RE:virus message


RE:virus message

Nick Thompson
Owen,

For us idiots, neophytes, saprophytes, and any other -phytes out here,
PLEASE explain why you keep sending us these scary messages.  My computer
is starting to show signs of hypochondria.

Did you know that the HelpDesk at Clark once accused me of having
"Munchausen's Syndrome By Computer".

Nick

Nicholas S. Thompson
Professor of Psychology and Ethology
Clark University
[hidden email]
http://home.earthlink.net/~nickthompson/
 [hidden email]


> [Original Message]
> From: <[hidden email]>
> To: <[hidden email]>
> Date: 1/4/2005 9:00:19 AM
> Subject: Friam Digest, Vol 19, Issue 4
>
> Send Friam mailing list submissions to
> [hidden email]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://redfish.com/mailman/listinfo/friam_redfish.com
> or, via email, send a message with subject or body 'help' to
> [hidden email]
>
> You can reach the person managing the list at
> [hidden email]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Friam digest..."
>
>
> Today's Topics:
>
>    1. {Virus?} Re: (Owen)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 03 Jan 2005 19:33:59 -0800
> From: "Owen" <[hidden email]>
> Subject: [FRIAM] {Virus?} Re:
> To: "Friam" <[hidden email]>
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="us-ascii"
>
> An HTML attachment was scrubbed...
> URL: /pipermail/friam_redfish.com/attachments/20050103/83414c1e/attachment-0001.htm
> -------------- next part --------------
> This is a message from the MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail attachment "Secret.cpl"
> was believed to be infected by a virus and has been replaced by this
> warning message.
>
> If you wish to receive a copy of the *infected* attachment, please
> forward this email to the support department requesting a copy of the
> attachment.
>
> At Mon Jan  3 23:34:46 2005 the virus scanner said:
>    Secret.cpl  Infection: W32/Bagle.AH@mm
>    Control panel items are often used to hide viruses (Secret.cpl)
>
> Note to Help Desk: Look on Virus MailScanner in
> /var/spool/MailScanner/quarantine/20050103 (message 1ClfSX-0003al-6U).

> --
> Postmaster
>
> ------------------------------
>
> _______________________________________________
> Friam mailing list
> [hidden email]
> http://redfish.com/mailman/listinfo/friam_redfish.com
>
>
> End of Friam Digest, Vol 19, Issue 4
> ************************************




RE:virus message

Owen Densmore
Administrator
Hi Nick.  Oddly enough, I don't receive these because my spam filters  
catch them and put them in my spam folder (I get between 1500 and 2000  
a month).  I'm a bit surprised this is getting through to so many of us  
.. I assumed our ISPs used fairly sophisticated blocking.

This is fairly simple.  There are two sides to email protocols: sending
and receiving.  POP and IMAP are receiving protocols: how you get email
from your mail server/ISP.  SMTP (Simple Mail Transport Protocol) is how
mail gets sent from your computer.  The problem we're having is within
the SMTP world.

SMTP originally was a store-and-forward mechanism where servers would  
now and again forward large bundles of email onto the next hop in their  
journey.  This means that mail transport is *NOT* connection based ..  
i.e. when you send mail from your computer to my IMAP/POP server, it  
need not be done with a single connection between your SMTP server and  
my IMAP/POP server.  There are relays (hops) in between.  You can see  
them by asking your mail reading software to show you the "full  
headers" of an email.  For example, here are the first third or so of  
the header lines from your email:
        From: [hidden email]
        Subject: [FRIAM] RE:virus message
        Date: January 4, 2005 11:26:22 AM MST
        To: [hidden email]
        Delivery-Date: Tue, 04 Jan 2005 13:27:01 -0500
        Received: from backspac by sparta.hostgo.com with local-bsmtp (Exim 4.43)
            id 1CltOL-0006bP-EQ for [hidden email]; Tue, 04 Jan 2005 13:26:58 -0500
        Received: from [64.62.180.132] (helo=athens.hostgo.com) by sparta.hostgo.com
            with esmtps (TLSv1:AES256-SHA:256) (Exim 4.43) id 1CltOI-0006aR-Qs;
            Tue, 04 Jan 2005 13:26:46 -0500
        Received: from localhost ([127.0.0.1] helo=athens.hostgo.com) by
            athens.hostgo.com with esmtp (Exim 4.43) id 1CltOS-0004yA-7o;
            Tue, 04 Jan 2005 14:26:56 -0400
        Received: from [209.86.89.66] (helo=smtpauth06.mail.atl.earthlink.net) by
            athens.hostgo.com with esmtp (Exim 4.43) id 1CltOD-0004w5-LY
            for [hidden email]; Tue, 04 Jan 2005 14:26:42 -0400
        Received: from [70.57.242.30] (helo=earthlink.net) by
            smtpauth06.mail.atl.earthlink.net with asmtp (Exim 4.34) id 1CltNu-0004XT-1Y
            for [hidden email]; Tue, 04 Jan 2005 13:26:22 -0500
        Domainkey-Signature: a=rsa-sha1; q=dns; c=simple; s=test1; d=earthlink.net;
            h=Message-ID:X-Priority:Reply-To:X-Mailer:From:To:Subject:Date:MIME-Version:Content-type;
            b=hSUaAoV3qerPOGmiBOFJOurcPUWmuT0+PbDwSDurH5bVILXPnQxbE5ewISpQ58dI;
        Message-Id: <[hidden email]>
                ....
Note that each "Received:" header shows a hop in the progress of your  
email.

This proves to create extremely difficult security/spam problems.  Were
SMTP to be a connection based service, various checks could be made to
help ensure folks are who they say they are.  You would be sure "owen"
was in fact the sender.

So here's what has happened.  Someone has found my [hidden email]  
mail address and done one of two things.  1-It simply uses a mail  
anonymizing service which fakes a "From:" header to be from me.  2-It  
notices that my mail service allows forwarding and it uses it to fake  
being me.  (A third alternative is that they've hacked the server  
backspaces.net lives on and simply pretend to be me.  These are deeper  
waters.)

There is one more fine point: Friam.org only allows mail to be sent
from members.  This means the spammer is clever and trying to do
mailgroup spamming.  This is recently becoming a popular spam stunt,
sort of a new treasure trove for spam kings.  So likely this clever
bastard has found the friam list, and somehow found a message from me,
and thus knows that he/she can gain spam access to friam.org via
forging my email address, either 1 or 2 above.

Sigh.

Owen

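Owen's point about the "Received:" chain, as an added example that is not part of the thread: a script that parses a constructed copy of the headers quoted above (hidden addresses replaced by example.invalid placeholders), lists the hops in delivery order and computes the delay between them. Only the Received: line added by a server you trust is reliable; every earlier line arrived with the message from the previous hop, which is exactly why the headers alone cannot prove that "owen" was the sender.

```python
"""Walk the Received: chain of an email to see the hops it took."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the headers quoted in the thread; hidden
# addresses are replaced with example.invalid placeholders. Each server
# prepends its own Received: line, so the top one is the last hop.
SAMPLE_HEADERS = """\
From: nick@example.invalid
Subject: [FRIAM] RE:virus message
To: friam@example.invalid
Received: from backspac by sparta.hostgo.com with local-bsmtp (Exim 4.43)
    id 1CltOL-0006bP-EQ for owen@example.invalid; Tue, 04 Jan 2005 13:26:58 -0500
Received: from [64.62.180.132] (helo=athens.hostgo.com) by sparta.hostgo.com
    with esmtps (TLSv1:AES256-SHA:256) (Exim 4.43) id 1CltOI-0006aR-Qs;
    Tue, 04 Jan 2005 13:26:46 -0500
Received: from localhost ([127.0.0.1] helo=athens.hostgo.com) by
    athens.hostgo.com with esmtp (Exim 4.43) id 1CltOS-0004yA-7o;
    Tue, 04 Jan 2005 14:26:56 -0400
Received: from [209.86.89.66] (helo=smtpauth06.mail.atl.earthlink.net) by
    athens.hostgo.com with esmtp (Exim 4.43) id 1CltOD-0004w5-LY
    for friam@example.invalid; Tue, 04 Jan 2005 14:26:42 -0400
Received: from [70.57.242.30] (helo=earthlink.net) by
    smtpauth06.mail.atl.earthlink.net with asmtp (Exim 4.34) id 1CltNu-0004XT-1Y
    for friam@example.invalid; Tue, 04 Jan 2005 13:26:22 -0500
Message-Id: <constructed-sample@example.invalid>

(body omitted)
"""

# Exim-style Received: line; other MTAs vary, so unparsed lines are kept raw.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"               # name or [ip] the sender presented
    r"(?:\s+\((?P<paren>[^)]*)\))?"       # optional ([ip] helo=name)
    r"\s+by\s+(?P<by>\S+)"                # server that added this line
    r"\s+with\s+(?P<proto>\S+)"           # smtp / esmtp / esmtps / asmtp ...
    r".*?\bid\s+(?P<id>\S+)"              # queue id assigned by that server
    r".*?;\s*(?P<date>.+)$"               # timestamp on that server's clock
)


def parse_received(value):
    """Split one Received: value into its fields (unfolds the header first)."""
    text = " ".join(value.split())
    m = RECEIVED_RE.search(text)
    if not m:
        return {"raw": text}
    hop = m.groupdict()
    paren = hop.pop("paren") or ""
    ip = re.search(r"\[([0-9.]+)\]", hop["from"] + " " + paren)
    helo = re.search(r"helo=(\S+)", paren)
    hop["ip"] = ip.group(1) if ip else None          # peer address seen by 'by'
    hop["helo"] = helo.group(1) if helo else hop["from"]  # name the peer claimed
    hop["time"] = parsedate_to_datetime(hop.pop("date"))
    return hop


def received_chain(raw_message):
    """Return the hops in delivery order: first hop first."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def hop_delays(chain):
    """Seconds between consecutive hops; a negative value means clock skew."""
    times = [h["time"] for h in chain if "time" in h]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    chain = received_chain(SAMPLE_HEADERS)
    for n, hop in enumerate(chain, 1):
        print(f"hop {n}: {hop.get('helo')} [{hop.get('ip')}] -> {hop.get('by')}"
              f" via {hop.get('proto')} at {hop.get('time')}")
    print("delays (s):", hop_delays(chain))
```

In the sample the third delay is negative: athens stamped the message ten seconds after sparta said it received it from athens, which is clock skew between the two hosts rather than anything sinister, but the same check is how you spot a chain that was pasted in rather than recorded.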




RE:virus message

Belinda Wong-Swanson
Owen,

Thanks for the detailed explanation of what happened.

Do you (and others) have any suggestions on prevention?

Someone has done similar things with [hidden email] except that it
was sent to an Air Force email address. (I got the reject notice
because a virus attachment was detected. These days, as a naturalized US
citizen, the last thing I want is to mess with any US government
agencies and get deported.) I even have it set up with my email server
such that it requires a password confirmation before I can send out a
message. Obviously, it does not work in this case since the person was
not sending it from my mail server. How can we prevent someone else from
assuming our email identity?

Belinda







RE:virus message

Roger Critchlow-2

Belinda -

   This is called a "joe job": your email address is forged as the
sender of a virus or some spam or any message you didn't actually send.
  It's been happening for years, but they're getting more creative about
it nowadays.

   If the govt decides to start investigating everyone who gets joe
jobbed, then the end of civilization as we know it will have definitely
arrived, because they will no longer have the resources to pursue any of
the other responsibilities of govt.

   There is a solution in the works, as http://spf.pobox.com explains.
The idea is that every domain specifies the mail servers which are
allowed to send their outgoing mail.  So Owen would list the mail
servers at hostgo as the only servers permitted to send mail from
backspaces.net, and then when Friam received mail From:
[hidden email] that didn't originate from a hostgo mail server,
Friam would know it was forged.

   I haven't been able to set it up for my domains, yet, but I expect it
will become more possible in the near future.

-- rec --


RE:virus message

Parks, Raymond
In reply to this post by Belinda Wong-Swanson

   The current proposed solutions in order of decreasing
popularity/maturity are:

Sender Policy Framework (SPF) in which domain owners identify sending
mail servers in DNS and the receiving Mail Transfer Agent (MTA) verifies
this information against the sender header information.  Since you have
your own domain, I'd recommend using this approach, although you may
have to negotiate with your ISP if you don't host your own mail server.
  See http://spf.pobox.com/ for more information.

Sender-ID is a Microsoft proposal to have the Mail User Agent (MUA)
verify the "Purported Responsible Address".  Microsoft programs will
probably have the capability of doing this in upcoming versions.
Sender-ID has patent encumbrances and does not have widespread acceptance.

Bounce Address Tag Validation (BATV) which is a proposal to use the
mail-from header tag to alleviate the very problem that started this
thread - bounced email notifications to folks who didn't originate the
offending email.

Client SMTP Validation (CSV) which is similar to SPF but has the
potential to be more reliable.

Bottom line - if you have an email server, you should probably implement
SPF.

--
Ray Parks                   [hidden email]
IDART Project Lead          Voice:505-844-4024
IORTA Department            Fax:505-844-9641
http://www.sandia.gov/idart Pager:800-690-5288
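Roger's and Ray's description of SPF, as an added example that is neither from the thread nor from spf.pobox.com: a minimal v=spf1 evaluator run against a constructed DNS table in which backspaces.net delegates to a made-up _spf.hostgo.example record listing 64.62.180.132 (athens.hostgo.com in the headers quoted earlier). The receiving MTA supplies the connecting IP and the MAIL FROM domain, so mail claiming backspaces.net but handed in by 70.57.242.30 (the Earthlink client in those headers) fails. It assumes only the standard ipaddress module and implements the ip4, ip6, include and all mechanisms.

```python
"""Tiny SPF (v=spf1) evaluator over a constructed DNS TXT table."""
import ipaddress

# Constructed records standing in for DNS; not the real backspaces.net or
# hostgo.com policies. 64.62.180.132 is athens.hostgo.com from the thread.
DNS_TXT = {
    "backspaces.net": "v=spf1 include:_spf.hostgo.example -all",
    "_spf.hostgo.example": "v=spf1 ip4:64.62.180.132 ip4:64.62.181.0/24 -all",
    "softie.example": "v=spf1 ip4:192.0.2.10 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from_domain, txt=DNS_TXT, depth=0):
    """Evaluate the MAIL FROM domain's SPF policy for the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are handled; a, mx, ptr, exists and
    the redirect/exp modifiers need live DNS and are reported as permerror.
    """
    if depth > 10:                          # RFC 7208 limits lookup chains to 10
        return "permerror"
    record = txt.get(mail_from_domain.lower())
    if not record or not record.lower().startswith("v=spf1"):
        return "none"                       # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:         # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]         # catch-all decides the rest
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            inner = check_spf(client_ip, arg, txt, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"          # included domain is broken
            # fail/softfail/neutral inside an include just means "no match"
        else:
            return "permerror"              # unknown or unsupported mechanism
    return "neutral"                        # policy ended without an 'all'


if __name__ == "__main__":
    # The thread's case: mail claiming backspaces.net handed in by the
    # Earthlink client, versus mail really relayed by athens.hostgo.com.
    for ip in ("70.57.242.30", "64.62.180.132"):
        print(f"{ip} claiming backspaces.net -> {check_spf(ip, 'backspaces.net')}")
```

Note that SPF checks the envelope sender against the connecting host only; it does nothing about a forged "From:" header when the envelope domain is one the spammer controls, which is why the list above pairs it with other proposals.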



Sender Policy Framework (SPF) (was RE:virus message)

Stephen Guerin
On Roger and Ray's suggestion I checked whether the domain hosting service
for Friam.org and Redfish.com supports SPF. Here's their response:

"We won't start supporting SPF until it is accepted by more than 50% of the
large ISPs(AOL, Earthlink...etc)."

-Steve

________________________________________________________
[hidden email] http://www.redfish.com
office: (505)995-0206 624 Agua Fria Street
mobile: (505)577-5828 Santa Fe, NM 87501




Sender Policy Framework (SPF) (was RE:virus message)

Carl Tollander-2
I wonder if there might be a way of setting up a plugin for Mozilla
Thunderbird that would check a config file and simply flag a message as
spam if it didn't come from the "right" place.

Oh, hey, there is one:
https://addons.update.mozilla.org/extensions/moreinfo.php?id=345&vid=1051

Carl




Sender Policy Framework (SPF) (was RE:virus message)

Carl Tollander-2
In reply to this post by Stephen Guerin
Ok, I was a little hasty in posting the Thunderbird SPF thing.
It's not an unalloyed wonder.  (now watch, I'll get spam with
'unalloyed wonder' in the title).

Here's the current stuff: http://taubz.for.net/code/spf/
Sorry if I raised any false hopes.

Carl
