Guest | Re: He has Met the Spammer and it is Him .... - 06-02-2007, 08:53 PM
Jamie wrote:
> In <EMAIL REMOVED>,
> Jerry Stuckle <EMAIL REMOVED> mentions:
>>> What determines "from me"? is this an actual, verified IP test or is it somehow
>>> based on the headers? (do you know if it's my SMTP server directly contacting
>>> their SMTP server directly?)
>>>
>> Yes, that's how it works. When you send an email to me, your SMTP
>> server contacts my SMTP server directly.
>
> I was talking about that service (lost the URL now) that allegedly knows
> how much email I'm sending out, if they count actual IP connections -vs-
> the Received: header (even so, it isn't totally unusual to see an increase
> in email being sent out, my product has a demo that sends email, useless
> to spammers even if that were to be compromised somehow, there is no
> good way to inject any body text)
>
No one can tell without your logs just how much mail you send out. Some
of them, like www.senderbase.org, report figures - but that's based on
reported spam, nothing more.
>>> Well, there aren't any listening ports. No weird processes running, and the actual
>>> access to the contact form isn't unusual, (people /DO/ try to hack it all the time,
>>> but I have guarded against it)
>>>
>> If you can receive email, your port 25 is open. But are there any
>> strange files on your web server, for instance?
>
> Yea, my port 25 is open, but the context was that of "Maybe someone broke in
> and set up their own mail server, therefore bypassing my logs" they would have
> had to replace netstat, ps and a host of other things to do this, all without
> me detecting it. (certainly possible, but very doubtful)
>
Yes, that would be difficult. Or they could just put their own sendmail
version in, listening to another port. I was just referring to your
comment about no listening ports. The problem is - unless you scan your
system, you don't know just which ports might be open.
>>>> If I had a web sight with webforms and had not checked them for injection
>>>> and overflow hazards I would not sleep too well this morning....
>>> Same here, that's why I made sure it guarded against it. (it does guard against
>>> injection)
>>>
>> Are you really sure it's guarded against everything? Are you sure, for
>> instance, that they can't add a newline anywhere in the headers?
>
> I'm positive of that. (in fact, every so often I see messages from would-be
> crackers who've tried to do just that)
>
OK, just checking. It's easy to make a misteak :-).
> Every other email form is arranged in such a way that even if a cracker did
> manage to hack it, it'd be useless because the form doesn't control the text in
> any way. (furthermore the bounced email I'm getting doesn't contain any text that
> would have been inserted into the message, I can be reasonably sure it wasn't
> a contact form or web related.)
>
It's not the text you have to worry about. It's things like a newline
character (and other stuff) in the From or Subject fields. And while
your form just has them as a single-line text field, it's very easy for
a spammer to generate his own form which does have those.
> Guess I was mostly wondering how that service (a few posts back) is able to determine
> the volume of email I'm sending out.
>
> Jamie
Not possible with any level of accuracy.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. EMAIL REMOVED
==================
Guest | Re: He has Met the Spammer and it is Him .... - 06-02-2007, 08:53 PM
Vernon Schryver wrote:
> In article <EMAIL REMOVED>,
> Jerry Stuckle <EMAIL REMOVED> wrote:
>
>> No one can tell without your logs just how much mail you send out. Some
>> of them, like www.senderbase.org, report figures - but that's based on
>> reported spam, nothing more.
>
> That last part of that must be wrong, or non-spamming mail senders
> would have zeros in Ironport's traffic numbers. Instead I have
> always assumed that Ironport contracts with a bunch of ISPs to snoop
> on the mail sent to their users.
>
That would be a huge invasion of privacy, and any ISP who did that
wouldn't last very long, IMHO.
They'd probably have a bunch of attorneys after them, also.
>
>> comment about no listening ports. The problem is - unless you scan your
>> system, you don't know just which ports might be open.
>
> Assuming that a naive port scan will find a serious infestation requires
> assuming that one's enemies are stupid. I think that is a bad idea.
>
Not necessarily. They have to leave some port open to get into your
machine.
But don't do an external scan - do it internally from your system. I
forget the command - I don't use it enough. But I've got it in a book
downstairs.
> If I wrote trojan spamware, it would not keep ports open. Instead it
> would listen on pseudo-random ports at infrequent, pseudo-random times
> and only for a second or two. The controller would know the pseudo-random
> sequences and so know which port to contact and when. It would be
> invisible to naive, simplistic port scanning and a lot of intrusion
> detection snakeoil, just as frequency hopping spread spectrum radios
> are invisible to simplistic radio scanning. Yes, there are some
> complications that I'd have to solve including synchronizing clocks,
> but they are all minor. I assume that I'm no smarter than spammers and
> bot-writers, and so assume that if they needed to, they'd solve those
> problems.
>
But this would be almost impossible to hit. Even slight clock
differences will throw it off. It's not at all unusual for a system
clock to run 2-3 seconds per day fast/slow (in fact, if that's all it was
it would be a good clock!). And simply changing the date or time would
really screw things up. Rather than a minor complication, it's a rather
major one. Probably why it hasn't been done.
Spread Spectrum works, however, because there is a signal to sync onto.
Your system isn't doing that. Or, if it is, your ISP's traffic logs
will show it.
>
>>>> Are you really sure it's guarded against everything? Are you sure, for
>>>> instance, that they can't add a newline anywhere in the headers?
>>> I'm positive of that. (in fact, every so often I see messages from would-be
>>> crackers who've tried to do just that)
>> OK, just checking. It's easy to make a misteak :-).
>
> I hope I don't understand that, because it would be wrong to claim that
> evidence that some attacks have been defeated shows that all attacks
> have been defeated.
>
>
>> It's not the text you have to worry about. It's things like a newline
>> character (and other stuff) in the From or Subject fields. And while
>> your form just has them as a single-line text field, it's very easy for
>> a spammer to generate his own form which does have those.
>
> I think that is true only in what seem to be at best very dangerous
> ways to wire an MUA to an HTML form.
>
>
> Vernon Schryver EMAIL REMOVED
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. EMAIL REMOVED
==================
Guest | Re: He has Met the Spammer and it is Him .... - 06-02-2007, 08:53 PM
On Tue, 22 May 2007 20:46:36 -0400, Jerry Stuckle put finger to
keyboard and typed:
>Jamie wrote:
>> In <EMAIL REMOVED>,
>> Jerry Stuckle <EMAIL REMOVED> mentions:
>>>> What determines "from me"? is this an actual, verified IP test or is it somehow
>>>> based on the headers? (do you know if it's my SMTP server directly contacting
>>>> their SMTP server directly?)
>>>>
>>> Yes, that's how it works. When you send an email to me, your SMTP
>>> server contacts my SMTP server directly.
>>
>> I was talking about that service (lost the URL now) that allegedly knows
>> how much email I'm sending out, if they count actual IP connections -vs-
>> the Received: header (even so, it isn't totally unusual to see an increase
>> in email being sent out, my product has a demo that sends email, useless
>> to spammers even if that were to be compromised somehow, there is no
>> good way to inject any body text)
>>
>
>No one can tell without your logs just how much mail you send out. Some
>of them, like www.senderbase.org, report figures - but that's based on
>reported spam, nothing more.
They don't just count spam, they count legitimate messages as well. In
fact, they don't distinguish, as they don't ever see the contents of
the messages - they just get a report of quantities.
Mark
--
Visit: http://names.orangehedgehog.com - British surname distribution profiles
"Life is both a major and a minor key"
Guest | Re: He has Met the Spammer and it is Him .... - 06-02-2007, 08:53 PM
On Tue, 22 May 2007 23:55:23 -0400, Jerry Stuckle put finger to
keyboard and typed:
>Vernon Schryver wrote:
>> In article <EMAIL REMOVED>,
>> Jerry Stuckle <EMAIL REMOVED> wrote:
>>
>>> No one can tell without your logs just how much mail you send out. Some
>>> of them, like www.senderbase.org, report figures - but that's based on
>>> reported spam, nothing more.
>>
>> That last part of that must be wrong, or non-spamming mail senders
>> would have zeros in Ironport's traffic numbers. Instead I have
>> always assumed that Ironport contracts with a bunch of ISPs to snoop
>> on the mail sent to their users.
>>
>
>That would be a huge invasion of privacy, and any ISP who did that
>wouldn't last very long, IMHO.
They're not snooping on the content of any messages, just getting a
report of how many there were. That's not an invasion of privacy, any
more than it would be for the Post Office to say how many letters were
handled by each sorting depot.
Mark
--
Blog: http://mark.goodge.co.uk Photos: http://www.goodge.co.uk
"Here we are now, entertain us"
Guest | Re: He has Met the Spammer and it is Him .... - 06-02-2007, 08:53 PM
Mark Goodge wrote:
> On Tue, 22 May 2007 23:55:23 -0400, Jerry Stuckle put finger to
> keyboard and typed:
>
>> Vernon Schryver wrote:
>>> In article <EMAIL REMOVED>,
>>> Jerry Stuckle <EMAIL REMOVED> wrote:
>>>
>>>> No one can tell without your logs just how much mail you send out. Some
>>>> of them, like www.senderbase.org, report figures - but that's based on
>>>> reported spam, nothing more.
>>> That last part of that must be wrong, or non-spamming mail senders
>>> would have zeros in Ironport's traffic numbers. Instead I have
>>> always assumed that Ironport contracts with a bunch of ISPs to snoop
>>> on the mail sent to their users.
>>>
>> That would be a huge invasion of privacy, and any ISP who did that
>> wouldn't last very long, IMHO.
>
> They're not snooping on the content of any messages, just getting a
> report of how many there were. That's not an invasion of privacy, any
> more than it would be for the Post Office to say how many letters were
> handled by each sorting depot.
>
> Mark
Mark,
It depends on how you look at it. In some cases even the number of
emails being sent from a server (especially if a company has a unique
IP) can be a problem.
Just like it could be an invasion for the post office to indicate how
many letters were mailed by a particular address.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. EMAIL REMOVED
==================
Guest | Re: He has Met the Spammer and it is Him .... - 06-02-2007, 08:53 PM
Vernon Schryver wrote:
> fuser some UNIX including IRIX, but I think not Linux
I've got fuser on my box.
--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.12-12mdksmp, up 89 days, 4:36.]
The Great Wi-Fi Controversy http://tobyinkster.co.uk/blog/2007/05/22/wifi-scare/
Guest | Re: He has Met the Spammer and it is Him .... - 06-02-2007, 08:53 PM
In article <c4mei4-EMAIL REMOVED>,
Toby A Inkster <EMAIL REMOVED> wrote:
>> fuser some UNIX including IRIX, but I think not Linux
>
>I've got fuser on my box.
Fuser was in SVR3 and SVR4 and so, of course, Solaris. Linux
distributions tend to have a lot of AT&T SVR3/4 flavor including
fuser. They seem to include some SGI hacks to the SVR3 style
including the idea of symbolic links in rc directories, but I don't
think Linux got Brendan Eich's (or Andrew Cherenson's--I've forgotten
which) changes to fuser for displaying PIDs of processes that own
sockets associated with given IP addresses.
Vernon Schryver EMAIL REMOVED
Guest | Re: He has Met the Spammer and it is Him .... - 06-02-2007, 08:53 PM
In article <EMAIL REMOVED> ,
<EMAIL REMOVED> wrote:
>> >That would be a huge invasion of privacy, and any ISP who did that
>> >wouldn't last very long, IMHO.
>> So what oracle does Ironport use to generate the Senderbase numbers?
>> Does Ironport snoop on packets in the core of the Internet?
>> Isn't that a bigger invasion of privacy?
>> (Those are rhetorical questions.)
>
>I don't think that they are.
what are not what? rhetorical questions?
>First, if you're not familiar with them, Ironport sells large-capacity
>mailservers, like this: http://www.ironport.com/products/ironport_x1000.html
>While that's quite a stretch from "snoop on packets in the core of the
>Internet", it's still a pretty nuts-and-bolts look at an awful lot of
>SMTP traffic.
That's a good idea I'd not thought of in this context, although I use
something similar to generate the DCC graphs. It would avoid needing
to install special stuff at ISPs (for any of the many meanings of ISP)
to collect data.
> That gives them a window into spam-loads at large
>networks, and (I'm assuming) the source of their ham-v-spam numbers.
That's true only as far as their false positive and negative numbers
go. Each unsolicited bulk email message they see as legitimate
(false negative) and each legitimate message seen as evil (false
positive) distorts their spam vs. legitimate numbers. (I hate the
use of "ham" for "legitimate mail".)
>And I don't think data of the form "IP address a.b.c.d has sent
>approximately 10,000 messages in the last day or so, around 1,000 of
>which looked like spam" represent a privacy issue any more than a
>DNSBL does.
Both can involve privacy issues. For example, if Bill Gates' personal
SMTP server asks your DNS server for your DNSBL's entry for the IP
address of Steve Jobs's personal SMTP client, you might conclude that
Steve Jobs is sending email to Bill Gates, and that could be valuable
information. There are good reasons why old telephone pen recorders
needed court orders and for the outrage about the Bush Administration's
traffic analysis against U.S. citizens.
Vernon Schryver EMAIL REMOVED
Guest | Re: He has Met the Spammer and it is Him .... - 06-02-2007, 08:53 PM
In <EMAIL REMOVED>,
Jerry Stuckle <EMAIL REMOVED> mentions:
>No one can tell without your logs just how much mail you send out. Some
>of them, like www.senderbase.org, report figures - but that's based on
>reported spam, nothing more.
Ah, reported spam, that makes sense. (in an unfortunate sort of way..)
Thanks!
>Yes, that would be difficult. Or they could just put their own sendmail
>version in, listening to another port. I was just referring to your
>comment about no listening ports. The problem is - unless you scan your
>system, you don't know just which ports might be open.
I do scan my system as part of a regular system check. I don't want to say
all the things I monitor, partly because of the whole "pride before fall"
belief LOL
But.. I do monitor things like that.
>It's not the text you have to worry about. It's things like a newline
>character (and other stuff) in the From or Subject fields. And while
>your form just has them as a single-line text field, it's very easy for
>a spammer to generate his own form which does have those.
Gotcha, and, yea, I do inspect them for that.
I reckon, if you want to do CGI/PHP programming, you really MUST try telnet
port 80 a few times until you can see, intuitively, how all the parts fit
together. Then, \r's (and other characters) in form inputs make a lot of
sense. Even for checkboxes/radio/select/ etc..
Not that I *always* catch it.. (though I certainly do try)
>> Guess I was mostly wondering how that service (a few posts back) is able to determine
>> the volume of email I'm sending out.
>>
>> Jamie
>
>Not possible with any level of accuracy.
Thanks! I couldn't see how they could know all the email I'm sending out unless
they some how received it directly. Glad to hear it confirmed from someone else.
The "good news" is that it would appear Mr. Spammer's done with me for a while, as
the bounced spam seems to have stopped.
Was really shocking to see them forging Received: headers, that one took me by
surprise. (and I wonder how many people I've falsely accused of spamming because
of forged Received: headers.. for some stupid reason, I thought they were reliable
up until this point anyway.)
Jamie
-- http://www.geniegate.com Custom web programming
Perl * Java * UNIX User Management Solutions
Guest | Re: He has Met the Spammer and it is Him .... - 06-02-2007, 08:53 PM
Vernon Schryver wrote:
> In article <5eadnaYH2qr1Js7bnZ2dnUVZ_s-EMAIL REMOVED>,
> Jerry Stuckle <EMAIL REMOVED> wrote:
>
>>>> No one can tell without your logs just how much mail you send out. Some
>>>> of them, like www.senderbase.org, report figures - but that's based on
>>>> reported spam, nothing more.
>>> That last part of that must be wrong, or non-spamming mail senders
>>> would have zeros in Ironport's traffic numbers. Instead I have
>>> always assumed that Ironport contracts with a bunch of ISPs to snoop
>>> on the mail sent to their users.
>> That would be a huge invasion of privacy, and any ISP who did that
>> wouldn't last very long, IMHO.
>>
>> They'd probably have a bunch of attorneys after them, also.
>
> So what oracle does Ironport use to generate the Senderbase numbers?
> Does Ironport snoop on packets in the core of the Internet?
> Isn't that a bigger invasion of privacy?
> (Those are rhetorical questions.)
>
I have no idea. But my customers typically have unique IP addresses
(not shared hosts). And if they found their ISP was reporting the
number of emails sent, at least a couple of them would have their
attorneys all over the host.
Some of this is quite privileged information - and even the statistics
can prove interesting. For instance, if there's a sudden spike of
200-300% going out of their server, one could reasonably assume that
something is going on behind the scenes - and that a major announcement
could be coming soon - i.e. a buyout, filing for bankruptcy, etc. Not
good for a publicly traded company.
>
>>>> comment about no listening ports. The problem is - unless you scan your
>>>> system, you don't know just which ports might be open.
>>> Assuming that a naive port scan will find a serious infestation requires
>>> assuming that one's enemies are stupid. I think that is a bad idea.
>> Not necessarily. They have to leave some port open to get into your
>> machine.
>
> If the malware used varying ports and kept each open only for 2 seconds
> every 300 seconds, you would never notice.
>
And it would be almost impossible to synchronize with those ports.
>
>> But don't do an external scan - do it internally from your system. I
>> forget the command - I don't use it enough. But I've got it in a book
>> downstairs.
>
> So you are arguing with me how the DDN Protocol Suite works based
> on a book you have downstairs and don't remember very well?
> http://www.google.com/search?q=DDN+Protocol+Suite
> Is the proverb about teaching your grandmother how to suck eggs familiar?
> http://www.google.com/search?q=prove...grandmother%22
>
No, I'm arguing on how it works. I've been in TCP/IP and networking for
30 years - both hardware and software. I just don't remember the Linux
commands; nor do I try to remember every command I use once or twice a year.
> Commands I might use for that job include
> netstat on Windows and many flavors of UNIX
> fstat some UNIX
> sockstat some UNIX
> fuser some UNIX including IRIX, but I think not Linux
> lsof some UNIX
> systat -netstat 1 FreeBSD UNIX (and others?)
>
> I think there are other relevant Windows commands that I can't seem to
> recall.
> Systat and the IRIX version of netstat that uses curses(3) are nice
> if you want a continuous display.
>
>
>>> If I wrote trojan spamware, it would not keep ports open.
>
> Or if I wrote trojan malware, it might phone home at random times. It
> might use a port you would not think unusual to see active such as 53,
> 80, or 443, perhaps after using setsockopt(SO_REUSEADDR) or SO_REUSEPORT
> so that bind() would not complain about conflicts with legitimate local
> services.
>
And that "phone home" could easily be blocked if you have your firewall
set up properly. In fact, even the incoming ports would be blocked if
you set up your firewall correctly.
>
>> Instead it
>>> would listen on pseudo-random ports at infrequent, pseudo-random times
>>> and only for a second or two. The controller would know the pseudo-random
>>> sequences and so know which port to contact and when. It would be
>
>> But this would be almost impossible to hit. Even slight clock
>> differences will throw it off. It's not at all unusual for a system
>> clock to run 2-3 seconds per day fast/slow (in fact, if that's all it was
>> it would be a good clock!). And simply changing the date or time would
>> really screw things up. Rather than a minor complication, it's a rather
>> major one. Probably why it hasn't been done.
>
> That is entirely wrong. Modern hardware is rarely as wrong as 2
> seconds/day, but if it is, it is no problem to discipline the clock
> to within milliseconds of UTC. Similarly, time changes are no problem.
> Knowing clock differences to within a second or two is easy. That's
> why I wrote about keeping ports open for 1 or 2 seconds instead
> of the milliseconds that are actually needed. NTP uses one check every
> 90 seconds to get to within milliseconds or better of UTC. See
> http://www.google.com/search?q=ntp
> I'm not sure what XP (not to mention Vista) uses for clock synchronization.
> On my Microstupid boxes, I no longer use the Dimension NTP client.
> Instead I tell Samba on a UNIX box to provide ticks.
> http://www.google.com/search?q=%22di...%22+ntp+client
> Perhaps Microsoft uses SNTP instead of (I think) their NetBEUI or whatever
> protocol.
> http://www.google.com/search?q=xp+ntp
>
No, modern hardware is often off more than 2 seconds a day. That's one
minute a month, and most computers don't do that well. Internal clocks
run on an oscillator - and they are not accurate to less than 0.00231%
(2 seconds per day). In fact, your line-powered alarm clock is much
more accurate - because the 50/60 Hz line current is very accurate -
typically off less than 1 cycle per day.
>
>> Spread Spectrum works, however, because there is a signal to sync onto.
>> Your system isn't doing that. Or, if it is, your ISP's traffic logs
>> will show it.
>
> That makes the pair of bad assumptions that your ISP logs all
> packets or at least all TCP SYNs and that rare oddities would be noticed.
>
ISPs do log all traffic - that's how they figure how much bandwidth you
use each month. Just try going over your monthly allocation and see how
long your site remains up (without an extra charge, that is).
>
> people from alt.www.webmaster who wander into NANAE, frequently
> amaze me with the enthusiasm with which they play Cliff Claven.
> They even make many of the NANAE poseurs seem modest and knowledgeable.
> http://www.google.com/search?q=cliff+claven
>
>
> Vernon Schryver EMAIL REMOVED
I really don't care about Cliff Claven. I'm speaking from a long
history in the computer industry. I started out designing digital
hardware back in the 70's - even before the 4004 processor came out.
And even though most of my work is now software, I have maintained the
hardware background. And I still maintain my FCC engineer license -
although I'm no longer in that end because it doesn't pay worth a darn.
And while working for IBM I got a huge exposure to the software side of
networking - including how to monitor network traffic, set up firewalls,
etc. Just none of it was Unix based.
And I'm really amazed how much some of the people in n.a.n.e. think they
know about what's happening, when all they have is a little admin
experience on one OS. And not that much real admin experience at that.
Try working on the internals of your OS, networking products, etc. See
how they work - and I mean all the way down to the bits and bytes sent
to your network adapter. Get an understanding about how it really works.
Then go back and get an electronics background and see how all of that
works, and how you can tell exactly what's going on, and how to stop it.
Then you can come back and speak of this with a bit of intelligence.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. EMAIL REMOVED
==================
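The point Jerry raises and Jamie confirms earlier in the thread (a newline in a From or Subject field lets a submitted form smuggle headers of its own into the message) as an added example in Python, not code from any poster: the naive string-concatenation builder beside one that refuses line breaks and control characters in user-controlled header fields. The function names, addresses and sample submissions are constructed for the example.

```python
"""Contact-form mail building: refuse CR/LF and other line breaks in fields
that end up as mail headers. Added example for this thread; the inputs below
are constructed, not taken from any poster's site."""
import re
from email import policy
from email.message import EmailMessage

# CR, LF, VT, FF, the other C0 controls, DEL, NEL and the Unicode line and
# paragraph separators: none of these belong in a single-line header value.
# (str.splitlines() would also treat every one of them as a line boundary,
# but a trailing break survives splitlines(), so check characters directly.)
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f\x85\u2028\u2029]")


def check_header_value(name: str, value: str) -> str:
    """Return the trimmed value if it is safe for header `name`, else raise."""
    if _FORBIDDEN.search(value):
        raise ValueError(f"{name}: line break or control character in value")
    return value.strip()


def naive_build(from_addr: str, subject: str, body: str) -> str:
    """The fragile pattern: concatenation with no validation of form fields."""
    return f"From: {from_addr}\r\nSubject: {subject}\r\n\r\n{body}"


def safe_build(from_addr: str, subject: str, body: str) -> str:
    """Validate every user-controlled header field, then let the email
    library serialise the message (body text may legitimately span lines)."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = check_header_value("From", from_addr)
    msg["Subject"] = check_header_value("Subject", subject)
    msg.set_content(body)
    return msg.as_string()


def header_names(raw: str) -> list[str]:
    """Header names of a serialised message (everything before the first
    blank line); used to show what the naive builder lets through."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")]


# Constructed submissions: a normal one, and one whose subject carries a
# CRLF followed by an extra header, the pattern the thread describes.
GOOD = ("alice@example.com", "Question about the demo", "Hello,\nhow much?")
BAD = ("alice@example.com", "hi\r\nBcc: list@example.net", "unwanted text")

if __name__ == "__main__":
    print(header_names(naive_build(*GOOD)))  # ['From', 'Subject']
    print(header_names(naive_build(*BAD)))   # ['From', 'Subject', 'Bcc']
    print(safe_build(*GOOD))
    try:
        safe_build(*BAD)
    except ValueError as err:
        print("rejected:", err)
```

The check runs on the decoded form values, after the CGI or PHP layer has undone URL encoding, since that is the form in which the data reaches the mail headers.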