
Re: virus and/or spam alert



Basically JD's advice is very good. However there are added layers of
security that can be used. I have a short web page about security based on
my personal experience and a bit of research at:
http://www.hal-pc.org/~clement/security.html

I would like to point out that the listserv probably does not use the
return-address for verification. It probably uses the from address. All
mailers are required to supply 3 pieces of information: the from address,
the time stamp, and the to address. The return address is optional
information and is easily changed in any good mailer. The from address and
time stamp are not easily changed in regular mailers, but hackers can
readily get programs that spoof any fields. The problem is that on the
internet the recipient only knows who you say you are.

There is a solution to this problem which could be implemented, but probably
is not. The mail client can check to see if the address the mail comes from
matches the claimed from address of the sender. The actual address the mail
comes from cannot be easily spoofed. This is because in the process of
receiving the message a virtual connection is established between the sender
and recipient. Each has to synchronize and send messages back and forth. A
spoofed address will result in the messages not being received by the
recipient. This particular solution can be implemented after the message
has been received because the message header contains the address of the
machine that sent the mail to your post office machine. Since this info. is
put there by the post office machine it will be accurate.

This solution is so simple and actually so obvious that I have always
wondered why it is not implemented. It not only prevents spoofing, but it
can also be configured to prevent most spamming. Spammers generally send their
messages through relay machines. The message header reveals this, and such
messages could also be rejected.

John M. Clement
Houston, TX

John Denker wrote:
On Fri, 10 May 2002 04:53:14 -0500 there appeared a message
falsely attributed to me with the Subject line:
WhfhixFq2ybVmC2ZK78ZJZDmCgZuKUPXpS9W

1) I don't have any mailers configured to set my return
address to "jsd <jsd@monmouth.com>" ... They're all
"John S. Denker <jsd@monmouth.com>" or something like that.

2) I don't have any computers that operate in the GMT -0500
timezone.

3) I wasn't awake at that time, anyway.

4) The format of the message, multipart/alternative with
attachments, is not the sort of thing I'd be likely to
send, by accident or otherwise.

5) There is no reason to believe any of my computers have
been hacked.

6) OTOH there are known viruses running around that forge
the "From:" lines of the messages they send out.

The best hypothesis I can think of is that some member of this
list has been infected. The virus got the address of the list
from one line in the victim's address-book, and forged the From:
address based on another line in the victim's address-book. This
hypothesis fits most of the facts, but the exact formatting and
payload of the message isn't 100% consistent with any virus I
know of. Maybe it's a new virus, and/or the payload was mangled
by the listserv.

For slightly more information about the forged message, look at
http://mailgate1.nau.edu/cgi-bin/wa?A2=ind0205&L=phys-l&F=&S=&P=38557

===================================================

More generally: There are grounds for some concern about the future.
This list defends itself by checking the return-addresses. If the
viruses and/or spammers figure this out, we might start seeing quite
a lot of bogus messages. It would be very hard for the listserv per
se to defend against this sort of attack; by far the best defense is
for each participant to maintain good computer security. Use good
firewall and virus-checking software, or (better yet) run an email
reader that was sufficiently well designed that it isn't a culture
medium for viruses. (This rules out all Microsoft products.)
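The check John Clement describes above (compare the host that actually delivered the message, as recorded in the topmost Received: header, with the domain claimed in From:, and note whether the mail came through a relay) as an added example; this is not code from the thread or from any listserv. It assumes the common "from helo (rdns [ip])" form of Received: headers, and the sample messages are constructed with reserved example domains and TEST-NET addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches the "from <helo> (<reverse-dns> [<ip>])" clause a receiving MTA writes
# into its own Received: header. Real headers vary; this is a best-effort parser.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)")


def registered_domain(host):
    """Crude last-two-labels rule: mail.example.org -> example.org."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_sender(raw_message):
    """Compare the host that delivered the mail with the domain claimed in From:.
    Each hop prepends a Received: header, so received[0] was written by our own
    post-office machine and names the host that actually connected to it."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    hop = RECEIVED_RE.search(received[0]) if received else None
    connecting = (hop.group("rdns") or hop.group("helo")) if hop else None
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    mismatch = (connecting is None or not from_domain
                or registered_domain(connecting) != registered_domain(from_domain))
    return {
        "from_domain": from_domain,
        "connecting_host": connecting,
        "hops": len(received),
        "spoof_suspected": mismatch,   # claimed domain vs. delivering host
        "relayed": len(received) > 1,  # passed through at least one relay
    }


# Constructed sample headers (not from the archived thread); TEST-NET addresses.
LEGIT = """\
Received: from mail.example.org (mail.example.org [192.0.2.10]) by list.example.edu; Fri, 10 May 2002 09:00:00 -0700
From: "J. Sender" <jsd@example.org>
"""

FORGED = """\
Received: from open-relay.example.net (open-relay.example.net [198.51.100.8]) by list.example.edu; Fri, 10 May 2002 04:53:14 -0500
Received: from dialup-42.example.net (dialup-42.example.net [198.51.100.7]) by open-relay.example.net; Fri, 10 May 2002 04:53:00 -0500
From: "J. Sender" <jsd@example.org>
"""
```

Legitimate mail often fails this heuristic too (forwarding, hosted mail, internal relays), so treat a mismatch as a signal to log and investigate rather than a reason to reject on its own.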