You can't utilize this exploit with a standard a href. You have to use a button of some type.
It's also a big giant tell for mail server admins for dropping spam as it has no legitimate uses.
The object lesson that's been out ever since such e-mail scams started is: always go to the web-site manually and log into your account before submitting any information.
A legitimate company ALWAYS has you log into your account and ALWAYS posts a notice upon logging in telling you what you need to do. And they NEVER use a button as a link to their site.
Yahoo and Hotmail et could just as well add in a rule to delete any e-mail that contains those escape characters and no one using those services will ever get such an e-mail and never lose a legitimate e-mail from it. I'll be adding that rule to my mail server.
Seriously, I hope every spammer and scammer uses this so I never get a spam e-mail in my inbox again.
One more trivial tell to drop crap e-mails from my inbox.
If an e-mail contains the characters "%01@" or "%00@" kill it.
I can't think of any reason why those strings of characters would legitimatly found in an e-mail.
This "exploit" has very very few practical applications that would actually fool anybody. No legitimate company sends out an e-mail asking to verify your information by clicking on a link. This doesn't change anything in that area. So instead of telling grandma not to click on links in e-mails that look "suspicious" how about telling her simply to not divulge any information to web-sites that ask for that information through an e-mail.
If PayPal needs to verify your information they ask AFTER you log in. They may send an e-mail saying they need you to log into your account to take care of something.
So for a real world example, if Grandma get's an e-mail from "PayPal" or her "bank" telling her that she needs to validate some information tell her to open her browser and go to her bank's web-site the old fashioned way of typing it in, to log into her account and then see if any notices are there.
If not, the e-mail is a fake. If a notice is there, do what the notice says on the site.
Simple lesson for grandma: Never click on a click from an e-mail to verify information. ALWAYS manually type in the URL for the company you're involved with asking for your information, log in, and THEN look for notices and do what they say. Grandma should already know not to give information to companies she has no knowledge about.
Anyone throwing up their hands about having to reteach grandma, didn't teach grandma properly in the first.
There's a very generic object lesson here that has zero to do trying to see if a URL is being sneaky that you should have taught her years ago when the first "click here to update your info" scams came through.
If you're supposed to pay for something and you take it without paying for it you stole. And stealing makes you a theif.
The only reason it matters if it's physical property or not is in court.
The question for pirates isn't whether or not you're a theif. It's a question of what you stole that determines sentencing. Since for piracy you didn't steal physical property the grounds for forming a sum to cover damages is a lot less firm. Who knows how many copies you made of whatever you stole. If you steal physical property, you owe the price of the property you stole times the number you stole which is an easily determinable amount.
Look up "steal" in Webster and you don't find a differentiation between stealing nonphysical and physical objects. It's simply the illegal aquiring of goods.
The only place you find a differentiation between the two is in a law book. Oh yes, and in posts of people who just like to cut and paste the same thing over and over hoping to get moderated highly.
"Can you explain why you should be paid over and over again - for up to 50 years after your death - for once piece of work ?"
So are you going to require that all investments made by people be yanked and disolved upon their death?
Currently author's have a CHOICE to allow their copyrights to go that far. There's nothing stopping you from only putting works in the public domain or demanding that they be put in the public domain upon your death.
If a content creator wishes their family to be able to benefit from their creation that people still enjoy, that should also be a CHOICE they can make.
Or maybe you should just talk to your parents and other relatives about forgetting about giving you any kind of inheritence.
After all, you didn't earn it.
Inheriting trust funds, bank accounts, interest, IP, businesses, it's all the same. It's giving people things they had no inherent right to. Copyright Law gives people the ability to allow their children to benefit from their labor after their passing for non concrete things.
mySQL got hacked recently (passwords removed, and accounts deleted). I checked the obvious means and found that they hadn't used the hidden door with the "Rape Me" sign on it. That door was renamed and moved anyway. mySQL isn't open to the outside so they had to go through the web-site somehow. My guess is an escalation of permissions hack from an account I gave someone.
mySQL doesn't handle anything worthwhile and PHP is in safe mode. I also pretty know who did it and it wasn't to be malicious. Nothing was deleted.
Nobody has ever hacked into my Windows box even though it runs logged in as an Admin. This also wouldn't be a big deal if mySQL would stop being dense and put in a configuration to define what constitutes localhost. The dreaded 1045 error. Even Mercury Mail and EZMTS have little configuration settings where I can say what IPs and domains == localhost so it doesn't keep sending e-mails to itself. Heck, you can't even set the root user during the install. What should have been a five minute uninstall reinstall of mySQL over WinVNC is now requiring I go down to my ISP and get physical access to the server.
So yes, the only exploits that ever happen on my Windows box do only come through open source products. And I do keep them up to date. They're just a pain to install, poorly documented (readability), and difficult to configure to be usable and secure. The 1045 error of mySQL is common upon install and yet in 4 versions is still there and solutions consist of "try this and hope it works"
Unless you intend to use FORMS for everything, PHP needs to have global variables on. This is just a lesson in paying attention to what those globals are and how to make sure they contain valid values.
You run the spamhole or whatever on port 25 and run the mail server on port 26. The spamhole does it's custom checking and logging while forwarding everything to your actual mail server. Outside it's completely transparent. I use RinetD to allow my mail server (coloed at a second ISP) to work on 2 ports to get around my home ISPs port 25 block.
But yes, I've done such a project myself and it is really quite pointless. There nothing it can do that my mail server can't handle itself. And I don't have a second system running 24/7 that would be worth putting my SpamCan on to see if people are attempting to use my system as a relay.
Highly unlikly considering the entire residential Cox network has outgoing port 25 blocked and I'm sure spammers are aware of that.
I have a web-form and use a simple PHP script that is hard coded to go through my mail server and my mail server requires a valid POP3 login from the username you plan to send e-mails with prior to being able to send e-mails with it. You get a short window of time once validated and even then you must send the e-mails from the same IP that validated the user name. So you can't figure out what e-mail address is being used, send a message from the form and then spam away with that e-mail address remotely.
And on top of that the function that sends the e-mail is seperate of the pop3 function so even if you managed to figure out how the script works, you still couldn't abuse it in any way shape or form. All the security depends on the mail server itself.
