Re: HTML email, was Re: Phishing and BGP Blackholing

2007-01-19 Thread Stephane Bortzmeyer

On Fri, Jan 19, 2007 at 06:46:00AM +,
 Fergie [EMAIL PROTECTED] wrote 
 a message of 60 lines which said:

> a combination of retarded registry policies (pitting business
> interests against common technical sense)

[Disclaimer: I work for a registry.]

In a capitalist country, I do not see how you could do otherwise. In a
non-capitalist country, there is still hope, I'll talk to Fidel about
that, next time we meet.



Re: HTML email, was Re: Phishing and BGP Blackholing

2007-01-19 Thread Joe Provo

On Thu, Jan 18, 2007 at 07:05:25AM -0800, Matthew Black wrote:
[snip]
> This presupposes that corporations have a more significant claim
> to domain names than individuals.

Wrong; that kind of policy does -and did when enforced back in 
the InterNIC days when the generic TLDs were meaningful- no such 
thing. 

> Does anybody recall the fiasco
> between ETOY.COM and ETOYS.COM? The former was created by an artist
> years before the now defunct toy retailer. ETOYS' corporate bullying
> took away the artist's longstanding domain claiming it might confuse
> consumers.

Wrong again; etoy won. I'm sure I'm not alone for having my copy
of the toywar soundtrack and share[s].

> That is the real problem.

Post-NSF, the failure of a distributed directory naturally led 
to the dns & whois being treated as one.  In hindsight, any 
managed list wasn't what was needed, but certainly seemed natural 
to ma bell. A more dynamic, less-intermediated service *was* 
needed and the collective we worked around the problem, 
unfortunately pushing it down into the infrastructure.  The 
thing that rankles me most is that is where it frankly shouldn't 
*matter*, but there was this great hammer so naturally 'we' could
pound the nail...

> Phishing problems will not be corrected without multinational
[snip]

...reputation clearinghouses, one of the many drums long beaten 
by the anti-spam and general anti-abuse camp, is the answer. Like 
the other such drums before it, folks will listen well after it 
is too late and only after it directly affects them.

Cheers,

Joe

-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE


Re: HTML email, was Re: Phishing and BGP Blackholing

2007-01-19 Thread Fergie


-- Stephane Bortzmeyer [EMAIL PROTECTED] wrote:

>> a combination of retarded registry policies (pitting business
>> interests against common technical sense)
>
> In a capitalist country, I do not see how you could do otherwise. In a
> non-capitalist country, there is still hope, I'll talk to Fidel about
> that, next time we meet.


Whatever. :-)

I'm sure that all 30,090 results of a search for ebay are
legit:

 http://domain-search.domaintools.com/?q=ebay

Cheers,

-- ferg



--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: HTML email, was Re: Phishing and BGP Blackholing

2007-01-18 Thread Joe Abley



On 17-Jan-2007, at 21:05, Joseph Jackson wrote:

> Proper education for whom, the people setting up the site probably know
> this already.  It's the bosses and marketing that don't care about DNS
> structure.  Damn it they want mazdausa.com and not usa.mazda.com and
> they will have it their way!
>
> At least that's how it is most places I've seen.


Back in the day, pre-CIRA, .CA was managed according to rules which  
included the restriction that a single company was only allowed one  
domain name. So, to choose a company at random, General Motors Canada  
was welcome to GMC.CA but they couldn't also register PONTIAC.CA or  
GM.CA or GENERALMOTORS.CA.


I think that policy was good for the DNS, but it was apparently  
widely hated by everybody else, despite the fact that .CA names at  
that time were free. .CA is no longer managed according to such rules.



Joe




Re: HTML email, was Re: Phishing and BGP Blackholing

2007-01-18 Thread Jaap Akkerhuis


> Back in the day, pre-CIRA, .CA was managed according to rules which
> included the restriction that a single company was only allowed one
> domain name. So, to choose a company at random, General Motors Canada
> was welcome to GMC.CA but they couldn't also register PONTIAC.CA or
> GM.CA or GENERALMOTORS.CA.

Eons ago that was also the case in .NL

> I think that policy was good for the DNS, but it was apparently
> widely hated by everybody else, despite the fact that .CA names at
> that time were free. .CA is no longer managed according to such rules.

Same story here

jaap


Re: HTML email, was Re: Phishing and BGP Blackholing

2007-01-18 Thread Stephane Bortzmeyer

On Thu, Jan 18, 2007 at 08:43:37AM -0500,
 Joe Abley [EMAIL PROTECTED] wrote 
 a message of 25 lines which said:

> Back in the day, pre-CIRA, .CA was managed according to rules which
> included the restriction that a single company was only allowed one
> domain name.

Same thing in .fr, until 2000. 

> I think that policy was good for the DNS, but it was apparently
> widely hated by everybody else,

The big problem with this rule is that you have to define what is a
single company. It is easy (especially for a big company like the one
you mention) to find or set up fronts to register more domain
names. 



Re: HTML email, was Re: Phishing and BGP Blackholing

2007-01-18 Thread Matthew Black


On Wed, 17 Jan 2007 19:38:14 -0600
 Travis H. [EMAIL PROTECTED] wrote:
[...snip]

> The domain name system has enough problems (is mazdausa.com really related
> to mazda.com?) without involving javascript and ActiveX, but they could be
> corrected with proper education (how about keeping every URL under one
> second-level domain related to your company, perhaps companyname.com)


This presupposes that corporations have a more significant claim
to domain names than individuals. Does anybody recall the fiasco
between ETOY.COM and ETOYS.COM? The former was created by an artist
years before the now defunct toy retailer. ETOYS' corporate bullying
took away the artist's longstanding domain claiming it might confuse
consumers.

Proper education cannot be achieved ever. Who should have the
rights to MCDONALDS.COM or FORD.COM? A large multinational
corporation or the entity which set up an on-line presence first?
Assuming here that someone isn't domain squatting or abusing
trademarks, for example, FORD's hamburger company advertising
automobiles. Trademarks in themselves do not grant domain rights,
just exclusive use of a name as a PARTICULAR type of business.
That is the real problem.

Phishing problems will not be corrected without multinational
government cooperation (which I fear for other reasons) because
the problems cross territorial borders. I received a clever
phishing attempt from Chase Manhattan Bank directing me to
the domain chaserewards.com. This is more a matter of companies
informing their customers which domain names are valid.

/RANT

matthew black
network services
california state university, long beach


RE: HTML email, was Re: Phishing and BGP Blackholing

2007-01-18 Thread Joseph Jackson

What about companies that do business under different DBAs?  I know of
a lot of companies that do business under different names for different
products.


Joseph

-Original Message-
From: Stephane Bortzmeyer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 18, 2007 7:04 AM
To: Joe Abley
Cc: Joseph Jackson; Travis H.; [EMAIL PROTECTED]; Mark Foster; Rich
Kulawiec
Subject: Re: HTML email, was Re: Phishing and BGP Blackholing

On Thu, Jan 18, 2007 at 08:43:37AM -0500,
 Joe Abley [EMAIL PROTECTED] wrote 
 a message of 25 lines which said:

> Back in the day, pre-CIRA, .CA was managed according to rules which
> included the restriction that a single company was only allowed one
> domain name.

Same thing in .fr, until 2000. 

> I think that policy was good for the DNS, but it was apparently
> widely hated by everybody else,

The big problem with this rule is that you have to define what is a
single company. It is easy (especially for a big company like the one
you mention) to find or set up fronts to register more domain
names. 



Re: HTML email, was Re: Phishing and BGP Blackholing

2007-01-18 Thread Randy Bush

> Back in the day, pre-CIRA, .CA was managed according to rules which
> included the restriction that a single company was only allowed one
> domain name. So, to choose a company at random, General Motors Canada
> was welcome to GMC.CA but they couldn't also register PONTIAC.CA or
> GM.CA or GENERALMOTORS.CA.

for those of us who manage smaller cctlds pro bono, it is also good
for our sanity, especially when paired with the requirement that the
registrant be real and in-country.

it also encourages the isps in-country to take over the cctld, which
is good.  they can charge a bit for the service and multiple name
registrants become a good thing.

e.g. nigeria is finally running their own internally, though we are
not moving the visible primary and admin poc until it is past test
phase.  this is a long-awaited day.

randy



Re: HTML email, was Re: Phishing and BGP Blackholing

2007-01-18 Thread Fergie


-- Randy Bush [EMAIL PROTECTED] wrote:

>> Back in the day, pre-CIRA, .CA was managed according to rules which
>> included the restriction that a single company was only allowed one
>> domain name. So, to choose a company at random, General Motors Canada
>> was welcome to GMC.CA but they couldn't also register PONTIAC.CA or
>> GM.CA or GENERALMOTORS.CA.
>
> for those of us who manage smaller cctlds pro bono, it is also good
> for our sanity, especially when paired with the requirement that the
> registrant be real and in-country.
>
> it also encourages the isps in-country to take over the cctld, which
> is good.  they can charge a bit for the service and multiple name
> registrants become a good thing.


It's funny you should bring this up (or whomever).

I'm actually in the process of putting together my presentation
for next week's ISOI meeting in Redmond on DNS issues in the security
realm, and one of the major bullet items on my check-list of
why we suck is the whole mish-mash of issues w.r.t a combination
of retarded registry policies (pitting business interests against
common technical sense) and the lag between published domain
registrations and trickle-down WHOIS information (and admittedly,
there are a couple of associated social-engineering foos in there,
too).

We do suck. And we have created a horrible situation wherein we
need to stop pointing fingers and figure out how to dig ourselves
out of this sh*thole.

It's deplorable.

-- ferg

p.s. Since I'm still putting my presentation together, I'd love to
solicit comments from the field. :-)

See: http://isotf.org/isoi2.html


--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: HTML email, was Re: Phishing and BGP Blackholing

2007-01-18 Thread Travis H.
On Thu, Jan 18, 2007 at 07:05:25AM -0800, Matthew Black wrote:
> This presupposes that corporations have a more significant claim
> to domain names than individuals.

Not necessarily; if I am providing login details to a phishing site, I
have probably visited the actual business web site before to create
those credentials in the first place.  Were they to use a consistent
naming strategy, for example always using the same suffix, then I have
a simple rule for avoiding [most] phishing sites; validate the suffix.

More generally, authenticating the identity of someone you share a piece
of information (or history) with is a much more tractable problem than
authenticating someone you don't share anything with.  That is probably
unsolvable via technical means.

As you point out, there still exists the risk of providing personal
details to the wrong site, but phishing sites so far haven't commonly
focused on gathering details for future identity fraud.
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -- URL:http://www.subspacefield.org/~travis/




Re: Phishing and BGP Blackholing

2007-01-17 Thread Travis H.
On Wed, Jan 03, 2007 at 03:35:30PM +0100, Florian Weimer wrote:
> SecureID might be helpful if you want to differentiate your product
> between automatic and manual use, but it doesn't do anything to
> authenticate the party you are relaying information to.  But it's
> useless in a phishing context.  If you want a token solution, at least
> use something that factors in transaction-related data.

And since the whole point of using a token is having an isolated,
presumably more trustworthy environment, then you also would logically
need a display and input device for it.  On the
cryptography@metzdowd.com list, there has been some discussion of
this, and also some statements that the login needs to be part of the
browser chrome (whatever that is) and not just any old form on an
unprotected HTML page.  Furthermore, the current understanding of
marketing departments and customer support is on par with "the lock
icon means it's secure", so even reputable companies like (IIRC) Chase
are sending out emails telling their customers to log in to web sites
with domain names that don't even resemble Chase, essentially training
customers to be phishing victims.

It's clear that the technology has progressed to the point that it is
easier to confuse the user than actually exploit the security systems,
and what we really need now is some leadership from UI designers (say,
Apple) for browser designs and idioms that are intuitively obvious to
the most casual of users.  However, that's not exactly hard science and
there isn't much usability research in the security community, because
it's already so recondite.
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -- URL:http://www.subspacefield.org/~travis/




HTML email, was Re: Phishing and BGP Blackholing

2007-01-17 Thread Travis H.
> If you don't have personal control over the mail system you are using,
> it's possible that you don't have control over whether or not you use
> HTML.

As an armchair security pundit, I think phishing has adequately highlighted
the ability of HTML to mislead, in the sense that its intended recipient is
not a human, and that it has evolved into an unfortunately flexible language
(and extensions) and the browsers are overly forgiving (because syntactically
correct HTML is not really human-writable, either, for the average human who
is tasked with doing so).

So far I haven't seen a persuasive phishing email that wasn't HTML.

The domain name system has enough problems (is mazdausa.com really related
to mazda.com?) without involving javascript and ActiveX, but they could be
corrected with proper education (how about keeping every URL under one
second-level domain related to your company, perhaps companyname.com)
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -- URL:http://www.subspacefield.org/~travis/
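The "validate the suffix" rule Travis H. proposes in his later reply on this page, applied to the mazdausa.com / usa.mazda.com question just above and the chaserewards.com case from Matthew Black's post, as an added example that is not code from the thread or from any company named in it; the KNOWN_DOMAINS table and the sample links are constructed for illustration:

```python
"""Apply the thread's "validate the suffix" rule to candidate links.

Added example, not code from the thread: given a link and the company it
claims to be from, accept it only if the host is one of the company's known
registered domains or a subdomain of one. KNOWN_DOMAINS and SAMPLE_LINKS are
constructed for illustration.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed policy: the registered domains each company actually uses.
# A link anywhere else is treated as "not that company", whatever it looks like.
KNOWN_DOMAINS: Dict[str, set] = {
    "mazda": {"mazda.com"},
    "chase": {"chase.com"},
}


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase host of *url*, or None if there is no usable host.

    urlsplit() already handles the userinfo trick (text before '@' is not the
    host); a trailing dot is stripped so "chase.com." compares equal to
    "chase.com".
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    return host.rstrip(".").lower()


def under_domain(host: str, domain: str) -> bool:
    """True if *host* is *domain* itself or a subdomain of it.

    The check is label-based, so "chase.com.example.net" is NOT under
    "chase.com": its registered suffix is example.net.
    """
    host_labels = host.split(".")
    dom_labels = domain.lower().split(".")
    if len(host_labels) < len(dom_labels):
        return False
    return host_labels[-len(dom_labels):] == dom_labels


def link_is_legit(url: str, company: str) -> bool:
    """The suffix rule: the link's host must sit under a known domain of *company*."""
    host = hostname_of(url)
    if host is None:
        return False
    return any(under_domain(host, d) for d in KNOWN_DOMAINS.get(company, ()))


def classify_links(links: Dict[str, str]) -> Dict[str, bool]:
    """Map each url (claiming to be from a company) to the rule's verdict."""
    return {url: link_is_legit(url, company) for url, company in links.items()}


# Constructed sample links: url -> the company the message claims to be from.
SAMPLE_LINKS = {
    "https://usa.mazda.com/offers": "mazda",         # subdomain of mazda.com: accepted
    "https://mazdausa.com/offers": "mazda",          # separate registered domain: rejected
    "http://www.chaserewards.com/login": "chase",    # the phishing domain from the thread
    "https://chase.com.example.net/login": "chase",  # familiar prefix, wrong suffix
    "https://www.chase.com@evil.example/": "chase",  # userinfo trick; host is evil.example
    "https://online.chase.com./": "chase",           # trailing dot still matches
}

if __name__ == "__main__":
    for url, ok in classify_links(SAMPLE_LINKS).items():
        print(f"{'OK  ' if ok else 'WARN'} {url}")
```

The rule is only as good as the list of domains a company publishes for itself, which is the point Matthew Black makes about companies telling customers which names are valid.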




RE: HTML email, was Re: Phishing and BGP Blackholing

2007-01-17 Thread Joseph Jackson

(Snip)

> but they could be
> corrected with proper education (how about keeping every URL under one
> second-level domain related to your company, perhaps companyname.com)

(Snip)

Proper education for whom, the people setting up the site probably know
this already.  It's the bosses and marketing that don't care about DNS
structure.  Damn it they want mazdausa.com and not usa.mazda.com and
they will have it their way!


At least that's how it is most places I've seen.


Joseph


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Travis H.
Sent: Wednesday, January 17, 2007 5:38 PM
To: [EMAIL PROTECTED]
Cc: Mark Foster; Rich Kulawiec
Subject: HTML email, was Re: Phishing and BGP Blackholing

> If you don't have personal control over the mail system you are using,
> it's possible that you don't have control over whether or not you use
> HTML.

As an armchair security pundit, I think phishing has adequately highlighted
the ability of HTML to mislead, in the sense that its intended recipient is
not a human, and that it has evolved into an unfortunately flexible language
(and extensions) and the browsers are overly forgiving (because syntactically
correct HTML is not really human-writable, either, for the average human who
is tasked with doing so).

So far I haven't seen a persuasive phishing email that wasn't HTML.

The domain name system has enough problems (is mazdausa.com really related
to mazda.com?) without involving javascript and ActiveX, but they could be
corrected with proper education (how about keeping every URL under one
second-level domain related to your company, perhaps companyname.com)
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -- URL:http://www.subspacefield.org/~travis/


Re: Phishing and BGP Blackholing

2007-01-04 Thread Alexander Harrowell


For those of us who read nanog from a mobile device, it's incredibly
annoying to have no content in the first few bytes - a lot of mobile
e-mail clients (all MS Windows Mobile 5 devices and every Blackberry
I've seen) pull the first 0.5KB of each message, i.e. the header,
subject line and the first few lines of text, so the user can decide
which ones are worth reading in full.

Intention is to save bandwidth on low-speed, noncertain networks
(GPRS, 1xRTT) which also tend to be metered per-bit - spending actual
money to read something like the following is always a great way to
start the day.







NANOG User wrote:

  
.
.


Steve wrote:

.




.
Another User temporarily inconvenienced several million electrons to
lucubrate anent following philosophy, and how clever silly synonyms
for said are:





Someone's PGP Key

Someone's Smartass Sig


Re: Phishing and BGP Blackholing

2007-01-04 Thread Michael . Dillon

> For those of us who read nanog from a mobile device, it's incredibly
> annoying to have no content in the first few bytes - a lot of mobile
> e-mail clients (all MS Windows Mobile 5 devices and every Blackberry
> I've seen) pull the first 0.5KB of each message, i.e. the header,
> subject line and the first few lines of text, so the user can decide
> which ones are worth reading in full.

Why should all 1 billion Internet users change
their behavior just because your minority mail-reading
system is broken?

Hint: Procmail is your friend. Set up your own mail 
server and run procmail against all incoming email
with newline-greaterthan in the first 500 bytes. You
can preprocess these messages to do something like
strip headers that you don't read and copy the first
few reply lines to be first in the message. That way
your mobile device will get more bang for the buck
than most other people's.

Paul Vixie's colo registry may be of help if you need
to find a place to stick your own mail server
http://www.vix.com/personalcolo/

--Michael Dillon
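The preprocessing Michael describes above (trigger on newline-greaterthan in the first 500 bytes, drop unread headers, put the reply lines first), written in Python rather than procmail as an added example that is not code from the thread; PREVIEW_BYTES, the KEEP_HEADERS choice and the sample message are constructed for illustration:

```python
"""Reorder a list message so the reply text lands in the first 500 bytes.

Added example, not code from the thread: it does in Python what Michael
Dillon suggests doing with procmail. If the first 500 bytes of a message
contain a newline followed by '>', the author's own lines are hoisted above
the quoted block and only a few headers are kept. PREVIEW_BYTES,
KEEP_HEADERS and SAMPLE are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

PREVIEW_BYTES = 500  # what the mobile clients described in the thread fetch
KEEP_HEADERS = ("From", "Subject", "Date", "Message-ID")  # constructed choice


def needs_reorder(raw: bytes) -> bool:
    """Dillon's trigger: newline-greaterthan within the first 500 bytes."""
    return b"\n>" in raw[:PREVIEW_BYTES]


def split_quote(body: str) -> Tuple[List[str], List[str]]:
    """Split *body* into (own_lines, quoted_lines), keeping each group's order.

    An attribution line ("... wrote:") directly followed by a '>' line is
    kept with the quote so it does not end up in the reply half by itself.
    """
    lines = body.splitlines()
    own: List[str] = []
    quoted: List[str] = []
    for i, line in enumerate(lines):
        is_quote = line.startswith(">")
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if not is_quote and line.rstrip().endswith("wrote:") and nxt.startswith(">"):
            is_quote = True
        (quoted if is_quote else own).append(line)
    return own, quoted


def reorder_message(raw: bytes) -> bytes:
    """Return *raw* rewritten reply-first, or unchanged if no quote leads."""
    if not needs_reorder(raw):
        return raw
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    if part is None:  # nothing text/plain to rearrange
        return raw
    own, quoted = split_quote(part.get_content())
    own_text = "\n".join(l for l in own if l.strip())  # drop blank filler
    new = EmailMessage(policy=policy.default)
    for name in KEEP_HEADERS:  # every other header is dropped
        if name in msg:
            new[name] = str(msg[name])
    new.set_content(
        f"{own_text}\n\n[{len(quoted)} quoted lines follow]\n" + "\n".join(quoted) + "\n"
    )
    return new.as_bytes()


# Constructed sample: a reply whose first 500 bytes are entirely quote.
_QUOTED = b"".join(
    b"> quoted line %d of the previous message, repeated here as filler\r\n" % i
    for i in range(1, 10)
)
SAMPLE = (
    b"From: Someone <someone@example.net>\r\n"
    b"To: nanog@example.net\r\n"
    b"Subject: Re: Phishing and BGP Blackholing\r\n"
    b"X-Mailer: constructed-sample\r\n"
    b"\r\n"
    b"Alexander Harrowell wrote:\r\n" + _QUOTED +
    b"\r\n"
    b"Hint: Procmail is your friend.\r\n"
)

if __name__ == "__main__":
    print(reorder_message(SAMPLE)[:PREVIEW_BYTES].decode())
```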



Re: Phishing and BGP Blackholing

2007-01-04 Thread Alexander Harrowell


(All right then, scroll down for content :-))

On 1/4/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


>> For those of us who read nanog from a mobile device, it's incredibly
>> annoying to have no content in the first few bytes - a lot of mobile
>> e-mail clients (all MS Windows Mobile 5 devices and every Blackberry
>> I've seen) pull the first 0.5KB of each message, i.e. the header,
>> subject line and the first few lines of text, so the user can decide
>> which ones are worth reading in full.
>
> Why should all 1 billion Internet users change
> their behavior just because your minority mail-reading
> system is broken?
>
> Hint: Procmail is your friend. Set up your own mail
> server and run procmail against all incoming email
> with newline-greaterthan in the first 500 bytes. You
> can preprocess these messages to do something like
> strip headers that you don't read and copy the first
> few reply lines to be first in the message. That way
> your mobile device will get more bang for the buck
> than most other people's.
>
> Paul Vixie's colo registry may be of help if you need
> to find a place to stick your own mail server
> http://www.vix.com/personalcolo/
>
> --Michael Dillon




Minority? A mail client has been standard-ish for the last three to
four years of upgrade iterations. There are a LOT of mobiles out
there. Granted not many of them are used for e-mail, but that is a
percentage that is only going to go up.

Anyway, I wouldn't write a letter with nothing worth reading on the
first page. I don't write articles with nothing in the first
paragraph. Why should over a billion users of the English language,
etc, etc..


Re: Phishing and BGP Blackholing

2007-01-04 Thread Pete Templin


Alexander Harrowell wrote:


> Anyway, I wouldn't write a letter with nothing worth reading on the
> first page. I don't write articles with nothing in the first
> paragraph. Why should over a billion users of the English language,
> etc, etc..


We're not talking about a letter or an article.  We're talking about a 
conversation and/or a debate.  Someone speaks, someone else speaks, 
someone else speaks.  Without context, the Nth round of the debate isn't 
the same.


This place is full of people with opinions.  Some like it hot, some 
like it not.  We are never going to agree on top/inline/bottom posting. 
 Why can't we all just get along and discuss operational issues?


pt



Re: Phishing and BGP Blackholing

2007-01-04 Thread Michael . Dillon

> (All right then, scroll down for content :-))

It is not necessary to quote an entire message
when you are only replying to one specific 
part of it.

> Minority? A mail client has been standard-ish for the last three to
> four years of upgrade iterations. There are a LOT of mobiles out
> there. Granted not many of them are used for e-mail, but that is a
>

One could say that not many is a reasonable
definition of a minority. So, yes, a MINORITY
of users have need for special message formatting.
Why should the other 999 million of us need
to change the way we do things?

> Anyway, I wouldn't write a letter with nothing worth reading on the
> first page. I don't write articles with nothing in the first
> paragraph. 

Nor do I, but there is a well-established tradition
in written English of the preamble. One could say that
a brief quote to set the context of a statement
is perfectly good practice. Of course some people
take it to excess like the ones who wrote this declaration
a couple of hundred or so years ago:

We, therefore, the Representatives of the United States of America, in 
General Congress, Assembled, appealing to the Supreme Judge of the world 
for the rectitude of our intentions, do, in the Name, and by Authority of 
the good People of these Colonies, solemnly publish and declare, That 
these United Colonies are, and of Right ought to be Free and Independent 
States, that they are Absolved from all Allegiance to the British Crown, 
and that all political connection between them and the State of Great 
Britain, is and ought to be totally dissolved; and that as Free and 
Independent States, they have full Power to levy War, conclude Peace 
contract Alliances, establish Commerce, and to do all other Acts and 
Things which Independent States may of right do.

--Michael Dillon



Re: Phishing and BGP Blackholing

2007-01-04 Thread Bill Nash

On Thu, 4 Jan 2007, Pete Templin wrote:

> This place is full of people with opinions.  Some like it hot, some like it
> not.  We are never going to agree on top/inline/bottom posting. 
> Why can't we all just get along and discuss operational issues?
>

Let's throw preference out the window and speak to practicality for a 
minute. 

If you're reading nanog-l from a blackberry or mobile, and paying by the 
byte to do so, you're either an idiot or work for a company wealthy enough 
not to care (My opinion.) But, even blackberry users land at a laptop 
or workstation at some point. 9 times out of 10, nanog chatter isn't about 
life-and-death critical ops outages and the like, it's people having 
casual discussions. Most blackberry users are on-the-go types, running 
from meeting to meeting or site to site. The only reason I could see such 
a user reading nanog is because they're bored, have some downtime, or have 
a fervent need to look cool at Starbucks.

Much like anything else, the world will not warp and bend to your 
preference. As a living organism, it's up to you to adapt to your 
environment. 

Just don't be like Randy and whiz in the pool because someone 
did something you didn't like and we'll all get along great.

- billn


Re: Phishing and BGP Blackholing

2007-01-04 Thread Joseph S D Yao

Somewhere in the following confused ramble may actually be the only
cogent argument for top-posting I've seen.

On Thu, Jan 04, 2007 at 09:52:29AM +, Alexander Harrowell wrote:
 
> For those of us who read nanog from a mobile device, it's incredibly
> annoying to have no content in the first few bytes - a lot of mobile
> e-mail clients (all MS Windows Mobile 5 devices and every Blackberry
> I've seen) pull the first 0.5KB of each message, i.e. the header,
> subject line and the first few lines of text, so the user can decide
> which ones are worth reading in full.
>
> Intention is to save bandwidth on low-speed, noncertain networks
> (GPRS, 1xRTT) which also tend to be metered per-bit - spending actual
> money to read something like the following is always a great way to
> start the day.
>
>
>
>
>
> NANOG User wrote:
>
> .
> .
>
> Steve wrote:
> .
>
>
> .
> Another User temporarily inconvenienced several million electrons to
> lucubrate anent following philosophy, and how clever silly synonyms
> for said are:
>
>
> Someone's PGP Key
>
> Someone's Smartass Sig

-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.


Re: Phishing and BGP Blackholing

2007-01-04 Thread Joseph S D Yao

On Thu, Jan 04, 2007 at 02:14:43PM +, [EMAIL PROTECTED] wrote:
...
>> Anyway, I wouldn't write a letter with nothing worth reading on the
>> first page. I don't write articles with nothing in the first
>> paragraph. 
>
> Nor do I, but there is a well-established tradition
> in written English of the preamble. One could say that
> a brief quote to set the context of a statement
> is perfectly good practice. Of course some people
> take it to excess like the ones who wrote this declaration
> a couple of hundred or so years ago:
...

I'm not sure it's fair to say they took it to excess.  All those words
mean something, bunkie.  Probably each one had a proponent who would not
have signed had not that word been in there, to give just that shade of
meaning to the document.  It was not written at random, unlike some
messages seen on the great public Internet.  ;-)  [Present company
excepted, of course.]

Much as we may snicker at the legal verbiage in some documents, many of
those words are there to close some loophole or another.  [The rest are
just there for us to snicker at.]

-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.


Re: Phishing and BGP Blackholing

2007-01-03 Thread Scott Weeks


: It also says 'If you are not the intended recipient...'

: Since the post is being made to NANOG, 

: ... so I fail to see why a big deal should be made out of it



Because it's bad manners in a public forum.  It's impolite in the same way 
SHOUTING! is.

scott






--- [EMAIL PROTECTED] wrote:

From: Mark Foster [EMAIL PROTECTED]
To: Randy Bush [EMAIL PROTECTED]
Cc: Joy, Dylan [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Phishing and BGP Blackholing
Date: Wed, 3 Jan 2007 17:44:28 +1300 (NZDT)


I have to ask.

The 'stock' disclaimer message says 'may'.

It also says 'If you are not the intended recipient...'

Key words - 'if' and 'may'.

Since the post is being made to NANOG, we can assume the NANOG Audience 
(defined as anyone who's on the list _or_ who can read the web archive; 
a la, everyone) is in fact the intended recipient, and we can ignore the 
rest of it.

... so I fail to see why a big deal should be made out of it. Especially 
when they're generally enforced on large companies by their lawyers, and 
the Network Operators likely have very little to do with it.

So why the big deal?

(Personally I still vote for the use of non-corporate mail addresses on 
mailing lists. Tends to filter out the rogue out-of-office notices too...)


Mark.



On Tue, 2 Jan 2007, Randy Bush wrote:


> you have sent a message to me which seems to contain a legal
> warning on who can read it, or how it may be distributed, or
> whether it may be archived, etc.
>
> i do not accept such email.  my mail user agent detected a legal
> notice when i was opening your mail, and automatically deleted it.
> so do not expect further response.
>
> yes, i know your mail environment automatically added the legal
> notice.  well, my mail environment automatically detected it,
> deleted it, and sent this message to you.  so don't expect a lot
> of sympathy.
>
> and if you choose to work for some enterprise clueless enough to
> think that they can force this silliness on the world, use gmail,
> hotmail, ...
>
> randy






RE: Phishing and BGP Blackholing

2007-01-03 Thread Neil J. McRae

I didn't see the original post but the topic came
up in 2005 here in the UK as the banks here wanted to
use BGP filtering in the same light. The LINX prepared
a paper on the issues with BGP blackholing and recommended
that if the banks want to trade on the Internet that
they should introduce authentication systems that are fit
for purpose (SecureID for example (many banks had already
done this)). I will try and find a link to the paper
that was prepared. After we presented the paper the idea
was not taken forward.

Unfortunately since then an alternative technology route to do 
filtering in proxies and transparent caches has appeared on the scene 
and even more so the government here in the UK has been convinced
by mad^wmarketing people and is now under the false impression that 
it is now technically possible to filter the Internet. The aim of 
this filtering is an admirable one for sure but the platform fundamentally
doesn't work and even more worryingly ideas are now being mooted to
filter other content such as terrorism, phishing etc.

Regards,
Neil.




Re: Phishing and BGP Blackholing

2007-01-03 Thread Rich Kulawiec

On Wed, Jan 03, 2007 at 05:44:28PM +1300, Mark Foster wrote:
> So why the big deal?

Because it's very rude -- like top-posting, or full-quoting, or sending
email marked up with HTML.  Because it's an unprovoked threat.  Because
it's an attempt to unilaterally shove an unenforceable contract down
the throats of everyone reading it.  Because it's a tip-off that the
sender does not value the time or resources of recipients.  Because it's
insulting.  Because (borrowing from first link below) it's simply too
stupid for words.

Please see:

Mailing and Posting Etiquette: Don't Send Bogus Legalistic Boilerplate
http://www.river.com/users/share/etiquette/#legalistic

Stupid Email Disclaimers
http://www.goldmark.org/jeff/stupid-disclaimers/

Stupid E-mail Disclaimers and the Stupid Users that Use Them
http://attrition.org/security/rants/z/disclaimers.html

for longer (and much better) explanations.  For a much longer explanation
of these and related points, see:

Miss Mailers Answers Your Questions on Mailing Lists
http://www.faqs.org/faqs/mail/miss-mailers/

---Rsk


Re: Phishing and BGP Blackholing

2007-01-03 Thread Andy Davidson



On 3 Jan 2007, at 01:02, Joy, Dylan wrote:

I'm curious if anyone can answer whether there has been any  
traction made relative to blocking egress traffic (via BGP) on US  
backbones which is destined to IP addresses used for fraudulent  
purposes, such as phishing sites.   I'm sure there are several  
challenges to implementing this...


I have often thought that this would be a brilliant idea (on paper),  
when working with one of my clients who suffer regular denial of  
service attacks through open http and socks proxies.  They are a  
multi-homed end site running bgp4 on their edge networks.


From a 'problem solving' perspective, a Team Cymru-style bgp peer  
that injected very specific routes into their routing table, and  
matching configuration which caused those particular routes to be  
dropped would be ideal.  Additions and deletions would be as close to  
real-time as possible.


From a political perspective, I could only advocate  to clients such  
a service that had a strict policy of adding routes to addresses  
because of a provable policy infringement.  For example, a route for  
1.2.3.4/32 would only be announced by my bgp-blacklist peer if it  
could be demonstrated that a device reachable at 1.2.3.4 was an open  
http proxy (or socks proxy, or smtp relay) and not because a  
phishing site was hosted there.  Different priorities for different  
networks I guess ..


No interest in a service which requires companies running a blocked  
proxy to pay before the route/block is lifted.  Also no interest in a  
service which blocks entire networks in the event of a policy  
infringement, only the polluting hosts.  I mention this paragraph  
thanks to some of the policies of DNS-based email-abuse blacklists.


Phishing is content - when a service opens which filters based on  
content, there's a whole new can of worms being opened - what *else*  
is abusive content ?  Does it stop being abusive content at some  
point ?  If phishing is abusive, is pornography abuse ?  A mouthy  
anti-West news agency ?



Anyone going to talk about this at Toronto ?  Trying to justify  
taking a week 'off' to visit ... ;-)





--
Regards, Andy Davidson
http://www.devonshire.it/  -  0844 704 704 7  - Sheffield, UK




Re: Phishing and BGP Blackholing

2007-01-03 Thread Florian Weimer

* Neil J. McRae:

 I didn't see the original post but the topic came
 up in 2005 here in the UK as the banks here wanted to
 use BGP filtering in the same light. The LINX prepared
 a paper on the issues with BGP blackholing and recommended
 that if the banks want to trade on the Internet that
 they should introduce authentication systems that are fit
 for purpose (SecureID for example (many banks had already
 done this)).

Banks have deployed much more secure systems than SecureID, and there
have been successful attacks against them.

SecureID might be helpful if you want to differentiate your product
between automatic and manual use, but it doesn't do anything to
authenticate the party you are relaying information to.  But it's
useless in a phishing context.  If you want a token solution, at least
use something that factors in transaction-related data.
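Florian's distinction, as an added example that is not code from the thread or from any bank's product: a plain one-time code authenticates a person to whoever is holding the code at that moment, so a phishing page can relay it to the real bank along with a transfer of the attacker's choosing; a code computed over the transaction details fails as soon as the relayed transfer differs from the one the customer approved. The seed, account identifiers, amounts and the two code formats are constructed stand-ins for the proprietary token schemes the posts allude to.

```python
"""Relay (man-in-the-middle phishing) against a plain OTP versus a
transaction-bound code. Constructed example; nothing here is a real scheme."""
import hashlib
import hmac
import struct

SEED = b"constructed-shared-token-seed"  # assumed secret shared by token and bank


def one_time_code(seed: bytes, counter: int) -> str:
    """HOTP-style code (RFC 4226 dynamic truncation): binds only secret and counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**6:06d}"


def transaction_code(seed: bytes, counter: int, dest_account: str, amount_cents: int) -> str:
    """Code that also covers what is being authorised (destination and amount)."""
    msg = (struct.pack(">Q", counter) + dest_account.encode() + b"\x00"
           + struct.pack(">Q", amount_cents))
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def bank_accepts_otp_transfer(seed: bytes, counter: int, dest_account: str,
                              amount_cents: int, code: str) -> bool:
    """Bank-side check for the plain OTP scheme: the transfer details arrive
    with the request but play no part in verifying the code."""
    del dest_account, amount_cents  # deliberately unused: that is the weakness
    return hmac.compare_digest(one_time_code(seed, counter), code)


def bank_accepts_transfer(seed: bytes, counter: int, dest_account: str,
                          amount_cents: int, code: str) -> bool:
    """Bank-side check for the transaction-bound scheme."""
    return hmac.compare_digest(
        transaction_code(seed, counter, dest_account, amount_cents), code)


def relay_attack_against_otp(counter: int = 4242) -> bool:
    """Victim types the current code into a phishing page; the attacker submits
    it to the real bank with a transfer of their own. Returns True if accepted."""
    captured = one_time_code(SEED, counter)              # harvested by the phishing page
    return bank_accepts_otp_transfer(SEED, counter, "ACCT-MULE", 990_000, captured)


def relay_attack_against_transaction_code(counter: int = 4242) -> bool:
    """Same relay, but the victim's token computed the code over the transfer
    the victim believed she was approving. Returns True if the bank accepted
    the attacker's altered transfer."""
    victim_dest, victim_amount = "ACCT-VICTIM-PAYEE", 2_500   # constructed
    attacker_dest, attacker_amount = "ACCT-MULE", 990_000     # constructed
    captured = transaction_code(SEED, counter, victim_dest, victim_amount)
    return bank_accepts_transfer(SEED, counter, attacker_dest, attacker_amount, captured)


if __name__ == "__main__":
    print("OTP relay accepted by bank:             ", relay_attack_against_otp())
    print("transaction-code relay accepted by bank:", relay_attack_against_transaction_code())
```

The caveat Florian also raises still applies: the transaction-bound code only helps if the destination and amount are shown to the customer on a display the attacker does not control. If the phishing page simply tells the victim which numbers to key into the token, the victim signs the attacker's transfer and the bank accepts it.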


RE: Phishing and BGP Blackholing

2007-01-03 Thread Neil J. McRae

 SecureID might be helpful if you want to differentiate your product
 between automatic and manual use, but it doesn't do anything to
 authenticate the party you are relaying information to.  But it's
 useless in a phishing context.  If you want a token solution, at least
 use something that factors in transaction-related data.

Florian,
Sorry, we didn't specifically recommend any solution, simply that
they need to look at more secure authentication systems to 
minimize phishing issues. As you note even the most secure systems
can be beaten.

Neil.




Re: Phishing and BGP Blackholing

2007-01-03 Thread Bill Nash

On Wed, 3 Jan 2007, Andy Davidson wrote:

 From a 'problem solving' perspective, a Team Cymru-style bgp peer that
 injected very specific routes into their routing table, and matching
 configuration which caused those particular routes to be dropped would be
 ideal.  Additions and deletions would be as close to real-time as possible.
 
 From a political perspective, I could only advocate  to clients such a service
 that had a strict policy of adding routes to addresses because of a provable
 policy infringement.  For example, a route for 1.2.3.4/32 would only be
 announced by my bgp-blacklist peer if it could be demonstrated that a device
 reachable at 1.2.3.4 was an open http proxy (or socks proxy, or smtp
 relay) and not because a phishing site was hosted there.  Different
 priorities for different networks I guess ..

disclaimer: I do development work for the company I'm about to endorse.

I endorsed this product before when I was a client. I've since left my 
previous position and gone to work on it. This is one of the very few 
posts I'll ever make that's in any way representative of an employer.

Mainnerve's Darknet product is exactly that: A managed blacklist of 
malicious/hacked sites. Currently, phishing sites and open proxies, make 
it into blacklist, but drone network C&Cs do. Darknet is intended to 
intercept traffic leaving your network to known C&Cs. Currently, this 
involves a device deployed to your network, that hosts a BGP peer to your 
network to supply the blackhole routes, redirecting the C&C traffic to the 
darknet device for packet analysis.

I'm currently working on a newer implementation that involves just a BGP 
peering session and a GRE tunnel, to eliminate the hardware deployment and 
simplify the whole process, so it functions very much like the bogon 
filter.

- billn


Re: Phishing and BGP Blackholing

2007-01-03 Thread Bill Nash

On Wed, 3 Jan 2007, Bill Nash wrote:

 malicious/hacked sites. Currently, phishing sites and open proxies, make 
 it into blacklist, but drone network C&Cs do. Darknet is intended to 

Someone pointed out my typo. This should read 'phishing sites and open 
proxies don't make it into the blacklist'.

Sorry for any confusion that may have inflicted. Drink more coffee!

- billn


Re: Phishing and BGP Blackholing

2007-01-03 Thread Mark Foster




On Wed, 3 Jan 2007, Rich Kulawiec wrote:



On Wed, Jan 03, 2007 at 05:44:28PM +1300, Mark Foster wrote:

So why the big deal?


Because it's very rude -- like top-posting, or full-quoting, or sending
email marked up with HTML.  Because it's an unprovoked threat.  Because
it's an attempt to unilaterally shove an unenforceable contract down
the throats of everyone reading it.  Because it's a tip-off that the
sender does not value the time or resources of recipients.  Because it's
insulting.  Because (borrowing from first link below) it's simply too
stupid for words.



I'm as much of a netiquette fiend as almost anyone I've ever met, but I do 
feel that there is a tendency to spend far too much time complaining about 
perceived rudeness and not enough time with focus on the point behind the 
message.


No matter how hard you try, top-posting is here to stay. MS Outlook has 
seen to that.  So instead of taking the extreme approach (top posting = 
bad) I favour a compromise approach (inconsistent posting = bad; 
multiple responses to multiple individual points from a single email in a 
top post = bad) - which I like to think is more driven by common sense than 
the need to exert one's old-school-ness on the rest of the populace.   I 
can't be the only one...


I don't like disclaimers either.  There's a reason I use a privately 
managed mail system for contributing to mailing lists, and not my 
corporate address (which, yes, gets a multiline legal disclaimer added to 
every post that leaves...)


But there are worse offenses. HTML emails - every author has a choice 
there, so that one's unforgivable IMHO.  Top-Posting and Legalese Addendums 
to messages are both things that an end-user in a COE corporate environment has little control 
over.


Mark.


Re: Phishing and BGP Blackholing

2007-01-03 Thread Joseph S D Yao

On Thu, Jan 04, 2007 at 09:26:00AM +1300, Mark Foster wrote:
...
 But there are worse offenses. HTML emails - every author has a choice 
 there, so that one's unforgivable IMHO.  Top-Posting and Legalese Addendums 
 to messages are both things that an end-user in a COE corporate 
 environment has little control over.


Mark,

If you don't have personal control over the mail system you are using,
it's possible that you don't have control over whether or not you use
HTML.  Your corporate mail system may be Dictated From On High [where
the air is thin].  Sure, you can get an external mail account.  But you
can't even ask the vendor whether they use HTML, they may not know what
you're talking about [isn't the Web the same as the Internet?], or the
answer depends on the phase of the moon or other intangible variables
[this has been observed].


-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.


Re: Phishing and BGP Blackholing

2007-01-03 Thread Mark Foster




On Wed, 3 Jan 2007, Joseph S D Yao wrote:



On Thu, Jan 04, 2007 at 09:26:00AM +1300, Mark Foster wrote:
...

But there are worse offenses. HTML emails - every author has a choice
there, so that one's unforgivable IMHO.  Top-Posting and Legalese Addendums
to messages are both things that an end-user in a COE corporate
environment has little control over.



Mark,

If you don't have personal control over the mail system you are using,
it's possible that you don't have control over whether or not you use
HTML.  Your corporate mail system may be Dictated From On High [where
the air is thin].  Sure, you can get an external mail account.  But you
can't even ask the vendor whether they use HTML, they may not know what
you're talking about [isn't the Web the same as the Internet?], or the
answer depends on the phase of the moon or other intangible variables
[this has been observed].


Yeah, I could believe your observations - but I assumed (incorrectly?) 
that _client side_ configuration items (such as whether to use plain text, 
rich text or HTML) would still be available to an end user.  Or to put it 
another way, Group Policy (or similar) to forbid turning HTML _off_ would 
seem to be, quite simply, stupid...


That's enough of that now, anyway...

Mark.


Phishing and BGP Blackholing

2007-01-02 Thread Joy, Dylan

Happy New Year all,

I'm curious if anyone can answer whether there has been any traction
made relative to blocking egress traffic (via BGP) on US backbones which
is destined to IP addresses used for fraudulent purposes, such as
phishing sites.  

I'm sure there are several challenges to implementing this...

Regards,
Dylan Joy
Network Security Analyst, BECU




NOTICE: This communication and any attachments may contain privileged or 
otherwise confidential information.  If you are not the intended recipient or 
believe that you may have received this communication in error, please reply to 
the sender indicating that fact and delete the copy you received without 
printing, copying, retransmitting, disseminating, or otherwise using the 
information. Thank you.


Re: Phishing and BGP Blackholing

2007-01-02 Thread Bill Nash


The biggest challenge I can see is scrubbing phishing reports that 
aren't.. themselves.. maliciously crafted phishing attacks against a 
registry of such addresses. Likewise, since BGP isn't application aware, 
when you blackhole an address that's both website and mail server, how do 
you inform the end user about their problem, or get a notice from them 
that it's been fixed?

This kind of solution has a huge trust factor hole in it.

Distributing a BGP based blackhole list is trivial. The intelligence that 
goes into it is the hard part. There are companies that provide managed 
services like this (bgp blackhole route servers for known problem sites, 
like drone C&C's). (disclaimer: I do development for one.)

- billn

On Tue, 2 Jan 2007, Joy, Dylan wrote:

 
 Happy New Year all,
 
 I'm curious if anyone can answer whether there has been any traction
 made relative to blocking egress traffic (via BGP) on US backbones which
 is destined to IP addresses used for fraudulent purposes, such as
 phishing sites.  
 
 I'm sure there are several challenges to implementing this...
 
 Regards,
 Dylan Joy
 Network Security Analyst, BECU
 
 
 
 
 NOTICE: This communication and any attachments may contain privileged or 
 otherwise confidential information.  If you are not the intended recipient or 
 believe that you may have received this communication in error, please reply 
 to the sender indicating that fact and delete the copy you received without 
 printing, copying, retransmitting, disseminating, or otherwise using the 
 information. Thank you.
 


Re: Phishing and BGP Blackholing

2007-01-02 Thread Randy Bush

you have sent a message to me which seems to contain a legal
warning on who can read it, or how it may be distributed, or
whether it may be archived, etc.

i do not accept such email.  my mail user agent detected a legal
notice when i was opening your mail, and automatically deleted it.
so do not expect further response.

yes, i know your mail environment automatically added the legal
notice.  well, my mail environment automatically detected it,
deleted it, and sent this message to you.  so don't expect a lot
of sympathy.

and if you choose to work for some enterprise clueless enough to
think that they can force this silliness on the world, use gmail,
hotmail, ...

randy



Re: Phishing and BGP Blackholing

2007-01-02 Thread Bill Nash


Hi. You have sent a message to the entire list that seems to be some sort 
of automatically generated product of the Smugotron-2000, intended to 
annoy a single person but is actually annoying everyone. Your mail user 
agent detected something you didn't like, and instead of simply deleting 
it, went out of its way to be annoying.

I do not accept such mail. Yes, I know your mail environment automatically 
responded to it, but seriously, why inflict your curmudgeonly attitude on 
everyone else? Thankfully, I'm not quite as pedantic as all that, so I 
took the time to hand craft this missive, just for you! When I'm done, 
I'll think about coding myself an auto-responder that sends you something 
else, just like it, whenever you post.

Because that's cool, right?

/troll

- billn

On Tue, 2 Jan 2007, Randy Bush wrote:

 
 you have sent a message to me which seems to contain a legal
 warning on who can read it, or how it may be distributed, or
 whether it may be archived, etc.
 
 i do not accept such email.  my mail user agent detected a legal
 notice when i was opening your mail, and automatically deleted it.
 so do not expect further response.
 
 yes, i know your mail environment automatically added the legal
 notice.  well, my mail environment automatically detected it,
 deleted it, and sent this message to you.  so don't expect a lot
 of sympathy.
 
 and if you choose to work for some enterprise clueless enough to
 think that they can force this silliness on the world, use gmail,
 hotmail, ...
 
 randy
 


Re: Phishing and BGP Blackholing

2007-01-02 Thread Valdis . Kletnieks
On Tue, 02 Jan 2007 17:02:02 PST, Joy, Dylan said:
 I'm curious if anyone can answer whether there has been any traction
 made relative to blocking egress traffic (via BGP) on US backbones which
 is destined to IP addresses used for fraudulent purposes, such as
 phishing sites.
 
 I'm sure there are several challenges to implementing this...

Well, there's the whole collateral damage issue - often, these things pop up
on hosting sites, where trying to null-route www.phishers-r-us.com will
also break access to several thousand other domains hosted on the same
set of hardware (notice that same exact issue of collateral damage ended
up derailing a Pennsylvania law regarding the blocking of sites hosting
child pornography).

Then there's the whole trust issue - though the Team Cymru guys do an awesome
job doing the bogon feed, it's rare that you have to suddenly list a new
bogon at 2AM on a weekend.  And there's guys that *are* doing a good job
at tracking down and getting these sites mitigated, they prefer to get the
sites taken down at the source.  I'm not sure they would *want* to be trying
to do a BGP feed.

 NOTICE: This communication and any attachments may contain privileged or
 otherwise confidential information.

After you post to NANOG, it's not confidential, no matter what your legal eagles
pretend.





Re: Phishing and BGP Blackholing

2007-01-02 Thread Vassili Tchersky
On Tue, Jan 02, 2007 at 09:52:26PM -0500, [EMAIL PROTECTED] wrote:
 After you post to NANOG, it's not confidential, no matter what your legal 
 eagles
 pretend.

There was an issue recently on a similar French mailing list (FRnOG):
a CTO of a major ISP said something vague about a technology in an
example, and within a few hours that created hearsay among popular news
websites. Quickly the rumor became a certainty, and once the information
was refuted it was difficult for those websites to ruin their news,
which was often tagged "scoop", attributing words to this admin that he
never even said.

"Think before you post" is more effective than a legal disclaimer.

-- 
Vassili Tchersky
Réseau Koumbit Network
VTC1-ARIN




Re: Phishing and BGP Blackholing

2007-01-02 Thread Travis H.
On Tue, Jan 02, 2007 at 06:20:01PM -0700, Bill Nash wrote:
 The biggest challenge I can see is scrubbing phishing reports that 
 aren't.. themselves.. maliciously crafted phishing attacks against a 
 registry of such addresses.

Can you rephrase that?  I want to understand but I'm failing.

 Likewise, since BGP isn't application aware, 
 when you blackhole an address that's both website and mail server, how do 
 you inform the end user about their problem, or get a notice from them 
 that it's been fixed?

 This kind of solution has a huge trust factor hole in it.

However, it has been done with MAPS... they do indeed have a BGP-compatible
DNS lookup thingamabob, and for a while Above.net was using it.

Apart from MAPS blacklisting the whole netblock of a site that was selling
(but not using) spam software, there are also externalities involved.
Above.net started blackholing traffic to those sites, but they did it for
all the traffic that crossed their network, not just the traffic they
originated.  So the net result was that some of these sites were not reachable,
just because your traffic traversed above.net, and sometimes they were.  And as
you point out, there was no way to know what was happening without effort.
For the kind of user that gets fooled by a phishing site, I'm sure it could
get very confusing.

 Distributing a BGP based blackhole list is trivial. The intelligence that 
 goes into it is the hard part. There are companies that provide managed 
 services like this (bgp blackhole route servers for known problem sites, 
 like drone C&C's). (disclaimer: I do development for one.)

As another poster discusses, collateral damage is of concern.  I do some
forensics for a web hosting company and occasionally someone sets up a
phishing web site instead of spambots and IRC connections.  Typically we
can make it inoperable within a few minutes of knowing exactly what is
going on (chmod -R 000 ...), so I think a detailed email to abuse is going
to be more effective, as long as they have the ability to read and respond
to the email in a timely fashion.

For companies that aren't that timely, I would think that'd be a good
candidate for firewalling.  I know next to nothing about BGP yet, but
I suspect that you could direct traffic for that IP to go through a
firewall device (or implement an ACL, though I suppose that would
mandate the slow path in a router), to block TCP ports 80 and 443 with
a TCP reject, to give some feedback, or an ICMP administratively
unreachable.  This also gives the end-user the ability to figure out
who is doing the blocking and get in touch with them (or at least their
network guy acting as their agent, I suspect most end-users can't track
down a provider by IP or sniff to get the IP in the first place).

IIRC, Riverhead DoS-mitigation systems use a similar mechanism for
filtering out DoS packets en route.

Oh, and yes, even for one IP, you're still going to have collateral
damage if they're doing shared hosting, since one IP serves many
sites.  The only way around this is to actually do layer 7 decoding,
but if the intruder can already set up one phishing account, I
would be hesitant to assume the other co-located sites are really
safe to browse.

I suspect the trust problem is pretty easy to deal with, if you
have a human and GPG.  Usenet cancel messages, rmgroup messages,
key distribution for mixmaster remailers... the hardest problem
is deciding who you trust, and getting their key securely; the
rest is easily automated.  Although some sites might be difficult
to distinguish from phishing sites; recently discussed on the
cryptography list was (IIRC) a Citibank email that told users
to log into some site and enter confidential data... the site was
legit but did not have citi anywhere in the domain name, and was
located in New Zealand.  Some people tried to explain why this
was bad to Citibank, and apparently a clue was nowhere to be found.

And yet, people trust them with their money.
-- 
A: No.
Q: Should I include quotations after my reply?
URL:http://www.subspacefield.org/~travis/ --




Re: Phishing and BGP Blackholing

2007-01-02 Thread Stephen Satchell


[EMAIL PROTECTED] wrote:


Then there's the whole trust issue - though the Team Cymru guys do an awesome
job doing the bogon feed, it's rare that you have to suddenly list a new
bogon at 2AM on a weekend.  And there's guys that *are* doing a good job
at tracking down and getting these sites mitigated, they prefer to get the
sites taken down at the source.  I'm not sure they would *want* to be trying
to do a BGP feed.


As an operator of a large collections of Web hosting sites, I appreciate 
the work of those guys who track down sites and send alerts.  I can then 
surgically remove the offending phishing sites quickly.  When a customer 
does the sites (and I've had a few of those) I usually find multiple 
phishing payload sites...and the account is closed so quickly that 
the perps don't even have time to fetch the data they collected.


The championship record is nine payload-sites for different phishing 
targets.


Re: Phishing and BGP Blackholing

2007-01-02 Thread Mark Foster


I have to ask.

The 'stock' disclaimer message says 'may'.

It also says 'If you are not the intended recipient...'

Key words - 'if' and 'may'.

Since the post is being made to NANOG, we can assume the NANOG Audience 
(defined as anyone who's on the list _or_ who can read the web archive; 
that is, everyone) is in fact the intended recipient, and we can ignore the 
rest of it.


... so I fail to see why a big deal should be made out of it. Especially 
when they're generally enforced on large companies by their lawyers, and 
the Network Operators likely have very little to do with it.


So why the big deal?

(Personally I still vote for the use of non-corporate mail addresses on 
mailing lists. Tends to filter out the rogue out-of-office notices too...)



Mark.



On Tue, 2 Jan 2007, Randy Bush wrote:



you have sent a message to me which seems to contain a legal
warning on who can read it, or how it may be distributed, or
whether it may be archived, etc.

i do not accept such email.  my mail user agent detected a legal
notice when i was opening your mail, and automatically deleted it.
so do not expect further response.

yes, i know your mail environment automatically added the legal
notice.  well, my mail environment automatically detected it,
deleted it, and sent this message to you.  so don't expect a lot
of sympathy.

and if you choose to work for some enterprise clueless enough to
think that they can force this silliness on the world, use gmail,
hotmail, ...

randy




Re: Phishing and BGP Blackholing

2007-01-02 Thread Bill Nash

On Tue, 2 Jan 2007, Travis H. wrote:

 On Tue, Jan 02, 2007 at 06:20:01PM -0700, Bill Nash wrote:
  The biggest challenge I can see is scrubbing phishing reports that 
  aren't.. themselves.. maliciously crafted phishing attacks against a 
  registry of such addresses.
 
 Can you rephrase that?  I want to understand but I'm failing.

If you decide to operate some sort of registry for these sites, what's to 
stop a user from crafting what appears to be a malicious submission, with 
the intent of getting someone blackholed, just for grins and giggles?

Again, trust factor.

 IIRC, Riverhead DoS-mitigation systems use a similar mechanism for
 filtering out DoS packets en route.

I think Prolexic also uses a similar method.

 Oh, and yes, even for one IP, you're still going to have collateral
 damage if they're doing shared hosting, since one IP serves many
 sites.  The only way around this is to actually do layer 7 decoding,
 but if the intruder can already set up one phishing account, I
 would be hesitant to assume the other co-located sites are really
 safe to browse.

Well, in many of those cases, you're talking about shared hosting 
environments, hundreds of mom and pop sites that actually are safe to 
browse, but running whatever vulnerable content-management kit was 
provided to them that got the box popped in the first place.

- billn
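Andy Davidson's design earlier in the thread (host routes only, listed only for a provable, content-neutral policy infringement, never a whole network), Bill Nash's trust-factor point about forged submissions just above, and Travis H.'s suggestion that signed reports from a small trusted set solve most of the trust problem, pulled together as an added example that is not code from the thread or from any product mentioned in it. It assumes per-submitter shared secrets standing in for GPG keys (so it runs offline), a constructed passive-DNS table for the collateral-damage check Valdis and Travis raise, illustrative hostnames and addresses (1.2.3.4 is borrowed from Andy's post), and the BLACKHOLE well-known community 65535:666 from RFC 7999, which postdates the thread.

```python
"""Validator for a blackhole route feed: signed reports in, /32 routes out.
Constructed example; the keys, hostnames and addresses are illustrative."""
import hashlib
import hmac
import ipaddress
import json
from typing import Dict, List, Tuple

# Assumed per-submitter shared secrets (constructed). A real feed would use
# GPG-signed reports from people whose keys were exchanged out of band.
SUBMITTER_KEYS: Dict[str, bytes] = {
    "abuse-desk.example.net": b"constructed-secret-1",
    "cert.example.org": b"constructed-secret-2",
}

# Only provable, content-neutral infringements are listable. "phishing" is
# deliberately absent: that is a content judgement, not a policy one.
ALLOWED_REASONS = {"open-http-proxy", "open-socks-proxy", "open-smtp-relay"}

# Constructed passive-DNS style view of which hostnames share an address,
# used to estimate collateral damage before a /32 is announced.
HOSTNAMES_BY_IP: Dict[str, List[str]] = {
    "1.2.3.4": ["proxy-ab.example"],
    "1.2.3.99": ["shop1.example", "shop2.example", "blog3.example", "club4.example"],
}

BLACKHOLE_COMMUNITY = "65535:666"  # BLACKHOLE well-known community, RFC 7999


def canonical(fields: dict) -> bytes:
    """Deterministic encoding of the signed fields (key order independent)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_submission(fields: dict, key: bytes) -> dict:
    """Return a copy of the report with an HMAC-SHA256 'sig' attached."""
    return {**fields, "sig": hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()}


def validate_submission(msg: dict, max_collateral: int = 1) -> Tuple[bool, object]:
    """Return (True, route) or (False, reason). Each rejection answers one
    hazard from the thread: forged reports, non-host routes, content-based
    listing, and shared-hosting collateral damage."""
    body = {k: v for k, v in msg.items() if k != "sig"}
    key = SUBMITTER_KEYS.get(str(body.get("submitter", "")))
    if key is None:
        return False, "unknown submitter"
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("sig", ""))):
        return False, "bad signature"
    try:
        net = ipaddress.ip_network(str(body.get("prefix", "")), strict=True)
    except ValueError:
        return False, "unparseable prefix"
    if net.num_addresses != 1:
        return False, "not a host route"
    if not net.network_address.is_global:
        return False, "non-global address"
    if body.get("reason") not in ALLOWED_REASONS:
        return False, "reason is not a listable policy infringement"
    sharing = len(HOSTNAMES_BY_IP.get(str(net.network_address), []))
    if sharing > max_collateral:
        return False, f"shared hosting: {sharing} hostnames on this address"
    return True, {"prefix": str(net), "community": BLACKHOLE_COMMUNITY, "reason": body["reason"]}


def build_feed(submissions, max_collateral: int = 1):
    """Split submissions into routes to announce and rejected reports."""
    routes, rejected = [], []
    for msg in submissions:
        ok, result = validate_submission(msg, max_collateral)
        if ok:
            routes.append(result)
        else:
            rejected.append((msg.get("prefix"), result))
    return routes, rejected


def sample_submissions() -> list:
    """Constructed reports: one good case and one of each failure mode."""
    k1 = SUBMITTER_KEYS["abuse-desk.example.net"]
    good = sign_submission({"submitter": "abuse-desk.example.net", "prefix": "1.2.3.4",
                            "reason": "open-http-proxy",
                            "evidence": "CONNECT relayed, 2007-01-03"}, k1)
    tampered = dict(good, reason="open-smtp-relay")  # edited after signing
    return [
        good,
        tampered,
        {"submitter": "anyone@example", "prefix": "1.2.3.4",
         "reason": "open-http-proxy", "sig": ""},
        sign_submission({"submitter": "abuse-desk.example.net", "prefix": "1.2.3.0/24",
                         "reason": "open-socks-proxy"}, k1),
        sign_submission({"submitter": "abuse-desk.example.net", "prefix": "1.2.3.4",
                         "reason": "phishing"}, k1),
        sign_submission({"submitter": "abuse-desk.example.net", "prefix": "1.2.3.99",
                         "reason": "open-http-proxy"}, k1),
    ]


if __name__ == "__main__":
    routes, rejected = build_feed(sample_submissions())
    for route in routes:
        print("announce", route)
    for prefix, why in rejected:
        print("reject  ", prefix, "->", why)
```

A real feed also needs a timestamp and expiry on each report (so a valid report cannot be replayed months later) and a re-check of the infringement before the route is withdrawn, which is what "additions and deletions as close to real-time as possible" costs in practice.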


Re: Phishing and BGP Blackholing

2007-01-02 Thread Fergie


Instead of quoting earlier submissions, let me just add two
thoughts to this Bad Idea (tm):

(1) Proxy bypasses; and
(2) Fast-Flux place-shifters...

These are two hard problems, by themselves, although not impossible.
Having said that, injecting candidate host-routes into BGP (given
the already intolerable churn) is a horribly worse idea.

Good luck with all that...

- - ferg



--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Phishing and BGP Blackholing

2007-01-02 Thread Fergie


One more thing:

If anyone thinks that fast-flux hosting isn't a problem, then you
haven't dealt with it.

I cannot imagine injecting a /32 continuously into a BGP community-set.
That just sounds... insane.

More:
http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#164

Cheers!

- - ferg




- -- Fergie [EMAIL PROTECTED] wrote:

Instead of quoting earlier submissions, let me just add two
thoughts to this Bad Idea (tm):

(1) Proxy bypasses; and
(2) Fast-Flux place-shifters...

These are two hard problems, by themselves, although not impossible.
Having said that, injecting candidate host-routes into BGP (given
the already intolerable churn) is a horribly worse idea.

Good luck with all that...

- - ferg




--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
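Fergie's fast-flux objection, as an added example that is not code from the thread: replay a hostname's changing A records and count the announce/withdraw events a /32 feed mirroring them would have to emit. The DNS observations are constructed (a flux network rotating five hosts out of a pool of thirty every five minutes, with illustrative addresses); the contrast with a conventional single-address site is the point.

```python
"""Estimate the BGP churn a /32 blackhole feed would generate for a
fast-flux hostname. Constructed DNS observations; addresses are illustrative."""
from typing import Dict, Iterable, List, Set, Tuple

Observation = Tuple[int, Set[str]]  # (unix timestamp, A records seen for the hostname)


def route_events(observations: Iterable[Observation]) -> List[Tuple[int, str, str]]:
    """Replay DNS observations and emit the announce/withdraw events a /32
    feed that tracks the hostname's A records would have to send."""
    events: List[Tuple[int, str, str]] = []
    current: Set[str] = set()
    for ts, ips in observations:
        for ip in sorted(ips - current):
            events.append((ts, "announce", f"{ip}/32"))
        for ip in sorted(current - ips):
            events.append((ts, "withdraw", f"{ip}/32"))
        current = set(ips)
    return events


def churn_summary(observations: Iterable[Observation]) -> Dict[str, float]:
    """Total updates, update rate, distinct hosts seen and final table size."""
    obs = list(observations)
    if not obs:
        return {"updates": 0, "updates_per_hour": 0.0, "distinct_hosts": 0, "final_table_size": 0}
    events = route_events(obs)
    span_hours = max(obs[-1][0] - obs[0][0], 1) / 3600
    distinct = set().union(*(ips for _, ips in obs))
    return {
        "updates": len(events),
        "updates_per_hour": len(events) / span_hours,
        "distinct_hosts": len(distinct),
        "final_table_size": len(obs[-1][1]),
    }


def constructed_fastflux(pool_size: int = 30, live: int = 5,
                         step_s: int = 300, hours: int = 24) -> List[Observation]:
    """Constructed trace: every `step_s` seconds the flux network swaps in the
    next `live` hosts from a pool of `pool_size` compromised machines."""
    pool = [f"1.2.3.{i + 1}" for i in range(pool_size)]  # illustrative addresses
    obs: List[Observation] = []
    for k in range(hours * 3600 // step_s):
        window = {pool[(k * live + j) % pool_size] for j in range(live)}
        obs.append((k * step_s, window))
    return obs


def constructed_static_host(step_s: int = 300, hours: int = 24) -> List[Observation]:
    """Same sampling schedule for a conventional site on one address."""
    return [(k * step_s, {"1.2.3.4"}) for k in range(hours * 3600 // step_s)]


if __name__ == "__main__":
    print("fast-flux hostname:", churn_summary(constructed_fastflux()))
    print("static hostname:   ", churn_summary(constructed_static_host()))
```

With these parameters the flux hostname produces roughly 120 route updates per hour for a table that never holds more than five entries, against a single announcement for the static site; a feed that chases the A records is generating churn, not protection.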