
RE: Test (fwd)

Yeah, I thought about that.  I almost asked first, but I ended up figuring
you would not mind...plus, the surprise of it might cause a little more
uproar, which helps illustrate the point a little better.

For those on the list paying attention, I will note that Dennis' lists
(contrary to his beliefs in his post) are no more secure.  I was able to
do the same thing on one of his lists.  In the end, it is a function of the
relatively insecure format of the current email system.  There are
companies that are working on "trusted" email systems that will allow you
to verify that the sender is who they say they are, but I don't think they
are there yet.

The lesson that should be learned is that ANY email message that comes
from ANYONE should be taken with at least a slight grain of salt.  Even if
you get a message on the list from someone who appears to be say Harold
Sprague, it is entirely possible that someone may have spoofed his email
address.  Thus, even though we all know that Harold gives great advice and
expertise, it is entirely possible that someone could offer up advice in
his name.  As such, in general it is a good idea to "know" your sender in
the sense that you can recognize their "style".  If you suspect that
something someone sends you does not match their "style" or you have ANY
doubts, then either ignore the message or if it is important and you
really need to know, contact that person privately to make sure they
actually sent it.  If it is a matter of spoofing the email address, then
sending to the person's email address (even if spoofed) will still end up
with the message getting to them.  The only reason it would not get to
them is if their computer/email account has been compromised in some
manner (hacked, wormed, etc).

Regards,

Scott (is it really me? <grin>)
Adrian, MI


On Sun, 4 Jun 2006, Dennis Wish wrote:

> It would have helped if you told me you were going to send a test message to
> the SEAINT List using my name! I received a copy of the post and knew that I
> did not send it yesterday. This could only mean that someone impersonated
> me. I went searching for e-mail from people I knew and lo and behold, here
> is Scott's Re: Test (fwd).
> I don't mind, but you have done something I thought was not possible and
> that was to impersonate my ISP information. For years, I believed that we
> were protected as long as the post to any list originated on the ISP address
> provided the subscriber. I've had no other problems on the Structuralist.Net
> list as each spam (and there are plenty) have been trapped.
> Each list requires the subscriber to confirm their subscription choice. I
> believed this was also required to link the subscriber's IP address.
> You were correct - I don't mind and am relieved to find out it was you.
> Everything from today forward that is posted and which causes heated debate
> and disagreement originated from Scott in my name because he knows how to
> spoof my account! (Just kidding)
>
> SEAINT uses Majordomo Lists which I believe are one of the oldest. Most
> ISPs who web host will update the software as the case occurs. I believe
> that SEAINT.ORG hosts their own Server as a few years ago there was a
> concern with those who used SEAOSC to host their website and SEAOSC or
> SEAINT relocated their domain name under the web host (SEAINT) as the
> management for the web. This caused some loss of control if I recall by the
> actual domain owner and possibly set up a conflict of interest.
>
> I have not kept up with Majordomo List improvements or upgrades and inasmuch
> as SEAINT owns the server, it may be possible that they have not upgraded
> the public domain software (I believe it is public domain).
>
> My web host for the Structuralist.Net lists is Mailman Software which is
> also open source list software. In my case, I pay about $60.00 a year for
> web hosting on a three-year contract and unlimited Lists are included in my
> package along with 2 or more gig of storage space for software downloads (no
> charge for the SQL database storage). Mailman(tm) is one of the better list
> software because they frequently upgrade the software which the ISP
> maintains on their servers and which provide a tremendous amount of control
> by the list owner. I can automatically delete all messages, for example, not
> sent from the subscriber. In addition, the subscriber must send their post
> from the ISP's address that they subscribed. If I tried to log on my
> daughter's machine and send any of my lists a message through her EarthLink
> account it would bounce. If I don't wish to allow Mailman to delete messages
> automatically, I can bounce them around and notify me until I review all
> accumulated messages from unauthorized subscribers. The latest update allows
> me to automate the deletion process for all posts in seconds rather than going
> through each one as I had to do two years ago.
>
> Lists can also be locked and these require either a moderator or approval to
> post. I have only one or two lists that were of sensitive nature (Blast
> Resistant Structures) that require authorization after review of the post.
> In most cases, this is intended to know who the subscriber is and to provide
> specific approval to this subscriber before he can access the list.
>
> Finally, one most important point of Mailman software is that I have a choice
> to announce the lists publicly on the Usenet or not. I chose not to and each
> user has a spam prefix added to their e-mail address or may hide their
> identity from the general community so that the e-mail list name is noted on
> the post - all other information is stripped from the header.
>
> I would strongly recommend that since the Majordomo list or whichever one
> SEAINT is using will not protect against identity theft, they consider a
> change in the software to Mailman or other secure software. Most are free
> and secure. As I said before, you are welcome to join any of my
> Structuralist.Net lists and if you e-mail me a request, I will send you a
> list of those available. However, I strongly request that you help to preserve
> the future of the SEAINT List. There is room for many of us with
> professional sites. I am not afraid of competition and have created the
> Structuralist lists only to move forward on my thought that "topic specific
> lists" will make it easier to filter out the information that most of us
> want and skip over that which we are not interested in reading.
>
> I guess you can blame the messenger!
> Dennis
>
> -----Original Message-----
> From: Scott Maxwell [mailto:smaxwell(--nospam--at)engin.umich.edu]
> Sent: Sunday, June 04, 2006 12:06 AM
> To: seaint(--nospam--at)seaint.org
> Cc: Dennis S. Wish
> Subject: Test (fwd)
>
> Fellow Listers:
>
> I (as little old me) send this message to the list to prove a point.  It
> is VERY easy to spoof someone else's email address such that SPAM can be
> sent to the list.  In this case, a VERY simple change to the settings of
> my email client allowed me to send an email message to the list in Dennis'
> name (I chose his email address cause I figured he would not mind me
> using it to illustrate how easy it was for the spammer to do his/her
> thing with no "hacking" involved, not to mention that he is a friend).
> This is what I suspect happened with the recent spate of SPAM.  The
> spammer just spoofed the seaint-ad(--nospam--at)seaint.org email address and then
> SPAMMED the list.  Thus, the listserv thought it was a "registered" member
> of the list and accepted the messages.
>
> The point is that the list has no other "defense" other than the check of
> whether or not the person sending the message is a member of the list.  As
> this check basically only entails a check of the sender's email address
> and it is VERY easy to spoof an email address, this is a very "loose"
> defense.  Beyond that, there appears to be nothing else there to "protect"
> the list.  No SPAM filters.  No more sophisticated checks of who a sender
> purports to be (although to some degree this is a general problem as there
> are no real systems in place for this as the most likely system could
> cause problems for some...one way would be to check the email sender's
> email address domain against the outgoing email server's domain, but the
> problem with this is that some email accounts/arrangements don't include
> access to an outgoing server...for example, if I choose to access this
> email account by way of a client that is local to my home computer [I am
> currently remotely logged into a Unix box thru a SSH session and using a
> text based email client called Pine from a Unix prompt] such as Outlook,
> then I have to set Outlook to use my ISP's [Comcast] outgoing email server
> as I can not send through a U of Michigan outgoing server unless I am
> "physically" on their network [i.e. on campus or "dialing-in"...in other
> words, my internet connection is provided by them such that they are my
> ISP]).
>
> The point is that it is relatively easy to post to the list in
> "non-standard" ways and unless how the list is setup is drastically
> changed, this will not change.  I don't know if there is an easy fix for
> this or not on SEAINT's part.  We may just have to live with it if there
> is not.  Personally, I don't mind the extra SPAM...I get a crap load
> already and did not even notice the "new" source until someone pointed it
> out.  On a local level, SPAM does not bother me...I can always use the
> ultimate SPAM filter...the delete key.  On a global sense, it bothers me
> cause it does globally affect things like bandwidth, etc.  So, I applaud
> efforts to curtail, if not eliminate, SPAM.  But, I don't get too bent out
> of shape when I get it.
>
> Regards,
>
> Scott
> Adrian, MI
>
>
> ---------- Forwarded message ----------
> Date: Sun, 4 Jun 2006 02:44:21 -0400
> From: Dennis Wish <dennis.wish(--nospam--at)verizon.net>
> Reply-To: seaint(--nospam--at)seaint.org
> To: seaint(--nospam--at)seaint.org
> Subject: Test
>
> This is a test
>
>

******* ****** ******* ******** ******* ******* ******* ***
*   Read list FAQ at: http://www.seaint.org/list_FAQ.asp
* 
*   This email was sent to you via Structural Engineers 
*   Association of Southern California (SEAOSC) server. To 
*   subscribe (no fee) or UnSubscribe, please go to:
*
*   http://www.seaint.org/sealist1.asp
*
*   Questions to seaint-ad(--nospam--at)seaint.org. Remember, any email you 
*   send to the list is public domain and may be re-posted 
*   without your permission. Make sure you visit our web 
*   site at: http://www.seaint.org 
******* ****** ****** ****** ******* ****** ****** ********
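
The two checks discussed in this thread, sketched as an added example (not part of the original posts and not code from Majordomo or Mailman): a From:-only membership test, and the comparison of the sender's domain against the outgoing server's domain, including the roaming-user case where that comparison misfires. All addresses, hostnames and function names are constructed placeholders, and the "last two labels" domain match is a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed subscriber list (placeholder addresses, not from the thread).
MEMBERS = {"dennis@isp-a.example", "scott@campus.example"}

def from_address(raw):
    """Lower-cased address from the From: header, which the sender controls."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower()

def org_domain(host):
    """Naive 'last two labels' domain (assumption; real code needs a suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def membership_only(raw):
    """The list's only defense as described: is From: a subscriber address?"""
    return from_address(raw) in MEMBERS

def membership_plus_relay(raw, relay_host):
    """Membership plus the sender-domain vs. outgoing-server comparison.
    relay_host is the server that handed the message to the list host, which
    the list host observes itself instead of reading it from the headers."""
    addr = from_address(raw)
    if addr not in MEMBERS:
        return "reject"
    if org_domain(addr.rpartition("@")[2]) != org_domain(relay_host):
        return "hold"  # queue for moderator review instead of delivering
    return "accept"

def make(sender):
    """Build a minimal constructed message with the given From: value."""
    return f"From: {sender}\nTo: list@list.example\nSubject: Test\n\nThis is a test\n"

# Constructed cases: (raw message, relay that actually delivered it).
GENUINE = (make("Dennis <dennis@isp-a.example>"), "out.isp-a.example")
SPOOFED = (make("Dennis <dennis@isp-a.example>"), "shell.campus.example")
ROAMING = (make("Scott <scott@campus.example>"), "smtp.isp-b.example")
OUTSIDER = (make("x@unknown.example"), "mx.unknown.example")

if __name__ == "__main__":
    cases = {"genuine": GENUINE, "spoofed": SPOOFED,
             "roaming": ROAMING, "outsider": OUTSIDER}
    for name, (raw, relay) in cases.items():
        print(f"{name:9} from-only={membership_only(raw)!s:5} "
              f"with-relay={membership_plus_relay(raw, relay)}")
```

The spoofed and roaming cases get the same "hold" result, which is why the sketch queues mismatches for review instead of deleting them.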