And then from my form the script that uses the SMTP/POP3 script can only send messages to a single hardcoded address. It also can't do BCC or CC's. I'm considering doing an anonymous e-mailer with it but I need to work out details before jumping off that cliff.
"that was an extra the customer had to pay for"
That should be an extra the customer has to pay to get ACCESS to. You should be logging regardless. It's just diskspace and if the customer isn't paying you can clear the old logs on a X day basis if nothing exciting is happening.
Setting up a secure form mailer is rediculously easy. And with PHP I can use my script anywhere. I don't need to set up funky permissions. I don't know what formmail is doing that could possibly allow it to be hacked in such a way that an attacker couldn't just go right to the mail server and accomplish.
Currently, my log analizer is custom made and logs all formmail attempts sorted by IP. It used to be pretty bad. So much so that I reported a number of people. That's died down now though since they've finally realized I don't have formmail on my server in any form. I don't even have Perl installed on my server anymore. PHP only.
It gobbles up any e-mail sent on port 25 and logs everything from the e-mail itself, all the headers and the originating IP. It doesn't care where the e-mail claims it's comming from or where it's supposed to go.
I'm not sure why this is an "open" project since Spam Can was thrown together in VB in about an hour. The most difficult part was getting it to go to the system tray.
The obvious problem is that you can't run this and a real mail server at the same time. And real mail servers (like Mercury Mail) can already do catch alls.
And if you're not running a real e-mail server, why run a fake one to waste your own bandwidth? Good luck convincing millions of people to run these (without having a tell that spammers can look for) making looking for open relays not feasible.
Spammers also already know right where to get a valid relay; They get a nice e-mail from the infected machine.
tend to use proper english and other tells that crap spammers don't. I have no problem with spam that's sent that follows rules. It makes filters much more effective.
I had a problem with spammers sending spam with popunders. I added in a rule to Mercury to delete any message that contained the line "script langage=javascript." BAM. No more of those. In fact, I'd really appreciate if all spammers would use Java-script in their messages.
Don't like Yahoo spamming you? Guess what? They follow rules and guidlines for their messages. All you have to do is figure out what tells their messages have and configure your mail server to block any messages that match those tells.
No, this isn't going to fix the whole spam problem but at least it's making it easier to block.
I don't get any e-mails with the ADV: in the subject either. More spammers should follow that rule. "Legitimate" spammers do follow that rule. So I really don't care if the government gives them an out. My mail filter can handle them just fine without legistlation.
It's the idiots that invent new combinations of words and letters that are a problem. We need legislation to be able to go after those we can as well as techical means and social means to get them to knock it off.
There are laws about litter, too. That hasn't solved the litter problem but it helps a bit. And just like litter, everyone needs to do their part with spam. Maybe we should take a hint from Singapore and start caneing people who spam.
Not doing anything because it's not 100% is just silly. There is no silver bullet for spam. It's nice to know that Congress has the sense to at least make some kind of dent. On top of legislation we also need technical solutions and social solutions.
Pretending we should just focus on one solution is going to accomplish exactly zero.
From a home system to his mail server, nothing get's encrypted. ISPs that block port 25 forward the requests through their system and to his mail server where it's actually sent out. HIS mail server encrypts the message. Reciving servers then check the message based on the HELO or whatever. It only traces it back to the mail server it alledgedly came from. Not the person who sent the e-mail.
Even if the ISP is for some reason taking over the whole job of sending the e-mail, it's very trivial to set up RinetD (or similar) on the server to forward a second port to the SMTP server. That's what I use. I then set up my mail accounts that are for my domains to send mail to the SMTP server on the alternate port.
If he's trying to run a mail server on his own system behind a port 25 block he's breaking his AUP.
This doesn't negativly affect anyone who's running their own mail server. It only affects people who don't know how to configure a server.
"It does infringe on your rights as a public citizen"
You still havn't told me exactly what right you're talking about. As far as anyone knows it's the 20th Amendment to the CONSUMER States of America because you've certainly failed to indicate where in the constitution of the UNITED States of America, this right exists.
Since apparently this is going over your head: the Constitution of the CONSUMER States of America is the collection of rights that consumers ignorantly throw around when confronted by a business about what they can and can't do and what the business owes them while in their establishment.
As soon as you document which right is being infringed, you have no point. You're just throwing words around that don't mean anything.
"I have a right"
Prove it.
"No, you give up no rights when you enter a private establishment"
You give up the right to free speech. To peacfully assemble. The right to bear arms (try bringing a gun into a store). You can be searched (ever been to an airport?).
Etc. Your rights apply to GOVERNMENT institutions. A police officer can't infringe on your rights but a store owner is more than free to while on his property.
So what the fuck are you talking about?
Pull your "I Have a Right" speech with the judge and see how far you get. You couldn't even provide documentation for this right when asked.
Must be like the 20th Amendment to the Constitution of the Consumer States of America.
A theater is PRIVATE property. You check your rights at the door.
Are you going to fight for your "right" to not have to wear a shirt or shoes and still get service?
You can't carry recording devices of any form into professional sports games either.
If you have a phone with a camera, keep it in your pocket (turned off) and if security spots you, don't be an ass whinning about imaginary rights. Give them the phone and pick it up on your way out.
I realize this is a Geek news site so we're not all up to speed on recording devices and sports but cellphones with cameras have been banned from any and all professional sports games. College games they still allow photography. You can thank the advertising industry for such bans.
There was a Canon commercial for a high end digital camera and the guy taking pictures at a football game. Pretty bad advertising considering that very expensive camera would be confiscated if you took it anywhere near an NFL game.
It's not surprising they're cracking down in the same manner on theaters now.
"So, as another poster asked, what happens if you forget to take your camcorder OUT of your car when you go to the drive-in (and yes, there are still drive-ins in California)?"
You explain to the nice security guard that you had no intention of using it to film anything and if they ask, you hand it over to them to hold it for you until you're ready to leave.
Same as they do with sports games.
This is a non-issue.
"is sufficent to create the possiblity of arrest and prosecution"
That's a definite maybe.
