
Re: Pointer: Foiling spam and other procmail email-filter tips


Jari Aalto

Nov 6, 2004, 5:59:39 AM
* 2004-11-03 ts AT UWasa.Fi (Timo Salmi) comp.mail.misc
|
| Foiling Spam with an Email Password System
| http://www.uwasa.fi/~ts/info/spamfoil.html
| Last-Modified: Mon 24-May-2004 09:50
|
| 1. An Email Password System
| (Blacklisting, Whitelisting, Requiring the password)

In current Internet mail delivery situation using automatic response
tools is questionable. The problem is in the design of SMTP and not
tied to a particular implementation, be it:

- a simple vacation recipe
- TMDA
- Challenge-Response
- Password system

All of these are instruments that can be used to mail bomb innocent
third parties. The reader is encouraged to read the following document,
which describes the problems and the possibilities of using similar
systems for mass abuse.

http://pm-lib.sourceforge.net/README.html

In short, see this picture from the document:

http://pm-lib.sourceforge.net/pic/cr-system-joe-job.png

....Picture 4. Challenge-Response system and its fundamental flaw. It
is not possible to know the sender's address, so any challenges
being sent are possibly returned to innocent third parties, whose
email addresses have been hijacked. This is the current spammers'
strategy - They collect addresses from web pages and pretend to be
someone else by forging the identity at SMTP RCPT MAIL FROM time.
All C-R systems where the spammer injects a false address shoot in
the dark, and the innocent victim is under attack of a so-called
"Joe-Job".

Jari

Timo Salmi

Nov 6, 2004, 1:05:28 PM
Jari Aalto <jari.aalto AT cante.net> wrote:
> * 2004-11-03 ts AT UWasa.Fi (Timo Salmi) comp.mail.misc
> | Foiling Spam with an Email Password System

> | 1. An Email Password System

> | (Blacklisting, Whitelisting, Requiring the password)

> In current Internet mail delivery situation using automatic response
> tools is questionable. The problem is in the design of SMTP and not

Jari, point taken. I have removed that link from my information
posting. In the future only the link to proctips will be presented.
Furthermore I have added a Google reference to your posting in the
web page text. I am not removing the page, but I'll cease posting
the link.

All the best, Timo

--
Prof. Timo Salmi ftp & http://garbo.uwasa.fi/ archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:t...@uwasa.fi <http://www.uwasa.fi/~ts/> ; FIN-65101, Finland
Timo's procmail tips at http://www.uwasa.fi/~ts/info/proctips.html

Alan Connor

Nov 6, 2004, 3:20:35 PM


The above post is a forgery. Check the headers.

The only people that don't like Challenge-Responses are spammers,
those that use their services, and mail professionals who make
a living via their expertise with outmoded spam-filters.

The links in Jari Aalto's response to the real Timo Salmi are
full of outright falsehoods and exaggerations and omissions.

Even Earthlink, one of the largest ISPs on the planet, offers
Challenge-Response filters as a part of its standard spam-
fighting package, to all of its customers.

Nice try, spammer scum.

Oh. Stay out of my mailboxes.

Done.

AC


--
Pro-Active Spam Fighter
Pass-list --> Block-list --> Challenge-Response
http://tinyurl.com/2t5kp

Jari Aalto

Nov 6, 2004, 7:07:53 PM
* 2004-11-06 ts AT UWasa.Fi (Timo Salmi) comp.mail.misc

| Jari Aalto <jari.aalto AT cante.net> wrote:
|
| > * 2004-11-03 ts AT UWasa.Fi (Timo Salmi) comp.mail.misc
| > | Foiling Spam with an Email Password System
|
| > | 1. An Email Password System
| > | (Blacklisting, Whitelisting, Requiring the password)
|
| > In current Internet mail delivery situation using automatic response
| > tools is questionable. The problem is in the design of SMTP and not
|
| Jari, point taken. I have removed that link from my information
| posting. In the future only the link to proctips will be presented.
| Furthermore I have added a Google reference to your posting in the
| web page text. I am not removing the page, but I'll cease posting
| the link.

Hi Timo,

I intended to send you a message before, but then noticed this posting
in the newsgroup. I know the feeling of being forced to drop a feature
that looked so useful :-)

After looking at the SMTP protocol, I had to conclude that there is no
way to guarantee that the response goes to the intended sender.

For example, I get a lot of forged mail coming in "my name" and I have
even received mail from address

ts AT uwasa.fi

which obviously was forged (as Received headers revealed too)

I've even changed my mail server to NOT RETURN messages for certain
types, which from the purist side is against the current RFCs but which
saves innocent parties from false mail bombing because the addresses
may be forged. There is no point in sending VIRUS/SPAM back if mail
filters have caught them. So I just drop those messages to /dev/null
instead of the normal RCPT REJECT that many mail servers issue.

I appreciate your work, and we just hope to spread the word which
practices are good and which bad.

Jari


Sam

Nov 6, 2004, 7:14:10 PM
Alan Connor writes:

> On 6 Nov 2004 20:05:28 +0200, Timo Salmi <t...@UWasa.Fi> wrote:
>
>> Jari, point taken. I have removed that link from my information
>> posting. In the future only the link to proctips will be
>> presented. Furthermore I have added a Google reference to your
>> posting in the web page text. I am not removing the page, but
>> I'll cease posting the link.
>>
>

> The above post is a forgery. Check the headers.

Ok Beavis, you ignorant slut, let's check the headers:

Path: ...!newsfeeds.funet.fi!news.uwasa.fi!not-for-mail
From: t...@UWasa.Fi (Timo Salmi)

The headers look good to me!

> The only people that don't like Challenge-Responses are spammers,

I guess that makes your hero, Timo Salmi, a spammer, right Beavis?

> Even Earthlink, one of the largest ISPs on the planet, offers
> Challenge-Response filters as a part of its standard spam-
> fighting package, to all of its customers.

And that's why their mail servers got blacklisted, Beavis.

> Oh. Stay out of my mailboxes.

Beavis: stay out of my mailbox. I really mean it.

Jari Aalto

Nov 6, 2004, 7:16:35 PM
* Sat 2004-11-06 Alan Connor <zzzzzz AT xxx.yyy> comp.mail.misc

| On 6 Nov 2004 20:05:28 +0200, Timo Salmi <ts AT UWasa.Fi> wrote:
|
| The above post is a forgery. Check the headers.

Heh, you made my day. By all means. While you're at it, check the
www.sourceforge.net for "Jari Aalto"



| The only people that don't like Challenge-Responses are spammers,
| those that use their services, and mail professionals who make
| a living via their expertise with outmoded spam-filters.
|
| The links in Jari Aalto's response to the real Timo Salmi are
| full of outright falsehoods and exaggerations and omissions.

This is better than watching a play. Can we have some more of this.



| Even Earthlink, one of the largest ISPs on the planet, offers
| Challenge-Response filters as a part of its standard spam-
| fighting package, to all of its customers.
|
| Nice try, spammer scum.

And if Earthlink uses the C-R system ... it proves what? That they are
not up to the full information of the consequences or how the SMTP
protocol really works?

Hm, I'll try to write them again. Maybe Earthlink comes to its
senses and listens to some grass-roots-level appeals.

| Oh. Stay out of my mailboxes.
|
| Done.

*LOL*

Best play I have read for a long time....

Jari

Jari Aalto

Nov 6, 2004, 8:06:12 PM
* Sat 2004-11-06 Alan Connor <zzzzzz AT xxx.yyy> comp.mail.misc
| The only people that don't like Challenge-Responses are spammers,
| those that use their services, and mail professionals who make
| a living via their expertise with outmoded spam-filters.

When I have no better things to do, I may get an inspiration to
review your procmail code that you call a C-R implementation.

For interested parties, Alan's "Super spam catcher" implementation,
which "guarantees to stop spam 100 %", is available at:

http://home.earthlink.net/~alanconnor/elrav1/

and mirror at

http://cante.net/mirror/users/connor-alan/

The code is, how would I put it mildly, entertaining and amusing.

Jari

Alan Connor

Nov 6, 2004, 8:55:44 PM
On Sun, 07 Nov 2004 02:16:35 +0200, Jari Aalto
<jari....@cante.net> wrote:


> * Sat 2004-11-06 Alan Connor <zzzzzz AT xxx.yyy> comp.mail.misc
>
>| On 6 Nov 2004 20:05:28 +0200, Timo Salmi <ts AT UWasa.Fi>
>| wrote:
>|
>| The above post is a forgery. Check the headers.
>
> Heh, you made my day. By all means. While you're at it, check
> the www.sourceforge.net for "Jari Aalto"
>

I wasn't responding to your post nor referring to it, you
blithering idiot.

But thanks. This should give the readers some real insight into
your credibility.

Now, about those anti-Challenge-Response links on your post to
Timo Salmi in this thread.

Most of it is based upon the original C-R systems, which no one
but idiots have used in years.

The link in my sig leads to a very brief outline of the structure
and function of a modern spam filter that incorporates C-Rs.

They work very well indeed.

Which is why the spammers are so freaked out about them.

Jari is the worst sort: His un-solicited commercial bulk email
isn't really spam; it's only the _other_ guys un-solicited bulk
commercial email that's _really_ spam.

Yes, that is exactly how people like him think.

<shrug> But who would expect a spammer to have ethics?

Don't like C-Rs, Jari?

Tough titty.

Stay out of my mailbox.

That's not a request, it is a done deal.

I won't even know you tried.

And no one I want to hear from has the slightest difficulty
reaching me.

<snip>

Would you please get a fucking life?

You lost this fight long ago.

For God's sake, one of the *major ISPs* uses C-Rs now.

There is no point in continuing your sophomoric anti-C-R
propaganda campaign.

Unless you are simply insane, which is possible.

Sam

Nov 6, 2004, 9:34:27 PM
Beavis writes:

> On Sun, 07 Nov 2004 02:16:35 +0200, Jari Aalto
> <jari....@cante.net> wrote:
>
>

>> * Sat 2004-11-06 Beavis <zzzzzz AT xxx.yyy> comp.mail.misc


>>
>>| On 6 Nov 2004 20:05:28 +0200, Timo Salmi <ts AT UWasa.Fi>
>>| wrote:
>>|
>>| The above post is a forgery. Check the headers.
>>
>> Heh, you made my day. By all means. While you're at it, check
>> the www.sourceforge.net for "Jari Aalto"
>>
>
> I wasn't responding to your post nor referring to it, you
> blithering idiot.

“Blithering idiot” is something that I often say, and usually when I'm
referring to you, Beavis.

I'm humbled by your reference for my personal vocabulary, Beavis. I hope
that you can put it to good use.

> But thanks. This should give the readers some real insight into
> your credibility.

And exactly how much credibility do you yourself have, Mr. "zzz...@xxx.yyy"?

> Most of it is based upon the original C-R systems, which no one
> but idiots have used in years.

Right, Beavis, and the proof of them being idiots is the fact that despite
their proclaimed usage of C-R systems, they still feel the need to munge
their Usenet posting address. Right?

> The link in my sig leads to a very brief outline of the structure
> and function of a modern spam filter that incorporates C-Rs.

Oh, my goodness! You mean, finally people will be able to use their real
E-mail address, when posting to Usenet?

> They work very well indeed.

Splendid, Beavis! And when can we expect you to begin using such a
marvelous system?

> Stay out of my mailbox.

You stay out of my mailbox too, Beavis. And I REALLY REALLY mean it. If
you don't, I'll just make fun of you. And make mean faces at you. And tell
everyone that you have cooties!

Timo Salmi

Nov 7, 2004, 2:18:50 AM
Alan Connor <xx...@yyy.zzz> wrote:
> On 6 Nov 2004 20:05:28 +0200, Timo Salmi <t...@UWasa.Fi> wrote:
> > Jari, point taken. I have removed that link from my information
> > posting. In the future only the link to proctips will be

> The above post is a forgery. Check the headers.

This brings up an interesting, related topic. How does one detect a
news posting forgery? Or, in particular now, how can one
authenticate to the community one's own posting, if need be?

I have one idea for the latter. Usenet news postings and email are
notoriously easy to forge. Web pages are not as easy to crack. Thus
the following page http://www.uwasa.fi/~ts/http/verify.html should
serve as an example of verifying the authenticity of a Usenet news
posting with a reasonable certainty. In this case my posting with
Message-Id: cmj3p8$p...@poiju.uwasa.fi

Andrzej Adam Filip

Nov 7, 2004, 2:52:00 AM

Could you post a few of the most interesting pieces? :-)
Add your comments to allow easy references in future replies to Alan.

--
Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
Home Page http://anfi.homeunix.net/ [ PageRank 6 ]
*Random Epigram* :
Life is a limited choice game.
-- 2004

Andrzej Adam Filip

Nov 7, 2004, 3:04:00 AM
Timo Salmi wrote:
> [...]

> This brings up an interesting, related topic. How does one detect a
> news posting forgery? Or, in particular now, how can one
> authenticate to the community one's own posting, if need be?

One very nice option is provided by the PGPControl standard for signing Usenet
control messages. It is transparent to news readers unaware of it. It adds
one extra header with a PGP/GPG signature of the message body and a few chosen
headers. I use it to sign my posts to this group.

ftp://ftp.isc.org/pub/pgpcontrol/README.html

> I have one idea for the latter. Usenet news postings and email are
> notoriously easy to forge. Web pages are not as easy to crack.

I sign my web pages using external "detached" signature file e.g.
http://anfi.homeunix.net/index.html
http://anfi.homeunix.net/index.html.asc

<link rel="signature" href="./index.html.asc" title="GnuPG Signature"
type="application/pgp-signature" />

[Embedded signatures created some problems with some browsers; "Show source"
suggested a broken/invalid signature]

> Thus the following page http://www.uwasa.fi/~ts/http/verify.html should
> serve as an example of verifying the authenticity of a Usenet news
> posting with a reasonable certainty. In this case my posting with
> Message-Id: cmj3p8$p...@poiju.uwasa.fi

--

Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
Home Page http://anfi.homeunix.net/ [ PageRank 6 ]
*Random Epigram* :

Though the bird may fly over your head, let it not make its nest in your hair.
-- Danish Proverb

Jari Aalto

Nov 7, 2004, 4:59:32 AM
* Sun 2004-11-07 Alan Connor <zzzzzz AT xxx.yyy> comp.mail.misc

| On Sun, 07 Nov 2004 02:16:35 +0200, Jari Aalto
| I wasn't responding to your post nor referring to it, you
| blithering idiot.

That's very kind of you :-)



| Most of it is based upon the original C-R systems, which no one
| but idiots have used in years.
|
| The link in my sig leads to a very brief outline of the structure
| and function of a modern spam filter that incorporates C-Rs.
|
| They work very well indeed.

Right.

1. Would you care to educate us, when was the SMTP standard changed to
accommodate those "modern C-R systems" you're referring to.

2. Please state the C-R systems and their web links you're
referring to as "modern" that do not have those underlying problems
caused by current SMTP protocol in use.

I understand that your C-R is only part of the chain, but that
"C-R" part is what I'm interested in for 1 and 2.

| Would you please get a fucking life?
| You lost this fight long ago.
| For God's sake, one of the *major ISPs* uses C-Rs now.
|
| There is no point in continuing your sophomoric anti-C-R
| propaganda campaign.
|
| Unless you are simply insane, which is possible.

Let's see if people can use their own brains, shall we? Truth has
nothing to fear.

I'm confident that people are able to read your grounded arguments as
opposed to what the SMTP standard enables spammers to do; namely to
forge addresses without restrictions.

If you consider that a major ISP is the proof, you should know better.
Big companies make mistakes all the time.

How about that oil accident near the coast of Alaska years ago? And
then it happened on the other side of Atlantic again ...

Greenpeace : Ruptured oil tanker sinking off coast of Spain
http://www.greenpeace.org.nz/news/news_main.asp?PRID=437

Fifteenth Anniversary of Exxon Valdez Disaster
...The Exxon Valdez spill is still considered as the most damaging
oil spill in U.S. history, and it ranks as number one worldwide in
terms of environmental damage.
http://environment.about.com/cs/waterissues/a/aa032404a.htm


Jari

Alan Connor

Nov 7, 2004, 2:08:04 PM
On 7 Nov 2004 09:18:50 +0200, Timo Salmi <t...@UWasa.Fi> wrote:


> Alan Connor <xx...@yyy.zzz> wrote:
>
>> On 6 Nov 2004 20:05:28 +0200, Timo Salmi <t...@UWasa.Fi> wrote:
>>
>> > Jari, point taken. I have removed that link from my
>> > information posting. In the future only the link to proctips
>> > will be
>
>> The above post is a forgery. Check the headers.
>
> This brings up an interesting, related topic. How does one
> detect a news posting forgery? Or, in particular now, how can
> one authenticate to the community one's own posting, if need
> be?
>
> I have one idea for the latter. Usenet news postings
> and email are notoriously easy to forge. Web pages
> are not as easy to crack. Thus the following page
> http://www.uwasa.fi/~ts/http/verify.html should serve as an
> example of verifying the authenticity of a Usenet news posting
> with a reasonable certainty. In this case my posting with
> Message-Id: cmj3p8$p...@poiju.uwasa.fi
>
> All the best, Timo
>

It's a good idea, much better than PGP, and could be scripted
easily, the code incorporated into any newsreader.

But *this* time, Professor, I am way ahead of you:

http://home.earthlink.net/~alanconnor/post.html

And I published the concept long before that page went up, on
comp.os.linux.misc during a discussion about PGP sigs on the
Usenet.


AC


Alan Connor

Nov 7, 2004, 3:58:13 PM

Postscript

That being said, I am not planning on putting up a webpage
promoting the concept, which you have already done and are in a
much better position to do a good job of, so it is all yours.

I will lend what support I can.

Some thoughts:

A post that can be validated in this way should have a single
line, part of a legal sig (per Netiquette guidelines) that is
composed of the URL to the validation webpage prefaced by a
string (regular expression) easily isolated by common nix tools
like sed and grep.

TSV=http://home.earthlink.net/~alanconnor/post.html

It should be the last line in the sig, which would be the last
line of the post.

Now, when someone sees that line in a sig, they can pipe the post
(using a keyboard macro) to a script that parses the URL and
hands it to wget, which retrieves the webpage and looks for the
correct From header, Message-ID and Subject Line and *general*
date (tricky), as well as the correct newsgroups in that header,
and the right References.

Now, the other side of the coin.

I post an article to alt.whatever. When I exit the
newsreader, a script searches the local file containing
copies of my outgoing posts for new entries and extracts the
Subject/References/From/Newsgroups information and sends it to
a temp file. When next my newsreader downloads posts from the
server, that post is located by the script and the Message-ID is
extracted, the local copy of the current day's page edited and
ftped to the website.

There would be one page for each day (GMT), to keep the process
short and sweet, with an option to search earlier days written
into the script; or a range of days.

(The script would have an option to set the number of days of
back searches according to the habits of the user. For someone
that only checked for new posts once a week, then they could
set their script to look back seven days whenever they chose
to validate a post.)

So my validation page above would be divided into many
short pages, and a hypothetical current page would actually be
titled:

http://home.earthlink.net/~alanconnor/TSV/110704

But all anyone would see in the sig would be:

http://home.earthlink.net/~alanconnor/TSV/

With the script filling in today's date before going to the
website.

To conserve inodes on the server, validation pages older than
a month (?) could be concatenated and compressed/archived.

What do you think, Professor?

Timo Salmi

Nov 7, 2004, 6:23:00 PM
Alan Connor <xx...@yyy.zzz> wrote:
> On Sun, 07 Nov 2004 19:08:04 GMT, Alan Connor <zzz...@xxx.yyy> wrote:
> > On 7 Nov 2004 09:18:50 +0200, Timo Salmi <t...@UWasa.Fi> wrote:
> >> I have one idea for the latter. Usenet news postings
> >> and email are notoriously easy to forge. Web pages
> >> are not as easy to crack. Thus the following page
> >> http://www.uwasa.fi/~ts/http/verify.html should serve as an

> > But *this* time, Professor, I am way ahead of you:
> > http://home.earthlink.net/~alanconnor/post.html

Ok. Readily noted. A parallel from FAQ writing: "The initial origins
of many of the ideas are often ambiguous and may have been
discovered separately by several authors." This time, at least, I
thus know of a case (yours) that clearly precedes mine.

> > And I published the concept long before that page went up, on
> > comp.os.linux.misc during a discussion about PGP sigs on the
> > Usenet.

> Some thoughts:


> A post that can be validated in this way should have a single
> line, part of a legal sig (per Netiquette guidelines) that is

> What do you think, Professor?

I have not thought of the details, especially since one posts so
much. This just came as a special thought of what to do if any of
one's posting ever is challenged.

Another, but very much related question is how does one prove one's
own identity, that is, verify that one is who one claims one is
(should anyone care :-). Role-playing is such a common thing on
electronic channels.

One potential solution goes to the complexity of one's environment
and the difficulty of setting up a fictitious one. That facet is
something that has come up earlier. In my case first in a Finnish
newsgroup. My personal situation in that respect is a fortunate one.
"Forging an entire Finnish university with its thousands of www
pages, surface addresses, phone numbers, personal rosters, lectures
and everything, year after year is a practical impossibility."

Alan Connor

Nov 7, 2004, 9:12:10 PM
On 8 Nov 2004 01:23:00 +0200, Timo Salmi <t...@UWasa.Fi> wrote:


> Alan Connor <xx...@yyy.zzz> wrote:
>
>> On Sun, 07 Nov 2004 19:08:04 GMT, Alan Connor <zzz...@xxx.yyy>
>> wrote:
>>
>> > On 7 Nov 2004 09:18:50 +0200, Timo Salmi <t...@UWasa.Fi>
>> > wrote:
>> >
>

<snip>

>> What do you think, Professor?
>
> I have not thought of the details, especially since one posts
> so much. This just came as a special thought of what to do if
> any of one's posting ever is challenged.
>
> Another, but very much related question is how does one prove
> one's own identity, that is, verify that one is who one claims
> one is (should anyone care :-). Role-playing is such a common
> thing on electronic channels.
>
> One potential solution goes to the complexity of one's
> environment and the difficulty of setting up a fictitious
> one. That facet is something that has come up earlier. In my
> case first in a Finnish newsgroup. My personal situation in
> that respect is a fortunate one. "Forging an entire Finnish
> university with its thousands of www pages, surface addresses,
> phone numbers, personal rosters, lectures and everything, year
> after year is a practical impossibility."
>
> All the best, Timo
>

Hard to argue with that, but I don't think one needs that much.

It is very difficult to forge an IP. They are, by definition,
unique.

No one but me, barring a compromised server, can post at
or modify http://home.earthlink.net/~alanconnor/

That doesn't prove that I am Alan Connor, but then, neither
does a PGP public key pair: They merely prove that one has
created a pair using a particular name.

http://home.earthlink.net/~alanconnor/pubkey.html

But that's fine for the Usenet and most mail. We can respect
privacy and still prevent alias forgery.

It doesn't matter to me whether you are Timo Salmi
or not.

It just matters that you are the same person who was posting
using that name in the past.

Jonathan de Boyne Pollard

Nov 9, 2004, 7:43:27 AM
TS> How does one detect a news posting forgery?

Verification of digital signatures.

TS> I have one idea for the latter.

It's a half-baked one. Prove to us that the message that you wrote and
attached the message ID <cmj3p8$p...@poiju.uwasa.fi> to is the same as
the message that (say) Seth Breidbart sees with the message ID
<cmj3p8$p...@poiju.uwasa.fi> attached to it.

This ground has been trod before, years ago. Don't re-invent half-baked
ideas. Learn from history.
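
The validation-page check described earlier in this thread, together with the objection in the message above, as an added example (not code from any poster in the thread): the reader-side script compares Message-ID, From, Subject and Newsgroups against the published page, and the run shows that a copy with an altered body still passes unless the page also carries a digest of the body. The one-line-per-post page format, the SHA-256 field, the function names and the example.invalid addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. The page format (one tab-separated
# line per post) and the SHA-256 body field are assumptions made here.

# URL from the last "TSV=" line of the post in file $1.
tsv_url() {
    sed -n 's/^TSV=\(http[^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Value of header $2 in post file $1 (header block ends at first blank line).
header() {
    sed -n -e '/^$/q' -e "s/^$2: *//p" "$1" | head -n 1
}

# SHA-256 of everything after the header block.
body_digest() {
    sed '1,/^$/d' "$1" | sha256sum | cut -d' ' -f1
}

# The four headers the thread proposes to compare, tab-joined.
post_key() {
    printf '%s\t%s\t%s\t%s' "$(header "$1" Message-ID)" "$(header "$1" From)" \
        "$(header "$1" Subject)" "$(header "$1" Newsgroups)"
}

# Author side: the line to append to the day's validation page.
publish_line() {
    printf '%s\t%s\n' "$(post_key "$1")" "$(body_digest "$1")"
}

# Reader side, headers only: $1 = post file, $2 = fetched page.
check_headers() {
    KEY=$(post_key "$1") awk -F '\t' \
        '$1 != "" && ($1 FS $2 FS $3 FS $4) == ENVIRON["KEY"] { ok = 1 }
         END { exit !ok }' "$2"
}

# Reader side, headers plus body digest.
check_full() {
    KEY="$(post_key "$1")$(printf '\t')$(body_digest "$1")" awk -F '\t' \
        '$1 != "" && ($1 FS $2 FS $3 FS $4 FS $5) == ENVIRON["KEY"] { ok = 1 }
         END { exit !ok }' "$2"
}

# Run check function $1 on post $2 against page $3 and name the outcome.
verdict() {
    if "$1" "$2" "$3"; then echo accepted; else echo rejected; fi
}

dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT

# Constructed post, as its author sent it.
cat > "$dir/original" <<'EOF'
From: poster@example.invalid (Example Poster)
Newsgroups: comp.mail.misc
Subject: Re: test of post validation
Message-ID: <constructed-1@news.example.invalid>

I have removed that link from my information posting.
--
TSV=http://www.example.invalid/TSV/
EOF

# The author publishes the record. A reader would fetch the page named by
# tsv_url, for example with wget -q -O -; a local file stands in for it here.
publish_line "$dir/original" > "$dir/page"

# Same headers, altered body: a copy that changed after the author sent it.
sed 's/I have removed/I have not removed/' "$dir/original" > "$dir/altered"
# Different Message-ID: a post the author never listed.
sed 's/constructed-1@/constructed-2@/' "$dir/original" > "$dir/unlisted"

for f in original altered unlisted; do
    printf '%-9s headers-only: %s  with-digest: %s\n' "$f" \
        "$(verdict check_headers "$dir/$f" "$dir/page")" \
        "$(verdict check_full "$dir/$f" "$dir/page")"
done
```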

Timo Salmi

Nov 9, 2004, 10:23:16 AM
Jari Aalto <jari.aalto AT cante.net> wrote:
> * 2004-11-03 ts AT UWasa.Fi (Timo Salmi) comp.mail.misc
> | Foiling Spam with an Email Password System
> | http://www.uwasa.fi/~ts/info/spamfoil.html
> |
> | 1. An Email Password System
> | (Blacklisting, Whitelisting, Requiring the password)

> In current Internet mail delivery situation using automatic response
> tools is questionable. The problem is in the design of SMTP and not

Jari, one obvious further comment (while not changing what I
responded earlier). Requiring a password and an automatic response
are not necessarily the same thing. They can be, and often are. But
passwording can be used detached from any autoresponding. The
question is how one delivers the password. Automated C/R is one of
the methods, but certainly not the only one.

Andrzej Adam Filip

Nov 9, 2004, 10:46:00 AM
Timo Salmi wrote:
> Jari Aalto <jari.aalto AT cante.net> wrote:
>
>>* 2004-11-03 ts AT UWasa.Fi (Timo Salmi) comp.mail.misc
>>| Foiling Spam with an Email Password System
>>| http://www.uwasa.fi/~ts/info/spamfoil.html
>>|
>>| 1. An Email Password System
>>| (Blacklisting, Whitelisting, Requiring the password)
>
>>In current Internet mail delivery situation using automatic response
>>tools is questionable. The problem is in the design of SMTP and not
>
> Jari, one obvious further comment (while not changing what I
> responded earlier). Requiring a password and an automatic response
> are not necessarily the same thing. They can be, and often are. But
> passwording can be used detached from any autoresponding. The
> question is how one delivers the password. Automated C/R is one of
> the methods, but certainly not the only one.

Timo,

Have you investigated implementing the feature at MTA level?
MTA may send back "hints" in response to "RCPT TO:" command.

+ It should be possible to implement the feature as sendmail's milter
[e.g. an extra function to GPL licensed perl based MIMEDefang milter]
- some mail readers "hide" rejecting MTA replies.

--
Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
Home Page http://anfi.homeunix.net/ [ PageRank 6 ]
*Random Epigram* :

For men use, if they have an evil turn, to write it in marble:
and whoso doth us a good turn we write it in dust.
-- Sir Thomas More

Timo Salmi

Nov 9, 2004, 1:01:38 PM
Andrzej Adam Filip <an...@priv.onet.pl> wrote:

> Timo Salmi wrote:
> > are not necessarily the same thing. They can be, and often are. But
> > passwording can be used detached from any autoresponding. The
> > question is how one delivers the password. Automated C/R is one of
> > the methods, but certainly not the only one.

> Timo,
> Have you investigated implementing the feature at MTA level?
> MTA may send back "hints" in response to "RCPT TO:" command.

I have to stay at the "ordinary user privileges" level.
