Re: [CentOS] dealing with spoofing
--On Wednesday, August 31, 2011 5:48 PM -0400 Mailing Lists mailingl...@theflux.net wrote:

> http://www.openspf.org/Introduction - SPF FTW

DKIM is another possibility. Blizzard (the game company) signs some (not all) of its mail with DKIM, and I use that to spot obvious account-theft scams. Unfortunately some servers break the signature, so it can be difficult to use and verify.

http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] dealing with spoofing
on 9/1/2011 10:39 AM Kenneth Porter spake the following:

> --On Wednesday, August 31, 2011 5:48 PM -0400 Mailing Lists mailingl...@theflux.net wrote:
>
>> http://www.openspf.org/Introduction - SPF FTW
>
> DKIM is another possibility. Blizzard (the game company) signs some (not all) of its mail with DKIM, and I use that to spot obvious account-theft scams. Unfortunately some servers break the signature, so it can be difficult to use and verify.
>
> http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

I get TONS of spam with legitimate DKIM signatures...
Re: [CentOS] dealing with spoofing
On Thursday, September 01, 2011 12:43 PM -0700 Scott Silva ssi...@sgvwater.com wrote:

> I get TONS of spam with legitimate DKIM signatures...

DKIM and SPF do not stop you from getting spam. Their purpose is to keep you from getting joe-jobbed, by declaring to the world which mail really came from you. It protects email sources, not destinations. So you're getting honest spam that tells you that it really came from where it claims to have come from.
Re: [CentOS] dealing with spoofing
On Thu, 2011-09-01 at 12:43 -0700, Scott Silva wrote:

> I get TONS of spam with legitimate DKIM signatures...

How is that possible?

Paul.
Re: [CentOS] dealing with spoofing
on 9/1/2011 1:14 PM Kenneth Porter spake the following:

> On Thursday, September 01, 2011 12:43 PM -0700 Scott Silva ssi...@sgvwater.com wrote:
>
>> I get TONS of spam with legitimate DKIM signatures...
>
> DKIM and SPF do not stop you from getting spam. Their purpose is to keep you from getting joe-jobbed, by declaring to the world which mail really came from you. It protects email sources, not destinations. So you're getting honest spam that tells you that it really came from where it claims to have come from.

Yes... Hotmail and Yahoo let ANYONE sign up, and flood for a short time until they get cut off. Legitimate source, but still crap...
Re: [CentOS] dealing with spoofing
On Thu, Sep 01, 2011, Always Learning wrote:

> On Thu, 2011-09-01 at 12:43 -0700, Scott Silva wrote:
>
>> I get TONS of spam with legitimate DKIM signatures...
>
> How is that possible?

The spam comes from Yahoo! or perhaps Google groups?

Bill
--
INTERNET: b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676  Mercer Island, WA 98040-0820
Fax: (206) 232-9186  Skype: jwccsllc (206) 855-5792

Good luck to all you optimists out there who think Microsoft can deliver 35 million lines of quality code on which you can operate your business. -- John C. Dvorak
Re: [CentOS] dealing with spoofing
On 01/09/11 22:10, Always Learning wrote:

> On Thu, 2011-09-01 at 12:43 -0700, Scott Silva wrote:
>
>> I get TONS of spam with legitimate DKIM signatures...
>
> How is that possible?

Because spammers know how to sign their email with DKIM signatures too, same as spammers can set an SPF record in DNS. These are NOT specifically anti-spam techniques; they are designed to prevent forgeries, not spam per se.
[CentOS] dealing with spoofing
Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?

mark
Re: [CentOS] dealing with spoofing
On 08/31/2011 01:16 PM, m.r...@5-cent.us wrote:

> Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?

There are two parts to an email that relate to routing: the envelope header and the email header. The only consideration given to routing is the envelope header, which has sender and recipient, nothing else. Reply-To is part of the email header and is there for the email client to use. (See RFCs 2821, 2822.)

HTH,
--
Josh Miller
Open Source Solutions Architect
http://itsecureadmin.com/
Re: [CentOS] dealing with spoofing
> Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?

You don't want to send rejects to more than one address 'cos you then have a simple message multiplier; send one message, generate two bounces; the mail server will be doubling the back-scatter problem!

Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.

--
rgds
Stephen
Re: [CentOS] dealing with spoofing
Stephen Harris wrote:

>> Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?
>
> You don't want to send rejects to more than one address 'cos you then have a simple message multiplier; send one message, generate two bounces; the mail server will be doubling the back-scatter problem!
>
> Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.

That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten probably hundreds, if not more, of delivery failures. And I wind up at least glancing at them, in case email to this list, or to a friend, has bounced.

mark
Re: [CentOS] dealing with spoofing
Spam filter that'll authorize the sending before receiving? Just a thought to stop the hundreds of emails...

On Wed, Aug 31, 2011 at 4:27 PM, m.r...@5-cent.us wrote:

> Stephen Harris wrote:
>
>>> Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?
>>
>> You don't want to send rejects to more than one address 'cos you then have a simple message multiplier; send one message, generate two bounces; the mail server will be doubling the back-scatter problem!
>>
>> Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
>
> That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten probably hundreds, if not more, of delivery failures. And I wind up at least glancing at them, in case email to this list, or to a friend, has bounced.
>
> mark
Re: [CentOS] dealing with spoofing
On 08/31/2011 01:27 PM, m.r...@5-cent.us wrote:

> Stephen Harris wrote:
>
>>> Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?
>>
>> You don't want to send rejects to more than one address 'cos you then have a simple message multiplier; send one message, generate two bounces; the mail server will be doubling the back-scatter problem!
>>
>> Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
>
> That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten probably hundreds, if not more, of delivery failures. And I wind up at least glancing at them, in case email to this list, or to a friend, has bounced.

Mark,

The Reply-To address is an optional component of the email header and is not used in email routing by mail servers. If the Reply-To is absent, mail clients compose a message to be sent to the sender listed in the From field instead.

Mail servers will send NDRs (non-delivery receipts) back to the envelope sender every time, with no regard for From or Reply-To.

--
Josh Miller
Open Source Solutions Architect
http://itsecureadmin.com/
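The envelope-versus-header distinction Josh and Stephen describe, as an added illustration that is not part of the original thread: it parses a constructed client-side SMTP transcript (the kind of thing a packet capture or MTA log would show) and separates the MAIL FROM reverse-path, which is where an NDR goes, from the From: and Reply-To: headers inside DATA, which only a mail client looks at. All hosts and addresses are constructed example values.

```python
"""Separate the SMTP envelope from the message header.

Constructed example: every hostname and address below is sample data.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed transcript of the sending side of one SMTP session. The
# envelope sender (MAIL FROM) has nothing to do with the From: and
# Reply-To: headers that the recipient sees in the message itself.
SESSION = """\
EHLO mailer.spammer.example
MAIL FROM:<bounce-handler@spammer.example>
RCPT TO:<recipient@example.org>
DATA
From: "Account Services" <noreply@bank.example.com>
Reply-To: harvested-user@victim.example
To: recipient@example.org
Subject: constructed sample message
Message-ID: <sample-1@mailer.spammer.example>

Please reply to confirm your account.
.
QUIT
"""


def parse_session(transcript):
    """Return (envelope_sender, envelope_recipients, parsed_message)."""
    envelope_from = None
    rcpts = []
    data_lines = []
    in_data = False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":                 # lone dot terminates DATA
                in_data = False
                continue
            # Undo SMTP dot-stuffing: one leading "." is stripped.
            data_lines.append(line[1:] if line.startswith(".") else line)
        elif line.upper().startswith("MAIL FROM:"):
            envelope_from = parseaddr(line[len("MAIL FROM:"):])[1]
        elif line.upper().startswith("RCPT TO:"):
            rcpts.append(parseaddr(line[len("RCPT TO:"):])[1])
        elif line.strip().upper() == "DATA":
            in_data = True
    return envelope_from, rcpts, message_from_string("\n".join(data_lines))


def bounce_target(envelope_from):
    """An RFC 5321 MTA addresses a non-delivery report to the envelope
    sender only; an empty reverse-path (MAIL FROM:<>) means no bounce."""
    return envelope_from or None


def reply_target(msg):
    """A mail *client* replies to Reply-To:, falling back to From:."""
    return parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1]


def summarize(transcript=SESSION):
    """Side-by-side view of the addresses an admin tends to confuse."""
    env_from, rcpts, msg = parse_session(transcript)
    return {
        "envelope_sender": env_from,
        "envelope_recipients": rcpts,
        "header_from": parseaddr(msg.get("From", ""))[1],
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
        "bounce_goes_to": bounce_target(env_from),
        "human_reply_goes_to": reply_target(msg),
    }
```

Note that the harvested address appears only in Reply-To:, so a correctly behaving MTA never bounces to it; a bounce that does arrive there came from something acting on the header, not the envelope.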
Re: [CentOS] dealing with spoofing
Josh Miller wrote:

> On 08/31/2011 01:27 PM, m.r...@5-cent.us wrote:
>
>> Stephen Harris wrote:
>>
>>>> Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from

[snip]

>>> Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
>>
>> That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten
>
> The Reply-To address is an optional component of the email header and is not used in email routing by mail servers.

I'm well aware that it's an optional component.

[snip]

> Mail server will send NDRs (non-delivery receipts) back to the envelope sender every time with no regard for From or Reply-To.

You're saying it uses the envelope, not "if exists Reply-To, else From"? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.

mark
Re: [CentOS] dealing with spoofing
On 08/31/2011 01:33 PM, m.r...@5-cent.us wrote:

> Josh Miller wrote:
>
>> On 08/31/2011 01:27 PM, m.r...@5-cent.us wrote:
>>
>>> Stephen Harris wrote:
>>>
>>>>> Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from
>
> [snip]
>
>>>> Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
>>>
>>> That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten
>>
>> The Reply-To address is an optional component of the email header and is not used in email routing by mail servers.
>
> I'm well aware that it's an optional component.

Thank you for that clarification.

> [snip]
>
>> Mail server will send NDRs (non-delivery receipts) back to the envelope sender every time with no regard for From or Reply-To.
>
> You're saying it uses the envelope, not "if exists Reply-To, else From"? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.

You are seeing the full email headers. You will not see the envelope headers unless you capture packets or view mail server logs, etc.

--
Josh Miller
Open Source Solutions Architect
http://itsecureadmin.com/
Re: [CentOS] dealing with spoofing
On 08/31/2011 01:37 PM, Josh Miller wrote:

> On 08/31/2011 01:33 PM, m.r...@5-cent.us wrote:
>
>> Josh Miller wrote:
>>
>>> On 08/31/2011 01:27 PM, m.r...@5-cent.us wrote:
>>>
>>>> Stephen Harris wrote:
>>>>
>>>>>> Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from
>>
>> [snip]
>>
>>>>> Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
>>>>
>>>> That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten
>>>
>>> The Reply-To address is an optional component of the email header and is not used in email routing by mail servers.
>>
>> I'm well aware that it's an optional component.
>
> Thank you for that clarification.
>
>> [snip]
>>
>>> Mail server will send NDRs (non-delivery receipts) back to the envelope sender every time with no regard for From or Reply-To.
>>
>> You're saying it uses the envelope, not "if exists Reply-To, else From"? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.
>
> You are seeing the full email headers. You will not see the envelope headers unless you capture packets or view mail server logs, etc.

Mark,

Why don't you use your SPF record to prevent spoofing (to most providers...)?

    dig -t txt 5-cent.us
    ...
    5-cent.us.   14400   IN   TXT   v=spf1 a mx ptr include:hostmonster.com ?all
    ...

You have one but you're not using it to prevent spoofing.

--
Josh Miller
Open Source Solutions Architect
http://itsecureadmin.com/
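Why the record Josh quotes does not prevent spoofing comes down to its trailing "?all", which asks receivers to treat unlisted senders as neutral rather than as failures. As an added example that is not from the thread, the evaluator below walks the record's own mechanisms (a, mx, ptr, include) plus ip4 over an in-memory DNS table and compares the published record with the same record ending in "-all". The DNS data, including what the hostmonster.com include is assumed to contain, is constructed for the example and is not the real zone.

```python
"""Minimal SPF evaluator over a constructed, in-memory DNS table.

Shows the effect of "?all" versus "-all" on the record quoted in the
thread. Use a full implementation (e.g. pyspf) for real mail; all DNS
data here, including the hostmonster.com include, is made up.
"""
import ipaddress

DNS = {
    "5-cent.us": {
        "TXT": ["v=spf1 a mx ptr include:hostmonster.com ?all"],
        "A": ["203.0.113.10"],
        "MX": ["mail.5-cent.us"],
    },
    "mail.5-cent.us": {"A": ["203.0.113.25"]},
    "relay.5-cent.us": {"A": ["203.0.113.30"]},
    "203.0.113.30": {"PTR": ["relay.5-cent.us"]},   # reverse entry
    "hostmonster.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def host_has_ip(host, ip):
    return any(ipaddress.ip_address(a) == ip for a in lookup(host, "A"))


def check_spf(ip, domain, record=None, depth=0):
    """SPF result for `ip` sending as `domain`; `record` overrides DNS."""
    if depth > 10:                          # RFC 7208 lookup limit
        return "permerror"
    ip = ipaddress.ip_address(ip)
    if record is None:
        txts = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
        if not txts:
            return "none"
        record = txts[0]
    for term in record.split()[1:]:
        qual = "+"                          # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_ip(arg or domain, ip)
        elif mech == "mx":
            matched = any(host_has_ip(mx, ip)
                          for mx in lookup(arg or domain, "MX"))
        elif mech == "ptr":
            # Validated reverse lookup: the PTR name must resolve back
            # to ip and lie within the domain.
            matched = any(n == domain or n.endswith("." + domain)
                          for n in lookup(str(ip), "PTR")
                          if host_has_ip(n, ip))
        elif mech == "include":
            matched = check_spf(ip, arg, depth=depth + 1) == "pass"
        else:
            return "permerror"              # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                        # nothing matched


def compare_all_qualifiers(ip, domain="5-cent.us"):
    """Published record vs. the same record hardened to -all."""
    published = lookup(domain, "TXT")[0]
    hardened = published.replace("?all", "-all")
    return {"published": check_spf(ip, domain, published),
            "hardened": check_spf(ip, domain, hardened)}
```

For a sender address outside every listed mechanism the published record yields "neutral", which receivers treat like no record at all; the "-all" variant yields "fail", which is the only result that lets a provider reject the forgery.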
Re: [CentOS] dealing with spoofing
On Wed, Aug 31, 2011 at 04:27:00PM -0400, m.r...@5-cent.us wrote:

> Stephen Harris wrote:
>
>> Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
>
> That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten probably hundreds, if not more, of delivery failures. And I wind up at least glancing at them, in case email to this list, or to a friend, has bounced.

Envelopes can be forged just as easily as any header.

--
rgds
Stephen
Re: [CentOS] dealing with spoofing
On 8/31/2011 4:37 PM, Josh Miller wrote:

> On 08/31/2011 01:33 PM, m.r...@5-cent.us wrote:
>
>> You're saying it uses the envelope, not "if exists Reply-To, else From"? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.
>
> You are seeing the full email headers. You will not see the envelope headers unless you capture packets or view mail server logs, etc.

Actually, what you are interested in is the envelope sender that the remote server saw. And there is no way for you to see that unless you have access to the remote server's logs.

--
Bowie
Re: [CentOS] dealing with spoofing
http://www.openspf.org/Introduction - SPF FTW

On Wed, Aug 31, 2011 at 4:47 PM, Stephen Harris li...@spuddy.org wrote:

> On Wed, Aug 31, 2011 at 04:27:00PM -0400, m.r...@5-cent.us wrote:
>
>> Stephen Harris wrote:
>>
>>> Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
>>
>> That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten probably hundreds, if not more, of delivery failures. And I wind up at least glancing at them, in case email to this list, or to a friend, has bounced.
>
> Envelopes can be forged just as easily as any header.
>
> --
> rgds
> Stephen
Re: [CentOS] dealing with spoofing
On 08/31/2011 01:48 PM, Bowie Bailey wrote:

> On 8/31/2011 4:37 PM, Josh Miller wrote:
>
>> On 08/31/2011 01:33 PM, m.r...@5-cent.us wrote:
>>
>>> You're saying it uses the envelope, not "if exists Reply-To, else From"? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.
>>
>> You are seeing the full email headers. You will not see the envelope headers unless you capture packets or view mail server logs, etc.
>
> Actually, what you are interested in is the envelope sender that the remote server saw. And there is no way for you to see that unless you have access to the remote server's logs.

That is not true, as the remote server will present the envelope header to your mail server upon connection.

--
Josh Miller
Open Source Solutions Architect
http://itsecureadmin.com/
Re: [CentOS] dealing with spoofing
Josh Miller wrote:

> On 08/31/2011 01:37 PM, Josh Miller wrote:
>
>> On 08/31/2011 01:33 PM, m.r...@5-cent.us wrote:
>>
>>> Josh Miller wrote:
>>>
>>>> On 08/31/2011 01:27 PM, m.r...@5-cent.us wrote:
>>>>
>>>>> Stephen Harris wrote:
>>>>>
>>>>>>> Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some

[snip]

>>>>>> Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.

[snip]

> Why don't you use your SPF record to prevent spoofing (to most providers...)?
>
>     dig -t txt 5-cent.us
>     ...
>     5-cent.us.   14400   IN   TXT   v=spf1 a mx ptr include:hostmonster.com ?all
>     ...
>
> You have one but you're not using it to prevent spoofing.

Um, because I'm not that deep into that? Thank you, I'll look at setting that up. One question: is that in my registrar, or my hosting site? Given it's an MX record, I'm guessing it's the former.

mark
Re: [CentOS] dealing with spoofing
On 08/31/2011 01:57 PM, m.r...@5-cent.us wrote:

> Josh Miller wrote:
>
>> On 08/31/2011 01:37 PM, Josh Miller wrote:
>>
>>> On 08/31/2011 01:33 PM, m.r...@5-cent.us wrote:
>>>
>>>> Josh Miller wrote:
>>>>
>>>>> On 08/31/2011 01:27 PM, m.r...@5-cent.us wrote:
>>>>>
>>>>>> Stephen Harris wrote:
>>>>>>
>>>>>>>> Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some
>
> [snip]
>
>>>>>>> Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
>
> [snip]
>
>> Why don't you use your SPF record to prevent spoofing (to most providers...)?
>>
>>     dig -t txt 5-cent.us
>>     ...
>>     5-cent.us.   14400   IN   TXT   v=spf1 a mx ptr include:hostmonster.com ?all
>>     ...
>>
>> You have one but you're not using it to prevent spoofing.
>
> Um, because I'm not that deep into that? Thank you, I'll look at setting that up. One question: is that in my registrar, or my hosting site? Given it's an MX record, I'm guessing it's the former.

It's a DNS record. Hostmonster is authoritative for your domain, so you'll likely use them.

--
Josh Miller
Open Source Solutions Architect
http://itsecureadmin.com/
Re: [CentOS] dealing with spoofing
On 8/31/2011 4:50 PM, Josh Miller wrote:

> On 08/31/2011 01:48 PM, Bowie Bailey wrote:
>
>> On 8/31/2011 4:37 PM, Josh Miller wrote:
>>
>>> On 08/31/2011 01:33 PM, m.r...@5-cent.us wrote:
>>>
>>>> You're saying it uses the envelope, not "if exists Reply-To, else From"? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.
>>>
>>> You are seeing the full email headers. You will not see the envelope headers unless you capture packets or view mail server logs, etc.
>>
>> Actually, what you are interested in is the envelope sender that the remote server saw. And there is no way for you to see that unless you have access to the remote server's logs.
>
> That is not true, as the remote server will present the envelope header to your mail server upon connection.

Yes, but the issue was in confirming which email address was used in that connection. If you assume that the remote server is replying to the envelope header, then yes. But if you are trying to confirm that, then you do not have enough data.

You could, of course, create your own message with known (and differing) From, Reply-To, and envelope headers and watch the result.

--
Bowie
Re: [CentOS] dealing with spoofing
On Wed, 2011-08-31 at 16:16 -0400, m.r...@5-cent.us wrote:

> Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?

May I suggest you create a sub-domain and a user name, then use that in public places? For example:

    m...@xyz.5-cent.us

As soon as the nasties get that email address, simply change the sub-domain.

If you receive your own mails (meaning you run your own mail server), then do not accept emails from sites where the host name does not exist or does not resolve to the HELO / EHLO or the IP address of the sending server.

There are lots of other things you can do to reduce the spam, but only if you run your own mail server or use Google to filter out the spam.

Paul.
Re: [CentOS] dealing with spoofing
On Wed, 2011-08-31 at 16:33 -0400, m.r...@5-cent.us wrote:

> You're saying it uses the envelope, not "if exists Reply-To, else From"? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.

Will you tell us what mail server (MTA) is doing that?

Paul.
Re: [CentOS] dealing with spoofing
On Wed, 2011-08-31 at 13:50 -0700, Josh Miller wrote:

> That is not true, as the remote server will present the envelope header to your mail server upon connection.

Surely the FROM is?

Paul
Re: [CentOS] dealing with spoofing
On Wed, Aug 31, 2011, m.r...@5-cent.us wrote:

> Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?

This type of forging is generally referred to as a Joe Job, and may be a conscious effort to impair the reputation of the forged sender or domain, or perhaps an attempt to flood the mailboxes of antispammers (e.g. mail forged like ab...@antispam.example.com).

Sending spam complaints to these addresses or to their ISPs is generally a waste of time and effort, as the forged sender has nothing to do with the message, as any cursory examination of the Received: headers in the message will confirm. The spam complaints are in themselves a type of abuse, and are referred to as Blowback. Sometimes these complaints are the result of ignorance when they are manual complaints, or incompetence (e.g. early Barracuda e-mail appliances that did this by default).

Configuring an MTA to bounce to the Reply-To: header is probably worse than useless, as it could well flood poorly configured mailing lists with garbage when spam gets through the list's spam filters; then the complaints go back to the mailing list.

Probably the best thing to do with this kind of delivery failure message which comes in is to ignore them, unless you feel like Don Quixote and like tilting at windmills.

Bill
--
INTERNET: b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676  Mercer Island, WA 98040-0820
Fax: (206) 232-9186  Skype: jwccsllc (206) 855-5792

UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. -- Doug Gwyn