If you're in such a situation, don't be an ass and cooperate. They're not out to get you. They're out to prevent you from recording anything. Big difference.
One involves a box in the office to hold your phone while you watch the movie. The other involves a judge and 12 of your new friends.
I don't know what your speeds are but I had a non-artificially capped 640/256Kbit business DSL line for $70 a month. Cox wanted to charge $200 or so for a line that was only 50% faster up and artificially capped. Since I was (and still am) running a very large web-site it's the upstream speed that matters. Cox also caps the upload amount at a rediculous 7.5GB. Compare that to the 50GB+ I was doing with my DSL line. It was nearly saturated when I went to colo.
Qwest couldn't get me a faster line either due to my distance to the telco.
I now pay $175 a month for 30GB of transfer (+$2 per GB over) for a 10Mbit colo line at the ISP I had the DSL account through. I've had to All Access Pass more to keep the transfer amounts down but I'm working on alternate ways to bring in funds so I can open it up a bit.
I also switched my home internet connection to Cox (and got digital telephone) since Cox is a better deal for typical internet use.
If you're running a server you may want to consider that road. Colo packages tend to be cheaper and far faster.
I use a custom version of WinVNC so it's not too terrible maintaining it. Having the server physically accessible 24/7 was nice.
"The only reason we aren't conquered by some more unified people is because we have nuclear weapons"
Have a t-shirt
front side: "I Took on the Government and All I Got Was This Lousy T-Shirt" backside: "Property of Guantanimo Bay"
The reason we're not going to be attacked any time soon (even though reasons abound in many people's minds) is because the people who want us gone are people who refuse to use violence.
I can just imagine all the anti-war people starting a war against the US.
Clinton threw money at problems and failed to solve anything. Us giving the Taliban money prior to 9/11 was residue from Clinton. Bush's administration finally put that idiotic plan to rest.
Since diplomacy and money have failed now we're trying the tried and true method of control called an ass kicking.
All the democrates have done so far is bitch about what a terrible job Bush is doing. Unless they can come up with a brilliant idea to solve these problems they claim exist (especially in Iraq) I'll be voting for Bush.
I can deal with Bush for four more years if it means Iraq doesn't have to deal with another Saddam any time soon. I'd rather give Bush 4 more years to finish up his plan than bring in some new guy with no plan and no clue what to do.
They invest in more security, more friendly service (to keep the would be theives busy and make them know they're being watched), and throw people out (or just make them so uncomfortable from all the attention they leave).
There's nothing wrong with Radio Shack's business. It's simply that it's so easy to steal from them with all those little parts they sell.
A stealing customer is not a customer. Better to throw those 15% out WHILE looking for ways to lower the theft rate. I don't think Radio Shack is going to put individual IC type parts is huge boxes any time soon.
"I havn't figured out how to make you stop stealing yet so go ahead."
Brilliant plan. You have to attack the problem from all angles.
The RIAA (aside from that whole illegal search and seizure thing preventing them from being able to do anything if they wanted to) had no bones to pick with people who share between friends. Because then it actually is sharing.
Calling rampant piracy "sharing" is just dense. Yes they're very heavy handed about it but that doesn't make piracy any less illegal.
It's like flicking lit matches around your house and then standing outside crying and whining and wondering why it burnt down.
Keep your "illegal" activities to yourself.
"I got your file! And you can't get me! Oh look, there's another!"
Some people are so freakin dense.
When you're pirating on a very public and very popular P2P app you're just asking to get some silver braclets.
While you're at it, why don't you go rob a bank in broad daylight with a nice neon colored hat and smile at the camera.
Brilliant job posting on a PUBLIC FORUM WITH YOUR TRACKABLE INFORMATION that you're a very dedicated and loaded pirate.
If your boss doesn't fire you, you should just quit before he gets a phone call.
I occassionally get e-mails whining that I charge for access to much of my site (you're free to browse every file I have though). Many subscription sites get the same flak. What people don't realize is that it costs money (often lots of it) to run a web-site. Unless someone wants to donate several thousand to my site, it's going to remain a mostly subscription site.
It's the same way with OpenSource vs ClosedSource. I recognize that some things could just as well be free. As a result a lot of source code I write gets posted for free on my web-site for anyone to use. However I also recognize that free don't pay the bills so I keep some things to myself.
Namely complete projects. Many completed projects get their source code released but a couple are completely closed except for a few pieces (Ogg Vorbis with DirectSound class, for example). It would be possible (and possibly beneficial) to release parts of your code under your own custom license or the BSD license if you don't plan on licensing the technology.
Namely one that recognizes that it is intended for use in a single closed commerical product. Anyone else may use it for NON-commerical purposes as long as the source remains open. Otherwise they have to license it from you.
But, contrary to what some may say, Open Source is not the be all solution. But neither is closed source. Again, I would recommend going through your project to see what could opened and then have it out there while still working on it internally. Anything that isn't unqiue should be the first to consider opening up.
Open Source essentially reduces programmers to street performers with a very select few seeing any money (much less livable wages) from their efforts. Namely the people who organize the project.
There are a lot of people working on Linux and very few of them are getting any checks in the mail. Even fewer can live off the checks they do get.
"That is inconsiderate, disrespectful, and flamebait--especially since blocking port 25 has not prevented spam at all."
Didn't you tell me it only took a moment to think to realize *I* was wrong?
I gave you five minutes. Don't tell me you're going to cry now.
"especially since blocking port 25 has not prevented spam at all."
It's blocked 100% of spam that would have originated from servers running on computers connected to an ISP that blocks port 25.
It's very effective. What did you expect? That spam would dissapeaar?
Should you just litter since you not littering doesn't accomplish anything in the grand scheme of things anyway?
"If the guy next door starts sending spam from his computer then it's easy enough for the ISP to start watching/tracking him without blocking port 25."
Once he's sent out the e-mails the damage has been done. It's a PREVENTATIVE measure.
Again, stop crying and realize that the moment you took to _know_ *I* was wrong wasn't enough time to really think about what the block is trying to accomplish to realize it's a very effective measure.
You didn't even know the uses and limitations of IP spoofing. What makes you think I think you have any credibility in this regard?
