Archive for the ‘email’ Category

Walled garden

12 Oct 2007 12:56 by Rick

This idea being promoted by MAAWG looks like it could be an effective way of limiting spam at source, and, as the members are high powered, it could actually get implemented.

The problem is that a large proportion of spam and associated phishing, viruses and other attacks are sent, not from huge malicious systems in a far off place, but many thousands of small home systems each adding their little bit to the flood and under common malicious control. They were infected by a previous attack and then join in themselves—these are called zombie systems and are collectively known as a bot-net.

The principle of this proposal is for ISPs to identify customers on their own networks who are infected. Nothing new there, except that they currently don’t do it because of the administrative overhead it would trigger. The difference is that, once identified, the customer would have all their internet traffic automatically routed to a sanitised area called the Walled Garden within the local domain, and all browser requests would result in a link to an internal site which provides education and disinfection tools. Until the customer’s systems are cleaned, no traffic is permitted out onto the wider internet. Think of it as a quarantine with a pharmacy on hand for self-treatment. The reasoning is that the majority of customers with infected systems are unaware of it and wouldn’t know what to do if they were told. This way they don’t have a choice.

There will still be some admin overhead—in calls to the help desk—and it would need to start gently to minimise false positive alarms, but it is probably the only way to force these infected zombie systems off the network.

As I said, there are some heavyweight people on this working group: AOL, AT&T and France Telecom (Orange), but not my ISP. But when (if?) the momentum gets under way, no ISP is going to be able to ignore it and stay in business.

Gpg4Win and Enigmail

22 Jun 2007 17:40 by Rick

There is currently a problem that Enigmail, the OpenPGP extension for Thunderbird, doesn’t work with Gpg4Win. The latter is the GUI version of GnuPG for Windows. The versions tested were Enigmail 0.95.1 and Gpg4Win 1.1.0, but I understand other versions are affected.

There seems to be some dispute as to which program is at fault, and the most common recommendation is to uninstall Gpg4Win and install the plain command-line version of GnuPG. Although there is some overlap (both provide a key management GUI, for instance), this would lose some of the useful disk management functions of Gpg4Win.

I have discovered that there is a much easier fix. In Thunderbird, go to the OpenPGP ==> Preferences menu item and, in the “Files and Directories” window, tick Override and enter C:\Program Files\GNU\GnuPG\gpg.exe. Now stop and restart Thunderbird and everything works just fine.

Virus Scare

16 Jun 2007 13:39 by Rick

I had a bit of a fright this morning; AVG (free) kept saying that it had found an infected object but it wouldn’t put it in the Virus Vault where it should go. I was bothered because I don’t do viruses, I consider myself too smart for that (look out, the sky is falling in). I see a few go past in email, and I used to have trouble when my anti-spam system kept a copy of recent emails in plain text (it now keeps them in a database, so that is resolved). I have just installed a trial of Prevx, so wondered if that may have triggered something, but I don’t think so.

Some analysis and a few blunders later, I discovered:

  • The infected file was in C:\System Volume Information\_restore{DF9 …a lot of hex… F08}\RP108\A0024948.exe. If I remember rightly this is the System Restore area. I don’t recognise the file name, perhaps System Restore mangles them?
  • This accounts for why my working (LUA) account could not vault it, because I don’t have access.
  • It is reported as I-Worm/Stration.DJC. This is normally distributed by ICQ (which I don’t use) but has been seen recently in spam email—I am unlikely to have executed any attachments.

The blunder was that (in a panic) I deleted the system restore area before scanning the system; I seem to drop out of Security Analyst mode when I come home. Anyway I did a full system scan and a run of the Kaspersky Online Scanner for good measure. Nothing else was found.

What I don’t understand is:

  • How it got there. I thought System Restore was backing up things that changed during an install so that you could back them out later. If that is the case, it should have been live on my system before whatever install replaced it and there should be some other traces left.
  • Why AVG should have been looking there in Resident Shield mode anyway. I thought it only checked files that you accessed, and that is not likely to be one of them.

It will, no doubt, remain a mystery.

Blueyonder – Spam source

25 May 2007 15:23 by Rick

One of the leading commercial anti-spam companies, Trend Micro, who run the MAPS system, compile a weekly rogues’ gallery of ISPs and the amount of spam generated from their networks.

Blueyonder (our ISP) is number 42 having generated 71.4M spam emails last week in the last 24 hours.

No wonder we keep getting blocked.

Mind you, that is nowhere near as bad as BT (number 24) or Orange (at number 8 with over 300M spam). These figures are not factored by the size of the customer base, but that is probably right because the more customers, the more collective pain they experience when they are blocked. Smaller ISPs don’t appear explicitly if they buy their network from larger suppliers.

I have commented before on the stupidity of blacklists, but at least this one is contactable and apparently accountable. Why should the misdemeanours of a few customers impact the whole community?

Confessions of an email spammer

7 Apr 2007 15:42 by Rick

A while ago, when this web site was really getting going, I discovered the need for a mail form to help people communicate back. At the time I was having problems with random senders being blocked, and this seemed the easiest way to do it. I found what looked to be a good system in Jack’s Formmail.php v5.0!. I went through it carefully, pulled out the parts which uploaded files to the server, which I thought were dangerous, and used it. This has been running for a couple of years—until today.

Today I got a heap of bounced emails into an account that is not normally used much and, looking at a few, it was clear that the originals had been generated by my modified script; I had signed them.

The content of a form generated email from my script is as follows, much the same as the original in fact:

 1. To: [recipient]
 2. Subject: [subject]
 3. MIME-Version: 1.0
 4. From: "[realname]" <[email]>
 5. Reply-To: [email]
 6. X-Mailer: DT Formmail5.0_RJP_2
 7. Content-Type: multipart/mixed;
 8.         boundary="----=_OuterBoundary_000"
 9. This is a multi-part message in MIME format.
10.
11. ------=_OuterBoundary_000
12. Content-Type: multipart/alternative;
13.         boundary="----=_InnerBoundery_001"
14.
15.
16. ------=_InnerBoundery_001
17. Content-Type: text/plain;
18.         charset="iso-8859-1"
19. Content-Transfer-Encoding: quoted-printable
20.
21. realname: [realname]
22. email: [email]
23. message: [message]
24.
25. Message sent by formail.php v5.0_RJP_2 from [HTTP_REFERER]
26.
27.
28. ------=_InnerBoundery_001--
29.
30. ------=_OuterBoundary_000--

Lines 1 & 2 are generated by the PHP mail() routine, lines 4 & 5 are generated by the script, lines 21-23 are obtained from the input form and the rest is pretty much fixed. I think my web host inserts Return-Path: [account email address] after line 8 and adds

Received: (from [account]@localhost)
by west-penwith.org.uk (8.12.11/8.12.11/Submit) id [id];
[datestamp]
Date: [datestamp]
Message-Id: [id]

to the front before the mail leaves home. [recipient] is fixed to my email address and coded in the script so that it can’t be harvested, [subject] is, I presume, sanitised by mail(). [email], the sender’s email address, is checked using a regexp and malformed ones rejected. [message] is not checked, but is protected by being inside a MIME type text/plain part.

Have you seen the flaw yet?

Looking at the bounced messages kindly provided by Yahoo!, where they quoted the incoming message in full, there were some strange additions. There was a big gap between lines 4 and 5 containing the spammy message. Also, lines 21-23 were in a different order and there was a lot of additional text before line 25. This consisted of the same spammy message and a very long "bcc:" list. What they had done was inject

[bogus email address at west-penwith.org.uk]
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
Subject: [spammy subject]
bcc: [lots of email addresses]

[Spammy content]

..

as the value for my variable [realname], and I hadn’t validated it. The insertion into the content of the message was benign, but in the header it was taken and interpreted as written, which is why all those bcc addresses were sent rubbish. As a last-minute alteration, I thought it would be nice to have the mail come from a real person rather than just an email address, and didn’t think of the consequences.

Verdict: Guilty as charged.

What I am curious about is a) why the mail stream wasn’t terminated by the “..” before line 5 as it is supposed to be, and b) how they discovered the flaw. Unfortunately I haven’t been receiving mail from this form for a few weeks (this may be related), so I would have missed any test runs. Do they have a bot which picks up the variables used by a form and tries injecting rubbish into them to see what happens, or has a human cracker been on the job?

I should point out that the flaw that was exploited was not in the original script; it was caused by an alteration I had made. The [subject] may also be vulnerable in a similar way, though it would depend on how mail() interprets it; the manual is vague on this. There are a lot of other things which even the original script doesn’t check, so perhaps I should look around for a better one.
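The following is an added illustration of the flaw described above, not code from this post or from Jack’s Formmail, and written in Python rather than the script’s PHP. It builds the From: line both ways: the unvalidated string concatenation that let a [realname] containing line breaks turn into extra headers, and a hardened builder that refuses any header-bound field containing CR, LF or NUL and lets the standard library quote the display name. The recipient, sender addresses and the injected sample value are all constructed for the example; parsing the result the way a receiving mailer would shows the smuggled bcc: and second Subject: in the first case and their absence in the second.

```python
import re
from email import message_from_string
from email.headerregistry import Address
from email.message import EmailMessage

# Constructed sample input: a "realname" value shaped like the injection the
# post describes. It closes the quoted name, then carries extra header lines
# and a blank line so the MTA reads what follows as a second body.
INJECTED_REALNAME = (
    'Jane"\r\n'
    'bcc: someone@example.invalid\r\n'
    'Subject: spammy subject\r\n'
    '\r\n'
    'Spammy content'
)

RECIPIENT = "rick@example.invalid"  # hypothetical fixed recipient, as in the script


def build_message_unvalidated(realname, sender, subject, message):
    """The pattern the post describes: form fields pasted straight into header
    lines. Any CR/LF inside realname ends the From: line early and the rest is
    interpreted by the MTA as further headers (and a body) of its own."""
    return (
        f"To: {RECIPIENT}\r\n"
        f"Subject: {subject}\r\n"
        f'From: "{realname}" <{sender}>\r\n'
        f"Reply-To: {sender}\r\n"
        "\r\n"
        f"realname: {realname}\r\n"
        f"email: {sender}\r\n"
        f"message: {message}\r\n"
    )


HEADER_BREAK = re.compile(r"[\r\n\x00]")
ADDR_SPEC = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def header_value(value, maxlen=200):
    """Accept a single-line header value or refuse it outright. Refusing is
    safer than stripping: a value that tried to contain a line break is not
    worth repairing."""
    if HEADER_BREAK.search(value) or len(value) > maxlen:
        raise ValueError("header field must be one line of at most %d chars" % maxlen)
    return value


def build_message_validated(realname, sender, subject, message):
    """Hardened form: every header-bound field passes through header_value(),
    and the From: address is assembled by email.headerregistry.Address, which
    quotes the display name properly instead of relying on hand-written quotes."""
    if not ADDR_SPEC.match(sender):
        raise ValueError("malformed sender address")
    msg = EmailMessage()
    msg["To"] = RECIPIENT
    msg["Subject"] = header_value(subject)
    msg["From"] = Address(display_name=header_value(realname), addr_spec=sender)
    msg["Reply-To"] = sender
    # Body fields need no header validation: inside a text/plain part a stray
    # "bcc:" line is just text, exactly as the post observed.
    msg.set_content(f"realname: {realname}\nemail: {sender}\nmessage: {message}\n")
    return msg.as_string()


def header_names(raw):
    """Parse a raw message the way a receiving mailer would and list its header
    names (lower-cased, repeats kept). A 'bcc' or a second 'subject' that the
    script never set is the tell-tale of a successful injection."""
    return [name.lower() for name in message_from_string(raw).keys()]


if __name__ == "__main__":
    sender = "jane@example.invalid"
    bad = build_message_unvalidated(INJECTED_REALNAME, sender, "Enquiry", "hello")
    print("unvalidated headers:", header_names(bad))
    try:
        build_message_validated(INJECTED_REALNAME, sender, "Enquiry", "hello")
    except ValueError as exc:
        print("validated builder refused it:", exc)
    good = build_message_validated("Jane", sender, "Enquiry", "hello")
    print("validated headers:", header_names(good))
```

The same header_value() check belongs on [subject] as well, since the post notes that mail()’s handling of it is unclear; the rule is simply that nothing taken from a form may reach a header line unless it has been proven to be a single line.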

British Dictionary for Firefox

30 Mar 2007 08:18 by Rick

I know that the Add-ons for Firefox are created by volunteers, but the organisation does itself no favours by allowing a fundamental extension to go out of date. In most cases there is nothing wrong with the extension, just that the install package is out of date, specifying a maximum version older than the current one. This has happened with the British English Dictionary, so I have made available a hacked copy here.

Update: 10 Aug 2009: British English Dictionary 1.19.99.1 now supports Firefox 3.5+.

Update: 24 Feb 2010: British English Dictionary 1.19.99.2 now supports Thunderbird 3.0+.

ROFL

22 Feb 2007 08:50 by Rick

Sometimes you get a spam message that is so funny you can’t help laughing, mostly at their incompetence. Take this one which slipped through my filter; it looks like it is a multiple-choice randomiser to generate basically the same message but each one with slightly different wording. At least, it would be if it weren’t for the fact that they have sent the source code, not the generated text.

<“Hello”|”Hi”|”Hi there”|”Good day”>

I <“hope”|”sincerely hope”|”wish”> this message finds you in a great <“spirit”|”mood”>. <“For a start”|”First”|”First of all”> <“I would”|”I’d”> like to <“congratulate”|”welcome”> you on this <“offer”|”opportunity”> because our <“association”|”company”|”corporation”> just got your contact and your <“brief”|”short”> profile through an <“email”|”web”> listing affiliated with <“the UK Chamber of Commerce”|”Monster”|”Careerbuilder”|”Yahoo Jobs”|”Google Jobs”|”HotJobs”>
<“I would”|”I’d”> be <“very”|”extremely”|”highly”> interested in <“offering”|”giving”> you a <“work at home”|”great”|”flex-time”|”part-time”> <“job”|”career”> in which you <“could”|”can”|”would”> <“earn”|”get”> an extra income <“of about”|”nearly”|”up to”|”starting from”> J<“2000″|”3000″|”4000”> <“per month”|”monthly”>.

This work <“does not”|”doesn’t”|”will not”|”won’t”> affect your <“present”|”current”> <“job”|”career”> and this is a <“very “|””>limited offer in which I <“will”|”would”|”would really”> require your immediate response. I <“will be hoping”|”really hope”> to hear from you soon, since <“its”|”it’s”|”it is”|”this is”> a job that <“can”|”will”> enable you to <“work from home”|”work part-time”|”enjoy an easy work”|”work at home”>. You will also <“stand the chances”|”have a chance”|”be given the opportunity”> of being a part of our future and <“excellent”|”winning”|”our”> team in which <“you will”|”you’ll”> be highly <“appreciated”|”respected”>.
Please fill out our <“application”|”appointment”> form, <“no fees asked”|”no money upfront”>, just your <“name and a phone number”|”basic contact details”>:
[web address removed]

<“Your application”|”Your enquiry”> will be <“processed”|”answered”> <“as soon as possible”|”ASAP”>.

<“Thank you”|”Thanks”|”Have a nice day”|”Best wishes”|”Take care”|”Bye”>.

Soon afterwards I got the real thing!

Signature blocks

30 Jan 2007 12:52 by Rick

Signature blocks are the pieces of boilerplate text that are added to the end of every email that you send. Some are very small e.g. “cheers, Rick” and some, like corporate ones, are very big.

I consider it important that they contain a certain minimum of information; the reader needs to know who you are. First, for technical reasons, every signature block should begin with a line that contains two hyphens and a space "-- " at the start and nothing else. This is required by the email standard and allows client software to know where the content ends and the signature block starts. Many products take advantage of this and, for instance, display the signature in a different colour.

The second essential item is your name. If you use multiple blocks and select each one according to the type of email, then this can be just your nickname or your full name and formal title according to circumstances, but if you use one block for everything then make sure that it is sufficient to pick you out from the crowd.

Include your email address. I know that there is a return address in the headers but in some circumstances, e.g. if the mail is forwarded, this can get stripped off.

Finally make sure that the block is appended to all mail—original notes, replies and forwards.
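As an added example (not code from this post), here is how a mail client can rely on the "-- " rule described above: a body is split at the first line that is exactly two hyphens and a space, a bare "--" is treated as ordinary text, and a small checker applies the other points made here (a name and an address in the block, and the four-line guideline). The sample messages and signature are constructed for the example.

```python
SIG_SEPARATOR = "-- "   # exactly two hyphens and one space, nothing else
MAX_SIG_LINES = 4       # the old netiquette limit mentioned in the post


def split_signature(text):
    """Return (body, signature), splitting at the first line that is exactly
    '-- '. A line that is merely '--' (no trailing space, or with the space
    stripped by an editor) is ordinary text, so a message with no proper
    separator comes back with signature None."""
    lines = text.split("\n")
    for i, line in enumerate(lines):
        if line == SIG_SEPARATOR:
            return "\n".join(lines[:i]), "\n".join(lines[i + 1:])
    return text, None


def append_signature(body, signature):
    """Append a signature block to a body, inserting the separator line so that
    replies, forwards and originals all carry it in the same form."""
    return body.rstrip("\n") + "\n" + SIG_SEPARATOR + "\n" + signature.rstrip("\n") + "\n"


def check_signature(signature, name):
    """Apply the post's advice to a signature block and return a list of
    complaints (empty if it passes): the block must name you, carry an email
    address, and not run to much more than the traditional four lines."""
    problems = []
    sig_lines = [line for line in signature.split("\n") if line.strip()]
    if name.lower() not in signature.lower():
        problems.append("signature does not contain your name")
    if "@" not in signature:
        problems.append("signature has no email address")
    if len(sig_lines) > MAX_SIG_LINES:
        problems.append("signature is %d lines, over the %d-line guideline"
                        % (len(sig_lines), MAX_SIG_LINES))
    if any(line == SIG_SEPARATOR for line in signature.split("\n")):
        problems.append("signature itself contains a '-- ' line")
    return problems


if __name__ == "__main__":
    # Constructed sample: a reply whose quoted part happens to contain '--'.
    sample = "Thanks, will do.\n--\nnot a separator\n-- \nRick\nrick@example.invalid\n"
    body, sig = split_signature(sample)
    print("body:", repr(body))
    print("signature:", repr(sig))
    print("checks:", check_signature(sig, "Rick"))
    print(append_signature("Hello", "cheers, Rick"))
```

Because the separator is the line as sent, a mail composer or web form that trims trailing whitespace before sending will silently turn "-- " into "--" and the receiving client will no longer find the block; that is the usual reason the colouring the post mentions fails to appear.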

Putting large graphics and logos into signatures is considered bad form but other contact details can be very useful. I think I am unusual but I have always included my full address, telephone number, email address and web site URL in every email I send. There used to be a netiquette rule that 4 lines were the maximum but you can go over that if it is informative, just don’t overdo it.

The requirements for company emails are different and the (UK) regulations have just changed. You are now required to show the company name, registration number, place of registration and registered office address, also your VAT number if you have one. It is also recommended to include membership of any professional or trade association. Most companies are telling their employees to include this information on every email, internal or external, whether or not it is a formal communication, just in case they should be interpreted as such and leak to the outside.

On business emails there are often two other wordy blocks of legalese. The confidentiality clause tells you not to read the message if it wasn’t intended for you; a bit late, that one, as they are almost always after the content, so you have just read it. Even so, they are considered worthwhile as they should serve as a brake on forwarding them on to other people. If you really want to keep your messages confidential, encrypt them.

The other is the disclaimer clause, which says that you can’t rely on or trust anything you have just read; this is a complete waste of time, as you wouldn’t have sent it if you didn’t mean it (I hope). They are also legally ineffective. If you really want your messages to be validated, then digitally sign them.

Security alert

10 Jan 2007 10:59 by Rick

According to the news you can now sign up to receive security alerts from MI5 direct. I was going to write about this yesterday but I had no luck in finding it on their web site. Even the What’s New page doesn’t mention it—to save you the effort, the page is here (Contact Us) though I see that there is now (sometimes) a link under the What’s New paragraph on the front page (the secure and plain versions of the home page have different content).

Anyway, I am rather disappointed that they have only set this up using a communication system that is, itself, fundamentally insecure. By this I mean e-mail. It is not that there is any particularly sensitive information being sent, but that is not all security is about. Spoof e-mails are widespread and all sorts of fun and games could be had by issuing bogus MI5 alerts, even if they are not strictly on topic. There is widespread misunderstanding of what MI5 does anyway.

A much better system would be to use an RSS feed, especially as systems to use them are now widely available (IE7, Firefox, Thunderbird etc.) The thing that is lacking is public understanding of the system, but what a good opportunity for education; there is nothing better than a want-to-know to get people to learn.

[Update]
You can get a Firefox plugin that displays the threat level.
The implementation was a shambles. Although the form may be on a secure page (depending on how you get to it), the data is transmitted in plain text straight to a commercial direct mail organisation in the USA.

Spam challenged

24 Nov 2006 12:31 by Rick

There are a number of systems around which try to verify the sender’s email address before passing the incoming mail on to you. One of the popular ones is Challenge-Response. What it does is work with a whitelist of known email addresses. If the mail comes from one of these, it passes it into your inbox. Fine. If it comes from an unknown address then it doesn’t just delete it, which is good, but it sends back an automated reply to the sender asking them to verify that they really did send the email in the first place. This sounds good; what happens is that the person who wrote to you has to reply in a particular way or visit a web site to verify their address, and then the original email is passed into your inbox. However, if the email came from a spammer then they won’t reply and you will never see the original mail.

What is wrong with this? I am getting the mail I want and not getting the spam.

There are a number of answers to this. Firstly, you are making your correspondents jump through hoops just to write to you. Of course you will have put all your known correspondents into your whitelist already, but that unexpected enquiry from someone who has read your blog, or auntie Jean who has just got an AOL account, or a friend who has had to change providers, will have to perform unnatural acts. Auntie Jean may never figure it out. Do you mind if you never receive the receipt from that widget you bought online?

Secondly, if you are a member of any mailing list, what happens if someone new joins? Their first mail goes to the list, which is passed on to you. Your system replies asking for validation—but he has never heard of you. Worse still, your challenge may go to the list for everyone to see.

Third, what if the sender is using a similar system? What happens to your response (exercise for the reader)?

Finally, and most importantly, it makes YOU a spammer. All those challenge replies you send, an equal number to the spam you receive, contribute to the network load. And where do you think they are going? Not to the spammer, because he was careful not to put his own address on it; the return addresses are all forged, and a good percentage of them will belong to real users who not only get their normal ration of spam but are now also getting yours as well. And don’t think your ISP won’t notice either. They are used to large volumes of incoming mail because they know about spam, but suddenly you are generating large volumes of outgoing mail as well; and they know about spam, so are liable to cut you off.
