Fake "Bill Gates" Message Dupes Top Tools
yahoi writes with this excerpt from Dark Reading that might raise sysadmins' eyebrows about email security, in particular given the big names involved: "A researcher who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from 'Bill Gates' is about to reveal the email products and services that failed to filter the spoofed message — and that list includes Microsoft Outlook 2007, Microsoft Exchange, Outlook Express, and Cisco IronPort. ... The experiment was aimed at measuring the effectiveness of email security controls in several major products and services. And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."
I didn't RTFA, but I'd be pissed if my email server filtered out someone's email just because they had the name "Bill Gates". You know the famous one doesn't have a monopoly on that name, right?
SMTP is broken. Deal with it
You know, Steve Jobs may not be the most likeable fellow around, but that hardly makes it okay to call him a 'tool.'
"A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
So none of these products compared the actual email address being used with the displayed one in the message? That would seem to me to be about the most obvious security check one could think of with regards to email.
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
"...And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."
Okay, I give up. What can little technology actually do about it? Is that like nanotechnology, but bigger?
Yes, I was bored. Back to work!
A couple of months ago, I got a "someone who knows you wants you to join" email from Linkedin. Someone had submitted my email address and wanted to "friend" me, and the entire contents of the "this person knows you because..." part was a spam website in China.
Any casual glance would show that it was spam.
Linkedin had "kindly" put a link at the bottom of the email saying "if this is spam, report it here". So I did, and the web page thanked me for reporting the spam.
Two weeks later, I got *ANOTHER* email from Linkedin, "helpfully" reminding me that I hadn't accepted the spammer's invitation.
WTF?!?! I told them it was spam, and not only hadn't they banned the spammer, they were spamming for him!
Linkedin instantly went into my mailservers blacklist. They're just fucking spammers.
SMTP works like real mail. Anyone can walk up to your mailbox and leave an envelope addressed to you from "Bill Gates". Unless you know how to look for signs that it was properly handled by the post service, you have no idea if it's real or not. We've known this since around 2400BC (because wikipedia says so).
--
Stay tuned for some shock and awe coming right up after this message!
Whoever thinks this is a big issue should evaluate how much security we can expect from computers. Scams like this can be pulled off by sending IRL mail as well and are equally hard to detect by humans. Why should we expect an automated algorithm to be able to detect it? Scams like this are only going to stop when every move you make on the Internet can be tracked down straight back to you. We're getting closer and closer to a decision: Privacy or security. What's Slashdot's pick?
Why would anyone expect the client to be able to filter out phishing attacks, unless it's looking up against some centralized DB?
rooooar
So the "researcher" sends an email pretending to be B. Gates and the message got through? OMG! Seriously, where's the "phishing" part? Did he have them click on a link? What was the success rate of that? Linkedin is fairly safe - there's not a whole lot of sensitive information there (unless past work history is "sensitive") - it doesn't ask you for your SSN, address, credit card no, etc. Asking a victim to supply that info to join someone's linkedin group would surely raise suspicion and alert people that it's a fake. There's no real meat to the article here. Either the reporter reporting on this story has missed an important part of the story (likely) or the researcher has just discovered that you can email anyone and pretend to be anyone.
All of the tools listed don't work by verifying the identity of the sender. If you fail to look/behave like a spammer/cracker/phisher, your email will get through unless you use a white list at which point 99% of people outside your list won't know how to get an email to you even though the rejection letter spells out the correct procedure. I wonder how many people actually tried to join Bill's linkedin account and of those what percentage thought it may actually *be* Bill. I'm gonna guess it's somewhere around zero.
Now excuse me, I have to get back to forwarding Bill's email I got to 20 people so I have a chance at the million dollar prize.
It not only duped the top tools, it also duped the software that those big tools were running as well!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Firstly why is MS singled out in the slashdot version of the story? 100% of mail products failed this so called test.
Secondly, what a piece of garbage. The mail products ALL did what they were supposed to. Looking at how the email was constructed, there was no piece of information in it that would allow any of the products to automatically detect it as an attack. Sadly this is the nature of how SMTP mail is built: there is no easy way to determine a real email from a fake one, as is easily demonstrated by the 100% failure of every product, or more to the point the 100% failure of the researchers in understanding what they are doing. Claiming they were trying to measure the levels of security is just complete crap; all they are after is publicity on a well known and understood technology and its many flaws.
What's the point of this? If you send someone an email, they'll get it? God, I hope so! That used to be the norm before spammers poisoned the well.
Phishing attacks would presumably be trying to get some otherwise secured info from the victim. What would the victim of this attack provide in response to this email? Credit card info? Online banking credentials? Warcraft account info? sheesh. As someone above stated, the guy sent an email and it got through. No news there. This isn't phishing, it's spam. And not even good spam. I would bet more people would be trying to buy cheap viagra than join Bill's Linkedin.
I'm amazed the "researcher" didn't already know this, especially that "tools" such as Outlook would not catch them. Outlook is an email CLIENT.
This "spoofing" has been going on for a long time now, and often for legitimate means like: Mass-email marketing companies, online retailers (email this item to a friend!) and even online news like yahoo/google. Spoofing an email address isn't considered a no-no.
Proper email security software will see these though. What you do with them is up to you (send them for junk, or tag them)..I'd be amazed if anyone quarantines or deletes.
Social Engineering will always (probably) work..If someone calls a user and tells them to open the doors, and said user does so, there's only so much admins can do, other than find out who opened the doors.
ps..Outlook express??? I mean, seriously? LMAO
Something like policyd-weight would have blocked that mail without big issues. Spoofing a message is nothing new and nothing special. I block gazillions of them per day. What is the big deal?
Email is broken; bootstrapping garbage like SPF, DomainKeys, SenderID, or whatever you want to it is not going to fix it. The entire thing needs to be scrapped and rebuilt.
Firstly why is MS singled out in the slashdot version of the story? 100% of mail products failed this so called test.
I noticed this too. Although the summary chooses to mention a few Microsoft products and Cisco Ironport, here is the list from the article:
Microsoft and Cisco products, including users with GoDaddy's hosted email, Voltage, RackSpace/MailTrust hosted email, Webroot SaaS Email Security, Verizon Email Cloud Filtering with MessageLabs, a Linux and SpamAssassin configuration, SonicWall's Email Security appliance, LinuxMail with greylisting, Opera Mail, and Mozilla Thunderbird, iPhone, BlackBerry, and Palm Pre
Not quite 100%, but it looks like most.
Now excuse me, I have to get back to forwarding Bill's email I got to 20 people so I have a chance at the million dollar prize.
Wow you're lucky! In Mexico, Bill Gates was about to close down hotmail.mx but thanks to everyone forwarding that e-mail MS saw that people used it and prevented its closure! Too bad they didn't have a chance at that prize...
My abilities are only limited by my imagination
despite the dumb concept of the initial "exploitz", i like the next step stated in tfa:
"The next part we're going to dive into is applying browser, Adobe, and JavaScript exploits..."
really?
so let me get this straight.
in order to make your security firm noticed, you're going to demonstrate existing security concerns and exploit them?
yes, this is who i'd want to go with for my company security. oh yes.
i have a good idea, i'm going to get a new IT job and show how vulnerable the systems are to being knocked offline by unplugging the wires from the back of each machine. yes. then i will make more money because i show a new exploitz and can write an article about it showing how unsecured the computers are. yes. i am the famous now! yes!
This shouldn't have been on /.! ... the same applies to anything in this world including virus/worm/trojan checkers, any other spam/email/whatever. ... ... always.
Scammers have been tricking people for thousands of years, always trying to "stay ahead" of what people have learned.
There are many sales people who will sell you something you don't need, and most of the people who bought the stuff walk away "happy", not realizing they were scammed "legitimately".
Any of us need to learn/see when we are getting scammed
to code or not to code, that is the question.
Be afraid!
To blog is sublime
Bill G. really is my LinkedIn buddy. In fact, he's going to send me a cashier's check for $1M as soon as I reimburse him for the bank fee. So there.
Actually I think this might just be against the law and the researcher may have painted a big bullseye on his wallet for any one of these people who think they've been 'harmed' by believing they were actually invited by Bill Gates.
There are a lot of stupid internet laws out there and I'm sure the prosecutors/"victims" like nothing more than someone who provides all the evidence in a nice research report ready for prosecution.
Oh, that would have fooled me. It would have been more tricky if they'd added something like:
Dark Reading (ooh, spooky) as is their wont, lists no actual details so we don't know what the guy actually did. But mail clients in general are pretty hopeless at interpreting "who" a message is from. There are several fields that can be used - the actual sending address (the "mail from: " in the SMTP exchange), Reply-To:, From:, Sender:. There is no agreed prioritisation that I know of as to what actually goes in the "From" that we see in the client...
I once had a weird circumstance where messages from a mail script I wrote using the MIME::Entity perl module were being received as from "nobody". I hadn't specified the sender field in the entity mail object and the module thoughtfully provided one for me, using the owner of the process running the script. So even though the reply-to and from fields were correctly set, I got a number of calls about who this nobody was....
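The check the two comments above describe (the displayed sender versus the address actually used, and the several header fields a client might draw its "From" line from), as an added example that is not part of the original thread. The messages it inspects are constructed for this example and use reserved .example domains; only the header names are real RFC 5322 fields.

```python
"""Pull every sender-related header out of a raw RFC 5322 message and
report the inconsistencies a mail client hides behind a single "From"
line.  Sample messages below are constructed for this example."""
from email import message_from_string
from email.utils import parseaddr

# Fields a client may show as the sender: envelope sender (as recorded in
# Return-Path), then Sender, From and Reply-To from the header block.
SENDER_HEADERS = ("Return-Path", "Sender", "From", "Reply-To")


def sender_identities(raw_message):
    """Return {header: (display_name, address, domain)} for each sender
    header present.  Address and domain are lower-cased; a header that is
    absent from the message is simply omitted."""
    msg = message_from_string(raw_message)
    identities = {}
    for header in SENDER_HEADERS:
        value = msg.get(header)
        if value is None:
            continue
        name, addr = parseaddr(value)
        domain = addr.rpartition("@")[2].lower()
        identities[header] = (name, addr.lower(), domain)
    return identities


def sender_findings(raw_message):
    """List the mismatches between what the user sees (From) and the other
    sender fields.  An empty list means every field agrees."""
    ids = sender_identities(raw_message)
    if "From" not in ids:
        return ["no From header present"]
    from_name, _from_addr, from_domain = ids["From"]
    findings = []
    for header in ("Return-Path", "Sender", "Reply-To"):
        if header in ids and ids[header][2] != from_domain:
            findings.append(
                f"{header} domain {ids[header][2]!r} differs from "
                f"From domain {from_domain!r}")
    # A display name that itself looks like an address at another domain,
    # e.g. From: "ceo@bigcorp.example" <random@freemail.example>.
    if "@" in from_name:
        name_domain = from_name.rpartition("@")[2].lower().strip('"')
        if name_domain != from_domain:
            findings.append(
                f"display name claims {name_domain!r} but the address "
                f"is at {from_domain!r}")
    return findings


# Constructed sample: an invitation whose visible name says one thing
# while Reply-To and the envelope sender point somewhere else.
SPOOFED = """\
Return-Path: <bounce-1234@bulkmailer.example>
From: "Bill Gates" <invitations@linkedin.example>
Reply-To: Bill Gates <bill.gates@freemail.example>
To: victim@corp.example
Subject: Bill Gates wants to connect

Accept the invitation at the link below.
"""

# Constructed sample in which every sender field agrees.
CONSISTENT = """\
Return-Path: <bounce@linkedin.example>
From: LinkedIn Invitations <invitations@linkedin.example>
To: victim@corp.example
Subject: Someone wants to connect

Body.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("consistent", CONSISTENT)):
        print(label, sender_findings(raw) or "no findings")
```

A finding here is not proof of forgery; outsourced bulk mailers legitimately produce a Return-Path at a different domain, which is exactly why clients do not flag it by default. The value of the check is that it surfaces the fields a client normally never shows, so a filter rule or a human can decide.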
One can prevent spoofed email using filters, etc., at least with Unix/Linux-based mail transfer agents; presumably this can also be done with MS Exchange. So the breathless report that 100% of the spoofed messages got through just indicates the low priority spoofing has in those administrators' minds.
I am not a robot. I am a unicorn.
I use Fastmail.fm (a fantastic service) for my e-mail and I noticed something new in my inbox yesterday. Little icons now appear next to messages from LinkedIn, Facebook, etc. to indicate that the origin of the message has been verified through some new service called Truedomain. Anybody know the technical details?
Ask me about my sig!
It's not your fault. Lack of education is a problem these days.
Did you even read the report? Everyone who participated knew it was a fake "SPOOFED" email with phishing links. The intent was to determine if the email security systems could identify the attack.
What? Someone other than a postal worker placing a letter in your (house's) mailbox, addressed to you, is mail fraud? I do not think mail fraud is what you think it is. Did you even read what you wrote, or what you replied to?
What if the person was a postal worker but not a delivery agent?
What if the person was a delivery agent but your house is not on his route?
What if the person was a delivery agent but it's 3 in the morning?
I'm sure all the Bill Gates in the world would love to know that according to you, if they live in, or move to the US, they should change their name to avoid committing mail fraud every time they send an item by post. Does that apply to all duplicate names or just those you happen to like?
You're an idiot (and I must be bored on holiday if I'm responding to ObviousTroll). Next time at least make SOMETHING in your troll plausible!
linkedin.com text = "v=spf1 ip4:70.42.142.0/24 ip4:208.111.172.0/24 ip4:64.74.220.0/24 ip4:64.74.221.0/26 ip4:64.71.153.211 ip4:64.74.221.30 ip4:69.28.149.0/24 ip4:208.111.169.128/26 ip4:64.74.98.128/26 ip4:64.74.98.16/29 mx ~all"
That is ~all and not -all. So linkedin is happy with any IP sending mail in their name. It will only cause a soft fail and no MTA should reject the message as fake. It's hardly the fault of mail clients here.
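To make the ~all versus -all point concrete, here is an added example (not from the thread) that evaluates the ip4 mechanisms and the final "all" qualifier of the SPF record quoted above, offline. The sending IPs are constructed test values; the "mx" mechanism and anything else that needs DNS is skipped and treated as non-matching, which is an assumption of this example rather than RFC 7208 behaviour.

```python
"""Offline evaluation of an SPF record's ip4 mechanisms and "all" term.
The record string is the one quoted in the comment above; sending IPs
used for illustration are constructed.  DNS-dependent mechanisms (mx, a,
include, redirect) are not resolved here."""
import ipaddress

LINKEDIN_SPF = ("v=spf1 ip4:70.42.142.0/24 ip4:208.111.172.0/24 ip4:64.74.220.0/24 "
                "ip4:64.74.221.0/26 ip4:64.71.153.211 ip4:64.74.221.30 ip4:69.28.149.0/24 "
                "ip4:208.111.169.128/26 ip4:64.74.98.128/26 ip4:64.74.98.16/29 mx ~all")

# RFC 7208 qualifier prefix -> result name; no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        # partition on the first ':' only, so ip6 arguments keep their colons
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms


def check_spf(record, sender_ip):
    """Return pass / fail / softfail / neutral for sender_ip against record.
    Only ip4, ip6 and all are evaluated; other mechanisms are skipped
    (assumption for this offline example)."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            # a bare address such as ip4:64.71.153.211 is a /32
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        # mx, a, include, exists, redirect= ... would need a resolver
    return "neutral"  # RFC 7208 4.7: nothing matched and no redirect


def mta_rejects(result):
    """Policy a typical MTA applies: only a hard fail is grounds for a 5xx
    reject; softfail and neutral are accepted and at most tagged."""
    return result == "fail"


if __name__ == "__main__":
    hardened = LINKEDIN_SPF.replace("~all", "-all")
    for ip in ("70.42.142.10", "64.74.98.20", "198.51.100.7"):
        print(ip, "published:", check_spf(LINKEDIN_SPF, ip),
              "with -all:", check_spf(hardened, ip))
```

Run it and the constructed outside address 198.51.100.7 comes back softfail under the published record, which no receiving MTA treats as a reason to reject; the same record with -all yields fail. That is the whole difference the comment is pointing at, and it sits with the domain owner, not the mail client.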
What - we didn't already know this? Erf...c'mon, wake up...
YankDownUnder Veni, Vidi, volo in domum redire
Not to mention, it was written back in October.
Regardless, anyone that deals with spam on any level knows that targeted attacks (spear phishing...who the hell coined that?) are *not* the primary focus of appliances like the Ironport. Being an Ironport admin I know from experience with both Ironport and Puremessage (PerlMX) that the priority of these devices is to focus on QUANTITY. The volume of messages coming into a firm or company is more important than the targeted individual, not to mention that the target should exercise a little discretion and common sense when opening an email message coming from *anyone*, especially someone (in)famous like Bill Gates.
Local mail reader programs (and spam admins with time on their hands) are the front lines for targeted email attacks. Just like a good suit of armor, any good firewall design uses multiple devices to prevent penetration. The same thing holds true with email, and the targeted attack that gets past the first layer of security (routing MTA or spam appliance) should be handled by the second layer (the Mail Server) or the third layer (the desktop client).
From my own personal experience, custom rulesets are created on the Ironport or the Outlook/Lotus Notes client and the targeted attack is usually dealt with "after the fact". It's unfortunate that it gets done that way, but coming from a firm that used to handle millions of messages a day, the frequency of targeted attacks relative to volume was insignificant. Either way, this is nothing new. It's like discovering the moon.
-Phil
To avoid corruption, one must remain dishonest.
None of the products in question make any pretense of validating "spoofed" addresses. And by "spoofed" we mean only that the originating address does not match the server used to send the email. Which is a commonplace and valid scenario for many people who outsource web site hosting and email.
What this "article" is really about: "Look at me, I can state the obvious! Come read my site!"
Looking a little closer at the about page, I see what: "The InformationWeek Business Technology Network is a network of market-leading Web sites that provide technology buyers with the information, perspective, and tools they need to make the right decisions for their businesses. "