Especially considering I'm behind a port 25 block and think it's a great idea and that more residential connections should have that port blocked.
Just like littering, no one person solves the whole problem. Everyone just does their part. Cox is a major ISP and it's one that is of no use to spammers. That is a major accomplishment.
E-mail sent through my mail server will be tracked to my mail server. If there's a problem I have logs (and invoices for payment) to track down the person responsible. I can also just cut them off.
The same as would happen at the ISP level. They have your records if they need to find you. And they can cut you off. ISPs are now just cutting everyone off who isn't paying for the ability to have an unrestricted connection.
Sending spam from your IP will get you in trouble but it also has the potential to make the ISP look like it's spam friendly, get it on blacklists and all kinds of other nasty things. No one will mistake Cox or any other port 25 blocking ISP for being spam friendly.
It's not about getting the spammer. It's about PREVENTING spam in the first place.
You can't spoof an IP connection for anything more than one way communication. SMTP requires two way communication. Spoofing the IP for that purpose results in no mail sent. The word you're looking for is "proxy."
And how does not blocking port 25 prevent using proxies to spam anonymously?
If you don't want the ISP monitoring your e-mail usage use a third party e-mail server that accepts connections on an alternate port or find a new ISP or pay for the ability to have port 25 open.
"To me this has sounded good but never adds up if you spend a moment thinking about it."
I have Cox and they block port 25 going out which makes sense. However, I run an on-line business and need to use my own e-mail addresses for my domains. That server is colocated at another ISP. The solution? Port fowarding on the server side. RinetD makes it really simple to forward port X to port 25. So now on my side e-mail goes out on port 28 and in on port 25. Server side recieves mail on ports 28 and 25 and sends mail out on port 25.
So the problem is solved with my mail server but what about other e-mail servers that people subscribe to?
It boils down simply to responsibility. Cox and other port 25 blocking ISPs don't want to be responsible for your mail server. Not *all* ISPs should block port 25. *All* ISPs should have guidelines for when to block port 25. Homeusers, fine. They can deal with having to use their ISP given e-mail address. If they need to send mail through another mail server they should contact that mail server and ask them to do a port forward.
If they want to take responsibility for what you e-mail through their system they can open up a secondary port.
The ISP has made their decision and the answer is "no." The only people inconvienenced by this are people who intended to run an e-mail server on a residential line (ISPs always have non/less restricted account types for businesses) and I'm not feeling a pity party comming on for those people. If you want to run a business, you pay the price or find someone else. Qwest DSL doesn't block any ports and using a business line with them I used to run the entire business out of house. Their limitation is speed which is why I moved to colo and got a cheap residential connection for my own use and handling the business remotely.
And if you don't want to pay the price (I'm not about to spend hundreds a month to two ISPs just so that one of them lets me send e-mails to the other without a port forwarder) find an e-mail hosting company (like me) that has an additional port to get your e-mails out through.
The port 25 block is to prevent e-mail servers from being run on a residential line. Port forwarding on the server side doesn't break that rule. I'm not running a server on my residential line.
Maybe someone else has an argument why blocking port 25 is wrong and evil in any and all cases but I can't come up with it.
All ISPs should block port 25 in at least some circumstances. The first circumstance to consider should be residential. It's very trivial to allow port blocked customers to use a 3rd party e-mail server running under circumstances that allow port 25 to be open.
in the US those protestors were (if they were peaceful) wrongfully arrested and have grounds to sue the city/state and win. It wouldn't take much to find a lawyer who would take the case for free (no money up front) if they don't have a lawyer friend in their mist already.
The person in China has no such laws to fall back on. As far as China is concerned she was 100% legally arrested.
Guatanamo holds FOREIGN prisoners. Not citizens. I can register www.fuckbush.com and unless I encourage violence against him (or anyone for that matter) there's not jack shit I can be arrested for.
The reason Guantanamo holds *FOREIGN* prisoners is because they don't have the same rights we as citizens do. Just because you're on American soil doesn't make you a citizen with all the rights and priviages that entails.
I don't know all the details on Guantanimo so I'm not going to argue that those prisioners should or should not be there. I don't know why 99.9999999% of prisoners are in jail I just assume there's a good reason. I'd have to argue that on a case by case basis.
But I'm not going to pretend that the US is like China in this regard. China is arresting it's OWN CITIZENS for speaking out against it allowing exactly zero legal recourse. The US is arresting FOREIGN people for doing whatever. If someone in guantanemo was arrested for no good reason I'm not going to argue they should be there. But calling the US a police state is just dense.
It's amazing the kind of stuff I put on my web-site without fearing for my freedom. Mein Kampf, the Communist Manifesto, every historically banned book I could find, all kinds of other political documents like the Declaration of Independence. All in two sections call "Politics as Usual" and "The Library." And I have governments from all over the world visiting my web-site. therabbithole.icarusindie.com
The were moved from the main www.icarusindie.com for business reasons and conflicting interests with certain groups I belong to. Not because I got letters from the government. But because I got e-mails from CITIZENS who thought some of the stuff was a little over the top (and too easy to accidently stumble across) and I happen to agree but I don't believe in censorship so I compromised. Google, the fanstastic beast it is, has already reindexed everything so it's business as usual. Except that those who don't want to see the "darker" side of icarusindie.com will never accidently stumble across it.
It's amazing what you can "get away with" in the US. And imagine what a dream it must be for a Chinese citizen when in the US it's a reality that people sue the police, their counties, cities, states and even take the Supreme Court to court over matters...and WIN.
That certainly is some kind of police state we have here where CITIZENS can sue the government and WIN.
Slashdot Mirror
You can't utilize this exploit with a standard a href. You have to use a button of some type.
It's also a big giant tell for mail server admins for dropping spam as it has no legitimate uses.
The object lesson that's been out ever since such e-mail scams started is: always go to the web-site manually and log into your account before submitting any information.
A legitimate company ALWAYS has you log into your account and ALWAYS posts a notice upon logging in telling you what you need to do. And they NEVER use a button as a link to their site.
