Re: Email Security question: Hijacked email !!! was: [opensuse] Vista
On Friday 08 August 2008 01:58:19 am the "real" Alexey Eremenko fired up the etch a sketch and drew the following:
Hi All,
openSUSErs! Help us - someone is hijacking an email account, and we have no idea how to protect ourselves!
Someone is sending spam emails using the accounts of members of this mailing list (namely, someone hijacked Ashish's email account).
How do we deal with this, and how can this happen?
There are only a few ways. First, use a spamtrap email. Bots around the world harvest your email and can spoof much of your email address. Heck, I can even fire up Konqueror and send an email using the smtp of my neighbor's isp if I wanted to. The best thing to do is check the headers. Alexey, you'll see on the openSUSE email list that this is supposedly coming from you. However, it isn't. This is Kai, using my email with an alternate identity. If you look at the headers it should be from cotse.net, not your email which will have an smtp of wr-out-0506.google.com. Never fear, it just makes it more fun to spot the trolls on the list. :)
(kai, impersonating Alexey's email...)
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Fri, August 8, 2008 15:10, Alexey Eremenko wrote:
Never fear, it just makes it more fun to spot the trolls on the list.
:) (kai, impersonating Alexey's email...)
Troll spotted, I can haz a cookie? Oktnxbai! ;-)
Kai: Well, it feels like having a clone on the net :) It may be fun and may be scary - depending on circumstances. When I opened the RAW message from you, I saw a lot of "Received: ..." headers. Are those all recipients, or "steps" in the routing of the email? Anyway: any ideas on fighting techniques? Can we see the source IP address? If so, maybe we can use reverse DNS and compare that to the email header "From: " address? Perhaps I need to learn about SMTP and SPF :)
--
-Alexey Eromenko "Technologov"
Kai: BTW: In your case even the name was emulated correctly in GMail, which means that GMail doesn't check it at all.
--
-Alexey Eromenko "Technologov"
Kai: you said that you sent email using Konqueror. Do you use webmail, or what?
--
-Alexey Eromenko "Technologov"
On Fri, August 8, 2008 6:36 am, Alexey Eremenko wrote:
Kai: you said that you sent email using Konqueror. Do you use webmail, or what?
Did I say Konqueror? I meant KMail. My bad. I was using Firefox for the spoofed email. I have a webmail client into cotse.
On Friday 08 August 2008 06:28:09 am Alexey Eremenko wrote:
Kai: BTW: In your case even the name was emulated correctly in GMail, which means that GMail doesn't check it at all.
No, that had nothing to do with gmail. It never went through gmail. The spambot sending the spoofed email isn't programmed to recreate your name. When I sent the mail I made sure I added it in.
--
kai
www.filesite.org || www.4thedadz.com || www.perfectreign.com
remember - a turn signal is a statement, not a request
On Sat, Aug 9, 2008 at 12:37 AM, Kai Ponte
On Friday 08 August 2008 06:28:09 am Alexey Eremenko wrote:
Kai: BTW: In your case even the name was emulated correctly in GMail, which means that GMail doesn't check it at all.
No, that had nothing to do with gmail. It never went through gmail.
I thought GMail would scan for all suspicious emails, and logically something that arrived in my GMail with "From: al4321@gmail.com" (my email address) but was never sent from my account is a spoof. It means that GMail isn't protected :(
--
-Alexey Eromenko "Technologov"
* Alexey Eremenko
On Sat, Aug 9, 2008 at 12:37 AM, Kai Ponte
wrote: On Friday 08 August 2008 06:28:09 am Alexey Eremenko wrote:
Kai: BTW: In your case even the name was emulated correctly in GMail, which means that GMail doesn't check it at all.
No, that had nothing to do with gmail. It never went through gmail.
I thought GMail would scan for all suspicious emails, and logically something that arrived in my GMail with "From: al4321@gmail.com" (my email address) but was never sent from my account is a spoof.
It means that GMail isn't protected :(
No, it does not. The "From:" *address* is spoofed. The mail does not go thru gmail's servers except/unless delivering *to* a gmail addr.
--
Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://counter.li.org
On Sat, Aug 9, 2008 at 1:12 AM, Patrick Shanahan
* Alexey Eremenko
[08-08-08 18:55]: On Sat, Aug 9, 2008 at 12:37 AM, Kai Ponte
wrote: On Friday 08 August 2008 06:28:09 am Alexey Eremenko wrote:
Kai: BTW: In your case even the name was emulated correctly in GMail, which means that GMail doesn't check it at all.
No, that had nothing to do with gmail. It never went through gmail.
I thought GMail would scan for all suspicious emails, and logically something that arrived in my GMail with "From: al4321@gmail.com" (my email address) but was never sent from my account is a spoof.
It means that GMail isn't protected :(
No, it does not. The "From:" *address* is spoofed. The mail does not go thru gmail's servers except/unless delivering *to* a gmail addr.
Yes, but I got this email in my GMail account, which means that GMail servers are involved in the process. And they could check whether an email with such content ever left my account beforehand, and if not, reject the email.
--
-Alexey Eromenko "Technologov"
On Sat, 09 Aug 2008 00:52:37 +0200, Alexey Eremenko wrote:
I thought GMail would scan for all suspicious emails, and logically something that arrived in my GMail with "From: al4321@gmail.com" (my email address) but was never sent from my account is a spoof.
It means that GMail isn't protected
As Patrick said, it never went through gmail's servers - there's nothing gmail can do about anyone sending a message and spoofing the "from:" header to say it came from gmail when it didn't. The same is true of every other e-mail provider on the planet. If I send a message using sendmail or postfix from my system here and say it's from Bill Gates using his Microsoft address, Microsoft's mail servers aren't going to stop that from happening because they're not involved in the transfer of the message at all.
Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Fri, Aug 8, 2008 at 4:19 PM, Jim Henderson
On Sat, 09 Aug 2008 00:52:37 +0200, Alexey Eremenko wrote:
I thought GMail would scan for all suspicious emails, and logically something that arrived in my GMail with "From: al4321@gmail.com" (my email address) but was never sent from my account is a spoof.
It means that GMail isn't protected
As Patrick said, it never went through gmail's servers -
And as Alexey said it DID arrive in his Gmail mailbox which, by definition means it DID go thru Gmail's server: inbound. Gmail could have alerted Alexey that the mail was spoofed if the first few received headers didn't indicate a gmail origin. I'm not sure what good it would do, as no-one else would get this alert except Alexey, but it seems do-able to me.
--
----------JSA---------
There are 10 kinds of people in this world, those that can read binary and those that can't.
On Sat, August 9, 2008 01:32, John Andersen wrote:
On Fri, Aug 8, 2008 at 4:19 PM, Jim Henderson
wrote: On Sat, 09 Aug 2008 00:52:37 +0200, Alexey Eremenko wrote:
I thought GMail would scan for all suspicious emails, and logically something that arrived in my GMail with "From: al4321@gmail.com" (my email address) but was never sent from my account is a spoof.
It means that GMail isn't protected
As Patrick said, it never went through gmail's servers -
And as Alexey said it DID arrive in his Gmail mailbox which, by definition means it DID go thru Gmail's server: inbound.
Gmail could have alerted Alexey that the mail was spoofed if the first few received headers didn't indicate a gmail origin.
I'm not sure what good it would do, as no-one else would get this alert except Alexey, but it seems do-able to me.
The listserve blurs things. If the spammer sent the email directly to Alexey, yes then you have a point. But it's not the spammer. Google sees a legitimate sender in the SMTP session: opensuse.org. Checking for spoofing senders is an SMTP session feature. That means at HELO (or EHLO). I don't know how I can explain this. This is what I see in my postfix logs:
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: connect from lists4.suse.de[195.135.221.135]
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: 92C55138076: client=lists4.suse.de[195.135.221.135]
Aug 9 01:52:48 intrepid postfix/cleanup[27322]: 92C55138076: message-id=<27061.81.82.3.9.1218239560.squirrel@intrepid.warp.be>
Aug 9 01:52:48 intrepid postfix/qmgr[19655]: 92C55138076: from=
On Fri, Aug 8, 2008 at 5:03 PM, Amedee Van Gasse
On Sat, August 9, 2008 01:32, John Andersen wrote:
On Fri, Aug 8, 2008 at 4:19 PM, Jim Henderson
wrote: On Sat, 09 Aug 2008 00:52:37 +0200, Alexey Eremenko wrote:
I thought GMail would scan for all suspicious emails, and logically something that arrived in my GMail with "From: al4321@gmail.com" (my email address) but was never sent from my account is a spoof.
It means that GMail isn't protected
As Patrick said, it never went through gmail's servers -
And as Alexey said it DID arrive in his Gmail mailbox which, by definition means it DID go thru Gmail's server: inbound.
Gmail could have alerted Alexey that the mail was spoofed if the first few received headers didn't indicate a gmail origin.
I'm not sure what good it would do, as no-one else would get this alert except Alexey, but it seems do-able to me.
The listserve blurs things. If the spammer sent the email directly to Alexey, yes then you have a point. But it's not the spammer. Google sees a legitimate sender in the SMTP session: opensuse.org. Checking for spoofing senders is an SMTP session feature. That means at HELO (or EHLO). I don't know how I can explain this. This is what I see in my postfix logs:
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: connect from lists4.suse.de[195.135.221.135]
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: 92C55138076: client=lists4.suse.de[195.135.221.135]
Aug 9 01:52:48 intrepid postfix/cleanup[27322]: 92C55138076: message-id=<27061.81.82.3.9.1218239560.squirrel@intrepid.warp.be>
Aug 9 01:52:48 intrepid postfix/qmgr[19655]: 92C55138076: from= , size=4454, nrcpt=1 (queue active)
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: disconnect from lists4.suse.de[195.135.221.135]
As you can see, the SMTP session only sees opensuse+bounces-67833-amedee=amedee.be@opensuse.org as the sender, even if the original sender was amedee@amedee.be. By the way, there is a + separator, which means that for checking valid mailboxes you can ignore everything after the +, so the sender address is really opensuse@opensuse.org.
-- Amedee
When I said "First few Received Headers" I did NOT mean the top-most. I mean the first. Just above the body. Check it out in this email. Opensuse does not "blur" these.
--
----------JSA---------
There are 10 kinds of people in this world, those that can read binary and those that can't.
On Sat, August 9, 2008 02:15, John Andersen wrote:
On Fri, Aug 8, 2008 at 5:03 PM, Amedee Van Gasse
wrote: On Sat, August 9, 2008 01:32, John Andersen wrote:
On Fri, Aug 8, 2008 at 4:19 PM, Jim Henderson
wrote: On Sat, 09 Aug 2008 00:52:37 +0200, Alexey Eremenko wrote:
I thought GMail would scan for all suspicious emails, and logically something that arrived in my GMail with "From: al4321@gmail.com" (my email address) but was never sent from my account is a spoof.
It means that GMail isn't protected
As Patrick said, it never went through gmail's servers -
And as Alexey said it DID arrive in his Gmail mailbox which, by definition means it DID go thru Gmail's server: inbound.
Gmail could have alerted Alexey that the mail was spoofed if the first few received headers didn't indicate a gmail origin.
I'm not sure what good it would do, as no-one else would get this alert except Alexey, but it seems do-able to me.
The listserve blurs things. If the spammer sent the email directly to Alexey, yes then you have a point. But it's not the spammer. Google sees a legitimate sender in the SMTP session: opensuse.org. Checking for spoofing senders is an SMTP session feature. That means at HELO (or EHLO). I don't know how I can explain this. This is what I see in my postfix logs:
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: connect from lists4.suse.de[195.135.221.135]
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: 92C55138076: client=lists4.suse.de[195.135.221.135]
Aug 9 01:52:48 intrepid postfix/cleanup[27322]: 92C55138076: message-id=<27061.81.82.3.9.1218239560.squirrel@intrepid.warp.be>
Aug 9 01:52:48 intrepid postfix/qmgr[19655]: 92C55138076: from= , size=4454, nrcpt=1 (queue active)
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: disconnect from lists4.suse.de[195.135.221.135]
As you can see, the SMTP session only sees opensuse+bounces-67833-amedee=amedee.be@opensuse.org as the sender, even if the original sender was amedee@amedee.be. By the way, there is a + separator, which means that for checking valid mailboxes you can ignore everything after the +, so the sender address is really opensuse@opensuse.org.
-- Amedee
When I said "First few Received Headers" I did NOT mean the top-most.
Neither did I.
I mean the first. Just above the body.
And I meant the postfix log which records (part of) the SMTP session:
Aug 9 02:15:34 intrepid postfix/smtpd[29764]: connect from lists4.suse.de[195.135.221.135]
Aug 9 02:15:34 intrepid postfix/smtpd[29764]: A1DD3138084: client=lists4.suse.de[195.135.221.135]
Aug 9 02:15:34 intrepid postfix/cleanup[29757]: A1DD3138084: message-id=<60fb01490808081715o2143519cm9fae9b002e18d1aa@mail.gmail.com>
Aug 9 02:15:34 intrepid postfix/qmgr[19655]: A1DD3138084: from=
Check it out in this email. Opensuse does not "blur" these.
It does. At the SMTP level. I'm looking at the protocol level, you are looking at the data level.
--
Amedee
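The protocol-level versus data-level distinction Amedee draws above, worked through in Python as an added example that is not from the thread. The postfix qmgr line and the relayed message are constructed (the logs quoted in the thread had the from=<...> value stripped), using the list's envelope address from Amedee's post; `compare_senders` puts what the SMTP session sees (MAIL FROM) next to what the DATA part says (header From:).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a postfix/qmgr line in the shape of the ones quoted in
# the thread, with the envelope sender filled in.
SAMPLE_LOG = (
    "Aug  9 01:52:48 intrepid postfix/qmgr[19655]: 92C55138076: "
    "from=<opensuse+bounces-67833-amedee=amedee.be@opensuse.org>, size=4454, "
    "nrcpt=1 (queue active)"
)

# Constructed sample of the DATA part the list relayed: the header From: still
# names the original poster, not the list.
SAMPLE_MESSAGE = """\
Received: from lists4.suse.de (lists4.suse.de [195.135.221.135])
\tby intrepid.warp.be (Postfix) with ESMTP id 92C55138076
From: Amedee Van Gasse <amedee@amedee.be>
To: opensuse@opensuse.org
Subject: Re: Email Security question

body
"""

ENVELOPE_RE = re.compile(r"\bfrom=<([^>]*)>")


def envelope_sender_from_log(line: str) -> str:
    """Return the MAIL FROM address postfix/qmgr logged (empty string for a
    null sender, i.e. a bounce)."""
    m = ENVELOPE_RE.search(line)
    if m is None:
        raise ValueError("no from=<...> in log line")
    return m.group(1)


def strip_extension(addr: str, delimiter: str = "+") -> str:
    """Drop the recipient_delimiter extension from the local part:
    opensuse+bounces-...@opensuse.org -> opensuse@opensuse.org"""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr
    return f"{local.split(delimiter, 1)[0]}@{domain}"


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def header_from(raw: str) -> str:
    """The data-level sender: the address in the RFC 2822 From: header."""
    return parseaddr(message_from_string(raw).get("From", ""))[1]


def compare_senders(log_line: str, raw_message: str) -> dict:
    """Protocol-level sender (envelope) beside the data-level sender (header).

    A check done during the SMTP session (HELO/MAIL FROM time) can only look at
    the envelope, which for list mail names the list, not the original poster.
    """
    env = envelope_sender_from_log(log_line)
    hdr = header_from(raw_message)
    return {
        "envelope": env,
        "envelope_mailbox": strip_extension(env),
        "envelope_domain": domain_of(env),
        "header_from": hdr,
        "header_domain": domain_of(hdr),
        "envelope_matches_header_domain": domain_of(env) == domain_of(hdr),
    }


if __name__ == "__main__":
    for key, value in compare_senders(SAMPLE_LOG, SAMPLE_MESSAGE).items():
        print(f"{key:>30}: {value}")
```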
On Fri, Aug 8, 2008 at 5:47 PM, Amedee Van Gasse
On Sat, August 9, 2008 02:15, John Andersen wrote:
On Fri, Aug 8, 2008 at 5:03 PM, Amedee Van Gasse
wrote: On Sat, August 9, 2008 01:32, John Andersen wrote:
On Fri, Aug 8, 2008 at 4:19 PM, Jim Henderson
wrote: On Sat, 09 Aug 2008 00:52:37 +0200, Alexey Eremenko wrote:
I thought GMail would scan for all suspicious emails, and logically something that arrived in my GMail with "From: al4321@gmail.com" (my email address) but was never sent from my account is a spoof.
It means that GMail isn't protected
As Patrick said, it never went through gmail's servers -
And as Alexey said it DID arrive in his Gmail mailbox which, by definition means it DID go thru Gmail's server: inbound.
Gmail could have alerted Alexey that the mail was spoofed if the first few received headers didn't indicate a gmail origin.
I'm not sure what good it would do, as no-one else would get this alert except Alexey, but it seems do-able to me.
The listserve blurs things. If the spammer sent the email directly to Alexey, yes then you have a point. But it's not the spammer. Google sees a legitimate sender in the SMTP session: opensuse.org. Checking for spoofing senders is an SMTP session feature. That means at HELO (or EHLO). I don't know how I can explain this. This is what I see in my postfix logs:
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: connect from lists4.suse.de[195.135.221.135]
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: 92C55138076: client=lists4.suse.de[195.135.221.135]
Aug 9 01:52:48 intrepid postfix/cleanup[27322]: 92C55138076: message-id=<27061.81.82.3.9.1218239560.squirrel@intrepid.warp.be>
Aug 9 01:52:48 intrepid postfix/qmgr[19655]: 92C55138076: from= , size=4454, nrcpt=1 (queue active)
Aug 9 01:52:48 intrepid postfix/smtpd[27319]: disconnect from lists4.suse.de[195.135.221.135]
As you can see, the SMTP session only sees opensuse+bounces-67833-amedee=amedee.be@opensuse.org as the sender, even if the original sender was amedee@amedee.be. By the way, there is a + separator, which means that for checking valid mailboxes you can ignore everything after the +, so the sender address is really opensuse@opensuse.org.
-- Amedee
When I said "First few Received Headers" I did NOT mean the top-most.
Neither did I.
I mean the first. Just above the body.
And I meant the postfix log which records (part of) the SMTP session:
Aug 9 02:15:34 intrepid postfix/smtpd[29764]: connect from lists4.suse.de[195.135.221.135]
Aug 9 02:15:34 intrepid postfix/smtpd[29764]: A1DD3138084: client=lists4.suse.de[195.135.221.135]
Aug 9 02:15:34 intrepid postfix/cleanup[29757]: A1DD3138084: message-id=<60fb01490808081715o2143519cm9fae9b002e18d1aa@mail.gmail.com>
Aug 9 02:15:34 intrepid postfix/qmgr[19655]: A1DD3138084: from= , size=7007, nrcpt=1 (queue active)
Aug 9 02:15:34 intrepid postfix/smtpd[29764]: disconnect from lists4.suse.de[195.135.221.135]
Aug 9 02:15:41 intrepid postfix/local[29758]: A1DD3138084: to= , relay=local, delay=7.1, delays=0.12/6.9/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a "$EXTENSION")
Check it out in this email. Opensuse does not "blur" these.
It does. At the SMTP level. I'm looking at the protocol level, you are looking at the data level.
Yup. I'm looking at what is available in real data. You are looking at theory.
--
----------JSA---------
There are 10 kinds of people in this world, those that can read binary and those that can't.
On Sat, August 9, 2008 03:18, John Andersen wrote:
It does. At the SMTP level. I'm looking at the protocol level, you are looking at the data level.
Yup. I'm looking at what is available in real data. You are looking at theory.
I think I don't like where this is going. But I know this: because you are using gmail, you are probably not running your own mailserver, at least not for receiving mail from this list. That means you don't have access to server logs. I am running my own postfix installation and I have access to the logs. That means you have only the client-side information of the email story, while I have both client-side and server-side. This is not to, I don't know how to say this in English, treat you like someone inferior or something. I really, really want to help you by sharing the information that you are missing, so that you can see the entire picture. I'm really sorry that my positive attitude towards you isn't understood the way I intended.
Kind regards,
Amedee
On Sat, Aug 9, 2008 at 2:05 AM, Amedee Van Gasse
On Sat, August 9, 2008 03:18, John Andersen wrote:
It does. At the SMTP level. I'm looking at the protocol level, you are looking at the data level.
Yup. I'm looking at what is available in real data. You are looking at theory.
I think I don't like where this is going.
But I know this: because you are using gmail, you are probably not running your own mailserver, at least not for receiving mail from this list. That means you don't have access to server logs. I am running my own postfix installation and I have access to the logs. That means you have only the client-side information of the email story, while I have both client-side and server-side.
But the Gmail SMTP servers that receive the mail from the list have access to both the envelope as well as the headers. That server could know if the mail from the list originated from the recipient (as it purports to do). Especially given the amount of stuff google stuffs into domain keys, spf, etc. It could alert the recipient to the forgery, especially the forgery of his own from header, allowing him to warn others. Look, it's not like this is a totally new idea, you know. Forged "From" header detection (especially when one's own domain is the one being forged) has been bandied about for some time. It's available in Kolab, and probably other smtp servers as well. See: http://www.mikerubel.org/computers/rmx_records/ Its usefulness might not be that great, and it does hold a potential for false alarms for mail from people who insist on sending from one domain and receiving from another (falsifying their own headers in effect). But realistically, how many people do that?
--
----------JSA---------
There are 10 kinds of people in this world, those that can read binary and those that can't.
* John Andersen
Look, it's not like this is a totally new idea, you know. Forged "From" header detection (especially when one's own domain is the one being forged) has been bandied about for some time. It's available in Kolab, and probably other smtp servers as well. See: http://www.mikerubel.org/computers/rmx_records/
Its usefulness might not be that great, and it does hold a potential for false alarms for mail from people who insist on sending from one domain and receiving from another (falsifying their own headers in effect). But realistically, how many people do that?
You do if you want to see your own posts to the lists, as gmail does not show them (duplicates). I do, and have ever since gmail existed. I post with *my* gmail "From:" addr relayed thru my isp from my server.
--
Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://counter.li.org
On Sat, Aug 9, 2008 at 11:45 AM, Patrick Shanahan
people who insist on sending from one domain and receiving from another (falsifying their own headers in effect). But realistically, how many people do that?
You do if you want to see your own posts to the lists, as gmail does not show them (duplicates).
I do see my own posts, as long as they are replies to existing threads. The only ones I don't see are when I start a thread. I remember seeing a hack for this somewhere.
--
----------JSA---------
Someone stole my tag line, so now I have this rental.
On Fri, 08 Aug 2008 16:32:20 -0700, John Andersen wrote:
And as Alexey said it DID arrive in his Gmail mailbox which, by definition means it DID go thru Gmail's server: inbound.
And that isn't what I was talking about. Gmail has no idea whether or not he actually sent it using another mail client (for example).
Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Fri, Aug 8, 2008 at 6:52 PM, Alexey Eremenko
On Sat, Aug 9, 2008 at 12:37 AM, Kai Ponte
wrote: On Friday 08 August 2008 06:28:09 am Alexey Eremenko wrote:
Kai: BTW: In your case even the name was emulated correctly in GMail, which means that GMail doesn't check it at all.
No, that had nothing to do with gmail. It never went through gmail.
I thought GMail would scan for all suspicious emails, and logically something that arrived in my GMail with "From: al4321@gmail.com" (my email address) but was never sent from my account is a spoof.
It means that GMail isn't protected :(
Alexey, it is not that simple, and you've pointed out a way to work around some of the anti-spoofing technology, at least as it is now implemented. I'm pretty sure a direct email to you originating from a non-gmail SMTP claiming to be from a gmail account would get discarded. The trouble is with the mailing list forwarding the address, google does not have enough information to know where the email originated. So, if I were a spammer, I would fake the headers to look like the email was being forwarded by a site like opensuse. So now it looks like the listserve server needs to:
1) Check for valid info on receipt to ignore spoofed email
2) Provide valid info on send to allow recipients to validate the sender.
Greg
--
Greg Freemyer
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
First 99 Days Litigation White Paper - http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
On Fri, Aug 8, 2008 at 4:29 PM, Greg Freemyer
The trouble is with the mailinglist forwarding the address, google does not have enough information to know where the email originated.
That's just not true Greg.
Using headers in your own posting to opensuse:
------begin excerpt ---
Received: by an-out-0708.google.com with SMTP id b33so191332ana.112
for
On Fri, Aug 8, 2008 at 7:38 PM, John Andersen
On Fri, Aug 8, 2008 at 4:29 PM, Greg Freemyer
wrote: The trouble is with the mailinglist forwarding the address, google does not have enough information to know where the email originated.
That's just not true Greg.
Using headers in your own posting to opensuse:
------begin excerpt ---
Received: by an-out-0708.google.com with SMTP id b33so191332ana.112 for ; Fri, 08 Aug 2008 16:29:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=+At/E0R+WGDJuOyD/nTbeuVBapWCrGc1HPv021wBVog=; b=q1gFa2CY5pMhRhX5cQGGTxv8+lHUUqw2H3MG4dXm6A3ufOmEp9m1NV8aDog281jLwe x1kiCfaftKKblyZjgPnhZq8Az8MMzt4iTxNcmcF/BUIgtrrduDsuzquE5sFOga7daF7w dEUtPlJoNi9/O8gmwUZBawaeB271yTlNAAMKc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=u59WjuD61Z8iDbQDYe99BZCeOgsXovStFPoFn70jRgQThYGXF7F+x7qx8v0OKNjlsE qaHAilalYW06V96refQW2T+ojtg/yjgAEz2jRHuMtfq5nY+3eLxwzKTuHvaGFwq/jEn1 vggJBDQYYhzKd2AmoI7NgVSlnXLpRKif4xhfk=
---- end excerpt
Plenty of evidence here that the mail came from gmail.
If the gmail didn't see its own tracks in the first few "received" headers it could assume that mail purporting to be FROM gmail was forged and could have alerted Alexey to that fact.
I'm not sure it would help anyone except Alexey but it would at least give him a heads up.
Interesting. I was looking for the SPF relevant info. That was missing. I don't know anything about DKIM. Maybe gmail is only supporting that on the sending side?
Greg
--
Greg Freemyer
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
First 99 Days Litigation White Paper - http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
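John's heuristic from the excerpt above (look at the oldest Received: hop, the one just above the body, and at the DKIM-Signature d= tag, and compare both with the From: domain), written out in Python as an added example that is not part of the thread. Both messages, the host names and the INFRA table mapping a From: domain to the hosts it legitimately sends through are constructed; the DKIM signature is only inspected for its d= tag, not cryptographically verified, so this is the kind of hint John describes, not a substitute for SPF/DKIM verification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed mapping: hosts a From: domain legitimately submits mail through.
# A real receiver would derive this from SPF/DKIM policy, not a hand-kept table.
INFRA = {"gmail.com": ("google.com", "gmail.com")}

# Constructed sample in the shape of the excerpt quoted above: a gmail message
# relayed by the list. The oldest hop (last Received:) is a google.com host and
# the DKIM-Signature names d=gmail.com. bh= and b= are placeholders.
LEGIT = """\
Received: from lists4.suse.de (lists4.suse.de [195.135.221.135])
\tby intrepid.warp.be (Postfix) with ESMTP id A1DD3138084
Received: by an-out-0708.google.com with SMTP id b33so191332ana.112
\tfor <opensuse@opensuse.org>; Fri, 08 Aug 2008 16:29:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Someone <someone@gmail.com>
Subject: test

body
"""

# Constructed sample of a spoof as discussed in the thread: same From: domain,
# but the oldest hop is an unrelated host and there is no DKIM signature.
SPOOF = """\
Received: from lists4.suse.de (lists4.suse.de [195.135.221.135])
\tby intrepid.warp.be (Postfix) with ESMTP id 92C55138076
Received: from webmail.example.net (webmail.example.net [192.0.2.10])
\tby lists4.suse.de (Postfix) with ESMTP id 12345
From: Someone <someone@gmail.com>
Subject: test

body
"""

HOST_RE = re.compile(r"^\s*(?:from\s+(\S+)|by\s+(\S+))", re.IGNORECASE)
DKIM_D_RE = re.compile(r"(?:^|;)\s*d=([^;\s]+)", re.IGNORECASE)


def from_domain(msg) -> str:
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def origin_host(msg) -> str:
    """Host named in the oldest Received: header (the one just above the body).

    Received: headers are prepended by each hop, so the last one in the list
    returned by get_all() is the first hop the message took.
    """
    hops = msg.get_all("Received") or []
    if not hops:
        return ""
    oldest = " ".join(hops[-1].split())  # unfold continuation lines
    m = HOST_RE.match(oldest)
    if m is None:
        return ""
    return (m.group(1) or m.group(2)).lower().rstrip(";")


def dkim_domains(msg) -> list:
    """d= tags of every DKIM-Signature header (not verified, only parsed)."""
    found = []
    for sig in msg.get_all("DKIM-Signature") or []:
        found += [d.lower() for d in DKIM_D_RE.findall(" ".join(sig.split()))]
    return found


def check_origin(raw: str, infra=INFRA) -> dict:
    """Flag a message whose From: domain is not backed by either its oldest
    hop or a DKIM d= tag for that domain."""
    msg = message_from_string(raw)
    dom = from_domain(msg)
    origin = origin_host(msg)
    dkim = dkim_domains(msg)
    suffixes = infra.get(dom, (dom,))
    origin_ok = any(origin == s or origin.endswith("." + s) for s in suffixes)
    dkim_ok = dom in dkim
    return {
        "from_domain": dom,
        "origin_host": origin,
        "dkim_domains": dkim,
        "verdict": "consistent" if (origin_ok or dkim_ok) else "suspect",
    }


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(name, check_origin(raw))
```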
How about *forcing* email servers to use reverse DNS against all incoming email and the email "From: " field? I.e. if I received from someone@opensuse.org, but the source IP address cannot be reverse-DNS-resolved to show that it really came from opensuse.org, such email can be automatically sent to the spam folder. Is this possible?
--
-Alexey Eromenko "Technologov"
On Sat, August 9, 2008 02:08, Alexey Eremenko wrote:
How about *forcing* email servers to use reverse DNS against all incoming email and the email "From: " field?
I.e. if I received from someone@opensuse.org, but the source IP address cannot be reverse-DNS-resolved to show that it really came from opensuse.org, such email can be automatically sent to the spam folder. Is this possible?
What are you talking about?
a) Email headers: From:
b) SMTP headers: MAIL FROM:
Do you know the difference between the two?
a) should be handled by a spamfilter like SpamAssassin.
b) is done in postfix with reject_unverified_sender
reject_unverified_sender will keep your box under *heavy* load. It has to verify *every* incoming email while the SMTP session is still open. The SMTP server at the other end may timeout resulting in unnecessary reconnects and more network traffic, or it may refuse your connection back, or it may simply be an Exchange^Wmisconfigured server, and then you lose some legitimate email. You'll need whitelists.
--
Amedee
Amedee Van Gasse wrote:
On Sat, August 9, 2008 02:08, Alexey Eremenko wrote:
How about *forcing* email servers to use reverse DNS against all incoming email and the email "From: " field?
I.e. if I received from someone@opensuse.org, but the source IP address cannot be reverse-DNS-resolved to show that it really came from opensuse.org, such email can be automatically sent to the spam folder. Is this possible?
What are you talking about?
a) Email headers: From:
b) SMTP headers: MAIL FROM:
I assume you are talking about the difference between envelope sender and the From: field in the DATA part of the mail.
Do you know the difference between the two?
a) should be handled by a spamfilter like SpamAssassin.
b) is done in postfix with reject_unverified_sender
reject_unverified_sender will keep your box under *heavy* load. It has to verify *every* incoming email while the SMTP session is still open. The SMTP server at the other end may timeout resulting in unnecessary reconnects and more network traffic, or it may refuse your connection back, or it may simply be an Exchange^Wmisconfigured server, and then you lose some legitimate email. You'll need whitelists.
Please do not use global sender verification. It is like catching flies with a hammer. You might get some once in a while but the damage you do while using said appliance is rather heavy. In case of the listserver you would verify the sender address of the listserver (not very useful):
opensuse-de+bounces-32203-suse-linux=japantest.homelinux.com@opensuse.org
In this case I would have to check if the listserver would even recognise the address extension as a valid address. Additionally, a lot of other big companies don't use valid sender addresses, so the false positive rate is rather high. An additional risk is that some ISPs are blacklisting you if your probes result in too many rejected address probes. T-Online.de for example blacklists you if you try to send to more than 40 invalid recipients within 24 hours. Don't use whitelists for sender verification; instead use it only for select domains that are falsified often. You might get away with that if you only use the server for your own needs, but once the server is used by many people it's simply not possible to know all desired clients or mails anymore.
--
Sandy
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
On Sat, August 9, 2008 13:41, Sandy Drobic wrote:
Amedee Van Gasse wrote:
On Sat, August 9, 2008 02:08, Alexey Eremenko wrote:
How about *forcing* email servers to use reverse DNS against all incoming email and the email "From: " field ?
I.e. If I received from someone@opensuse.org, but source IP address cannot be reverse-DNS-resolved, that it really came from openSUSE@org, such email can be automatically sent to spam folder. Is this possible ?
What are you talking about?
a) Email headers: From:
b) SMTP headers: MAIL FROM:
I assume you are talking about the difference between envelope sender and the From: field in the DATA part of the mail.
Yes, you assume right.
Please do not use global sender verification. It is like catching flies with a hammer. You might get some once in a while but the damage you do while using said appliance is rather heavy.
Yes, I agree. That is sort of what I wrote too.
In case of the listserver you would verify the sender address of the listserver (not very useful).
opensuse-de+bounces-32203-suse-linux=japantest.homelinux.com@opensuse.org
In this case I would have to check if the listserver would even recognise the address extension as a valid address. Additionally, a lot of other big companies don't use valid sender addresses, so the false positive rate is rather high.
I know. I work for company number 39 on that well known list, and I'm doing 2nd level email support on one of the sites. We have just done a migration from Notes to Exchange, last year. Now I know there are lots of very good reasons why sometimes it isn't possible to have valid sender addresses. If a company is in a transition phase, you have to live with that.
An additional risk is that some ISPs are blacklisting you if your probes result in too many rejected address probes. T-Online.de for example blacklists you if you try to send to more than 40 invalid recipients within 24 hours.
I didn't know that for sure, but I believe you. It sounds familiar.
Don't use whitelists for sender verification, instead use it only for select domains that are falsified often.
That is what I meant to write but my Engrish is not so good. :-)
You might get away with that if you only use the server for your own needs but once the server is used by many people it's simply not possible to know all desired clients or mails anymore.
On Sat, August 9, 2008 01:38, John Andersen wrote:
On Fri, Aug 8, 2008 at 4:29 PM, Greg Freemyer wrote:
The trouble is with the mailinglist forwarding the address, google does not have enough information to know where the email originated.
That's just not true Greg.
Using headers in your own posting to opensuse:
------begin excerpt ---
Received: by an-out-0708.google.com with SMTP id b33so191332ana.112 for ; Fri, 08 Aug 2008 16:29:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=+At/E0R+WGDJuOyD/nTbeuVBapWCrGc1HPv021wBVog=; b=q1gFa2CY5pMhRhX5cQGGTxv8+lHUUqw2H3MG4dXm6A3ufOmEp9m1NV8aDog281jLwe x1kiCfaftKKblyZjgPnhZq8Az8MMzt4iTxNcmcF/BUIgtrrduDsuzquE5sFOga7daF7w dEUtPlJoNi9/O8gmwUZBawaeB271yTlNAAMKc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=u59WjuD61Z8iDbQDYe99BZCeOgsXovStFPoFn70jRgQThYGXF7F+x7qx8v0OKNjlsE qaHAilalYW06V96refQW2T+ojtg/yjgAEz2jRHuMtfq5nY+3eLxwzKTuHvaGFwq/jEn1 vggJBDQYYhzKd2AmoI7NgVSlnXLpRKif4xhfk=
---- end excerpt
Plenty of evidence here that the mail came from gmail.
True.
If the gmail didn't see its own tracks in the first few "received" headers it could assume that mail purporting to be FROM gmail was forged and could have alerted Alexey to that fact.
Not true. The evidence doesn't work that way. I don't know how I can explain. I'll try.

Troll sends forged email to opensuse. Opensuse accepts the forged email. Opensuse forwards the email.

list4.suse.de opens an SMTP connection on port 25 to gmail-smtp-in.l.google.com
list4.suse.de says: HELO list4.suse.de
list4.suse.de says: MAIL FROM: opensuse@opensuse.org
gmail-smtp-in.l.google.com checks if opensuse.org uses SPF. Too bad it doesn't, now we don't know if this email is forged. Let's treat it like a neutral email.
list4.suse.de says: RCPT TO: jsamyth@gmail.com
gmail-smtp thinks, OK, I know that user, you may continue.
list4.suse.de says: DATA
This is followed by a blob of data that could be anything. At this point, the SMTP session really doesn't care. As long as it is structured as an RFC2822, it could be anything.
gmail-smtp accepts the data.
list4.suse.de says goodbye and breaks the connection.

At this point, Gmail is responsible for the mail. It's too late to refuse the email. Its only options left are delivery or dropping the email. Now gmail starts scanning the email, to find out if it is spam.

When Gmail does not find its own SPF evidence in an email with a gmail-from, this does not mean forgery! It is possible that a legitimate user is sending email with his Thunderbird configured with the gmail address as the sender address. This happens a lot with popular email services like Gmail, so they cannot treat those emails as suspicious.

OTOH, companies with strict IT policies can reject every email with one of their addresses in the from but not sent from one of the company mailservers, if they enforce a policy that forbids employees to configure their work email accounts in their home internet connections, or forces them to use a VPN to the company mail server to send company mail.

-- Amedee
On Sat, August 9, 2008 01:29, Greg Freemyer wrote:
The trouble is with the mailinglist forwarding the address, google does not have enough information to know where the email originated.
So, if I were a spammer, I would fake the headers to look like the email was being forwarded by a site like opensuse.
So now it looks like the listserve server needs to:
1) Check for valid info on receipt to ignore spoofed email
2) Provide valid info on send to allow recipients to validate the sender.
I was thinking the same thing too. But what if a spammer also forges the headers of the listserve server too? In theory *and* in practice, any mail header can be forged, including the routing headers (the From: headers). The spam server can send email to Google, claiming to be just an innocent forwarding server, with fake listserver and routing headers. Google can't tell the difference!

This can only be fixed if the opensuse mailserver uses SPF, so Gmail can check that the spamserver isn't allowed to send email on behalf of opensuse. And even then it's not foolproof. SPF is always recommended as only one of many factors to determine if email is unwanted. It's not an absolute judgement.

-- Amedee
On Fri, August 8, 2008 15:26, Alexey Eremenko wrote:
Kai: Well, it feels like having a clone on the net :) It may be fun and may be scary - depending on circumstances.
When I opened the RAW message from you, I see a lot of "Received: ..." Are those all recipients or "steps" in the routing of email ?
Yes.
Anyway: any ideas on fighting techniques ? Can we see the source IP address ?
Yes. Depending on your mail client, this is easy or hard.
If so, maybe we can use reverse DNS and compare that to the email header "From: " address ?
No. There are legitimate reasons why the IP address won't match the header "From: " address. You shouldn't look at the header-From but at the SMTP-From. Two different things. This is what SPF does for you, at the MTA level. But... that information is lost when the mail passes the Opensuse server. It's the Opensuse server that should check for SPF.
Perhaps I need to learn about SMTP and SPF :)
Definitely. I speak SMTP fluently, and I'm still learning SPF. Start with the RFCs. Dry and techie stuff but really useful.

Frak, I should get a job as an independent email security consultant, I know more about email than most Exchange admins. Why am I still a L2 support engineer... ;-)

PS: This has become a general mail routing, mail spoofing and mail security topic, not about Opensuse in particular. I don't know if we're still on topic and if other list members are still interested. Is there an off-topic mailing list that is better suited for this kind of interesting threads?

-- Amedee
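The two questions answered above, where the source IP hides in the "Received:" chain and why the header "From:" must not be confused with the SMTP envelope sender, as an added example that is not part of the thread. It uses only Python's standard-library email parser on a constructed sample message; every hostname, IP address and id in the sample is invented.

```python
"""Trace the Received: chain and compare the envelope sender with the header From.

Added example, not code from the thread. The sample message below is constructed;
its hostnames, IP addresses (RFC 5737 ranges) and queue ids are invented.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample as a recipient might see a list-relayed message.
# Each MTA prepends its own Received: line, so the top line is the last hop
# and the bottom line is the first hop, i.e. the host that injected the mail.
RAW_MESSAGE = """\
Return-Path: <list+bounces-1234-al4321=gmail.example@lists.example>
Received: from list4.lists.example (list4.lists.example [192.0.2.20])
        by mx.gmail.example with ESMTP id CONSTRUCTED0002
        for <al4321@gmail.example>; Fri, 08 Aug 2008 16:29:17 -0700 (PDT)
Received: from friendly.example (unknown [203.0.113.7])
        by mx2.lists.example (Postfix) with SMTP id CONSTRUCTED0001
        for <list@lists.example>; Fri, 08 Aug 2008 16:29:10 -0700 (PDT)
From: al4321@gmail.example
To: list@lists.example
Subject: constructed sample

This is a test.
"""

# "from <HELO name> (<reverse DNS> [<IP>])" as Postfix and Sendmail write it.
_HOP = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]*)\s*\[([0-9.]+)\]\)")


def received_chain(raw):
    """Hops in transit order (first hop first): HELO name, reverse DNS, IP."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = _HOP.search(value)
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)})
    return hops


def originating_ip(raw):
    """IP that handed the mail to the first MTA in the chain (the 'source IP')."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None


def sender_domains(raw):
    """(envelope sender domain, header From domain): the two different 'From's."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    header = parseaddr(msg.get("From", ""))[1]
    return envelope.rsplit("@", 1)[-1].lower(), header.rsplit("@", 1)[-1].lower()


def suspicious_hops(raw):
    """IPs whose HELO name differs from reverse DNS: a hint, not proof of forgery."""
    return [h["ip"] for h in received_chain(raw)
            if h["rdns"].lower() != h["helo"].lower()]
```

Return-Path is what the final MTA writes from the SMTP MAIL FROM, so it is the only trace of the envelope sender left in the stored message; the envelope domain (the list) and the header From domain (gmail) differ legitimately here, which is exactly why a reverse-DNS check against the header From would misfire.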
Strictly speaking, openSUSE mailing list is also spoofing email
addresses as I receive something like:
from Amedee Van Gasse
If so, maybe we can use reverse DNS and compare that to the email header "From: " address ?
No. There are legitimate reasons why the IP address won't match the header "From: " address. What reasons ?
PS: This has become a general mail routing, mail spoofing and mail security topic, not about Opensuse in particular. I don't know if we're still on topic and if other list members are still interested. Is there an off-topic mailing list that is better suited for this kind of interesting treads?
This is because opensuse mailing list was under attack by spoofing spammers. And we are defenseless...

Well, some professional can even send email from command-line, effectively converting the PC into email client. Unfortunately I can only use email-clients like Thunderbird or webmail.

-- -Alexey Eromenko "Technologov"
On Fri, August 8, 2008 15:55, Alexey Eremenko wrote:
Strictly speaking, openSUSE mailing list is also spoofing email addresses as I receive something like:
from Amedee Van Gasse
to opensuse@opensuse.org
While in reality I should receive something like:
from opensuse@opensuse.org
to al4321@gmail.com
You understand ?
Of course.
If so, maybe we can use reverse DNS and compare that to the email header "From: " address ?
No. There are legitimate reasons why the IP address won't match the header "From: " address. What reasons ?
You just gave one, a few lines up. ;-)
Well, some professional can even send email from command-line, effectively converting the PC into email client. Unfortunately I can only use email-clients like Thunderbird or webmail.
I'm just an amateur! But sending email from command-line is a piece of cake.

First you have to find out which mailserver you have to contact. You do this with "dig <domain> mx", for example

$ dig opensuse.org mx

The MX records point to the mailservers of a domain. In case of opensuse.org, you get two answers:

;; ANSWER SECTION:
opensuse.org. 300 IN MX 42 mx1.suse.de.
opensuse.org. 300 IN MX 42 mx2.suse.de.

The number 42 is the priority. Sensible mailservers start with the server with the lowest number, and if they cannot contact it, they take the next one. In this case both servers have equal priorities. It's a kind of load balancing. Spammers OTOH usually abuse the server with the highest number. This is often a backup server somewhere at a remote location that just forwards mail to the main mailserver, and everybody forgets to update the backup server.

Now that you know the mailserver, you are ready to send your email:

$ telnet mx2.suse.de 25

(port 25 is the default SMTP port)

The server shows a banner:

Trying 195.135.220.15...
Connected to mx2.suse.de.
Escape character is '^]'.
220 mx2.suse.de ESMTP Postfix (2.1.1)

You are polite and say hel(l)o to the server:

HELO spammer.com
250 mx2.suse.de

Lines starting with 250 are replies from the suse mailserver, saying everything is OK. Now we start sending email. First we say who it is from:

MAIL FROM: badboy@spammer.com
250 Ok

And who is the intended recipient:

RCPT TO: opensuse@opensuse.org
250 Ok

This is all you need, now you send the data part of the mail:

DATA
354 End data with <CR><LF>.<CR><LF>

The mailserver tells you how you can say you reached the end of an email. First you type the mailheaders, followed by a blank line, followed by the body of the mail, and then you close with a dot on a single line.

From: al4321@gmail.com
To: opensuse@opensuse.org
Subject: Sending email with telnet on port 25
X-Yet-Another-Header: nothing to see, move along

This is a test. I am sending this email with telnet on port 25.
It may or may not arrive, depending on the spamfilter used by Suse.
Have fun, Amedee, pretending to be someone else
.
250 Ok: queued as 8639A45AF2

The message is accepted by Suse, now we break the connection:

QUIT
221 Bye
Connection closed by foreign host.

That's all!

To recapitulate:

dig example.com mx
telnet mail.example.com 25
HELO your.servername
MAIL FROM: your address
RCPT TO: somebody@example.com
DATA
Email headers
Email body
.
QUIT

Cheers, Amedee.
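The receiving mailserver's side of the two dialogues in this thread, Amedee's list-to-Gmail walkthrough and the telnet session above, as an added example that is neither the thread's own text nor any real MTA's code. It answers HELO, MAIL FROM, RCPT TO, DATA and QUIT with the reply codes shown, evaluates SPF for the envelope sender against a constructed record table (SPF_RECORDS stands in for DNS TXT lookups; no network is used), and makes visible where a server can still refuse, at MAIL FROM on an SPF fail or at RCPT TO for an unknown user, and why, once the terminating dot has been answered with 250, the only options left are deliver or drop. Every hostname, address and queue id below is invented.

```python
"""Server side of the SMTP dialogue, with an SPF check at MAIL FROM.

Added example, not code from the thread or from any real MTA. SPF_RECORDS is a
constructed stand-in for DNS TXT lookups; hosts, addresses and ids are invented.
"""
import ipaddress

SPF_RECORDS = {  # constructed: one hard-fail domain, one soft-fail domain
    "example.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
}
LOCAL_USERS = {"postmaster@example.org", "list@example.org"}  # constructed
RESULT_FOR = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Toy SPF evaluator: only ip4 and all mechanisms; 'none' if no record."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # the opensuse.org case in the thread: nothing to check against
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT_FOR[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return RESULT_FOR[qualifier]
    return "neutral"


def _address(line):
    """'MAIL FROM: <a@b>' -> 'a@b'; angle brackets are optional, as in the telnet session."""
    return line.split(":", 1)[1].strip().strip("<>").lower()


class InboundSession:
    """What the receiving MTA knows after each command, and what it answers."""

    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.helo = None
        self.mail_from = None
        self.spf = None
        self.rcpt = []
        self.in_data = False
        self.data_lines = []
        self.queued = None  # set once the terminating '.' has been accepted

    def handle(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.queued = "\n".join(self.data_lines)
                return "250 Ok: queued as CONSTRUCTED0001"  # point of no return
            self.data_lines.append(line)
            return None  # the server is silent while the client streams DATA
        upper = line.upper()
        if upper.startswith(("HELO ", "EHLO ")):
            self.helo = line.split(None, 1)[1].strip()
            return "250 mx.example.org"
        if upper.startswith("MAIL FROM:"):
            self.mail_from = _address(line)
            self.spf = check_spf(self.mail_from.rsplit("@", 1)[-1], self.client_ip)
            if self.spf == "fail":
                return "550 5.7.1 SPF check failed for <%s>" % self.mail_from
            return "250 Ok"  # pass, softfail, neutral and none all get through here
        if upper.startswith("RCPT TO:"):
            if self.mail_from is None:
                return "503 Error: need MAIL command"
            rcpt = _address(line)
            if rcpt not in LOCAL_USERS:
                return "550 5.1.1 <%s>: Recipient address rejected" % rcpt
            self.rcpt.append(rcpt)
            return "250 Ok"
        if upper == "DATA":
            if not self.rcpt:
                return "503 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if upper == "QUIT":
            return "221 Bye"
        return "502 5.5.2 Error: command not recognized"

    def header_from(self):
        """The From: inside DATA; nothing in the protocol ties it to mail_from."""
        if self.queued is None:
            return None
        for h in self.queued.split("\n\n", 1)[0].split("\n"):
            if h.lower().startswith("from:"):
                return h.split(":", 1)[1].strip()
        return None


def run_dialogue(client_ip, client_lines):
    """Feed one client's lines through a session; return it with the replies sent."""
    session = InboundSession(client_ip)
    replies = [r for r in map(session.handle, client_lines) if r is not None]
    return session, replies


# Constructed dialogues from client 203.0.113.7. The first claims a sender domain
# whose SPF record does not list that IP and is refused at MAIL FROM. The second
# comes from a domain with no SPF record, so the envelope cannot be judged and the
# message, whose header From: names a third party, is accepted and queued.
SPOOFED = ["HELO relay.example.net", "MAIL FROM: <badboy@example.net>"]
RELAYED = ["HELO list4.nospf.example", "MAIL FROM: <list+bounces@nospf.example>",
           "RCPT TO: <list@example.org>", "DATA", "From: someone@gmail.example",
           "To: list@example.org", "", "This is a test.", ".", "QUIT"]
```

Running `run_dialogue("203.0.113.7", RELAYED)` shows the session Amedee describes: the server answers 250 at every step because the sender domain publishes nothing, and only after the dot is accepted could a content filter notice that the envelope sender and the header From disagree. A real MTA would add the reverse-DNS and HELO checks mentioned elsewhere in the thread at the same early stage, before DATA, where a refusal still costs nothing.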
On Friday 08 August 2008 06:26:43 am Alexey Eremenko wrote:
Kai: Well, it feels like having a clone on the net :) It may be fun and may be scary - depending on circumstances.
With teh power of openSUSE I kan haxxor into other systemz too! :)
When I opened the RAW message from you, I see a lot of "Received: ..." Are those all recipients or "steps" in the routing of email ?
Yes, exactly. That's what they are.
Anyway: any ideas on fighting techniques ?
I think it is up to the opensuse list.

-- kai
www.filesite.org || www.4thedadz.com || www.perfectreign.com
remember - a turn signal is a statement, not a request
participants (8)
- Alexey Eremenko
- Amedee Van Gasse
- Greg Freemyer
- Jim Henderson
- John Andersen
- Kai Ponte
- Patrick Shanahan
- Sandy Drobic