products ALL did what they were supposed to, looking at how the email was constructed there was no piece of information in it that would allow any of the products to automatically detect it as an attack, sadly this is the nature of how SMTP mail is built, there is no easy way to determine a real email from fake one as is easily demonstrated by the 100% failure of every product, or more to the point the 100% failure of the researchers in understanding what they are doing, claiming they were trying to measure the levels of security is just complete crap, all they are after is publicity on a well known and understood technology and its many flaws.
Re:What a crap story (Score:5, Funny)
If computers could magically detect bullshit the way this journalist thinks they ought to be able to, I'd have them filtering the goddamned newspaper.
Re: (Score:2)
No magic required. Just a mail system that doesn't make it so easy to forge a return address. Like a lot of tech that dates back to the pre-commercial internet, SMTP takes too much on trust.
Re: (Score:2)
It would be really quiet here in Slashdot too.
More than just MS products (Score:1)
> Firstly why is MS singled out in the slashdot version of the story? 100% of mail products failed this so called test.
I noticed this too. Although the summary chooses to mention a few Microsoft products and Cisco Ironport, here is the list from the article:
Microsoft and Cisco products, including users with GoDaddy's hosted email, Voltage, RackSpace/MailTrust hosted email, Webroot SaaS Email Security, Verizon Email Cloud Filtering with MessageLabs, a Linux and SpamAssassin configuration, SonicWall's
Re: (Score:1)
I don't see how they could've excluded Google. I use Outlook+Exchange, Gmail, and Yahoo mail on a regular basis (work, personal, shopping) and Gmail is the gold standard. Outlook and Yahoo are a joke.
Re: (Score:2)
> Firstly why is MS singled out in the slashdot version of the story? 100% of mail products failed this so called test.
New here? Best way to get to the front page of Slashdot is to bash Microsoft.
Re: (Score:1)
You know the reason - Slashdot is EXTREMELY biased against Microsoft to the point of irrationality at times. Gets rather tiring at times, but hey, every source of media has some bias (except perhaps Reuters).
LOLWUT? (Score:3, Insightful)
What's the point of this? If you send someone an email, they'll get it? God, I hope so! That used to be the norm before spammers poisoned the well.
I don't think that word means... (Score:2, Insightful)
Phishing attacks would presumably be trying to get some otherwise secured info from the victim. What would the victim of this attack provide in response to this email? Credit card info? Online banking credentials? Warcraft account info? sheesh. As someone above stated, the guy sent an email and it got through. No news there. This isn't phishing, it's spam. And not even good spam. I would bet more people would be trying to buy cheap viagra than join Bill's Linkedin.
Re: (Score:1, Informative)
That's ok, we didn't expect you to read the article:
"He used his own phishing framework tool, called User Attack Framework, which automated the "attack," helped him track the success of the phish, and captured information about the "victim" once the person clicked on the "invite" and was sent to the phishing site, such as his IP address, user ID, location, browser, operating system, and other Website statistics."
"He also plans to go the next step and apply browser and other exploits to the phony phishing si
This is no news. (Score:1)
This shouldn't have been on /.! ... the same applies to anything in this world including virus/worm/trojan checkers, any other spam/email/whatever. ... ... always.
Scammers have been tricking people since 1000's of years always trying to "stay ahead" of what people have learned
There are many sales people who will sell you something you don't need and most of people who bought the stuff walk away "happy" not realizing they were scammed "legitimately"
Any of us need to learn/see when we are getting scammed
E-mail messages get delivered! (Score:2)
Be afraid!
Re: (Score:1)
ROTFLOL.
Thank you, this made my day!
Not too obvious.. (Score:3, Funny)
Oh, that would have fooled me. It would have been more tricky if they'd added something like:
The article is a wank / PR press release, but .... (Score:2, Insightful)
Dark Reading (ooh, spooky) as is their wont, lists no actual details so we don't know what the guy actually did. But mail clients in general are pretty hopeless at interpreting "who" a message is from. There are several fields that can be used - the actual sending address (the "mail from:" in the SMTP exchange), Reply-to:, From:, Sender:. There is no agreed prioritisation that I know of as to what actually goes in the "From" that we see in the client...
I once had a weird circumstance where messages from a m
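The sender fields listed in the comment above, as an added example that is not part of the original thread: a check that pulls each identity out of a message and reports which ones disagree with the `From:` a client displays. The sample message, its `.example` domains and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every address uses a reserved .example domain.
SAMPLE = """\
Return-Path: <bounce@bulk-sender.example>
From: "Bill Gates" <invitations@social.example>
Sender: mailer@bulk-sender.example
Reply-To: collect@other.example
To: user@corp.example
Subject: Invitation to connect

Click to accept.
"""

def domain_of(value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(value)[1].rpartition("@")[2].lower()

def sender_identities(raw_message, envelope_from):
    """Map each sender-identifying field to its domain.

    envelope_from is the SMTP MAIL FROM address, which the receiving
    server sees during the exchange and which is not a message header.
    """
    msg = message_from_string(raw_message)
    identities = {"envelope": domain_of(envelope_from)}
    for header in ("From", "Sender", "Reply-To"):
        if msg[header]:
            identities[header] = domain_of(msg[header])
    return identities

def misaligned(identities):
    """Fields whose domain differs from the displayed From: domain."""
    shown = identities.get("From", "")
    return sorted(k for k, v in identities.items() if k != "From" and v != shown)

if __name__ == "__main__":
    ids = sender_identities(SAMPLE, "bounce@bulk-sender.example")
    print(ids)
    print("disagree with From:", misaligned(ids))
```

A mismatch is a signal to surface to the reader, not proof of forgery, since outsourced senders legitimately produce the same pattern.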
TrueDomain (Score:2)
I use Fastmail.fm (a fantastic service) for my e-mail and I noticed something new in my inbox yesterday. Little icons now appear next to messages from LinkedIn, Facebook, etc. to indicate that the origin of the message has been verified through some new service called Truedomain. Anybody know the technical details?
Re: (Score:3, Informative)
http://blog.fastmail.fm/2010/01/06/truedomain-anti-phishing-and-email-authentication/ [fastmail.fm]
describes the way Truedomain operates. We run a milter which applies X-Truedomain-* headers (view source on those messages - you'll see that even the Logo image is added on a per-message basis as a Base64 encoded header).
We're also planning to colour messages from known senders (in your address book) and offer a link to the address book entry that caused them to be trusted, as well as labelling messages that have gone entirely
Re: (Score:2)
So what happens when I spoof the X-Truedomain headers? It seems that this solution just pushes the verification off to someone else, but doesn't actually solve the problem.
I read your link, which really only says, "Truedomain does the verification and we trust Truedomain." No details. So I looked at the Truedomain [truedomain.net] web site. It is
Re: (Score:2)
http://en.wikipedia.org/wiki/Milter [wikipedia.org]
It's a standard technical name for an API, which is why I can say it with a straight face rather than obfuscate around it. The package is called truedomain-milter, for obvious reasons.
If you spoof the headers they'll be dropped on receipt. Note that the message still has to pass DKIM or SPF as well.
Now - if you upload a spoofed message via IMAP you can fool our web interface, but the only person who's going to see that is you or someone else who's shared your folders.
And
SPF (Score:2)
linkedin.com text = "v=spf1 ip4:70.42.142.0/24 ip4:208.111.172.0/24 ip4:64.74.220.0/24 ip4:64.74.221.0/26 ip4:64.71.153.211 ip4:64.74.221.30 ip4:69.28.149.0/24 ip4:208.111.169.128/26 ip4:64.74.98.128/26 ip4:64.74.98.16/29 mx ~all"
That is ~all and not -all. So LinkedIn is happy with any IP sending mail in their name. It will only cause a soft fail and no MTA should reject the message as fake. It's hardly the fault of mail clients here.
Re: (Score:2)
Eh? (Score:1)
This article simply states the obvious. (Score:1)
Not to mention, it was written back in October.
Regardless, anyone that deals with spam on any level knows that targeted attacks (spear phishing...who the hell coined that?) are *not* the primary focus of appliances like the Ironport. Being an Ironport admin I know from experience with both Ironport and Puremessage (PerlMX) that the priority of these devices is to focus on QUANTITY. The volume of messages coming into a firm or company is more important than the targeted individual, not to mention that the ta
Oh, come on. (Score:2)
None of the products in question make any pretense of validating "spoofed" addresses. And by "spoofed" we mean only that the originating address does not match the server used to send the email. Which is a commonplace and valid scenario for many people who outsource web site hosting and email.
What this "article" is really about: "Look at me, I can state the obvious! Come read my site!"
Looking a little closer at the about page, I see what: "The InformationWeek Business Technology Network is a network