Yahoo and Hotmail et could just as well add in a rule to delete any e-mail that contains those escape characters and no one using those services will ever get such an e-mail and never lose a legitimate e-mail from it. I'll be adding that rule to my mail server.
Seriously, I hope every spammer and scammer uses this so I never get a spam e-mail in my inbox again.
Ben
One more trivial tell to drop crap e-mails from my inbox.
If an e-mail contains the characters "%01@" or "%00@" kill it.
I can't think of any reason why those strings of characters would legitimatly found in an e-mail.
This "exploit" has very very few practical applications that would actually fool anybody. No legitimate company sends out an e-mail asking to verify your information by clicking on a link. This doesn't change anything in that area. So instead of telling grandma not to click on links in e-mails that look "suspicious" how about telling her simply to not divulge any information to web-sites that ask for that information through an e-mail.
If PayPal needs to verify your information they ask AFTER you log in. They may send an e-mail saying they need you to log into your account to take care of something.
So for a real world example, if Grandma get's an e-mail from "PayPal" or her "bank" telling her that she needs to validate some information tell her to open her browser and go to her bank's web-site the old fashioned way of typing it in, to log into her account and then see if any notices are there.
If not, the e-mail is a fake. If a notice is there, do what the notice says on the site.
Simple lesson for grandma: Never click on a click from an e-mail to verify information. ALWAYS manually type in the URL for the company you're involved with asking for your information, log in, and THEN look for notices and do what they say. Grandma should already know not to give information to companies she has no knowledge about.
Anyone throwing up their hands about having to reteach grandma, didn't teach grandma properly in the first.
There's a very generic object lesson here that has zero to do trying to see if a URL is being sneaky that you should have taught her years ago when the first "click here to update your info" scams came through.
Ben
If you're supposed to pay for something and you take it without paying for it you stole. And stealing makes you a theif.
The only reason it matters if it's physical property or not is in court.
The question for pirates isn't whether or not you're a theif. It's a question of what you stole that determines sentencing. Since for piracy you didn't steal physical property the grounds for forming a sum to cover damages is a lot less firm. Who knows how many copies you made of whatever you stole. If you steal physical property, you owe the price of the property you stole times the number you stole which is an easily determinable amount.
Look up "steal" in Webster and you don't find a differentiation between stealing nonphysical and physical objects. It's simply the illegal aquiring of goods.
The only place you find a differentiation between the two is in a law book. Oh yes, and in posts of people who just like to cut and paste the same thing over and over hoping to get moderated highly.
"Can you explain why you should be paid over and over again - for up to 50 years after your death - for once piece of work ?"
So are you going to require that all investments made by people be yanked and disolved upon their death?
Currently author's have a CHOICE to allow their copyrights to go that far. There's nothing stopping you from only putting works in the public domain or demanding that they be put in the public domain upon your death.
If a content creator wishes their family to be able to benefit from their creation that people still enjoy, that should also be a CHOICE they can make.
Or maybe you should just talk to your parents and other relatives about forgetting about giving you any kind of inheritence.
After all, you didn't earn it.
Inheriting trust funds, bank accounts, interest, IP, businesses, it's all the same. It's giving people things they had no inherent right to. Copyright Law gives people the ability to allow their children to benefit from their labor after their passing for non concrete things.
Ben
Apache, PHP, mySQL on Windows 2000.
mySQL got hacked recently (passwords removed, and accounts deleted). I checked the obvious means and found that they hadn't used the hidden door with the "Rape Me" sign on it. That door was renamed and moved anyway. mySQL isn't open to the outside so they had to go through the web-site somehow. My guess is an escalation of permissions hack from an account I gave someone.
mySQL doesn't handle anything worthwhile and PHP is in safe mode. I also pretty know who did it and it wasn't to be malicious. Nothing was deleted.
Nobody has ever hacked into my Windows box even though it runs logged in as an Admin. This also wouldn't be a big deal if mySQL would stop being dense and put in a configuration to define what constitutes localhost. The dreaded 1045 error. Even Mercury Mail and EZMTS have little configuration settings where I can say what IPs and domains == localhost so it doesn't keep sending e-mails to itself. Heck, you can't even set the root user during the install. What should have been a five minute uninstall reinstall of mySQL over WinVNC is now requiring I go down to my ISP and get physical access to the server.
So yes, the only exploits that ever happen on my Windows box do only come through open source products. And I do keep them up to date. They're just a pain to install, poorly documented (readability), and difficult to configure to be usable and secure. The 1045 error of mySQL is common upon install and yet in 4 versions is still there and solutions consist of "try this and hope it works"
Unless you intend to use FORMS for everything, PHP needs to have global variables on. This is just a lesson in paying attention to what those globals are and how to make sure they contain valid values.
Ben
You run the spamhole or whatever on port 25 and run the mail server on port 26. The spamhole does it's custom checking and logging while forwarding everything to your actual mail server. Outside it's completely transparent. I use RinetD to allow my mail server (coloed at a second ISP) to work on 2 ports to get around my home ISPs port 25 block.
But yes, I've done such a project myself and it is really quite pointless. There nothing it can do that my mail server can't handle itself. And I don't have a second system running 24/7 that would be worth putting my SpamCan on to see if people are attempting to use my system as a relay.
Highly unlikly considering the entire residential Cox network has outgoing port 25 blocked and I'm sure spammers are aware of that.
Ben
I have a web-form and use a simple PHP script that is hard coded to go through my mail server and my mail server requires a valid POP3 login from the username you plan to send e-mails with prior to being able to send e-mails with it. You get a short window of time once validated and even then you must send the e-mails from the same IP that validated the user name. So you can't figure out what e-mail address is being used, send a message from the form and then spam away with that e-mail address remotely.
And on top of that the function that sends the e-mail is seperate of the pop3 function so even if you managed to figure out how the script works, you still couldn't abuse it in any way shape or form. All the security depends on the mail server itself.
And then from my form the script that uses the SMTP/POP3 script can only send messages to a single hardcoded address. It also can't do BCC or CC's. I'm considering doing an anonymous e-mailer with it but I need to work out details before jumping off that cliff.
