Fake "Bill Gates" Message Dupes Top Tools
yahoi writes with this excerpt from Dark Reading that might raise sysadmins' eyebrows about email security, in particular given the big names involved: "A researcher who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from 'Bill Gates' is about to reveal the email products and services that failed to filter the spoofed message — and that list includes Microsoft Outlook 2007, Microsoft Exchange, Outlook Express, and Cisco IronPort. ... The experiment was aimed at measuring the effectiveness of email security controls in several major products and services. And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."
SMTP is broken. Deal with it.
You know, Steve Jobs may not be the most likeable fellow around, but that hardly makes it okay to call him a 'tool.'
"A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
"...And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."
Okay, I give up. What can little technology actually do about it? Is that like nanotechnology, but bigger?
Yes, I was bored. Back to work!
The issue isn't who (near as I can tell) as much as it is the commonality of e-mail originating from servers not identified in the e-mail.
Blocking mail like that was a topic of discussion in the '90s, but by that time the number of mail servers that no longer resolved to the domains they serviced was large enough that it was useless anymore.
I may not have all my facts straight, but that's my understanding.
Platform advocacy is like choosing a favorite severely developmentally disabled child.
A couple of months ago, I got a "someone who knows you wants you to join" email from Linkedin. Someone had submitted my email address and wanted to "friend" me, and the entire contents of the "this person knows you because..." part was a spam website in China.
Any casual glance would show that it was spam.
Linkedin had "kindly" put a link at the bottom of the email saying "if this is spam, report it here". So I did, and the web page thanked me for reporting the spam.
Two weeks later, I got *ANOTHER* email from Linkedin, "helpfully" reminding me that I hadn't accepted the spammer's invitation
WTF?!?! I told them it was spam, and not only hadn't they banned the spammer, they were spamming for him!
Linkedin instantly went into my mailservers blacklist. They're just fucking spammers.
SMTP works like real mail. Anyone can walk up to your mailbox and leave an envelope addressed to you from "Bill Gates". Unless you know how to look for signs that it was properly handled by the post service, you have no idea if it's real or not. We've known this since around 2400 BC (because Wikipedia says so).
--
Stay tuned for some shock and awe coming right up after these messages!
Right. Much better to delete a message just because it came from LinkedIn.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
You know the famous one doesn't have a monopoly on that name, right?
Well, it would be rather fitting if he did.
God invented whiskey so the Irish would not rule the world.
It wasn't the name he expected to be filtered, but the fact that the email was spoofed, i.e. it appeared to come from a different server than it actually came from.
This space intentionally left blank.
Whoever thinks this is a big issue should evaluate how much security we can expect from computers. Scams like this can be pulled off by sending IRL mail as well and are equally hard to detect by humans. Why should we expect an automated algorithm to be able to detect it? Scams like this are only going to stop when every move you make on the Internet can be tracked down straight back to you. We're getting closer and closer to a decision: Privacy or security. What's Slashdot's pick?
So the "researcher" sends an email pretending to be B. Gates and the message got through? OMG! Seriously, where's the "phishing" part? Did he have them click on a link? What was the success rate of that? Linkedin is fairly safe - there's not a whole lot of sensitive information there (unless past work history is "sensitive") - it doesn't ask you for your SSN, address, credit card no., etc. Asking a victim to supply that info to join someone's Linkedin group would surely raise suspicion and alert people that it's a fake. There's no real meat to the article here. Either the reporter reporting on this story has missed an important part of the story (likely) or the researcher has just discovered that you can email anyone and pretend to be anyone.
All of the tools listed don't work by verifying the identity of the sender. If you fail to look/behave like a spammer/cracker/phisher, your email will get through unless you use a white list at which point 99% of people outside your list won't know how to get an email to you even though the rejection letter spells out the correct procedure. I wonder how many people actually tried to join Bill's linkedin account and of those what percentage thought it may actually *be* Bill. I'm gonna guess it's somewhere around zero.
Now excuse me, I have to get back to forwarding Bill's email I got to 20 people so I have a chance at the million dollar prize.
Firstly, why is MS singled out in the Slashdot version of the story? 100% of mail products failed this so-called test.
Secondly, what a piece of garbage. The mail products ALL did what they were supposed to. Looking at how the email was constructed, there was no piece of information in it that would allow any of the products to automatically detect it as an attack. Sadly, this is the nature of how SMTP mail is built: there is no easy way to determine a real email from a fake one, as is easily demonstrated by the 100% failure of every product, or more to the point the 100% failure of the researchers in understanding what they are doing. Claiming they were trying to measure the levels of security is just complete crap; all they are after is publicity on a well known and understood technology and its many flaws.
What's the point of this? If you send someone an email, they'll get it? God, I hope so! That used to be the norm before spammers poisoned the well.
Phishing attacks would presumably be trying to get some otherwise secured info from the victim. What would the victim of this attack provide in response to this email? Credit card info? Online banking credentials? Warcraft account info? Sheesh. As someone above stated, the guy sent an email and it got through. No news there. This isn't phishing, it's spam. And not even good spam. I would bet more people would be trying to buy cheap viagra than join Bill's Linkedin.
Well, here's why that's tough. You typically can't check the email address it comes from, because that would mean using the VRFY command, which no modern email server has enabled because it would allow spammers to simply poll an SMTP server for addresses and see if they are legit. They simply disable it or send all true responses.
The next check is DNS, verifying a mail record exists for the domain in question. Here's the problem with that. DNS can be messed up and mail will still function. Say you have a hosted domain but it lacks an mx record. Mail will still go out. So the server on the other end needs to make a choice. Throw it away or pass it through.
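The DNS check described in this comment, worked through as an added example (not code from the thread or from any of the products named): a receiving server classifies the MAIL FROM domain by whether mail could be routed back to it, following the SMTP rule that a domain with no MX record still receives mail via its A record ("implicit MX"). The resolver is a constructed in-memory table so the example runs offline; `FAKE_DNS`, `check_sender` and the verdict labels are this example's own names, and the null-sender handling for bounces is the caveat a receiver needs before rejecting on this basis.

```python
"""Sender-domain plausibility check, as a receiving MTA might perform it.

Added example, not code from the thread. The resolver is a constructed
table standing in for real DNS; replace fake_resolve with a real client
(e.g. dnspython) to use it for real.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed DNS data: name -> record type -> values.
FAKE_DNS = {
    "example.com": {"MX": ["mail.example.com"], "A": ["192.0.2.10"]},
    "mail.example.com": {"A": ["192.0.2.10"]},
    "example.org": {"A": ["192.0.2.20"]},   # hosted domain with no MX record
    "example.net": {"MX": ["."]},           # RFC 7505 "null MX": domain sends but never receives
}


def fake_resolve(name: str, rtype: str) -> list[str]:
    """Stand-in resolver: returns the record values or [] for NXDOMAIN/NODATA."""
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


@dataclass
class SenderCheck:
    domain: str
    verdict: str                      # mx | implicit-mx | null-mx | unroutable | null-sender | syntax
    hosts: list[str] = field(default_factory=list)


# Verdicts for which bounces could never be delivered; a receiver may reject or score these.
UNDELIVERABLE = {"null-mx", "unroutable", "syntax"}


def check_sender(mail_from: str, resolve=fake_resolve) -> SenderCheck:
    """Classify the MAIL FROM domain by how (or whether) mail could reach it.

    Order mirrors SMTP delivery: MX records first, then the domain's own A
    record as the implicit MX. The empty sender "<>" is reserved for bounces
    and must be accepted, so it is classified before any lookup.
    """
    if mail_from.strip() in ("", "<>"):
        return SenderCheck("", "null-sender")
    _, addr = parseaddr(mail_from)
    if "@" not in addr:
        return SenderCheck(addr, "syntax")
    domain = addr.rsplit("@", 1)[1].lower()
    mx = resolve(domain, "MX")
    if mx == ["."]:
        return SenderCheck(domain, "null-mx")
    if mx:
        return SenderCheck(domain, "mx", mx)
    a_records = resolve(domain, "A")
    if a_records:
        return SenderCheck(domain, "implicit-mx", a_records)
    return SenderCheck(domain, "unroutable")


def should_reject(mail_from: str, resolve=fake_resolve) -> bool:
    """The receiver's choice the comment describes: throw it away or pass it through."""
    return check_sender(mail_from, resolve).verdict in UNDELIVERABLE


if __name__ == "__main__":
    for sender in ["<alice@example.com>", "bob@example.org", "c@example.net", "d@nowhere.invalid", "<>"]:
        print(f"{sender:24} {check_sender(sender)}")
```

Note that "implicit-mx" is a pass, not a fail: rejecting on a missing MX alone would bounce legitimate mail from exactly the hosted domains the comment describes, which is why the decision rests on whether any route exists, not on the record type.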
Okay, Michael Bolton... You're right, why should you have to change, he's the one that sucks...
What are we going to do tonight Brain?
Now excuse me, I have to get back to forwarding Bill's email I got to 20 people so I have a chance at the million dollar prize.
Wow you're lucky! In Mexico, Bill Gates was about to close down hotmail.mx but thanks to everyone forwarding that e-mail MS saw that people used it and prevented its closure! Too bad they didn't have a chance at that prize...
My abilities are only limited by my imagination
Actually, I think this might just be against the law, and the researcher may have painted a big bullseye on his wallet for any one of these people who think they've been 'harmed' by believing they were actually invited by Bill Gates.
There are a lot of stupid internet laws out there and I'm sure the prosecutors/"victims" like nothing more than someone who provides all the evidence in a nice research report ready for prosecution.
Oh, that would have fooled me. It would have been more tricky if they'd added something like:
Dark Reading (ooh, spooky), as is their wont, lists no actual details, so we don't know what the guy actually did. But mail clients in general are pretty hopeless at interpreting "who" a message is from. There are several fields that can be used: the actual sending address (the "MAIL FROM:" in the SMTP exchange), Reply-To:, From:, Sender:. There is no agreed prioritisation that I know of as to what actually goes in the "From" that we see in the client...
I once had a weird circumstance where messages from a mail script I wrote using the MIME::Entity perl module were being received as from "nobody". I hadn't specified the sender field in the entity mail object and the module thoughtfully provided one for me, using the owner of the process running the script. So even though the reply-to and from fields were correctly set, I got a number of calls about who this nobody was....
One can prevent spoofed email using filters, etc., at least with Unix/Linux-based mail transfer agents; presumably this can also be done with MS Exchange. So the breathless report that 100% of the spoofed messages got through just indicates the low priority spoofing has in those administrators' minds.
I am not a robot. I am a unicorn.
I agree. This has to be one of the stupidest articles I've read lately.
I guess in the author's view if the SMTP envelope sender (the value appearing in the "Return-Path" header at the top of each delivered message) doesn't match the From: address, the message is somehow bogus. Try telling that to the thousands of listserver admins around the world. Many listservers preserve the original message sender's address in the From field, while redistributing the message with an SMTP sender like owner-listname@example.com. That way if you hit reply, it goes back to the original author and not the list. However bounce messages get sent to the envelope sender, which is usually the listserver admin.
Automated web processes have the same feature. I'm careful to specify what I want the envelope sender to be and what I want the From to be, and often they are not the same thing at all. I wrote a variety of applications for organizations where an officer can send mail to a membership list using his or her own address as the From. However the envelope sender is usually something like bounces@example.com so that non-delivery messages go there rather than to the actual author.
I might want to compare the addresses, and maybe give non-matching ones an extra fractional point of spamminess in SpamAssassin, but that's about it. Not delivering messages like these would break a huge portion of the e-mail infrastructure.
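The comparison this commenter proposes, and the several sender fields the earlier comment lists (MAIL FROM/Return-Path, From:, Reply-To:, Sender:), as one added example that is not code from the thread or from SpamAssassin: it parses two constructed messages, a listserver redistribution of the kind described above and a display-name spoof with no list headers, extracts the domains from each field, and adds only a small fractional score for a mismatch that looks like list traffic. The header-based list detection, the `owner-`/`bounces` local-part convention and the score weights are this example's own assumptions, not SpamAssassin's rules.

```python
"""Envelope-sender vs From: comparison, listserver-aware.

Added example, not code from the thread or from SpamAssassin. Both sample
messages are constructed; the score weights are illustrative.
"""
from __future__ import annotations

from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample 1: a listserver redistribution as the comment describes.
# Return-Path is the list owner, From: is the original author, and replies go to the author.
LIST_MSG = """\
Return-Path: <owner-announce@example.com>
From: Alice Author <alice@example.org>
Reply-To: alice@example.org
To: announce@example.com
List-Id: Announcements <announce.example.com>
Subject: Meeting minutes

Minutes attached.
"""

# Constructed sample 2: a display-name spoof with no list headers at all.
SPOOF_MSG = """\
Return-Path: <x7f3@mailer.example.net>
From: "Bill Gates" <bill@example.com>
Reply-To: invites@mailer.example.net
To: victim@example.org
Subject: Join my network

Please accept my invitation.
"""


def parse(raw: str) -> Message:
    """Parse a delivered message; Return-Path is read like any other header."""
    return message_from_string(raw)


def domain_of(header_value: str | None) -> str:
    """Lower-cased domain of an address header, or '' when absent or malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def looks_like_list(msg: Message) -> bool:
    """Heuristic (this example's assumption): RFC 2919/2369 list headers, or the
    owner-/bounces envelope convention the comment mentions."""
    if any(h in msg for h in ("List-Id", "List-Unsubscribe", "List-Post")):
        return True
    local_part = parseaddr(msg.get("Return-Path", ""))[1].split("@")[0].lower()
    return local_part.startswith(("owner-", "bounces", "bounce-"))


def sender_signals(msg: Message) -> dict[str, object]:
    """Pull the domains out of each sender-ish field and compare them."""
    env = domain_of(msg.get("Return-Path"))
    frm = domain_of(msg.get("From"))
    rpl = domain_of(msg.get("Reply-To"))
    snd = domain_of(msg.get("Sender"))
    return {
        "envelope_domain": env,
        "from_domain": frm,
        "envelope_mismatch": bool(env and frm and env != frm),
        "replyto_mismatch": bool(rpl and frm and rpl != frm),
        "sender_mismatch": bool(snd and frm and snd != frm),
        "list_like": looks_like_list(msg),
    }


def mismatch_score(msg: Message) -> float:
    """Fractional 'spamminess' contribution (illustrative weights, not SpamAssassin's).

    A list-like envelope mismatch gets a token 0.1; an unexplained one 0.5;
    a Reply-To pointing elsewhere adds 0.3. None of these alone rejects mail.
    """
    s = sender_signals(msg)
    score = 0.0
    if s["envelope_mismatch"]:
        score += 0.1 if s["list_like"] else 0.5
    if s["replyto_mismatch"]:
        score += 0.3
    return round(score, 2)


if __name__ == "__main__":
    for name, raw in (("list", LIST_MSG), ("spoof", SPOOF_MSG)):
        print(name, mismatch_score(parse(raw)), sender_signals(parse(raw)))
```

The listserver message scores 0.1 and the spoof 0.8; neither reaches a typical reject threshold on this signal alone, which is the commenter's point: the mismatch is evidence to weigh alongside other rules, not a rejection criterion.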
http://blog.fastmail.fm/2010/01/06/truedomain-anti-phishing-and-email-authentication/
describes the way Truedomain operates. We run a milter which applies X-Truedomain-* headers (view source on those messages - you'll see that even the Logo image is added on a per-message basis as a Base64 encoded header).
We're also planning to colour messages from known senders (in your address book) and offer a link to the address book entry that caused them to be trusted, as well as labelling messages that have gone entirely through a trusted path. I added a bunch of extra headers to the list that Cyrus caches on the fast metadata drives to support all this just last week! We've been beta testing Truedomain for a while on one of our incoming MX servers, and it's now applied to all incoming email.