Slashdot Mirror
Fake "Bill Gates" Message Dupes Top Tools
yahoi writes with this excerpt from Dark Reading that might raise sysadmins' eyebrows about email security, in particular given the big names involved: "A researcher who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from 'Bill Gates' is about to reveal the email products and services that failed to filter the spoofed message — and that list includes Microsoft Outlook 2007, Microsoft Exchange, Outlook Express, and Cisco IronPort. ... The experiment was aimed at measuring the effectiveness of email security controls in several major products and services. And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."
SMTP is broken. Deal with it
You know, Steve Jobs may not be the most likeable fellow around, but that hardly makes it okay to call him a 'tool.'
"A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
"...And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."
Okay, I give up. What can little technology actually do about it? Is that like nanotechnology, but bigger?
Yes, I was bored. Back to work!
A couple of months ago, I got a "someone who knows you wants you to join" email from Linkedin. Someone had submitted my email address and wanted to "friend" me, and the entire contents of the "this person knows you because..." part was a spam website in China.
Any casual glance would show that it was spam.
Linkedin had "kindly" put a link at the bottom of the email saying "if this is spam, report it here". So I did, and the web page thanked me for reporting the spam.
Two weeks later, I got *ANOTHER* email from Linkedin, "helpfully" reminding me that I hadn't accepted the spammer's invitation
WTF?!?! I told them is was spam, and not only hadn't they banned the spammer, they were spamming for him!
Linkedin instantly went into my mailservers blacklist. They're just fucking spammers.
SMTP works like real mail. Anyone can walk up to your mailbox and leave an envelope addressed to you from "Bill Gates". Unless you know how to look for signs that it was properly handled by the post service, you have no idea if it's real or not. We've known this since around 2400BC (because wikipedia says so).
--
Stay tuned for some shock and awe coming right up after this messages!
You know the famous one doesn't have a monopoly on that name, right?
Well, it would be rather fitting if he did.
God invented whiskey so the Irish would not rule the world.
Whoever thinks this is a big issue should evaluate how much security we can expect from computers. Scams like this can be pulled off by sending IRL mail as well and are equally hard to detect by humans. Why should we expect an automated algorithm to be able to detect it? Scams like this are only going to stop when every move you make on the Internet can be tracked down straight back to you. We're getting closer and closer to a decision: Privacy or security. What's Slashdot's pick?
So the "researcher" sends an email pretending to be B. Gates and the message got through? OMG! Seriously, where's the "phishing" part? Did he have them click on a link? What was the success rate of that? Linkedin is fairly safe - there's not a whole lot of sensitive information there (unless past work history is "sensitive) - it doesn't ask you for your SSN, address, credit card no, etc. Asking a victim to supply that info to join someones linkedin group would surely raise suspicion and alert people that it's a fake. There's no real meat to the article here. Either the reporter reporting on this story has missed an important part of the story (likely) or the researcher has just discovered that you can email anyone and pretend to be anyone.
All of the tools listed don't work by verifying the identity of the sender. If you fail to look/behave like a spammer/cracker/phisher, your email will get through unless you use a white list at which point 99% of people outside your list won't know how to get an email to you even though the rejection letter spells out the correct procedure. I wonder how many people actually tried to join Bill's linkedin account and of those what percentage thought it may actually *be* Bill. I'm gonna guess it's somewhere around zero.
Now excuse me, I have to get back to forwarding Bill's email I got to 20 people so have I have a chance at the million dollar prize.
Firstly why is MS singled out in the slashdot version of the story? 100% of mail products failed this so called test.
secondly what a piece of garbage, the mail products ALL did what they were supposed to, looking at how the email was constructed there was no piece of information in it that would allow any of the products to automatically detect it as an attack, sadly this is the nature of how SMTP mail is built, there is no easy way to determine a real email from fake one as is easily demonstrated by the 100% failure of every product, or more to the point the 100% failure of the researchers in understanding what they are doing, claiming they were trying to measure the levels of security is just complete crap, all they are after is publicity on a well known and understood technology and its many flawes.
Well here's why that's tough. You can't check the email address it comes from typically because that would mean using the VRFY command, which no modern email server has enabled because it would allow spammers to simply poll an SMTP server for addresses and see if they are legit. They simply disable it or send all true responses.
The next check is DNS, verifying a mail record exists for the domain in question. Here's the problem with that. DNS can be messed up and mail will still function. Say you have a hosted domain but it lacks an mx record. Mail will still go out. So the server on the other end needs to make a choice. Throw it away or pass it through.
Okay Michael Bolton.. Your right, why should you have to change, he's the one that sucks...
What are we going to do tonight Brain?
I agree. This has to be one of the stupidest articles I've read lately.
I guess in the author's view if the SMTP envelope sender (the value appearing in the "Return-Path" header at the top of each delivered message) doesn't match the From: address, the message is somehow bogus. Try telling that to the thousands of listserver admins around the world. Many listservers preserve the the original message sender's address in the From field, while redistributing the message with an SMTP sender like owner-listname@example.com. That way if you hit reply, it goes back to the original author and not the list. However bounce messages get sent to the envelope sender, which is usually the listserver admin.
Automated web processes have the same feature. I'm careful to specify what I want the envelope sender to be and what I want the From to be, and often they are not the same thing at all. I wrote a variety of applications for organizations where an officer can send mail to a membership list using his or her own address as the From. However the envelope sender is usually something like bounces@example.com so that non-delivery messages go there rather than to the actual author.
I might want to compare the addresses, and maybe give non-matching ones an extra fractional point of spamminess in SpamAssassin, but that's about it. Not delivering messages like these would break an huge portion of the e-mail infrastructure.