"that was an extra the customer had to pay for"
That should be an extra the customer has to pay to get ACCESS to. You should be logging regardless. It's just diskspace and if the customer isn't paying you can clear the old logs on a X day basis if nothing exciting is happening.
Setting up a secure form mailer is rediculously easy. And with PHP I can use my script anywhere. I don't need to set up funky permissions. I don't know what formmail is doing that could possibly allow it to be hacked in such a way that an attacker couldn't just go right to the mail server and accomplish.
Currently, my log analizer is custom made and logs all formmail attempts sorted by IP. It used to be pretty bad. So much so that I reported a number of people. That's died down now though since they've finally realized I don't have formmail on my server in any form. I don't even have Perl installed on my server anymore. PHP only.
Ben
Spam Can
It gobbles up any e-mail sent on port 25 and logs everything from the e-mail itself, all the headers and the originating IP. It doesn't care where the e-mail claims it's comming from or where it's supposed to go.
I'm not sure why this is an "open" project since Spam Can was thrown together in VB in about an hour. The most difficult part was getting it to go to the system tray.
The obvious problem is that you can't run this and a real mail server at the same time. And real mail servers (like Mercury Mail) can already do catch alls.
And if you're not running a real e-mail server, why run a fake one to waste your own bandwidth? Good luck convincing millions of people to run these (without having a tell that spammers can look for) making looking for open relays not feasible.
Spammers also already know right where to get a valid relay; They get a nice e-mail from the infected machine.
Ben
it will be good for everything BUT the desktop.
Ben
tend to use proper english and other tells that crap spammers don't. I have no problem with spam that's sent that follows rules. It makes filters much more effective.
I had a problem with spammers sending spam with popunders. I added in a rule to Mercury to delete any message that contained the line "script langage=javascript." BAM. No more of those. In fact, I'd really appreciate if all spammers would use Java-script in their messages.
Don't like Yahoo spamming you? Guess what? They follow rules and guidlines for their messages. All you have to do is figure out what tells their messages have and configure your mail server to block any messages that match those tells.
No, this isn't going to fix the whole spam problem but at least it's making it easier to block.
I don't get any e-mails with the ADV: in the subject either. More spammers should follow that rule. "Legitimate" spammers do follow that rule. So I really don't care if the government gives them an out. My mail filter can handle them just fine without legistlation.
It's the idiots that invent new combinations of words and letters that are a problem. We need legislation to be able to go after those we can as well as techical means and social means to get them to knock it off.
There are laws about litter, too. That hasn't solved the litter problem but it helps a bit. And just like litter, everyone needs to do their part with spam. Maybe we should take a hint from Singapore and start caneing people who spam.
Not doing anything because it's not 100% is just silly. There is no silver bullet for spam. It's nice to know that Congress has the sense to at least make some kind of dent. On top of legislation we also need technical solutions and social solutions.
Pretending we should just focus on one solution is going to accomplish exactly zero.
Ben
From a home system to his mail server, nothing get's encrypted. ISPs that block port 25 forward the requests through their system and to his mail server where it's actually sent out. HIS mail server encrypts the message. Reciving servers then check the message based on the HELO or whatever. It only traces it back to the mail server it alledgedly came from. Not the person who sent the e-mail.
Even if the ISP is for some reason taking over the whole job of sending the e-mail, it's very trivial to set up RinetD (or similar) on the server to forward a second port to the SMTP server. That's what I use. I then set up my mail accounts that are for my domains to send mail to the SMTP server on the alternate port.
If he's trying to run a mail server on his own system behind a port 25 block he's breaking his AUP.
This doesn't negativly affect anyone who's running their own mail server. It only affects people who don't know how to configure a server.
Ben
"do you know what the fuck you're talking about"
Can you read? "Consumer States of America"
"It does infringe on your rights as a public citizen"
You still havn't told me exactly what right you're talking about. As far as anyone knows it's the 20th Amendment to the CONSUMER States of America because you've certainly failed to indicate where in the constitution of the UNITED States of America, this right exists.
Since apparently this is going over your head: the Constitution of the CONSUMER States of America is the collection of rights that consumers ignorantly throw around when confronted by a business about what they can and can't do and what the business owes them while in their establishment.
As soon as you document which right is being infringed, you have no point. You're just throwing words around that don't mean anything.
"I have a right"
Prove it.
"No, you give up no rights when you enter a private establishment"
You give up the right to free speech. To peacfully assemble. The right to bear arms (try bringing a gun into a store). You can be searched (ever been to an airport?).
Etc. Your rights apply to GOVERNMENT institutions. A police officer can't infringe on your rights but a store owner is more than free to while on his property.
So what the fuck are you talking about?
Pull your "I Have a Right" speech with the judge and see how far you get. You couldn't even provide documentation for this right when asked.
You just ASSUME it exists.
Ben
Must be like the 20th Amendment to the Constitution of the Consumer States of America.
A theater is PRIVATE property. You check your rights at the door.
Are you going to fight for your "right" to not have to wear a shirt or shoes and still get service?
You can't carry recording devices of any form into professional sports games either.
If you have a phone with a camera, keep it in your pocket (turned off) and if security spots you, don't be an ass whinning about imaginary rights. Give them the phone and pick it up on your way out.
This is not an issue. At all.
Ben
I realize this is a Geek news site so we're not all up to speed on recording devices and sports but cellphones with cameras have been banned from any and all professional sports games. College games they still allow photography. You can thank the advertising industry for such bans.
There was a Canon commercial for a high end digital camera and the guy taking pictures at a football game. Pretty bad advertising considering that very expensive camera would be confiscated if you took it anywhere near an NFL game.
It's not surprising they're cracking down in the same manner on theaters now.
"So, as another poster asked, what happens if you forget to take your camcorder OUT of your car when you go to the drive-in (and yes, there are still drive-ins in California)?"
You explain to the nice security guard that you had no intention of using it to film anything and if they ask, you hand it over to them to hold it for you until you're ready to leave.
Same as they do with sports games.
This is a non-issue.
"is sufficent to create the possiblity of arrest and prosecution"
That's a definite maybe.
If you're in such a situation, don't be an ass and cooperate. They're not out to get you. They're out to prevent you from recording anything. Big difference.
