Security Basics mailing list archives

RE: email security issue


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 12 Jun 2003 17:18:32 -0700

-----Original Message-----
From: Richard H. Cotterell [mailto:seec () mail retina ar]
Sent: June 12, 2003 16:33
To: gillettdavid () fhda edu; security-basics () securityfocus com
Subject: RE: email security issue

Ref: David Gillett <gillettdavid () fhda edu>'s
     message dated Thursday, June 12, 2003, 10:50 hours.

 The extra values that SpamCop (and presumably other
services as well) bring to this, that I cannot rely on
my own brain[*] to provide, are:

1.  Syntax analysis to spot forged Received: headers.
(Your message below sounds like you don't believe they
ever happen.  They do.)

Are you suggesting that normal users who have done their homework in 
reference to e-mail (headers included) are incapable of 
syntax analysis?

  Not incapable, no.  But fallible, and possibly subject to error,
distraction, or ignorance.  Humans are great at telling whether 
something "looks normal"; machines do a better job of testing for
strict conformity to rules.
  The purpose of tools is to amplify human effort.  I don't have
to be incapable of doing something to benefit from using a tool
that does it better.
 
As to what you read between the lines or directly from my 
message is a result of your subjective analysis and that 
alone and not based on a factual statement.  :(

   "all one has to do is take a good look at the *Received:* 
information" is the relevant quote.  I take "a good look" to
mean that accurate and easily-extracted information is present
there for all to see.  Since in practice the information is
often missing (anonymizing relays), wrong (forged headers or
unreliable relays), or deliberately misleading (in various ways), 
"a good look" is rarely good enough.
 
'When I use a word,' Humpty Dumpty said in a rather scornful 
tone, 'it means just what I choose it to mean, neither more 
nor less.'  [Lewis Carroll (pen name of Charles Lutwidge Dodgson), 
Through the Looking-Glass, ch.5.]

  So in this case, you mean "a good look" to mean expert scrutiny,
but to exclude the assistance of automated tools, right?  Unless
you say what you mean a term to mean, readers can hardly be blamed
for assuming it means what everybody else uses it to mean.

 
2.  Database cross-reference to known open relays and boxes
that do not reliably/correctly report message sources in
the headers they add.  (Servers do not generally volunteer
this information about themselves in the headers.)

Without wishing to offend in any way, these operators remind 
me of the following story:

<story snipped>
 
There are compliant RFC systems and non-compliant RFC systems 
with all the connotations that the definition implies.  There 
are open or closed SMTP servers.  There are hijacked servers 
and workstations, spoofed headers, and the list goes on, yet 
you fail to state, in particular, how *spamcop* will detect and 
pin-point the offending machine from either a no information of 
source or a hijacked and spoofed address, for example.
Are you trying to say that they and others like them are the 
cyber wizards in locating offenders?

  Of course not.  These tools consult various accumulated databases of
past observations.
  I could, of course, build my own databases (and my own tools to 
maintain and to search them -- oops, no tools allowed!).  They'd 
still only hold *my* experience, not the collective experience of 
thousands of users.
  SpamCop can tell me, for instance, that the second Received: line 
is from a server that has a history of misreporting message sources, 
and so reading the third Received: line is probably a waste of time.

3.  (Not always needed...) Automatic lookup of abuse-reporting
addresses, often with an indication of how seriously that
authority takes complaints.

How about a normal WhoIs or DNS search?  Another aspect of 
good computer management is to keep all these types of addresses 
handy.  :)

  Out here in the Real World(TM), lots of ISPs have abuse 
departments that are not among the contacts listed in WhoIs or DNS.
Some are handled by a parent organization.  Some don't listen at
all.  Again, by using a *tool* like SpamCop, I avoid having to
discover these things afresh with every incident.


[*] ... and I modestly claim that I have more experience with 
this than a vast majority of users, and even many administrators.

Commendable for two reasons: the first, the humbleness of the 
statement; and the second, the possibility of employment demands 
that don't match your experience.  Have you thought about the 
NSA, FBI, CIA or such?

  I'm afraid I can't parse that second reason at all.  Are you saying
that an experienced fellow like myself should be seeking employment 
with agencies that unfortunately tend to require U.S. citizenship as 
a condition of employment?  Or are you suggesting that your remarks,
addressed to the "Security-BASICS" forum, really only apply to career
security professionals with scads of experience they're not allowed to
talk about?  Or is there some third interpretation that escapes me
completely?

David Gillett
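Added example, not part of the thread: the kind of mechanical Received: trail check the message above argues a tool does more reliably than eyeballing. It walks the headers newest-first, flags malformed lines and unresolved reverse DNS, compares each hop's "by" host with the "from" host of the line above it, and consults a hypothetical list of relays known to misreport sources (UNRELIABLE_RELAYS and the sample message are constructed for this example).

```python
import re
from email import message_from_string

# Constructed sample (not a message from the thread). Received: lines are listed
# newest first, as a mail client shows them. Line 2 was stamped by a relay we treat
# as unreliable, and line 3 claims it was received "by" a host that line 2 never
# says it got the message from: a typical pattern of a forged trail.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
    by mx.example.org with ESMTP; Thu, 12 Jun 2003 16:33:00 -0700
Received: from mail.example.com (unknown [198.51.100.7])
    by relay.example.net with SMTP; Thu, 12 Jun 2003 16:32:00 -0700
Received: from desktop.example.edu by smtp.example.com; Thu, 12 Jun 2003 16:31:00 -0700
Subject: test

body
"""

# Hypothetical local reputation list; a service like SpamCop keeps a real one.
UNRELIABLE_RELAYS = {"relay.example.net"}

RECEIVED_RE = re.compile(
    r"^from\s+(?P<from>[^\s;(]+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)", re.I)

def parse_received(value):
    """Return the from/by hosts (and parenthesised info) of one Received: header, or None if malformed."""
    m = RECEIVED_RE.match(" ".join(value.split()))  # unfold continuation lines first
    return m.groupdict() if m else None

def analyse(raw):
    """Return a list of (line_number, finding) for the Received: trail of a raw message."""
    hops = [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]
    findings = []
    for n, hop in enumerate(hops, 1):
        if hop is None:
            findings.append((n, "malformed Received: header"))
            continue
        if hop["info"] and "unknown" in hop["info"].lower():
            findings.append((n, "reverse DNS of the sending host did not resolve"))
        if hop["by"] in UNRELIABLE_RELAYS:
            findings.append((n, f"stamped by {hop['by']}, a relay known to misreport sources"))
        prev = hops[n - 2] if n > 1 else None  # the newer line, which should say "from <this by>"
        if prev and prev["from"] != hop["by"]:
            findings.append((n, f"chain break: line {n - 1} says from {prev['from']}, this line says by {hop['by']}"))
    return findings
```

Lines at or below a flagged unreliable relay are exactly the ones the message above says are probably a waste of time to read.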

