Regrettably, you have failed to answer my question!
Do the security features on *your* machine give you any sort of warning?
--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)
> Regrettably, you have failed to answer my question!
That is because we completely disagree about what you are attempting to
illustrate and I am positing my arguments about the many things you are
doing wrong and how you are doing them all wrong.
You are saying - I let spam into my inbox. I read my spam's subject and
from, then I open my spam and then I click on my spam links.
I am saying - do not let spam into your inbox - do not read your spam's
subject or from receptively as you do when you look at realmail
subject/from, do *not* open your spam and render its html and **DO NOT**
click on your spam links.
I do *not* want to read your html-rendered spambody and I do *NOT* want
to click on your spamlinks and I do not recommend that other people do
what you are doing and I'm trying to guide you and them and 'disrupt'
your efforts to misguide them.
You are profiting the spam process by what you do. Stop doing that.
The fact that you (the ubiquitous you spammees who handle spam as you
do) make spam profitable is why we all get so much spam.
--
Mike Easter
I'm not at all interested in reading the body of any SPAM message. I
want to know if other folk are being warned of Phishing sites in the
same way as I am. That's all! :)
> You are profiting the spam process by what you do. Stop doing that.
> The fact that you (the ubiquitous you spammees who handle spam as you
> do) make spam profitable is why we all get so much spam.
>
>
>
As I get a 'WARNING' and do not actually go to the URL in question, I
cannot understand the point you are trying to make here.
> If you can explain how anything in an email can 'infect' my OS X box, I
> will pay careful attention.
You are missing the thrust of my argument. I did not use the word or
say 'infect'.
I said your behavior handling your spam is bad and you are elaborating/
emphasizing the absolute worst part of the behavior, the one which
profits spam processes and potentially endangers the spam handler, which
is opening spam, rendering html, and clicking on spam links.
> Hahaha! I do understand your (cautious) position, Mike. I simply hope(d)
> that someone here would have a VM/Sandbox facility which they could use
> without risk to their machines.
You don't understand at all. You are exhibiting bad behavior by playing
with your spamlinks. You want to encourage others to play with your
spam links and you want others to approach the spamlink in the same way
that you did.
I am saying - don't do any of that. I am not saying that I 'can't'
investigate whether or not the legitimate thaisuzuki.co.th website is
compromised.
> As I get a 'WARNING' and do not actually go to the URL in question, I
> cannot understand the point you are trying to make here.
I am saying that almost every time you open a spam and click a spamlink
you are (potentially) profiting the spam process and that you should
stop behaving that way every step of the way.
Don't let the spam in; don't read the spam subject/from receptively;
don't open the spam and read it receptively; don't click the link to
(try to) go there.
And incidentally, don't encourage others to click on links when you
don't know what is there because you have not done the necessary
research to find out what is there. It has nothing to do with
sandboxes. It has to do with your ill-advised behavior.
The name of this group says 'computer.security' and your spamhandling is
not wise computer security and it is not wise netizenship because you
are aiding the bad guys who profit from the spam processes.
--
Mike Easter
Your curiosity is reasonable, but your test is not. Less experienced
hacker hopefuls have tried to trick people into "checking" security with
websites that attempt to bypass security and install malware, as a way
to test their hacking ability.
Most reasonably experienced Usenet users are not going to click that
link, especially here. Those that will, though, are probably not
interested in satisfying your curiosity, so they are unlikely to reply,
except to tell you what is wrong with your inquiry.
--
KristleBawl
If you tell the truth, you don't have to remember anything. - Mark Twain
Taglines by http://tagzilla.mozdev.org
Whilst here, if one looks at *this* thread - on Google Groups -
http://groups.google.com/group/alt.computer.security/browse_thread/thread/888250bb7d11d20e?hl=en#
The first two posts are 'missing' from the thread. Any clue as to why
that might be?
....
> ** This is the URL to which one is directed above:
>
....
I can understand if you're curious, but you should not click, open, or
even respond to this kind of mail.
Better to make sure you use a good spam filter that, at least, throws them
directly into the trash, and that you empty it every time you close your
email client or, better, delete them.
As already noted in the thread, you can open up and look at the source
code, which should be enough to determine what kind of letter it is.
Naturally I only react when one of these mails purports to come from my
ISP, and then by ensuring that they will be deleted before they are sent
to any of those who use our domain. Otherwise I do not care unless
someone wants me to.
As you can understand, I will not try the link, it is totally
uninteresting.
/Anders
> Whilst here, if one looks at *this* thread - on Google Groups -
> http://groups.google.com/group/alt.computer.security/browse_thread/thread/888250bb7d11d20e?hl=en#
>
> The first two posts are 'missing' from the thread. Any clue as to why
> that might be?
Your message is html which may have caused it to be filtered. Or
perhaps it may have looked like spam to some filter. My message is
plaintext and looks less like spam, so that explanation doesn't work for
the 2nd post.
GG is a very very flawed archiver of usenet. It 'generously' archives
tons and tons of spam - see the spam which appears in the listing of
this groups topics for the same timeframe
http://groups.google.com/group/alt.computer.security/topics?hl=en
... while 'incompetently' failing to archive all of the thread you have
referenced.
While posts are fresh, they can be accessed faster/better by using the
message id in a capable newsagent - some agents can only access the
individual messages by mid, while others can access all of the thread
given an mid of one of the thread.
Both posts missing in the GG system are individually accessible via
Howard Knight's mid system.
--
Mike Easter
How will I ever be able to determine if other folk do/do not get the
same warnings I do ...... if nobody will 'test' something to find out
what might happen?
What I do not understand is why this newsgroup isn't monitored by some
of the security 'professionals' who, presumably, have 'test' rigs upon
which to make the sort of exploration I requested.
Surely I am not alone in experimenting, knowing that a computer is
simply a machine which can be reprogrammed at the drop of a hat if/when
things go wrong? ;-)
You will not and there is no need for it.
Just throw away and forget it.
One reason never to click on links in such emails is that you then
confirm that your address is a valid address.
And that will only result in you getting more shit-mails, and also in
your address being salable to other bot-nets.
/Anders
> What I do not understand is why this newsgroup isn't monitored by some
> of the security 'professionals' who, presumably, have 'test' rigs upon
> which to make the sort of exploration I requested.
>
> Surely I am not alone in experimenting, knowing that a computer is
> simply a machine which can be reprogrammed at the drop of a hat if/when
> things go wrong? ;-)
You just don't get it.
I guess you are dense or something, or at least it appears to me that
you are behaving that way instead of grasping what is wrong with what
you are doing.
The most important issue here is not 'your issue' - your idea of how to
'experiment' - of how to 'investigate' something - namely your curiosity
about a weblink you found in a spam.
The most important issue here is your insecure daft behavior of letting
spam in and opening spam and clicking on spamlinks - which you should
not do for multiple reasons, some trivial and some large.
Computer security, in the name of this group, is about how people behave
with their computers. You are behaving insecurely and you need to learn
that. You don't need someone to tell you what is at the link you found
in the spam -- that action would simply 'support' your daft behavior
which behavior should not be supported, it should instead be thwarted.
3 reasons you shouldn't handle your spam the way you do: -1- it gets
you more spam -2- it profits spammers -3- it risks your getting phished,
scammed, or infected.
The 2nd and less important issue here is about how your safari phishing
alert system works and doesn't work.
I don't feel like going to the trouble to provide you with excellent
links, so I'm just going to give you one. I don't consider the good and
the bad about the system which alerted you in this case to be a subject
I want to discuss.
http://macmost.com/safari-32-anti-phishing-protection.html The new
version of the Safari Web browser includes a feature that will alert you
if you go to a suspected malicious Web site. Learn more about this
protection and how you can further protect yourself against phishing
attacks.
A third issue is that of a previous alert which you brought up in
another thread in another group - which is google's tool for alerting
about problem websites.
That tool tells me/us that the website link which you found in your spam
has not been reported to the google alert system as being a problem -
http://snipr.com/tjfpz Safe Browsing
Diagnostic page for www.thaisuzuki.co.th/pic_news
What is the current listing status for www.thaisuzuki.co.th/pic_news?
This site is not currently listed as suspicious.
What happened when Google visited this site?
Google has not visited this site within the past 90 days.
Has this site acted as an intermediary resulting in further distribution
of malware?
Over the past 90 days, www.thaisuzuki.co.th/pic_news did not appear
to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90
days.
I also don't consider the good and bad about the google system to be a
topic I want to discuss, especially in the context of someone being a
spamreader and clicking on spamlinks.
--
Mike Easter
.... and another thing.
This (the way you did in that message) is not the proper way to discuss
the mechanisms involved in a spam or a scam.
We are not actually seeing what we need to see because you didn't put
the message source of the spam into your message, which you shouldn't be
doing in this group anyway, because that stuff is ugly.
The proper way to discuss a spam and what it is doing is by accessing
the message source or the 'properties' of the spam, which includes the
complete headers and the unrendered spambody.
When you (ambiguously) say 'delivered by hotmail' that /could/ mean that
you received the mail in a hotmail account namely a hotmail webmail. I
don't have a hotmail account, but there are instructions available for
how to view the complete headers and unrendered body at spamcop's site
http://www.spamcop.net/fom-serve/cache/22.html Hotmail and Windows Live
Hotmail - To see the full, unmangled headers in Hotmail: <snip> To see
the full, unmangled headers if you are using Windows Live version of
Hotmail:
... but the *headers* aren't exactly the issue in this case, but the
'whole enchilada' (the entire message source including the headers) is
always the best method to examine a spam. In this case an important
consideration is exactly how the spam/scam/phish body was /constructed/
to provide *the obfuscated link*.
It is possible, as explained in the video at the link I provided in an
earlier message, that safari called the link a phishing link because of
the way it was *constructed* and put into the browser /addressline/,
rather than because of anything at the actual link or because the link's
address is in some database.
People who discuss spam and its content display the spam message source
properly, not the way you posted it here, by either -1- being a reg'd
spamcop reporter and pasting it into the spamcop parser and cancelling
the report and pasting the spamcop tracker link in the group's message
where it is being discussed -2- if not a spamcop reporter then
either -2a- pasting the message source into a website (not as a
graphic, but as the text file) or -2b- submitting it into the system
called news.admin.net-abuse.sightings - which I haven't used in a while.
There are a number of problems with simply pasting the spam's message
source into a message which you post into this group.
--
Mike Easter
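The posts above say to examine the complete message source (headers plus the unrendered body) rather than the rendered html, and that the interesting part of a phish is how the link was constructed. This added example, not code from the thread, does exactly that: it lists the Received chain and flags anchors whose visible text advertises one host while the href goes to another. The message is a constructed sample using reserved .invalid names and a documentation address.

```python
"""Inspect a spam's full source and expose the obfuscated link.
Added example; SAMPLE_RAW is constructed, nothing in it is a real host."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: what "view source" on a phish might show.
SAMPLE_RAW = b"""\
Received: from mx.example-isp.invalid (mx.example-isp.invalid [203.0.113.2])
\tby mail.example.invalid with ESMTP; Thu, 3 Dec 2009 10:00:00 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby mx.example-isp.invalid with SMTP; Thu, 3 Dec 2009 09:59:00 +0000
From: "Account Team" <alerts@example-isp.invalid>
To: customer@example.invalid
Subject: Verify your account
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please verify at
<a href="http://203.0.113.9/verify.php">http://www.example-isp.invalid/verify</a></p>
<p><a href="http://www.example-isp.invalid/help">Help</a></p>
</body></html>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the html part."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def received_chain(raw):
    """Received: headers, top of message first (the last hop, added by our MX)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


def html_source(raw):
    """Return the unrendered text/html part, or None if the mail has none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_content()
    return None


def _host(s):
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def deceptive_links(raw):
    """Anchors whose link text looks like a URL but whose href goes elsewhere."""
    html = html_source(raw)
    if html is None:
        return []
    p = _Anchors()
    p.feed(html)
    return [{"shown": text, "actual": href}
            for href, text in p.anchors
            if ("://" in text or text.lower().startswith("www."))
            and _host(text) != _host(href)]
```

Run it on the real source of a suspect mail (saved as bytes) instead of SAMPLE_RAW; a non-empty result from deceptive_links is the constructed-link trick the post describes, without ever rendering or visiting the link.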
>wrote ~BD~:
>> How will I ever be able to determine if other folk do/do not get
>> the same warnings I do ......
Why do you care? I don't get the warnings from Google because I
don't see any reason to be using them for mail. If your ISP has
out-sourced their mail to google, find a less incompetent ISP. If
using google (or hotmail, or a lot of other spam service providers)
for mail was YOUR decision, then you should probably reconsider the
use of a computer connected to the Internet. Not only do I not
accept mail from google and friends, I also don't accept mail where
the sender is using a gmail, hotmail, yahoo, etc. _address_ even if
the mail is being sent through an untainted mail server.
>> if nobody will 'test' something to find out what might happen?
Some one already did - the phisher who is expecting that his work
will catch the really st00pid people out there. Would you like to
confirm his findings?
>You will not and there is no need for it.
>Just throw away and forget it.
Why are you even downloading the crap in the first place? Are you
using some web mail service because the web browser is the only
application you can figure out how to operate? The POP or IMAP
protocols permit downloading headers ONLY, and that should be
enough for a dumb script or similar to filter (and delete on the
server) unwanted mail. Too bad your web ``tool'' doesn't have that
capability. The only spam I see has made it past that style of
filter, and I want to see it (as raw text - I don't need to see the
shade/colo[u]r of chalk the sender used to create the mail) so I can
fine-tune the filter.
>One reason to never click on links in such emails is that you then
>confirm that your address is a valid address.
No, the mail server didn't reject the "RCPT TO:" command during the
SMTP stage, so either the idiots running the mail server are totally
incompetent (and should be shot) or the address exists.
The reason not to click on the link OR EVEN TRY THE URL MANUALLY
is that this action proves not that the address is valid, but that
there is an absolute fool who READS the crap that is sent to that
address. Wow - this must be a sucker who WANTS this kind of shit.
>And that will only result in you getting more shit-mails, and also
>in your address being salable to other bot-nets.
I haven't bothered looking lately - what is the current price of a
"Millions" CD - or are they DVDs now? (After all, a CD will only
hold 676 million bytes, and that's only 15-20 million email
addresses of proven fools.)
Old guy
> On Thu, 3 Dec 2009, in the Usenet newsgroup alt.computer.security, in
> article <hf82d1$mhg$1...@news.albasani.net>, anders wrote:
>
>>You will not and there is no need for it. Just throw away and forget it.
>
> Why are you even downloading the crap in the first place? Are you using
> some web mail service because the web browser is the only application
> you can figure out how to operate? The POP or IMAP protocols permit
> downloading headers ONLY, and that should be enough for a dumb script or
> similar to filter (and delete on the server) unwanted mail. Too bad your
> web ``tool'' doesn't have that capability. The only spam I see has made
> it past that style of filter, and I want to see it (as raw text - I
> don't need to see the shade/colo[u]r of chalk the sender used to create
> the mail) so I can fine-tune the filter.
>
I only pick up the letters found on the server provided by my ISP, which
in its turn is supplied by the company my ISP buys the service from (if
you want to bark at anyone, bark at them, not me, I'm just a
customer ;-) ).
What I do is mostly nothing more than see that something ended up in the
trash, and this in its turn will be deleted when I close Thunderbird.
The filter is self-learning and is doing really well, better than
expected.
>>One reason to never click on links in such emails is that you then
>>confirm that your address is a valid address.
>
> No, the mail server didn't reject the "RCPT TO:" command during the SMTP
> stage, so either the idiots running the mail server are totally
> incompetent (and should be shot) or the address exists.
>
> The reason not to click on the link OR EVEN TRY THE URL MANUALLY is that
> this action proves not that the address is valid, but that there is an
> absolute fool who READS the crap that is sent to that address. Wow -
> this must be a sucker who WANTS this kind of shit.
>
>>And that will only result in you getting more shit-mails, and also in
>>your address being salable to other bot-nets.
>
> I haven't bothered looking lately - what is the current price of a
> "Millions" CD - or are they DVDs now? (After all, a CD will only hold
> 676 million bytes, and that's only 15-20 million email addresses of
> proven fools.)
>
> Old guy
I do not know, do not care. But surely a few cents per address.
/Anders
| ~BD~ wrote:
>> What I do not understand is why this newsgroup isn't monitored by some
>> of the security 'professionals' who, presumably, have 'test' rigs upon
>> which to make the sort of exploration I requested.
>> Surely I am not alone in experimenting, knowing that a computer is
>> simply a machine which can be reprogrammed at the drop of a hat if/when
>> things go wrong? ;-)
| You just don't get it.
Mike:
He's a dope. He won't get it. Please stop wasting your time.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>wrote Moe Trin:
>What I do is mostly nothing more than see that something ended up in the
>trash, and this in its turn will be deleted when I close Thunderbird.
>The filter is self-learning and is doing really well, better than
>expected.
If your mail tool speaks POP or IMAP (standards that predate the web),
it speaks to the mail server in a very simple language of less than 20
four letter commands. One of those commands is 'DELE' which takes one
or more arguments (message numbers). That command tells the mail
server to delete that message. Obviously you used a different command
like 'TOP' or 'LIST' to see the headers (and perhaps a few lines of the
body). The majority of spam is trivially identified looking at those
headers. Download to the trash? Why bother?
>>> And that will only result in you getting more shit-mails, and also
>>> in your address being salable to other bot-nets.
>> I haven't bothered looking lately - what is the current price of a
>> "Millions" CD - or are they DVDs now? (After all, a CD will only
>> hold 676 million bytes, and that's only 15-20 million email
>> addresses of proven fools.)
>I do not know, do not care. But surely a few cents per address.
The prices several years ago were on the order of 15-20 million
addresses for US$250 - if you do the math, that's about 700 for a
single cent. Selling addresses is not a lucrative business. What
seems to be more common today is using dictionary attacks (where the
bad guy takes a list of common names such as a telephone directory
and tries variations of those names) and the common viruses (that read
your address book to get a list of names you know to be valid). The
whole world knows there are millions of idiots out there who will
auto-run anything that has a URL. 'bot-nets use that technique
fairly frequently - recall the bad guy doesn't pay for the computer
time in 'bots'.
Old guy
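The two posts from Old guy above describe the mechanism: a POP client can fetch headers only (TOP with zero body lines), decide from those headers, and DELE the junk on the server so nothing is ever downloaded to a trash folder. This added example, not the thread's code, implements that loop. FakePOP3 is a constructed offline stand-in that exposes the same list/top/dele/quit calls as Python's poplib.POP3, so the same triage function would run against a real server; the mailbox and rules are constructed samples.

```python
"""Header-only POP3 triage: TOP n 0, judge the headers, DELE on the server.
Added example; FakePOP3 and MAILBOX are constructed for offline use."""
import re
from email import policy
from email.parser import BytesHeaderParser
from email.utils import parseaddr


def _mail(*headers, body="hello\r\n"):
    """Build a CRLF-terminated message as the wire protocol delivers it."""
    return "\r\n".join(headers).encode() + b"\r\n\r\n" + body.encode()


# Constructed sample mailbox: message numbers 1..4 on the server.
MAILBOX = [
    _mail('From: "Promo" <deals@spam-sender.invalid>', "To: me@example.invalid",
          "Subject: Cheap meds", "Message-ID: <1@spam-sender.invalid>"),
    _mail('From: "Support" <help@example-isp.invalid>', "To: me@example.invalid",
          "Subject: Verify your account now!!!", "Message-ID: <2@example-isp.invalid>"),
    _mail("From: alice@example.invalid", "To: me@example.invalid",
          "Subject: Lunch tomorrow?", "Message-ID: <3@example.invalid>"),
    _mail("From: news@example-news.invalid", "To: me@example.invalid",
          "Subject: Weekly digest"),            # no Message-ID at all
]

# Constructed rules; a real deployment would tune these from observed spam.
RULES = {
    "blocked_domains": {"spam-sender.invalid"},
    "subject_re": re.compile(r"verify your (account|password)|urgent action", re.I),
}


class FakePOP3:
    """Offline stand-in for poplib.POP3 with the same four calls we need."""
    def __init__(self, messages):
        self.msgs = dict(enumerate(messages, start=1))
        self.marked = set()          # DELE only marks; QUIT commits (RFC 1939)

    def list(self):
        items = [b"%d %d" % (n, len(m)) for n, m in self.msgs.items()
                 if n not in self.marked]
        return b"+OK", items, sum(len(i) for i in items)

    def top(self, which, howmuch):
        head, _, body = self.msgs[which].partition(b"\r\n\r\n")
        lines = head.split(b"\r\n") + [b""] + body.split(b"\r\n")[:howmuch]
        return b"+OK", lines, sum(len(l) for l in lines)

    def dele(self, which):
        self.marked.add(which)
        return b"+OK"

    def quit(self):
        for n in self.marked:
            del self.msgs[n]
        return b"+OK"


def spam_reason(hdr, rules=RULES):
    """Return why the headers look like junk, or None if they pass."""
    _, addr = parseaddr(str(hdr.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain in rules["blocked_domains"]:
        return "blocked sender domain " + domain
    if rules["subject_re"].search(str(hdr.get("Subject", ""))):
        return "subject matches lure pattern"
    if hdr.get("Message-ID") is None:
        return "no Message-ID header"
    return None


def triage(pop, rules=RULES):
    """TOP each message with 0 body lines, DELE what the rules reject."""
    _, listing, _ = pop.list()
    deleted, kept = [], []
    for item in listing:
        num = int(item.split()[0])
        _, lines, _ = pop.top(num, 0)            # headers only, no body
        hdr = BytesHeaderParser(policy=policy.default).parsebytes(b"\r\n".join(lines))
        reason = spam_reason(hdr, rules)
        if reason:
            pop.dele(num)
            deleted.append((num, reason))
        else:
            kept.append(num)
    pop.quit()                                   # commits the deletions
    return deleted, kept
```

Against a real server, replace FakePOP3(MAILBOX) with a logged-in poplib.POP3 object; because DELE is only committed by QUIT, a crash before quit() leaves the mailbox untouched.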
> I appreciate and understand your detailed and helpful reply, for which I
> thank you.
>
> Regrettably, you have failed to answer my question!
>
> Do the security features on *your* machine give you any sort of warning?
Don't need to, I have a built in Idiot/Troll Meter which is going off
like a fooken air raid siren right now.
--
A fireside chat not with Ari!
http://tr.im/holj
Motto: Live To Spooge It!
> If your mail tool speaks POP or IMAP (standards that predate the web),
> it speaks to the mail server in a very simple language of less than 20
> four letter commands. One of those commands is 'DELE' which takes one or
> more arguments (message numbers). That command tells the mail server to
> delete that message. Obviously you used a different command like 'TOP'
> or 'LIST' to see the headers (and perhaps a few lines of the body). The
> majority of spam is trivially identified looking at those headers.
> Download to the trash? Why bother?
I have found a predefined filter rule that will allow me to delete
directly on the server.
Should be the GUI equivalent of what you call 'DELE'.
As it looks, it has already deleted 3 junk mails directly from the
server, so thank you for telling me about the DELE option.
I would probably not have been looking for this option otherwise.
>>> I haven't bothered looking lately - what is the current price of a
>>> "Millions" CD - or are they DVDs now? (After all, a CD will only hold
>>> 676 million bytes, and that's only 15-20 million email addresses of
>>> proven fools.)
>
>>I do not know, do not care. But surely a few cents per address.
>
> The prices several years ago were on the order of 15-20 million
> addresses for US$250 - if you do the math, that's about 700 for a single
> cent. Selling addresses is not a lucrative business. What seems to be
> more common today is using dictionary attacks (where the bad guy takes a
> list of common names such as a telephone directory and tries variations
> of those names) and the common viruses (that read your address book to
> get a list of names you know to be valid). The whole world knows there
> are millions of idiots out there who will auto-run anything that has a
> URL. 'bot-nets use that technique fairly frequently - recall the bad
> guy doesn't pay for the computer time in 'bots'.
>
> Old guy
As you notice, I know nothing about this kind of buying/selling of
addresses, or these spiders that crawl around on the net collecting
addresses from all kinds of public servers on the net.
You should probably not try to let silence kill any problems, but with
spam, I am not so sure about that...
/Anders
You are entitled to say your piece - just as I am!
The live links in your 'signature' may, themselves, direct folk to pages
which are 'infected' - how would they ever know?
Regardless - I explored there and discovered that you have no suggested
means to 'clean' malware from an Apple Mac OS X computer.
Why is that? Mike Easter seems to think my experimentation might be
dangerous. How, exactly?
> Mike Easter seems to think my experimentation might be
> dangerous. How, exactly?
What I said was:
Mike Easter wrote:
> 3 reasons you shouldn't handle your spam the way you do: -1- it gets
> you more spam -2- it profits spammers -3- it risks your getting phished,
> scammed, or infected.
I also said that relying on safari browser or google safe browsing
alerts was not a guarantee to not visit a malware site. You are asking
for trouble when you open your spam and click on its links - and the
resultant trouble might be minor or significant as 1-3 above and others.
I also gave a sophos link about websites infecting mac systems.
I also said that your method of 'illustrating' the spam in your first
post was insufficient to determine how, in what obfuscated structure,
the payload of the spam was 'delivered' to you the recipient.
--
Mike Easter
Once again, Mike, you have missed the point I was trying to make!
Clicking on a link - *any* link - in a newsgroup post is, IMO, *far*
more dangerous than opening a SPAM message in one's 'in-box'.
David Lipman purports to be God's gift to malware cleaning and
prevention - he may, though, be responsible for its spread. I don't
believe you have any way of telling that he is one of the 'good guys'
for sure! ;)
No 'newbie' happening across one of his posts has any idea what payload
they may receive if they click on a link in his 'signature' - do they?
I do appreciate the help which you so generously offer. I hope others
benefit from your advice too. I'd like you to know, though, that I have
been experimenting with malware detection for almost 10 years and have
used a number of computers as a 'honey-pot' to attract every type of
malware you might imagine. I do fully appreciate that there is
absolutely *no* way to guarantee that one cannot be 'infected' if one
connects a machine to the Internet - no matter *what* protection one has
put in place beforehand!
> Clicking on a link - *any* link - in a newsgroup post is, IMO, *far*
> more dangerous than opening a SPAM message in one's 'in-box'.
Wrong.
All spam is designed to take advantage of the fools who allow it into
their inbox - in one way or another. Sometimes only to deliver more
spam, sometimes only to profit the payload link, sometimes to scam or
phish or deliver malware directly or indirectly. Handling spam the way
you do is always bad; misguided.
In the case of newsgroup posts, you have all kinds of different links.
Some of them are links of friends or goodguys, some of them are links
which belong to usenet spam or usenet malware distribution. Typically
for most people except html foolish, newsgroup reading is done in
plaintext, reducing its potential for direct harm to zero; whereas spam
is most often delivered as html, which greatly enhances its potential
for obfuscated harm.
I don't consider whatever has been your 'experience' in your type of
investigating to have been beneficial to you in enhancing your wisdom,
judgment, or expertise, regardless of how many years you have been doing
it.
--
Mike Easter
> .. I'd like you to know, though, that I have been experimenting with
> malware detection for almost 10 years
Your posting history would seem to contradict that statement, in my
opinion.
--
-bts
-Friends don't let friends drive Windows
That is, after all, your *opinion* - not fact.
> All spam is designed to take advantage of the fools who allow it into
> their inbox - in one way or another. Sometimes only to deliver more
> spam, sometimes only to profit the payload link, sometimes to scam or
> phish or deliver malware directly or indirectly. Handling spam the way
> you do is always bad; misguided.
>
You have no idea how I handle SPAM in normal course. You should not
simply assume that you know what I do in practice.
> In the case of newsgroup posts, you have all kinds of different links.
> Some of them are links of friends or goodguys, some of them are links
> which belong to usenet spam or usenet malware distribution.
Any active link, regardless of where it may indicate it is going to send
you, may be redirected to anywhere at all. One has absolutely no idea
where one might end up!
> Typically
> for most people except html foolish, newsgroup reading is done in
> plaintext, reducing its potential for direct harm to zero; whereas spam
> is most often delivered as html, which greatly enhances its potential
> for obfuscated harm.
>
I won't argue with that! ;)
> I don't consider whatever has been your 'experience' in your type of
> investigating to have been beneficial to you in enhancing your wisdom,
> judgment, or expertise, regardless of how many years you have been doing
> it.
>
I don't really care what *you* think about my experience, Mike.
*You* have much to learn about the human psyche!
Ah, 'twas designed to fool you, sir! ;)
> Beauregard T. Shagnasty wrote:
>> ~BD~ wrote:
>>> .. I'd like you to know, though, that I have been experimenting with
>>> malware detection for almost 10 years
>>>
>> Your posting history would seem to contradict that statement, in my
>> opinion.
>
> Ah, 'twas designed to fool you, sir! ;)
So it was a lie then. Credibility dips even further into the abyss.
> You have no idea how I handle SPAM in normal course. You should not
> simply assume that you know what I do in practice.
> *You* have much to learn about the human psyche!
Should I worry about treading on your personal self-pumped up psyche?
You started this thread by demonstrating a typical newbie behavior
of allowing spam into your inbox, then reading that spam subject/from,
then further opening that spam and rendering that spam's html and then
further clicking on that spamscam phish's spamlinks. You continued that
insecure ineptitude by illustrating that spam here in a typical newbie
fashion. Thus you instigated a newbie browser approach to a spamlink,
for which you got an alert which you cowered away from like a baby and
came running to this newsgroup for someone to investigate what you
incompetently approached.
Then, and subsequently, at this end of the thread, you are trying to
allege that you are some kind of experienced investigator of such as
spamscams and malware links and also that you control honeypots and have
a decade of experience as some kind of an alleged 'investigator' (in
your dreams) of various spams and scams and malware links.
Your allegations of such expertise are completely and totally
unbelievable. You portray some characteristics of not only an ordinary
troll but also some kind of delusional braggart regarding skills you
don't possess in addition to being a general ordinary and run of the
mill usenet liar.
--
Mike Easter