One involves a box in the office to hold your phone while you watch the movie. The other involves a judge and 12 of your new friends.
Ben
I don't know what your speeds are but I had a non-artificially capped 640/256Kbit business DSL line for $70 a month. Cox wanted to charge $200 or so for a line that was only 50% faster up and artificially capped. Since I was (and still am) running a very large web-site it's the upstream speed that matters. Cox also caps the upload amount at a rediculous 7.5GB. Compare that to the 50GB+ I was doing with my DSL line. It was nearly saturated when I went to colo.
Qwest couldn't get me a faster line either due to my distance to the telco.
I now pay $175 a month for 30GB of transfer (+$2 per GB over) for a 10Mbit colo line at the ISP I had the DSL account through. I've had to All Access Pass more to keep the transfer amounts down but I'm working on alternate ways to bring in funds so I can open it up a bit.
I also switched my home internet connection to Cox (and got digital telephone) since Cox is a better deal for typical internet use.
If you're running a server you may want to consider that road. Colo packages tend to be cheaper and far faster.
I use a custom version of WinVNC so it's not too terrible maintaining it. Having the server physically accessible 24/7 was nice.
Ben
out of pity.
Have you ever considered a career as a straight man?
Ben
"The only reason we aren't conquered by some more unified people is because we have nuclear weapons"
Have a t-shirt
front side: "I Took on the Government and All I Got Was This Lousy T-Shirt"
backside: "Property of Guantanimo Bay"
The reason we're not going to be attacked any time soon (even though reasons abound in many people's minds) is because the people who want us gone are people who refuse to use violence.
I can just imagine all the anti-war people starting a war against the US.
Clinton threw money at problems and failed to solve anything. Us giving the Taliban money prior to 9/11 was residue from Clinton. Bush's administration finally put that idiotic plan to rest.
Since diplomacy and money have failed now we're trying the tried and true method of control called an ass kicking.
All the democrates have done so far is bitch about what a terrible job Bush is doing. Unless they can come up with a brilliant idea to solve these problems they claim exist (especially in Iraq) I'll be voting for Bush.
I can deal with Bush for four more years if it means Iraq doesn't have to deal with another Saddam any time soon. I'd rather give Bush 4 more years to finish up his plan than bring in some new guy with no plan and no clue what to do.
Ben
They invest in more security, more friendly service (to keep the would be theives busy and make them know they're being watched), and throw people out (or just make them so uncomfortable from all the attention they leave).
There's nothing wrong with Radio Shack's business. It's simply that it's so easy to steal from them with all those little parts they sell.
A stealing customer is not a customer. Better to throw those 15% out WHILE looking for ways to lower the theft rate. I don't think Radio Shack is going to put individual IC type parts is huge boxes any time soon.
"I havn't figured out how to make you stop stealing yet so go ahead."
Brilliant plan. You have to attack the problem from all angles.
Not just blame the victim as you suggest.
Ben
to post that admission of guilt with a link to his company's web-site. In case the RIAA ever wanted to pursue the matter.
Maybe we'll find out if he's a hero sooner than later.
Ben
The RIAA (aside from that whole illegal search and seizure thing preventing them from being able to do anything if they wanted to) had no bones to pick with people who share between friends. Because then it actually is sharing.
Calling rampant piracy "sharing" is just dense. Yes they're very heavy handed about it but that doesn't make piracy any less illegal.
It's like flicking lit matches around your house and then standing outside crying and whining and wondering why it burnt down.
Keep your "illegal" activities to yourself.
"I got your file! And you can't get me! Oh look, there's another!"
Some people are so freakin dense.
When you're pirating on a very public and very popular P2P app you're just asking to get some silver braclets.
While you're at it, why don't you go rob a bank in broad daylight with a nice neon colored hat and smile at the camera.
Brilliant job posting on a PUBLIC FORUM WITH YOUR TRACKABLE INFORMATION that you're a very dedicated and loaded pirate.
If your boss doesn't fire you, you should just quit before he gets a phone call.
"Anonymous Coward"
Learn it, love it, embrace it.
Ben
I occassionally get e-mails whining that I charge for access to much of my site (you're free to browse every file I have though). Many subscription sites get the same flak. What people don't realize is that it costs money (often lots of it) to run a web-site. Unless someone wants to donate several thousand to my site, it's going to remain a mostly subscription site.
It's the same way with OpenSource vs ClosedSource. I recognize that some things could just as well be free. As a result a lot of source code I write gets posted for free on my web-site for anyone to use. However I also recognize that free don't pay the bills so I keep some things to myself.
Namely complete projects. Many completed projects get their source code released but a couple are completely closed except for a few pieces (Ogg Vorbis with DirectSound class, for example). It would be possible (and possibly beneficial) to release parts of your code under your own custom license or the BSD license if you don't plan on licensing the technology.
Namely one that recognizes that it is intended for use in a single closed commerical product. Anyone else may use it for NON-commerical purposes as long as the source remains open. Otherwise they have to license it from you.
But, contrary to what some may say, Open Source is not the be all solution. But neither is closed source. Again, I would recommend going through your project to see what could opened and then have it out there while still working on it internally. Anything that isn't unqiue should be the first to consider opening up.
Open Source essentially reduces programmers to street performers with a very select few seeing any money (much less livable wages) from their efforts. Namely the people who organize the project.
There are a lot of people working on Linux and very few of them are getting any checks in the mail. Even fewer can live off the checks they do get.
Ben
"That is inconsiderate, disrespectful, and flamebait--especially since blocking port 25 has not prevented spam at all."
Didn't you tell me it only took a moment to think to realize *I* was wrong?
I gave you five minutes. Don't tell me you're going to cry now.
"especially since blocking port 25 has not prevented spam at all."
It's blocked 100% of spam that would have originated from servers running on computers connected to an ISP that blocks port 25.
It's very effective. What did you expect? That spam would dissapeaar?
Should you just litter since you not littering doesn't accomplish anything in the grand scheme of things anyway?
"If the guy next door starts sending spam from his computer then it's easy enough for the ISP to start watching/tracking him without blocking port 25."
