Security Basics mailing list archives
RE: email security issue
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 12 Jun 2003 17:18:32 -0700
-----Original Message-----
From: Richard H. Cotterell [mailto:seec () mail retina ar]
Sent: June 12, 2003 16:33
To: gillettdavid () fhda edu; security-basics () securityfocus com
Subject: RE: email security issue

> Ref: David Gillett <gillettdavid () fhda edu>'s message dated Thursday, June 12, 2003, 10:50 hours.
>
> > The extra values that SpamCop (and presumably other services as well) bring to this, that I cannot rely on my own brain[*] to provide, are:
> >
> > 1. Syntax analysis to spot forged Received: headers. (Your message below sounds like you don't believe they ever happen. They do.)
>
> Are you suggesting that normal users who have done their homework in reference to e-mail (headers included) are incapable of syntax analysis?
Not incapable, no. But fallible, and possibly subject to error, distraction, or ignorance. Humans are great at telling whether something "looks normal"; machines do a better job of testing for strict conformity to rules. The purpose of tools is to amplify human effort. I don't have to be incapable of doing something to benefit from using a tool that does it better.
> As to what you read between the lines or directly from my message is a result of your subjective analysis and that alone and not based on a factual statement. :(
"all one has to do is take a good look at the *Received:* information" is the relevant quote. I take "a good look" to mean that accurate and easily-extracted information is present there for all to see. Since in practice the information is often missing (anonymizing relays), wrong (forged headers or unreliable relays), or deliberately misleading (in various ways), "a good look" is rarely good enough.
> 'When I use a word,' Humpty Dumpty said in a rather scornful tone, 'it means just what I choose it to mean, -neither more nor less.' [Lewis Carroll (pen name of Charles Lutwidge Dodgson), Through the Looking-Glass, ch.5.]
So in this case, you mean "a good look" to mean expert scrutiny, but to exclude the assistance of automated tools, right? Unless you say what you mean a term to mean, readers can hardly be blamed for assuming it means what everybody else uses it to mean.
> > 2. Database cross-reference to known open relays and boxes that do not reliably/correctly report message sources in the headers they add. (Servers do not generally volunteer this information about themselves in the headers.)
>
> Without wishing to offend in any way, these operators remind me of the following story:
> <story snipped>
> There are compliant RFC systems and non-compliant RFC systems with all the connotations that the definition implies. There are open or closed SMTP servers. There are hijacked servers and workstations, spoofed headers, and the list goes on, yet you fail to state, in particular, how *spamcop* will detect and pin-point the offending machine from either no information about the source or a hijacked and spoofed address, for example. Are you trying to say that they and others like them are the cyber wizards in locating offenders?
Of course not. These tools consult various accumulated databases of past observations. I could, of course, build my own databases (and my own tools to maintain and to search them -- oops, no tools allowed!). They'd still only hold *my* experience, not the collective experience of thousands of users. SpamCop can tell me, for instance, that the second Received: line is from a server that has a history of misreporting message sources, and so reading the third Received: line is probably a waste of time.
> > 3. (Not always needed...) Automatic lookup of abuse-reporting addresses, often with an indication of how seriously that authority takes complaints.
>
> How about a normal WhoIs or DNS search? Another aspect of good computer management is to keep all these types of addresses handy. :)
Out here in the Real World(TM), lots of ISPs have abuse departments that are not among the contacts listed in WhoIs or DNS. Some are handled by a parent organization. Some don't listen at all. Again, by using a *tool* like SpamCop, I avoid having to discover these things afresh with every incident.
> > [*] ... and I modestly claim that I have more experience with this than a vast majority of users, and even many administrators.
>
> Commendable for two reasons: the first, the humbleness of the statement; and the second, the possibility of employment demands that don't match your experience. Have you thought about the NSA, FBI, CIA or such?
I'm afraid I can't parse that second reason at all. Are you saying that an experienced fellow like myself should be seeking employment with agencies that unfortunately tend to require U.S. citizenship as a condition of employment? Or are you suggesting that your remarks, addressed to the "Security-BASICS" forum, really only apply to career security professionals with scads of experience they're not allowed to talk about? Or is there some third interpretation that escapes me completely?

David Gillett
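The two checks the thread argues about, syntax analysis of the Received: chain (point 1) and consulting a list of relays known to misreport sources (point 2), as an added example that is not part of the original post and is not SpamCop's code. The message, the hostnames and IP addresses, and the `UNRELIABLE_RELAYS` set are all constructed for the demo; the set stands in for the accumulated database the reply describes.

```python
"""Walk a message's Received: chain the way an automated header-analysis
tool does: check that consecutive hops agree with each other, and stop
trusting hops written by relays known to misreport their sources.

Added example; not SpamCop's code and not from either poster. All
hostnames, addresses and the relay list are constructed for the demo.
"""
import re
from email import message_from_string

# "from <claimed-name> (<reverse-dns> [ip]) by <receiving-host> ..."
# The from-name is whatever the connecting host said in HELO; the
# bracketed address is what the receiving server saw on the socket.
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<from>[^\s;]+).*?\bby\s+(?P<by>[^\s;]+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed stand-in for the accumulated "relays that do not reliably
# report message sources" database the post refers to.
UNRELIABLE_RELAYS = {"relay.badisp.example"}

# Constructed sample, newest hop first as in a real message. Hops 0-2
# chain cleanly; hop 2 was written by an unreliable relay; hop 3 was
# prepended by the sender and does not chain to hop 2; hop 4 has no
# "from ... by" pair at all.
SAMPLE = "\n".join([
    "Received: from mx.example.org (mx.example.org [192.0.2.10])",
    "\tby mail.fhda-example.edu with ESMTP id abc123; Thu, 12 Jun 2003 10:50:00 -0700",
    "Received: from relay.badisp.example (relay.badisp.example [198.51.100.7])",
    "\tby mx.example.org with SMTP id def456; Thu, 12 Jun 2003 10:49:30 -0700",
    "Received: from client-box.example (dsl-pool-17.example [198.51.100.77])",
    "\tby relay.badisp.example with SMTP; Thu, 12 Jun 2003 10:49:00 -0700",
    "Received: from bigmail.example.net (bigmail.example.net [203.0.113.9])",
    "\tby smtp.legit.example with SMTP; Thu, 12 Jun 2003 09:00:00 -0700",
    "Received: by bigmail.example.net (Postfix, from userid 1000) id 9999;",
    "\tThu, 12 Jun 2003 08:59:00 -0700",
    "From: someone@bigmail.example.net",
    "Subject: test",
    "",
    "body",
])


def parse_received(value):
    """Return {'from', 'by', 'ip', 'raw'} for one Received: header; the
    first three are None when the header has no 'from ... by' pair."""
    text = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    ip = IP_RE.search(text)
    if m is None:
        return {"from": None, "by": None, "ip": None, "raw": text}
    return {"from": m.group("from").lower(), "by": m.group("by").lower(),
            "ip": ip.group(1) if ip else None, "raw": text}


def analyze(raw_message):
    """Parse all Received: headers and return hops plus findings.

    Findings are (hop_index, kind, detail) tuples; hop 0 is the header
    added by the final receiving server, the only one that needs no
    further evidence to be believed.
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    findings = []
    first_untrusted = None

    for i, hop in enumerate(hops):
        if hop["by"] is None:
            # Local submissions ("by host (Postfix, from userid ...)") look
            # like this legitimately, so this only means "review by hand".
            findings.append((i, "no_from_by_pair", hop["raw"]))
        elif first_untrusted is None and hop["by"] in UNRELIABLE_RELAYS:
            # This relay is known to misreport; nothing it wrote about its
            # own source, nor any hop below it, can be believed.
            first_untrusted = i
            findings.append((i, "unreliable_relay",
                             f"{hop['by']} has a history of misreporting "
                             f"sources; ignore hops {i} and later"))

    # Consistency check: the host that wrote hop i+1 ("by") should be the
    # host hop i says it received from. A mismatch is a signal, not proof,
    # since some hosts HELO with a name other than the one they sign with.
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        if newer["from"] is None or older["by"] is None:
            continue
        if newer["from"] != older["by"]:
            findings.append((i + 1, "chain_break",
                             f"hop {i + 1} claims it was written by "
                             f"{older['by']} but hop {i} received from "
                             f"{newer['from']}"))

    return {"hops": hops, "findings": findings,
            "first_untrusted_hop": first_untrusted}


if __name__ == "__main__":
    report = analyze(SAMPLE)
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: from={hop['from']} ip={hop['ip']} by={hop['by']}")
    for idx, kind, detail in sorted(report["findings"]):
        print(f"  [{kind}] hop {idx}: {detail}")
```

Running it reports that hop 2 was written by a relay on the unreliable list (so hops 2 and later cannot be trusted), that hop 3 does not chain to hop 2 (the forged header), and that hop 4 has no from/by pair and needs a human look. The chain_break rule is deliberately a heuristic: real hosts sometimes announce themselves under a different name than the one they write into "by", which is exactly why a database of past observations matters alongside pure syntax checking.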