
Fake "Bill Gates" Message Dupes Top Tools

timothy posted more than 4 years ago | from the top-tools-are-working-on-it-top-tools dept.

Security 117

yahoi writes with this excerpt from Dark Reading that might raise sysadmins' eyebrows about email security, in particular given the big names involved: "A researcher who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from 'Bill Gates' is about to reveal the email products and services that failed to filter the spoofed message — and that list includes Microsoft Outlook 2007, Microsoft Exchange, Outlook Express, and Cisco IronPort. ... The experiment was aimed at measuring the effectiveness of email security controls in several major products and services. And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."


117 comments

so? (0, Redundant)

spiffmastercow (1001386) | more than 4 years ago | (#30675682)

I didn't RTFA, but I'd be pissed if my email server filtered out someone's email just because they had the name "Bill Gates". You know the famous one doesn't have a monopoly on that name, right?

Re:so? (0, Troll)

babaloo (259815) | more than 4 years ago | (#30675738)

I can't RTFA if I don't accept cookies.

Re:so? (0)

Anonymous Coward | more than 4 years ago | (#30676842)

Don't worry, it's just more propaganda about how they're all out to get you, just like eeeeeeeveryone else is. You're right to be utterly paranoid. We all laughed at you, but soon you'll be the one laughing.

fnord fnord fnord.

Re:so? (1)

csartanis (863147) | more than 4 years ago | (#30681712)

Accept it for the session then delete it. Some modern browsers even have an option to do this automatically.

Re:so? (2, Interesting)

earnest murderer (888716) | more than 4 years ago | (#30675856)

The issue isn't who (near as I can tell) as much as it is the commonality of e-mail originating from servers not identified in the e-mail.

Blocking mail like that was a topic of discussion in the 90's but by that time the number of mail servers that no longer resolved to the domains they serviced was large enough that it was useless anymore.

I may not have all my facts straight, but that's my understanding.

Re:so? (3, Funny)

corbettw (214229) | more than 4 years ago | (#30675916)

You know the famous one doesn't have a monopoly on that name, right?

Well, it would be rather fitting if he did.

Re:so? (2, Interesting)

kbielefe (606566) | more than 4 years ago | (#30675926)

It wasn't the name he expected to be filtered, but the fact that the email was spoofed, i.e. it appeared to come from a different server than it actually came from.

Re:so? (1)

shentino (1139071) | more than 4 years ago | (#30678236)

Ok, here's an idea.

Why not just hard-block incoming email that is spoofed?

Any message that fibs about its origin is almost by definition deceptive and fraudulent and is pretty safe to block. Those few cases due to misconfigured servers, well sucks to be you, fix the damn configuration.

And people that run email servers should stop pussy-footing around with SOFTFAIL records.

Re:so? (1)

ozmanjusri (601766) | more than 4 years ago | (#30676624)

You know the famous one doesn't have a monopoly on that name, right?

They probably add the term "Microsoft" to the filter.

That one definitely has a monopoly, and was one of the costliest scams of the 20th century.

Old news (4, Insightful)

Anonymous Coward | more than 4 years ago | (#30675726)

SMTP is broken. Deal with it

Re:Old news (4, Funny)

MichaelSmith (789609) | more than 4 years ago | (#30676052)

Yeah I hate the way anybody can just walk past my house and drop stuff in the letterbox. I would be much happier if the federal government vetted everything so I could just fly to Canberra to collect my safe, filtered mail.

Re:Old news (1)

jonadab (583620) | more than 4 years ago | (#30681178)

> Yeah I hate the way anybody can just walk
> past my house and drop stuff in the letterbox.

That's not the problem. Indeed, that's an intentional and useful design feature.

The problem with SMTP is that it costs you more to maintain your mailbox than it costs the senders to keep dropping junk in it.

With a better design of mail protocol, advertisers would still be able to send you whatever junk they want, but it would cost them more to send it than it costs you to maintain a mailbox for receiving it. The obvious way to do this is to set up the protocol so that the sending mail server tells the recipient's mail server, "I have a message for [your address], with such-and-such a message ID." The recipient's mail server then keeps track of this information until the user checks their mail. The user's mailreader then gets this information, and it can either be set up to retrieve all the messages from their various sources and store them locally (offline mailreader), or else it can be set up to show the user a list, and individual messages are only retrieved from the sender when the user clicks on them (online reader). A hybrid setup would also be possible (e.g., if the sender is in my address book, go ahead and retrieve the message). This design makes the sender responsible to store the message indefinitely (although messages could have an expiration date after which they are no longer available), and the recipient's ISP does *not* have to store the whole message, just the metadata. This is a rough outline, of course, and there are a number of details that would have to be ironed out, but it doesn't matter, because it would never be adopted anyway, because it wouldn't be backward compatible with SMTP.

So yeah, SMTP is broken, but it can't be fixed.

Re:Old news (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30676224)

I wouldn't say it is broken; it serves its original purpose quite well. I think it is more a problem of our expectation of privacy and security, neither of which SMTP is capable of providing (at least not without various extensions and hacks bolted on top of it).

Re:Old news (1)

shentino (1139071) | more than 4 years ago | (#30678244)

Can't you simply run SMTP over SSL like they do HTTP?

Re:Old news (2, Informative)

bsDaemon (87307) | more than 4 years ago | (#30678640)

Yes, but encrypting the handshake and the password exchange doesn't have anything to do with the fact that you can forge FROM headers. SPF records, domain keys, etc, can help but can also be more trouble than they're worth some times and don't really prove much of anything anyway, and even those could be forged if you REALLY wanted to by doing a DNS cache poisoning or something.

So, no, SSL isn't going to solve the problem.

Re:Old news (0, Offtopic)

garaged (579941) | more than 4 years ago | (#30679138)

If only we all could revert the obsession of electronic money, that makes way more trouble than good.

Money is totally virtual, and now there is a little fraction of the "actual money" on circulation and there is no way in hell we can put the other 90% of the money in circulation to actually combat poverty.

Police are incapable of actually doing the job we need of them, so we cannot walk around the corner with more than a few bucks without being robbed, so we use credit cards, just to discover that banks cannot do their job either (take care of the money!!).

It's kind of difficult to stop thinking in conspiracy theories when the solution to a problem makes more problems, and when a country goes and makes war against a country because of fear of terrorist attacks, but doesn't do much about the drug usage of the people that provokes thousands of killings yearly.

No phishing problems would exist if we didn't abuse electronic money, and most of the social engineering attacks would result in shame on the attacked, instead of the "stealing of (b)millions of dollars".

I needed to leverage some steam, thank you very much.

Re:Old news (0)

Anonymous Coward | more than 4 years ago | (#30680350)

I'm pretty sure that even if electronic cash never existed, it wouldn't stop phishing scams along the lines of "send a cheque/postal order to..." - these type of scams have been around in regular post for decades. Besides that, phishing isn't always about stealing money, it can be about tricking users into revealing vulnerabilities in the security of their systems, or instilling a false sense of trust and then encouraging the installation of software that hijacks the system (such as an email "from" your bank/favourite social networking site/etc saying run this attachment to improve speed/security/privacy/whatever), those attacks would still be relevant in the absence of remote payment schemes.

Not sure what the rest of your post is trying to say - that we should use more real cash and less electronic payment methods, but that we should expect to be robbed on a regular basis because the police can't do anything to protect us seems like a pretty bizarre suggestion. You're not in the thieves guild are you? Also, it's almost always been the case that there is a small fraction of actual money in circulation ever since the days of the gold standard. Money gets invested or saved and that's not necessarily a bad thing because without that state of affairs we'd have no banks, and while that might sound like an improvement, I certainly wouldn't want to carry around all my savings all the time or rent a big safety deposit box somewhere I have to go visit every time I need cash, and neither would I like to pay a huge fee to some company to securely hold my cash (because without the money banks make from investing your cash, that would be the only realistic alternative).

Re:Old news (1)

Chrisq (894406) | more than 4 years ago | (#30680336)

SPF records, domain keys, etc, can help but can also be more trouble than they're worth some times and don't really prove much of anything anyway, and even those could be forged if you REALLY wanted to by doing a DNS cache poisoning or something.

I think that this illustrates that they are not more trouble than they are worth. Forging a "from" header is trivial, some email clients just let you enter the "from address". DNS cache poisoning is not. For most people setting up an SPF record is a "one off" operation and with online testing tools [kitterman.com] and online wizards [microsoft.com] is not that difficult.
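To make the SPF discussion in the two comments above concrete (shentino's point about SOFTFAIL records and Chrisq's point that publishing a record is a one-off), here is an added example, not code from the article or from any commenter, of how a receiving MTA evaluates an SPF record against the connecting IP. The TXT records in RECORDS are constructed for the example and stand in for live DNS lookups; only the ip4, ip6, include and all mechanisms are modelled, since a, mx, ptr and exists need real DNS. The domain names are hypothetical.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: not real records).
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",   # the "pussy-footing" case
    "nospf.example": None,                                # domain publishes nothing
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns one of pass / fail / softfail / neutral / none / permerror,
    following the RFC 7208 semantics for the mechanisms modelled here.
    """
    record = RECORDS.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:                      # RFC 7208 caps DNS-causing mechanisms
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)

    # Mechanisms are evaluated left to right; the first match wins.
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only if the referenced record yields "pass".
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"          # a/mx/ptr/exists not modelled offline
    return "neutral"                    # no mechanism matched and no "all"


def smtp_action(spf_result):
    """What a receiver can safely do with each result at the SMTP stage.

    Only a hard "fail" (-all) justifies rejecting at RCPT/DATA time; "softfail"
    (~all) is explicitly the sender saying "probably not mine, but don't bounce",
    so the best it can do is feed a spam score.
    """
    return {
        "fail": "reject",
        "softfail": "accept and add spam score",
        "none": "accept, no information",
        "permerror": "accept, treat as no information",
    }.get(spf_result, "accept")
```

Run check_spf("example.com", "203.0.113.7") to see the hard fail that makes rejection defensible, and check_spf("softfail.example", "203.0.113.7") to see why a ~all record leaves the receiver guessing.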

Re:Old news (4, Informative)

Sir_Lewk (967686) | more than 4 years ago | (#30679510)

SMTP is not broken. SMTP was never supposed to provide authentication of identity, and nobody with the slightest of technical knowledge has ever expected it to.

That is why anyone who cares uses PGP/GPG.

Re:Old news (1)

JasterBobaMereel (1102861) | more than 4 years ago | (#30680768)

I can send you a conventional paper mail and claim to be anyone, and claim to be sending it from anywhere and there is nothing you can do to trace it to me, this has not caused a problem for over 100 years ...signatures help to verify identity

The same thing has always happened with email, but this causes a problem because people strangely expect when it says an email is from Harry Jones it really is from him. PGP/GPG signatures verify identity.

Most ways of filtering email do not work in a business environment because most email is from people you do not know and the originating servers do not match the mail address - an email filtering program that does not deliver an important email from a customer is broken

Checking Actual Email Address with Displayed? (1)

Phrogman (80473) | more than 4 years ago | (#30675788)

So none of these products compared the actual email address being used with the displayed one in the message? That would seem to me to be about the most obvious security check one could think of with regards to email.

Re:Checking Actual Email Address with Displayed? (1)

Obfuscant (592200) | more than 4 years ago | (#30675920)

So none of these products compared the actual email address being used with the displayed one in the message? That would seem to me to be about the most obvious security check one could think of with regards to email.

Huh? Which one of the "displayed one[s] in the message" must match the From header? And why would you consider it any more secure if there is a match, since the sender can simply insert the same address in the body of the message...

Re:Checking Actual Email Address with Displayed? (4, Informative)

yuna49 (905461) | more than 4 years ago | (#30678274)

I agree. This has to be one of the stupidest articles I've read lately.

I guess in the author's view if the SMTP envelope sender (the value appearing in the "Return-Path" header at the top of each delivered message) doesn't match the From: address, the message is somehow bogus. Try telling that to the thousands of listserver admins around the world. Many listservers preserve the original message sender's address in the From field, while redistributing the message with an SMTP sender like owner-listname@example.com. That way if you hit reply, it goes back to the original author and not the list. However bounce messages get sent to the envelope sender, which is usually the listserver admin.

Automated web processes have the same feature. I'm careful to specify what I want the envelope sender to be and what I want the From to be, and often they are not the same thing at all. I wrote a variety of applications for organizations where an officer can send mail to a membership list using his or her own address as the From. However the envelope sender is usually something like bounces@example.com so that non-delivery messages go there rather than to the actual author.

I might want to compare the addresses, and maybe give non-matching ones an extra fractional point of spamminess in SpamAssassin, but that's about it. Not delivering messages like these would break a huge portion of the e-mail infrastructure.

Re:Checking Actual Email Address with Displayed? (1)

delinear (991444) | more than 4 years ago | (#30680400)

Similarly companies who do mail shots for clients need this functionality if they're not going to totally confuse end users. Our company uses an external agency to do this on behalf of our clients and it's not feasible to transfer the email domain to allow the third party to send from the "legitimate" address because many of the clients manage their own email server for employee mail - all our mails are opt-in so the users have to specifically request them, it would be ridiculous to tell all those users they also have to go reconfigure their spam filter to whitelist the relevant domains as well.

We can either have a relatively relaxed system and accept that some spam will get through, or we can have an overly strict system and risk missing out on mail we actually want to receive. Personally I'd rather have the minor inconvenience of the former (and, really, it is very minor these days, the spam filters might never catch everything but they catch a hell of a lot and make the rest manageable).

Re:Checking Actual Email Address with Displayed? (5, Interesting)

e2d2 (115622) | more than 4 years ago | (#30676128)

Well here's why that's tough. You can't check the email address it comes from typically because that would mean using the VRFY command, which no modern email server has enabled because it would allow spammers to simply poll an SMTP server for addresses and see if they are legit. They simply disable it or send all true responses.

The next check is DNS, verifying a mail record exists for the domain in question. Here's the problem with that. DNS can be messed up and mail will still function. Say you have a hosted domain but it lacks an mx record. Mail will still go out. So the server on the other end needs to make a choice. Throw it away or pass it through.

Re:Checking Actual Email Address with Displayed? (0)

Anonymous Coward | more than 4 years ago | (#30676288)

Or LinkedIn should publish DomainKeys or SPF records..

Re:Checking Actual Email Address with Displayed? (1)

Phrogman (80473) | more than 4 years ago | (#30676686)

Okay thanks for the clarification. I know relatively little about email and how it is transmitted/received beyond how to use it :)

Re:Checking Actual Email Address with Displayed? (1)

jonadab (583620) | more than 4 years ago | (#30681268)

> DNS can be messed up and mail will still function.
> Say you have a hosted domain but it lacks an mx
> record. Mail will still go out. So the server on
> the other end needs to make a choice. Throw it
> away or pass it through.

It doesn't have to be a binary choice based on one criterion. You can use a number of different checks (does the envelope sender match the From field, does either of them match the HELO domain, does the HELO domain match the sending IP address, is the message text or HTML, does the sending domain provide SPF records and if so do they match, is there a valid subject line and if so does it match one of these regular expressions, have any of our users sent mail to this domain in the last N days, ...) to drive a variable which, if it passes a certain threshold, can trigger other effects (greylist, check against IP blacklists, run a virus scan, whatever). You can even have multiple thresholds: if the message fails 40-60% of the checks you might greylist it with a short delay, and if it fails 61-80% you might greylist it with a longer delay, but if it fails more than 80% of the checks you might reject it out of hand, or send a "please confirm" reply that requires user interaction, or even go into teergrube mode. And you might weight some of the checks more heavily than others. For example, I'd penalize HTML mail much more heavily than mail with mismatched From and envelope sender, and domains to which I've sent mail would get a pretty big break, and so on.

Spammers use multiple techniques. If we want to keep up in the arms race, we're going to have to use multiple techniques to fight back.
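The two comments above (yuna49's point that an envelope/From mismatch deserves a fractional score rather than a rejection, because list servers and web applications rely on it, and jonadab's weighted multi-check scoring with thresholds) can be shown together in one scorer. This is an added example, not code from the article or from either commenter; the weights, thresholds and the two raw messages are constructed for illustration, and the sending IP, HELO name and "recently mailed" set are assumed to be supplied by the MTA.

```python
import email
from email import policy
from email.utils import parseaddr

# Weights are assumptions chosen to mirror the comment: HTML is penalised
# far more than an envelope/From mismatch, and known correspondents get a break.
CHECK_WEIGHTS = {
    "envelope_from_mismatch": 1.0,   # Return-Path domain != From domain
    "helo_domain_mismatch": 2.0,     # HELO matches neither of the two domains
    "html_body": 3.0,
    "no_subject": 2.0,
}
RECENT_CORRESPONDENT_BONUS = -3.0
THRESHOLDS = [(2.0, "accept"), (4.0, "greylist_short"), (6.0, "greylist_long")]


def domain_of(addr):
    """'"Bill Gates" <x@linkedin.com>' -> 'linkedin.com' (empty if no address)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def _helo_matches(helo, domain):
    helo = helo.lower()
    return bool(domain) and (helo == domain or helo.endswith("." + domain))


def score_message(raw, helo_domain, recently_mailed):
    """Run the checks and return (weighted score, list of failed check names)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    envelope_dom = domain_of(msg.get("Return-Path", ""))   # MTA-added header
    failed = []
    if envelope_dom != from_dom:
        failed.append("envelope_from_mismatch")
    if not (_helo_matches(helo_domain, from_dom) or _helo_matches(helo_domain, envelope_dom)):
        failed.append("helo_domain_mismatch")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        failed.append("html_body")
    if not (msg.get("Subject") or "").strip():
        failed.append("no_subject")
    score = sum(CHECK_WEIGHTS[c] for c in failed)
    if from_dom in recently_mailed:
        score += RECENT_CORRESPONDENT_BONUS
    return score, failed


def decide(score):
    """Map the score onto graduated actions rather than a single accept/reject."""
    for limit, action in THRESHOLDS:
        if score < limit:
            return action
    return "reject"


# Constructed spoofed invitation: From claims LinkedIn, envelope and HELO do not.
SPOOFED = "\n".join([
    "Return-Path: <bounce@mailer.example>",
    'From: "Bill Gates" <invitations@linkedin.com>',
    "To: victim@example.net",
    "Subject: Bill Gates wants to connect on LinkedIn",
    "Content-Type: text/html",
    "",
    "<html><body><a href='http://mailer.example/x'>Accept</a></body></html>",
])

# Constructed list traffic: the mismatch is legitimate and must not be fatal.
LIST_MAIL = "\n".join([
    "Return-Path: <owner-netops@lists.example.net>",
    "From: Alice <alice@example.org>",
    "To: netops@lists.example.net",
    "Subject: [netops] maintenance window",
    "",
    "Core router reboot at 02:00 UTC.",
])
```

score_message(SPOOFED, "localhost.localdomain", set()) fails three checks and lands on reject; LIST_MAIL from HELO lists.example.net fails only the envelope/From check, which is exactly the fractional point yuna49 describes, and is accepted, with or without example.org in the recently-mailed set.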

Little technology (4, Funny)

Tsar (536185) | more than 4 years ago | (#30675818)

"...And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."

Okay, I give up. What can little technology actually do about it? Is that like nanotechnology, but bigger?
Yes, I was bored. Back to work!

Re:Little technology (0)

Anonymous Coward | more than 4 years ago | (#30676170)

No, technology already has developed what we need here. It's guns. Just kill stupid people. And then the IT caste will rule the world.

Re:Little technology (1)

RAMMS+EIN (578166) | more than 4 years ago | (#30679984)

I realize you're picking linguistic nits here, but there is actually a serious answer to your question, and it's been known for a long time. If you want some sort of assurance that an email really comes from who it purports to come from, the email infrastructure as commonly deployed won't give you that. However, there are technologies that will.

PGP is one of them. With PGP, you can sign your message with public key cryptography. If you sign with your private key and upload your public key to a keyserver, the receiver can verify that the private key corresponding to that public key was used to sign the message. In other words, only a person who knows the private key could have signed the message.

By itself, this isn't enough to verify the sender's identity. I could create a key pair and use it with the name "Bill Gates", even though I am not, in fact, Bill Gates. To solve this, PGP has introduced the web of trust (S/MIME, which is similar, uses a trust hierarchy instead, like SSL). Roughly speaking, the web of trust allows you to say "I trust this person so much I'll also trust any keys he trusts". And then, if that person says a key belongs to Bill Gates, you'll believe it does.

The end result is that, if you get a message signed by a key you trust to belong to Bill Gates, then you can trust that the message was signed by Bill Gates. Anything else means it could as well be an impostor. And since the vast majority of email doesn't use PGP or any other mechanism to verify senders, the vast majority of email could as well be from impostors. In fact, I would go as far as to say this really is the case: the bulk of email is SPAM, and SPAM is usually not from the sender it claims to be from.

Re:Little technology (1)

delinear (991444) | more than 4 years ago | (#30680450)

Web of trust is all well and good in small groups, usually of people who know each other in the real world. It might work if you set it up within a small company for instance, but the fail points will always be the people in the web who are allowed to add their own, previously "untrusted" names, because you get back to the real issue - that scammers exploit the lack of verification because it's the easiest way to achieve their aims. If the easiest way to achieve their aims was to win the trust of one of the people in this web of trust and get their name added that way, they'd switch to that tactic instead (sure, it might be more labour intensive, but if people have a higher sense of trust this way, the payoff might be sufficiently higher to justify it). Once you've demonstrated the web of trust can be infiltrated, everyone in that web is back to square one in terms of not knowing which names to trust. The only thing you've really added is a massive layer of complexity for the layman and a false sense of security for everyone involved.

Pretty much anything from linkedin is spam. (4, Informative)

schon (31600) | more than 4 years ago | (#30675858)

A couple of months ago, I got a "someone who knows you wants you to join" email from Linkedin. Someone had submitted my email address and wanted to "friend" me, and the entire contents of the "this person knows you because..." part was a spam website in China.

Any casual glance would show that it was spam.

Linkedin had "kindly" put a link at the bottom of the email saying "if this is spam, report it here". So I did, and the web page thanked me for reporting the spam.

Two weeks later, I got *ANOTHER* email from Linkedin, "helpfully" reminding me that I hadn't accepted the spammer's invitation

WTF?!?! I told them it was spam, and not only hadn't they banned the spammer, they were spamming for him!

Linkedin instantly went into my mailservers blacklist. They're just fucking spammers.

Re:Pretty much anything from linkedin is spam. (2, Insightful)

sco08y (615665) | more than 4 years ago | (#30676156)

I've been on LinkedIn since 2006. It's really gone downhill.

Networking is a fine thing to do and makes sense, at least given that HR departments don't actually do their job. Unfortunately, there is a large contingent of markety types who seem to think that networking and motivational crap can completely take the place of actually doing work. And they are dominating LinkedIn right now.

Re:Pretty much anything from linkedin is spam. (3, Funny)

Anonymous Coward | more than 4 years ago | (#30676716)

LinkedIn has ALWAYS been crappy, in my opinion.

I got an invitation to join this wonderful networking site years ago. I checked out the site. My top competitor was on there, and he had befriended a bunch of clients. I grabbed them, and called the clients, and landed business with several of them. My competitor didn't know what hit him.

Yeah, watch out who you share your Outlook Contact list with. Geez, that should be a guarded secret, not a free-for-all posted on the internet!

Re:Pretty much anything from linkedin is spam. (1)

hany (3601) | more than 4 years ago | (#30680584)

I assume those people got better deal from you so I guess it was not bad for them that your competitor shared his contact list. :)

Re:Pretty much anything from linkedin is spam. (1)

Thelasko (1196535) | more than 4 years ago | (#30676256)

I think you are being a bit harsh on Linkedin. Yeah, there is some spam. Spam is everywhere. However, in this economy, corporations are turning to LinkedIn as a recruiting tool.

When a company posts a position on Monster and Careerbuilder (I get spam from both by the way), they are flooded with resumes. The situation is so bad that their human resources departments don't have the resources to sort through them all. They therefore use LinkedIn as a search tool for candidates without opening themselves up to a deluge of resumes.

Yeah there is some spam on LinkedIn. There is spam on other sites as well, but it doesn't mean those sites are worthless.

Re:Pretty much anything from linkedin is spam. (1)

schon (31600) | more than 4 years ago | (#30677502)

I think you are being a bit harsh on Linkedin.

Then you don't understand what happened.

Yeah, there is some spam. Spam is everywhere.

So that makes it OK to steal my bandwidth and annoy me? Fuck that!

However, in this economy, corporations are turning to LinkedIn as a recruiting tool.

Besides "fuck them", this statement shows that you don't understand what happened.

Linkedin sent me email from a known spammer. This was not "recruitment", it was spam.

There is spam on other sites as well

Name them. Name one that will send you OBVIOUS spam, even when you tell them it's spam and you don't want to receive it, just because they want you to join their service.

it doesn't mean those sites are worthless.

Yes, it does. The first time it happened, I can understand it. But they sent me a reminder that I didn't accept a spammer's spam after I reported it as spam - that makes them 100% worthless.

Re:Pretty much anything from linkedin is spam. (1)

edumacator (910819) | more than 4 years ago | (#30677894)

Yes, it does. The first time it happened, I can understand it. But they sent me a reminder that I didn't accept a spammer's spam after I reported it as spam - that makes them 100% worthless.

Or...it means there was a hole in their system, and instead of taking a moment to send an email to their tech department, you just decided to throw away the baby with the bath water.

I'm not sure what causes it, but the all or nothing approach, and holier than thou belief system that pervades the web is a little saddening. Sure they should have caught that error, but I'd venture a guess that you might have messed up now and then in whatever work capacity you have. Why not give them a chance, shoot them a message, and see if they fix the problem?

Re:Pretty much anything from linkedin is spam. (1)

Darkness404 (1287218) | more than 4 years ago | (#30679528)

So that makes it OK to steal my bandwidth and annoy me? Fuck that!

Yeah, "stealing" that oh so precious 5Kb of bandwidth.

Linkedin sent me email from a known spammer. This was not "recruitment", it was spam.

By your logic every time I get a friend request from a random person and Facebook sends me a message that is spam.

Name them. Name one that will send you OBVIOUS spam, even when you tell them it's spam and you don't want to receive it, just because they want you to join their service.

Let's see (granted, this is biased based on the mail I have received):

A) Scholarship "search" sites
B) Random colleges in the middle of nowhere
C) Any random software program that wants you to "register"

Of course, none of this mail makes it into my real mailbox because I have 2 main E-mail accounts, one is my personal e-mail that I only give out to people I know, and another where I sign up for all my sites. If I don't have to click a registration link, the second spam e-mail account rarely gets checked.

Re:Pretty much anything from linkedin is spam. (1)

socz (1057222) | more than 4 years ago | (#30676570)

Yep I've gotten the same exact thing several times before spamming them entirely. I started asking around if anyone had requested me to join and it turns out only 1 close friend is signed up on it! So no one I really care about (that I know of) is on it. And you're right, they're helping the spammers spam, that's the worst part!

Re:Pretty much anything from linkedin is spam. (2, Interesting)

DonCarlos (222830) | more than 4 years ago | (#30680318)

Linkedin instantly went into my mailservers blacklist. They're just fucking spammers.

Don't be silly. It looks like some sort of bug in LinkedIn - they apparently do not remove pending requests from a user's queue even when the request sender was reported by that user as a spammer. Simple as that.

This is nothing new (5, Insightful)

Punto (100573) | more than 4 years ago | (#30675882)

SMTP works like real mail. Anyone can walk up to your mailbox and leave an envelope addressed to you from "Bill Gates". Unless you know how to look for signs that it was properly handled by the post service, you have no idea if it's real or not. We've known this since around 2400BC (because wikipedia says so).

Re:This is nothing new (1)

MichaelSmith (789609) | more than 4 years ago | (#30676210)

It's OT but I had a moment of cognitive dissonance the other week when I opened a letter addressed to my wife's business from Google. Never before had I seen their logo on paper. It took a moment to take in what I was seeing.

Re:This is nothing new (0)

Anonymous Coward | more than 4 years ago | (#30676516)

Never before had I seen their logo on paper

You've never printed out a map from GoogleMaps?

Re:This is nothing new (0)

Anonymous Coward | more than 4 years ago | (#30677882)

Not sure what country you are writing from, but in the US that would be mail fraud and a felony, I don't think the same applies to spam.

Mod parent thick as two short planks (1)

DavidRawling (864446) | more than 4 years ago | (#30679160)

What? Someone other than a postal worker placing a letter in your (house's) mailbox, addressed to you, is mail fraud? I do not think mail fraud [wikipedia.org] is what you think it is. Did you even read what you wrote, or what you replied to?

What if the person was a postal worker but not a delivery agent?

What if the person was a delivery agent but your house is not on his route?

What if the person was a delivery agent but it's 3 in the morning?

I'm sure all the Bill Gates in the world would love to know that according to you, if they live in, or move to the US, they should change their name to avoid committing mail fraud every time they send an item by post. Does that apply to all duplicate names or just those you happen to like?

You're an idiot (and I must be bored on holiday if I'm responding to ObviousTroll). Next time at least make SOMETHING in your troll plausible!

Re:Mod parent thick as two short planks (1)

tomhudson (43916) | more than 4 years ago | (#30679538)

What if the person was a delivery agent but it's 3 in the morning?

He'd be arrested. The city bans ALL junk mail like fliers and crap between 8pm and 7am. ANY delivery at 3am is going to get you a conversation with the cops over here.

Re:Mod parent thick as two short planks (1)

Rysc (136391) | more than 4 years ago | (#30680918)

What if the person was a delivery agent but it's 3 in the morning?

He'd be arrested. The city bans ALL junk mail like fliers and crap between 8pm and 7am. ANY delivery at 3am is going to get you a conversation with the cops over here.

What city?

What happens if I'm hand-delivering a letter that isn't a flier and isn't junk mail? Do I still get harassed for no reason?

Re:This is nothing new (2, Informative)

grizdog (1224414) | more than 4 years ago | (#30680984)

SMTP works like real mail. Anyone can walk up to your mailbox and leave an envelope addressed to you from "Bill Gates". Unless you know how to look for signs that it was properly handled by the post service, you have no idea if it's real or not. We've known this since around 2400BC (because wikipedia says so).

Actually, in the US, this is illegal, and it does get enforced. No one but the US Government is allowed to put something inside your mailbox, and you will probably find out if you try distributing leaflets for a commercial enterprise or political campaign. It may be illegal to forge an email, but that's different from delivering it.

The Limits of Security (4, Insightful)

Jonas Buyl (1425319) | more than 4 years ago | (#30675948)

Whoever thinks this is a big issue should evaluate how much security we can expect from computers. Scams like this can be pulled off by sending IRL mail as well and are equally hard to detect by humans. Why should we expect an automated algorithm to be able to detect it? Scams like this are only going to stop when every move you make on the Internet can be tracked down straight back to you. We're getting closer and closer to a decision: Privacy or security. What's Slashdot's pick?

Re:The Limits of Security (1)

severoon (536737) | more than 4 years ago | (#30677828)

Why do we have to pick? We could just have a secure messaging system that encrypts and signs messages for intended recipients. If you can read it, congratulations, it's from who it says it's from (unless they hacked the endpoint, of course--but that's a good deal better than what we have now, innit?).

Ah, but if only we had such a system. ahemcoughcoughwavecoughcough

Outlook Express? (1)

Evro (18923) | more than 4 years ago | (#30675962)

Why would anyone expect the client to be able to filter out phishing attacks, unless it's looking up against some centralized DB?

This is research? Where's the beef? (5, Insightful)

NeumannCons (798322) | more than 4 years ago | (#30675982)

So the "researcher" sends an email pretending to be B. Gates and the message got through? OMG! Seriously, where's the "phishing" part? Did he have them click on a link? What was the success rate of that? LinkedIn is fairly safe - there's not a whole lot of sensitive information there (unless past work history is "sensitive") - it doesn't ask you for your SSN, address, credit card no, etc. Asking a victim to supply that info to join someone's LinkedIn group would surely raise suspicion and alert people that it's a fake. There's no real meat to the article here. Either the reporter reporting on this story has missed an important part of the story (likely) or the researcher has just discovered that you can email anyone and pretend to be anyone.

All of the tools listed don't work by verifying the identity of the sender. If you fail to look/behave like a spammer/cracker/phisher, your email will get through unless you use a white list at which point 99% of people outside your list won't know how to get an email to you even though the rejection letter spells out the correct procedure. I wonder how many people actually tried to join Bill's linkedin account and of those what percentage thought it may actually *be* Bill. I'm gonna guess it's somewhere around zero.

Now excuse me, I have to get back to forwarding Bill's email I got to 20 people so I have a chance at the million dollar prize.

Re:This is research? Where's the beef? (2, Funny)

socz (1057222) | more than 4 years ago | (#30676598)

Now excuse me, I have to get back to forwarding Bill's email I got to 20 people so I have a chance at the million dollar prize.

Wow you're lucky! In Mexico, Bill Gates was about to close down hotmail.mx but thanks to everyone forwarding that e-mail MS saw that people used it and prevented its closure! Too bad they didn't have a chance at that prize...

Re:Research no, risky possibly? (2, Interesting)

BigSlowTarget (325940) | more than 4 years ago | (#30676874)

Actually I think this might just be against the law and the researcher may have painted a big bullseye on his wallet for any one of these people who think they've been 'harmed' by believing they were actually invited by Bill Gates.

There are a lot of stupid internet laws out there and I'm sure the prosecutors/"victims" like nothing more than someone who provides all the evidence in a nice research report ready for prosecution.

Re:Research no, risky possibly? (0)

Anonymous Coward | more than 4 years ago | (#30678626)

It's not your fault. Lack of education is a problem these days.

Did you even read the report? Everyone who participated knew it was a fake "SPOOFED" email with phishing links. The intent was to determine if the email security systems could identify the attack.

What's even worse... (1)

Locke2005 (849178) | more than 4 years ago | (#30676004)

It not only duped the top tools, it also duped the software that those big tools were running as well!

What a crap story (5, Insightful)

bloodhawk (813939) | more than 4 years ago | (#30676006)

Firstly why is MS singled out in the slashdot version of the story? 100% of mail products failed this so called test.

Secondly, what a piece of garbage. The mail products ALL did what they were supposed to: looking at how the email was constructed, there was no piece of information in it that would allow any of the products to automatically detect it as an attack. Sadly this is the nature of how SMTP mail is built; there is no easy way to determine a real email from a fake one, as is easily demonstrated by the 100% failure of every product, or more to the point the 100% failure of the researchers in understanding what they are doing. Claiming they were trying to measure the levels of security is just complete crap; all they are after is publicity on a well known and understood technology and its many flaws.

Re:What a crap story (4, Funny)

sco08y (615665) | more than 4 years ago | (#30676196)

If computers could magically detect bullshit the way this journalist thinks they ought to be able to, I'd have them filtering the goddamned newspaper.

Re:What a crap story (1)

fm6 (162816) | more than 4 years ago | (#30678986)

No magic required. Just a mail system that doesn't make it so easy to forge a return address. Like a lot of tech that dates back to the pre-commercial internet, SMTP takes too much on trust.

More than just MS products (0)

mu51c10rd (187182) | more than 4 years ago | (#30676580)

Firstly why is MS singled out in the slashdot version of the story? 100% of mail products failed this so called test.

I noticed this too. Although the summary chooses to mention a few Microsoft products and Cisco Ironport, here is the list from the article:


  Microsoft and Cisco products, including users with GoDaddy's hosted email, Voltage, RackSpace/MailTrust hosted email, Webroot SaaS Email Security, Verizon Email Cloud Filtering with MessageLabs, a Linux and SpamAssassin configuration, SonicWall's Email Security appliance, LinuxMail with greylisting, Opera Mail, and Mozilla Thunderbird, iPhone, BlackBerry, and Palm Pre

Not quite 100%, but it looks like most.

Re:More than just MS products (0)

ColdWetDog (752185) | more than 4 years ago | (#30679386)

Hey, the iPhone isn't on the list! Apple rulz!

Re:More than just MS products (0)

Anonymous Coward | more than 4 years ago | (#30680574)

Microsoft and Cisco products, including users with GoDaddy's hosted email, Voltage, RackSpace/MailTrust hosted email, Webroot SaaS Email Security, Verizon Email Cloud Filtering with MessageLabs, a Linux and SpamAssassin configuration, SonicWall's Email Security appliance, LinuxMail with greylisting, Opera Mail, and Mozilla Thunderbird, iPhone, BlackBerry, and Palm Pre

Hey, the iPhone isn't on the list! Apple rulz!

Erm, were you looking at a different list, or just blinded by fanboism?

Re:What a crap story (1)

FlyingBishop (1293238) | more than 4 years ago | (#30676700)

I don't see how they could've excluded Google. I use Outlook+Exchange, Gmail, and Yahoo mail on a regular basis (work, personal, shopping) and Gmail is the gold standard. Outlook and Yahoo are a joke.

Re:What a crap story (1)

Chapter80 (926879) | more than 4 years ago | (#30676732)

Firstly why is MS singled out in the slashdot version of the story? 100% of mail products failed this so called test.

New here? Best way to get to the front page of Slashdot is to bash Microsoft.

Re:What a crap story (0)

GF678 (1453005) | more than 4 years ago | (#30678142)

Firstly why is MS singled out in the slashdot version of the story? 100% of mail products failed this so called test.

You know the reason - Slashdot is EXTREMELY biased against Microsoft to the point of irrationality at times. Gets rather tiring at times, but hey, every source of media has some bias (except perhaps Reuters).

LOLWUT? (2, Insightful)

argent (18001) | more than 4 years ago | (#30676066)

What's the point of this? If you send someone an email, they'll get it? God, I hope so! That used to be the norm before spammers poisoned the well.

I don't think that word means... (2, Insightful)

Alerius (851519) | more than 4 years ago | (#30676116)

what you think it means.

Phishing attacks would presumably be trying to get some otherwise secured info from the victim. What would the victim of this attack provide in response to this email? Credit card info? Online banking credentials? Warcraft account info? sheesh. As someone above stated, the guy sent an email and it got through. No news there. This isn't phishing, it's spam. And not even good spam. I would bet more people would be trying to buy cheap viagra than join Bill's Linkedin.

Re:I don't think that word means... (1, Informative)

Anonymous Coward | more than 4 years ago | (#30676626)

That's ok, we didn't expect you to read the article:

"He used his own phishing framework tool, called User Attack Framework, which automated the "attack," helped him track the success of the phish, and captured information about the "victim" once the person clicked on the "invite" and was sent to the phishing site, such as his IP address, user ID, location, browser, operating system, and other Website statistics."

"He also plans to go the next step and apply browser and other exploits to the phony phishing site. "The next part we're going to dive into is applying browser, Adobe, and JavaScript exploits," he says. "Now can we then get their credentials and exploit their client machine?""

Re:I don't think that word means... (0)

Anonymous Coward | more than 4 years ago | (#30676884)

The only point that the "security tester" might have with all of this is that Linkedin doesn't use an X-Originating-IP: or similar header in these invites -- this means that low-volume spam such as this gets through as legitimate, because the receiving systems have no way of knowing it isn't legit Linkedin messages. Yahoo and Google are also guilty of this. If the sender's IP was revealed, you could rest assured that any offending IPs would be blocked by all the major vendors in short order. Of course, this also means that there is no layer of anonymity between the sender and the recipient, which the sender might not like, even if they are on the up and up.

not really news, but not bad to refresh memories (0)

Anonymous Coward | more than 4 years ago | (#30676268)

I'm amazed the "researcher" didn't already know this, especially that "tools" such as Outlook would not catch them. Outlook is an email CLIENT.

This "spoofing" has been going on for a long time now, and often for legitimate means like: Mass-email marketing companies, online retailers (email this item to a friend!) and even online news like yahoo/google. Spoofing an email address isn't considered a no-no.

Proper email security software will see these though. What you do with them is up to you (send them to junk, or tag them)... I'd be amazed if anyone quarantines or deletes.

Social Engineering will always (probably) work... If someone calls a user and tells them to open the doors, and said user does so, there's only so much admins can do, other than find out who opened the doors.

ps..Outlook express??? I mean, seriously? LMAO

ado7l (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#30676336)

Create, manufacture bUWLA, or BSD Trying to Dissect And sold in the Lay down paper another troubled 200 running NT under the GPL.

The experiment is lame... (0)

Anonymous Coward | more than 4 years ago | (#30676420)

Something like policyd-weight would have blocked that mail without big issues. Spoofing a message is nothing new and nothing special. I block gazillions of them per day. What is the big deal?

No surprise - SMTP is unauthenticated by design (0)

Anonymous Coward | more than 4 years ago | (#30676434)

Email is broken; bootstrapping garbage like SPF, DomainKeys, SenderID, or whatever you want to it is not going to fix it. The entire thing needs to be scrapped and rebuilt.

dumb to dumber? (0)

Anonymous Coward | more than 4 years ago | (#30676688)

despite the dumb concept of the initial "exploitz", i like the next step stated in tfa:
"The next part we're going to dive into is applying browser, Adobe, and JavaScript exploits..."
really?

so let me get this straight.
in order to make your security firm noticed, you're going to demonstrate existing security concerns and exploit them?
yes, this is who i'd want to go with for my company security. oh yes.

i have a good idea, i'm going to get a new IT job and show how vulnerable the systems are to being knocked offline by unplugging the wires from the back of each machine. yes. then i will make more money because i show a new exploitz and can write an article about it showing how unsecured the computers are. yes. i am the famous now! yes!

This is no news. (1)

jobst (955157) | more than 4 years ago | (#30676738)

This shouldn't have been on /.!
Scammers have been tricking people for thousands of years, always trying to "stay ahead" of what people have learned ... the same applies to anything in this world, including virus/worm/trojan checkers and any other spam/email/whatever.
There are many sales people who will sell you something you don't need, and most of the people who bought the stuff walk away "happy" not realizing they were scammed "legitimately" ...
All of us need to learn/see when we are getting scammed ... always.

You guys are too cynical! (0)

Anonymous Coward | more than 4 years ago | (#30676828)

Bill G. really is my LinkedIn buddy. In fact, he's going to send me a cashier's check for $1M as soon as I reimburse him for the bank fee. So there.

Not too obvious.. (2, Funny)

cmacb (547347) | more than 4 years ago | (#30677576)

Bill Gates has indicated you are a fellow group member of Microsoft Security. I'd like to add you to my professional network on LinkedIn. - B. Gates.

Oh, that would have fooled me. It would have been more tricky if they'd added something like:

Oh, and I'm also inviting you to the other special interests groups I follow: "Committee for Prevention of Bloat in Operating Systems", and "Six Forty K. It's Enough for Anyone". I look forward to seeing you on LinkedIN and if you are ever in the Seattle area, stop by for a brew.

The article is a wank / PR press release, but .... (2, Insightful)

dhammabum (190105) | more than 4 years ago | (#30677664)

Dark Reading (ooh, spooky), as is their wont, lists no actual details so we don't know what the guy actually did. But mail clients in general are pretty hopeless at interpreting "who" a message is from. There are several fields that can be used - the actual sending address (the "MAIL FROM:" in the SMTP exchange), Reply-To:, From:, Sender:. There is no agreed prioritisation that I know of as to what actually goes in the "From" that we see in the client...

I once had a weird circumstance where messages from a mail script I wrote using the MIME::Entity perl module were being received as from "nobody". I hadn't specified the sender field in the entity mail object and the module thoughtfully provided one for me, using the owner of the process running the script. So even though the reply-to and from fields were correctly set, I got a number of calls about who this nobody was....

One can prevent spoofed email using filters, etc, at least with Unix/Linux-based mail transfer agents, presumably this can also be done with MS Exchange. So the breathless report that 100% of the spoofed messages got through just indicates the low priority spoofing has in those administrators' minds.
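The several "who is this from" fields the post above lists can be pulled apart and compared mechanically. The following is an added example, not code from the article or from the poster's script; the message is constructed here, with example.com/example.org/example.net domains, so that the envelope sender (Return-Path), Sender:, From: and Reply-To: all disagree, which is the sort of inconsistency a filter can flag even when it cannot prove the From: is forged. The header names and the mismatch rules are the author's assumptions, not a standard.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not the article's): every sender-ish header points somewhere different.
SAMPLE = """Return-Path: <bounce@mailer.example.net>
Sender: nobody@webhost.example.org
From: "Bill Gates" <invitations@linkedin.example.com>
Reply-To: attacker-reply@example.org
To: victim@example.com
Subject: Invitation to connect

Hi, I'd like to add you to my professional network.
"""

# Constructed clean message: all fields agree, so no indicators fire.
CLEAN = """Return-Path: <bounce@example.com>
From: "Alice" <alice@example.com>
To: bob@example.com
Subject: lunch

See you at noon.
"""

HEADERS = ("Return-Path", "Sender", "From", "Reply-To")


def sender_fields(raw):
    """Return the bare address in each sender-related header (None if the header is absent)."""
    msg = message_from_string(raw)
    fields = {}
    for h in HEADERS:
        value = msg.get(h)
        # parseaddr() strips the display name and angle brackets: ('Bill Gates', 'addr@host')
        fields[h] = parseaddr(value)[1].lower() if value else None
    return fields


def domain(addr):
    return addr.rsplit("@", 1)[-1] if addr else None


def spoof_indicators(raw):
    """List the inconsistencies between the envelope sender and the header fields a client shows."""
    f = sender_fields(raw)
    warnings = []
    # Envelope sender is what the MTA saw in MAIL FROM; a different domain is not proof of
    # forgery (bulk mailers do this legitimately) but is worth surfacing.
    if f["Return-Path"] and domain(f["Return-Path"]) != domain(f["From"]):
        warnings.append("envelope sender domain differs from From: domain")
    # Sender: differing from From: is exactly the "nobody" case the post describes.
    if f["Sender"] and f["Sender"] != f["From"]:
        warnings.append("Sender: differs from From:")
    # Replies go to Reply-To:, so a foreign domain there is the classic reply-redirect sign.
    if f["Reply-To"] and domain(f["Reply-To"]) != domain(f["From"]):
        warnings.append("Reply-To: domain differs from From: domain")
    return warnings


if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, sender_fields(raw))
        print("  indicators:", spoof_indicators(raw) or "none")
```

Nothing here authenticates the From: address; it only makes the disagreement between the fields visible, which is the point of the post: a client that shows one display name and silently drops the rest hides the information an administrator would use to write a filter rule.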

TrueDomain (1)

InsertCleverUsername (950130) | more than 4 years ago | (#30678480)

I use Fastmail.fm (a fantastic service) for my e-mail and I noticed something new in my inbox yesterday. Little icons now appear next to messages from LinkedIn, Facebook, etc. to indicate that the origin of the message has been verified through some new service called Truedomain. Anybody know the technical details?

Re:TrueDomain (2, Informative)

Bronster (13157) | more than 4 years ago | (#30680054)

http://blog.fastmail.fm/2010/01/06/truedomain-anti-phishing-and-email-authentication/ [fastmail.fm]

describes the way Truedomain operates. We run a milter which applies X-Truedomain-* headers (view source on those messages - you'll see that even the Logo image is added on a per-message basis as a Base64 encoded header).

We're also planning to colour messages from known senders (in your address book) and offer a link to the address book entry that caused them to be trusted, as well as labelling messages that have gone entirely through a trusted path. I added a bunch of extra headers to the list that Cyrus caches on the fast metadata drives to support all this just last week! We've been beta testing Truedomain for a while on one of our incoming MX servers, and it's now applied to all incoming email.

SPF (1)

oglueck (235089) | more than 4 years ago | (#30680216)

linkedin.com text = "v=spf1 ip4:70.42.142.0/24 ip4:208.111.172.0/24 ip4:64.74.220.0/24 ip4:64.74.221.0/26 ip4:64.71.153.211 ip4:64.74.221.30 ip4:69.28.149.0/24 ip4:208.111.169.128/26 ip4:64.74.98.128/26 ip4:64.74.98.16/29 mx ~all"

That is ~all and not -all. So linkedin is happy with any IP sending mail in their name. It will only cause a soft fail and no MTA should reject the message as fake. It's hardly the fault of mail clients here.

Re:SPF (1)

Chrisq (894406) | more than 4 years ago | (#30680370)

I wish more mail clients would issue a warning when SPF returns SOFTFAIL. So many people use the ~all just in case they ever want another machine to send emails and forget to update their DNS that a warning would be nice. Of course more people should bite the bullet and use -all
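To make the ~all versus -all distinction from the two SPF posts above concrete, here is an added example (not from either poster) that evaluates the quoted linkedin.com record against a sending IP and reports pass, softfail, fail or neutral according to the qualifier on the matching term. It is deliberately offline: the ip4/ip6 and all terms are evaluated exactly, while mx, a and include would need DNS lookups and are skipped, which is an assumption of this example and not how a full SPF checker behaves. The mapping from result to MTA action at the end is the kind of policy the second post is asking clients to expose.

```python
import ipaddress

# The linkedin.com SPF record as quoted in the post above (record text copied from the page).
LINKEDIN_SPF = ("v=spf1 ip4:70.42.142.0/24 ip4:208.111.172.0/24 ip4:64.74.220.0/24 "
                "ip4:64.74.221.0/26 ip4:64.71.153.211 ip4:64.74.221.30 ip4:69.28.149.0/24 "
                "ip4:208.111.169.128/26 ip4:64.74.98.128/26 ip4:64.74.98.16/29 mx ~all")

# SPF qualifiers: '+' is the default when a term has none.
RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms that need DNS; this offline example skips them (assumption, see lead-in).
DNS_MECHANISMS = {"mx", "a", "include", "exists", "ptr"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip under record, evaluating terms left to right."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # A bare address such as ip4:64.71.153.211 is a single-host network.
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULT_BY_QUALIFIER[qualifier]
        elif name == "all":
            # 'all' always matches, so its qualifier is the verdict for every unlisted sender.
            return RESULT_BY_QUALIFIER[qualifier]
        elif name in DNS_MECHANISMS or name.startswith("redirect="):
            continue  # not resolvable offline in this example
    return "neutral"  # no term matched and no 'all' present


def mta_action(result):
    """A plain policy for what a receiving MTA might do with each SPF result."""
    return {
        "pass": "accept",
        "fail": "reject",            # only possible when the domain publishes -all
        "softfail": "accept and tag",  # what ~all buys you: a header or warning, not a reject
        "neutral": "accept",
    }[result]


if __name__ == "__main__":
    for sender in ("70.42.142.10", "64.71.153.211", "203.0.113.5"):
        verdict = evaluate_spf(LINKEDIN_SPF, sender)
        print(sender, "->", verdict, "->", mta_action(verdict))
```

Running it shows the complaint in the posts directly: a sender outside every listed range (203.0.113.5 is a documentation address) only gets softfail under ~all, so the correct MTA behaviour is to accept and annotate, not reject; swapping the last term to -all turns the same sender into a fail. Note that the forged message in the article would only be judged this way if its envelope sender claimed linkedin.com at all; SPF says nothing about the display name "Bill Gates".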

This article simply states the obvious. (1)

Phil_at_EvilNET (569379) | more than 4 years ago | (#30681968)

Not to mention, it was written back in October.

Regardless, anyone that deals with spam on any level knows that targeted attacks (spear phishing...who the hell coined that?) are *not* the primary focus of appliances like the Ironport. Being an Ironport admin I know from experience with both Ironport and Puremessage (PerlMX) that the priority of these devices is to focus on QUANTITY. The volume of messages coming into a firm or company is more important than the targeted individual, not to mention that the target should exercise a little discretion and common sense when opening an email message coming from *anyone*, especially someone (in)famous like Bill Gates.

Local mail reader programs (and spam admins with time on their hands) are the front lines for targeted email attacks. Just like a good suit of armor, any good firewall design uses multiple devices to prevent penetration. The same thing holds true with email, and the targeted attack that gets past the first layer of security (routing MTA or spam appliance) should be handled by the second layer (the Mail Server) or the third layer (the desktop client).

From my own personal experience, custom rulesets are created on the Ironport or the Outlook/Lotus Notes client and the targeted attack is usually dealt with "after the fact". It's unfortunate that it gets done that way, but coming from a firm that used to handle millions of messages a day, the frequency of targeted attacks relative to volume was insignificant. Either way, this is nothing new. It's like discovering the moon.

-Phil