Once he's sent out the e-mails the damage has been done. It's a PREVENTATIVE measure.
Again, stop crying and realize that the moment you took to _know_ *I* was wrong wasn't enough time to really think about what the block is trying to accomplish to realize it's a very effective measure.
You didn't even know the uses and limitations of IP spoofing. What makes you think I think you have any credibility in this regard?
Especially considering I'm behind a port 25 block and think it's a great idea and that more residential connections should have that port blocked.
Just like littering, no one person solves the whole problem. Everyone just does their part. Cox is a major ISP and it's one that is of no use to spammers. That is a major accomplishment.
Again, take five minutes and THEN respond.
These "moments" you take obviously aren't enough.
Ben
E-mail sent through my mail server will be tracked to my mail server. If there's a problem I have logs (and invoices for payment) to track down the person responsible. I can also just cut them off.
The same as would happen at the ISP level. They have your records if they need to find you. And they can cut you off. ISPs are now just cutting everyone off who isn't paying for the ability to have an unrestricted connection.
Sending spam from your IP will get you in trouble but it also has the potential to make the ISP look like it's spam friendly, get it on blacklists and all kinds of other nasty things. No one will mistake Cox or any other port 25 blocking ISP for being spam friendly.
It's not about getting the spammer. It's about PREVENTING spam in the first place.
You can't spoof an IP connection for anything more than one way communication. SMTP requires two way communication. Spoofing the IP for that purpose results in no mail sent. The word you're looking for is "proxy."
And how does not blocking port 25 prevent using proxies to spam anonymously?
If you don't want the ISP monitoring your e-mail usage use a third party e-mail server that accepts connections on an alternate port or find a new ISP or pay for the ability to have port 25 open.
"To me this has sounded good but never adds up if you spend a moment thinking about it."
Next time, try 5 minutes.
Ben
I have Cox and they block port 25 going out which makes sense. However, I run an on-line business and need to use my own e-mail addresses for my domains. That server is colocated at another ISP. The solution? Port fowarding on the server side. RinetD makes it really simple to forward port X to port 25. So now on my side e-mail goes out on port 28 and in on port 25. Server side recieves mail on ports 28 and 25 and sends mail out on port 25.
So the problem is solved with my mail server but what about other e-mail servers that people subscribe to?
It boils down simply to responsibility. Cox and other port 25 blocking ISPs don't want to be responsible for your mail server. Not *all* ISPs should block port 25. *All* ISPs should have guidelines for when to block port 25. Homeusers, fine. They can deal with having to use their ISP given e-mail address. If they need to send mail through another mail server they should contact that mail server and ask them to do a port forward.
If they want to take responsibility for what you e-mail through their system they can open up a secondary port.
The ISP has made their decision and the answer is "no." The only people inconvienenced by this are people who intended to run an e-mail server on a residential line (ISPs always have non/less restricted account types for businesses) and I'm not feeling a pity party comming on for those people. If you want to run a business, you pay the price or find someone else. Qwest DSL doesn't block any ports and using a business line with them I used to run the entire business out of house. Their limitation is speed which is why I moved to colo and got a cheap residential connection for my own use and handling the business remotely.
And if you don't want to pay the price (I'm not about to spend hundreds a month to two ISPs just so that one of them lets me send e-mails to the other without a port forwarder) find an e-mail hosting company (like me) that has an additional port to get your e-mails out through.
The port 25 block is to prevent e-mail servers from being run on a residential line. Port forwarding on the server side doesn't break that rule. I'm not running a server on my residential line.
Maybe someone else has an argument why blocking port 25 is wrong and evil in any and all cases but I can't come up with it.
All ISPs should block port 25 in at least some circumstances. The first circumstance to consider should be residential. It's very trivial to allow port blocked customers to use a 3rd party e-mail server running under circumstances that allow port 25 to be open.
Ben
And they want their monkey back.
They saw what happened to Godzilla.
Ben
in the US those protestors were (if they were peaceful) wrongfully arrested and have grounds to sue the city/state and win. It wouldn't take much to find a lawyer who would take the case for free (no money up front) if they don't have a lawyer friend in their mist already.
The person in China has no such laws to fall back on. As far as China is concerned she was 100% legally arrested.
Guatanamo holds FOREIGN prisoners. Not citizens. I can register www.fuckbush.com and unless I encourage violence against him (or anyone for that matter) there's not jack shit I can be arrested for.
The reason Guantanamo holds *FOREIGN* prisoners is because they don't have the same rights we as citizens do. Just because you're on American soil doesn't make you a citizen with all the rights and priviages that entails.
I don't know all the details on Guantanimo so I'm not going to argue that those prisioners should or should not be there. I don't know why 99.9999999% of prisoners are in jail I just assume there's a good reason. I'd have to argue that on a case by case basis.
But I'm not going to pretend that the US is like China in this regard. China is arresting it's OWN CITIZENS for speaking out against it allowing exactly zero legal recourse. The US is arresting FOREIGN people for doing whatever. If someone in guantanemo was arrested for no good reason I'm not going to argue they should be there. But calling the US a police state is just dense.
It's amazing the kind of stuff I put on my web-site without fearing for my freedom. Mein Kampf, the Communist Manifesto, every historically banned book I could find, all kinds of other political documents like the Declaration of Independence. All in two sections call "Politics as Usual" and "The Library." And I have governments from all over the world visiting my web-site. therabbithole.icarusindie.com
The were moved from the main www.icarusindie.com for business reasons and conflicting interests with certain groups I belong to. Not because I got letters from the government. But because I got e-mails from CITIZENS who thought some of the stuff was a little over the top (and too easy to accidently stumble across) and I happen to agree but I don't believe in censorship so I compromised. Google, the fanstastic beast it is, has already reindexed everything so it's business as usual. Except that those who don't want to see the "darker" side of icarusindie.com will never accidently stumble across it.
It's amazing what you can "get away with" in the US. And imagine what a dream it must be for a Chinese citizen when in the US it's a reality that people sue the police, their counties, cities, states and even take the Supreme Court to court over matters...and WIN.
That certainly is some kind of police state we have here where CITIZENS can sue the government and WIN.
Ben