RE: email security issue

["Richard H. Cotterell" <seec () mail retina ar>]

Ref: David Gillett <gillettdavid () fhda edu>'s
     message dated Thursday, June 12, 2003, 10:50 hours.

>  The extra values that SpamCop (and presumably other
> services as well) bring to this, that I cannot rely on
> my own brain[*] to provide, are:
>
> 1.  Syntax analysis to spot forged Received: headers.
> (Your message below sounds like you don't believe they
> ever happen.  They do.)

Are you suggesting that normal users who have done their homework in 
reference to e-mail (headers included) are incapable of syntax analysis?

As to what you read between the lines or directly from my messsage is a 
result of your subjective analysis and that alone and not based on a 
factual statement.  :(

'When I use a word,' Humpty Dumpty said in a rather scornful tone, 'it 
means just what I choose it to mean, -neither more nor less.' [Lewis Carrol 
(pen name of Charles Lutwidge Dodgson), Through the Looking-Glass, ch.5.]

> 2.  Database cross-reference to known open relays and boxes
> that do not reliably/correctly report message sources in
> the headers they add.  (Servers do not generally volunteer
> this information about themselves in the headers.)

Without wishing to offend in any way, these operators remind me of the 
following story:

A wise man goes to the market and finds, among all the hustle-bustle, a
man selling a parrot for the astronomical cost of a thousand dinars. The
wise man is astounded by the cost. 
'Why so expensive?' he asks. 
'Aha,' says the vendor, 'this parrot can talk.' 
 
The wise man goes home and returns next day to the market with a hen,
which he puts up for sale with the offering price of 5,000 dinars.
People are outraged. 
'What's this', bystanders exclaim, 'five thousand dinars for a hen?
There's a man  over there selling a parrot - that can TALK - for only
ONE thousand dinars!'
'Yes', replies the wise man, 'but my hen can THINK'.
 
There are compliant RFC systems and non-compliant RFC systems with all the 
connotations that the definition implies.  There are open or closed SMTP 
servers.  There are highjacked servers and workstations, spoofed headers, 
and the list goes on, yet you fail to state, in particular, how *spamcop* 
will detect and pin-point the offending machine from either a no 
information of source or a highjacked and spoofed address, for example.
Are you trying to say that they and others like them are the cyber wizards 
in locating offenders?

> 3.  (Not always needed...) Automatic lookup of abuse-reporting
> addresses, often with an indication of how seriously that
> authority takes complaints.

How about a normal WhoIs or DNS search?  Another aspect of good computer 
management is to keep all these type of addresses handy.  :)

> [*] ... and I modestly claim that I have more experience with 
> this than a vast majority of users, and even many administrators.

Commendable for two reasons: the first, the humbleness of the statement; 
and the second, the possibility of employment demands that don't match your
experience.  Have you thought about the NSA, FBI, CIA or such?

> David Gillett
>
>
> > -----Original Message-----
> > From: Richard H. Cotterell [mailto:seec () mail retina ar]
> > Sent: June 12, 2003 06:22
> > To: gillettdavid () fhda edu; shar () cybermilieu com;
> > security-basics () securityfocus com
> > Subject: RE: email security issue
> >
> >
> >
> >
> > Ref: David Gillett <gillettdavid () fhda edu>'s
> >      message dated Wednesday, June 11, 2003, 9:02 hours.
> >
> > ... [text discarded as irrelevant to the answer being given].
> >
> > >  Most users who've been on line for more than a month or two
> > > have learned that they cannot trust the From: header to correctly
> > > report the source of a spam message.  There are various utilities,
> > > such as http://www.spamcop.net, that will analyze other headers to
> > > try to determine the actual origin (or at least the last open proxy
> > > used).
> >
> > I fail to see why one has to use a service such as *spamcop* 
> > to analyze 
> > headers when all one has to do is take a good look at the *Received:* 
> > information that will list all tha machines that handled the mail.
> >
> > The best anyone wishing to learn about mail headers can do, 
> > is to take a 
> > look at Gerald Boyd's pages on the subject at <http://www.expita.com>.
> >
> > ... [snipped for the same reason as the introduction].
> >
> >
> > > David Gillett
> > >
> > >
> > > > -----Original Message-----
> > > > From: Shar [mailto:shar () cybermilieu com]
> > > > Sent: June 10, 2003 17:58
> > > > To: security-basics () securityfocus com
> > > > Subject: email security issue
> > > >
> > > >
> > > > A website I own has had the main email address identity 
> > > > stolen.  Someone
> > > > from somewhere in the world is sending out spam around the 
> > > > world.  This has
> > > > been going on since Sunday.  I am trying to stop this but I 
> > > > have been unable
> > > > to read the header for the information I need.  Can anyone 
> > > > help me with
> > > > this?
> > > >
> > > > Alexx
> > > >
> > > >
> > > >
> > > > --------------------------------------------------------------
> > > > -------------
> > > > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by 
> > > > top analysts!
> > > > The Gartner Group just put Neoteris in the top of its 
> > Magic Quadrant,
> > > > while InStat has confirmed Neoteris as the leader in marketshare.
> > > >      
> > > > Find out why, and see how you can get plug-n-play secure 
> > > > remote access in
> > > > about an hour, with no client, server changes, or ongoing 
> > maintenance.
> > > >           
> > > > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> > > > --------------------------------------------------------------
> > > > --------------
> >
> >
> > --
> > Richard H. Cotterell  <mailto:seec () mail retina ar>
> >
> > You don't make the poor richer by making the rich poorer.
> >   -Sir Winston Leonard Spencer Churchill


--
Richard H. Cotterell  <mailto:seec () mail retina ar>

To defend one's self against fear is simply to ensure that one
will, one day, be conquered by it; fears must be faced.
  -James Arthur Baldwin



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------