Buying and selling root certificates

Matt Blaze said it well: "A commercial CA will protect you from anyone
from whom they won't take money."

Put another way, what's your threat model? Against what threats are
you trying to defend yourself? Rob Seastrom seems to be trying to
defend himself against passive eavesdroppers, for which SSL without
certificate verification is an entirely adequate defense. If your
concern is phishing, however, you need to check the certificate chain,
the policies of the trust anchor (AKA "root CA"), and its reputation
for actually enforcing those policies with proper verification.
Verisign, for example, was fooled a few years ago by someone who
claimed to be Microsoft -- but they had sufficient back-end
verification that the spoof was detected. Is this good enough? What's
your threat model...?

    --Steve Bellovin, http://www.research.att.com/~smb

> Put another way, what's your threat model?

the ultimate disaster is if my delete key breaks

> Matt Blaze said it well: "A commercial CA will protect you from anyone
> from whom they won't take money."

With current SSL implementations, you have to rely on all of the
commercial CAs not taking the money. Any match wins.

> verification that the spoof was detected. Is this good enough? What's
> your threat model...?

My threat model was simple :) I wanted to reduce the messages in my logs
about certificate verification failures. I could load a few widely used
CAs or I could just turn certificate verification off (the default) and
the messages would stop.

Eric Rescorla gave a good talk at USENIX Security last year called
"The Internet is Too Secure Already"
   http://www.rtfm.com/TooSecure-usenix.pdf

Part of his talk was the threat model mismatch on the Internet.

   - Excessive concern with active attacks
   - Taking cryptanalytic attacks too seriously
   - Forgetting about other threats

Ok so I send an email to a friend at SBC. Here's the result.

The original message was received at Wed, 28 Apr 2004 23:23:51 -0400
from pc2.rocknyou.com [192.168.1.28]

   ----- The following addresses had permanent fatal errors -----
<myfriend223@ameritech.net>
    (reason: 553 5.3.0 DNSBL:To request removal of,[xx.xx.xxx.111],send an
E-mail to removeme@sbc.sbcglobal.net)

   ----- Transcript of session follows -----
... while talking to mx1-klmzmi.klmzmi.ameritech.net.:

MAIL From:<joej@rocknyou.com>

<<< 553 5.3.0 DNSBL:To request removal of,[xxx.xxx.xx.177],send an E-mail to
removeme@sbc.sbcglobal.net
501 5.6.0 Data format error

Ok, I send an email to to removeme@sbc.sbcglobal.net
result:

The original message was received at Wed, 28 Apr 2004 23:24:09 -0400
from pc2.rocknyou.com [192.168.1.28]

   ----- The following addresses had permanent fatal errors -----
<removeme@sbc.sbcglobal.net>
    (reason: 550 5.0.0 Access denied)

   ----- Transcript of session follows -----
... while talking to mx.dia.sbcglobal.net.:

MAIL From:<joej@rocknyou.com>

<<< 550 5.0.0 Access denied
554 5.0.0 Service unavailable

Nice, why bother advertising such a removal via email?

Cheers
-Joe

Joe,

> Nice, why bother advertising such a removal via email?

Because everyone is really meant to also own a Hotmail, AOL, Yahoo, gmail, or some such "reputable" email service that you use for instances like this.

OR... set your outbound SMTP server to your upstream's so that at least this message goes out correctly. In your case (for 24.61.68.177) you would use Comcast's SMTP name, whatever that is.

Martin

The reason is that the spammer is spoofing a removal address, as most
of them do.
The best advice I can give anyone is to never respond to an unsolicited email.
If you do not wish to go to the trouble to report it to, say, spamcop, then
just delete it.
Responses to unsolicited email only confirm your email address is good, and
will subject you to an even heavier spew of the junk mail.

> Ok so I send an email to a friend at SBC. Here's the result.

<Blowin' in the wind type snip>

> Nice, why bother advertising such a removal via email?

Surely you must be joking?

A guide to how to be spammed.

1) Click on most spam emails to let them know your address is to be spammed.

2) Failing that in 1, click on a "remove me" so they know you are still
around.

....you were just lucky it said it is a dead address if it actually IS dead,
but my bet is that it isn't and that you have received a "dead letter
office" reply from an active account. I can do that here and I am not a
spammer, so why can't a spammer?

Greg.

Gregh writes on 4/29/2004 9:27 AM:

> A guide to how to be spammed.
>
> 1) Click on most spam emails to let them know your address is to be
> spammed.
>
> 2) Failing that in 1, click on a "remove me" so they know you are still
> around.

Folks, you are missing something here. He was trying to write to SBC at
an address they asked him to write to, and that address bounced when he
emailed it.

He's not doing what you think he's doing.

With all respect, he has replied to a "remove me". Then he is saying the
address doesn't exist. I send messages back, routinely, from this address as
if my ISP's own mailer daemon had sent them. The address he emailed may WELL
exist but it is set up to respond with a standard "User not known" style
reply.

I wasn't missing anything. What he was missing is as I said before and the
above paragraph. The "remove me" address may exist and all email to it may be
kept and read by a spam engine and the FROM address added to the spammer's
database, BUT the spam engine is set up to send "User Unknown" replies back
to everyone. Easy to do with a simple program most people could write. Even
McAfee have worked out how to do this.

Greg.

Martin,

> Because everyone is really meant to also own a Hotmail, AOL, Yahoo, gmail,
> or some such "reputable" email service that you use for instances like this.

Lol. ok so
    Yes an entry like
aol.com smtp:[smtp.comcast.net]
cs.com smtp:[smtp.comcast.net]
in mailertable is fine, but why advertise such a bogus means of a fix?
As well, I'm not hotmail nor AOL so little guys are mucked up then.

> OR... set your outbound SMTP server to your upstream's so that at least
> this message goes out correctly. In your case (for 24.61.68.177) you would
> use Comcast's SMTP name, whatever that is.

And perhaps you mean ip-66-xx.xxx.xx.dsl.bos.megapath.net (66.xx.xx.xx) as
well..
None the less, this doesn't support the response of "email xxx@xx.com to
request removal"
being 550 access denied. Perhaps this is some sort of spam deterrent?

Cheers Martin, Used to be out there in PacBell land too, 5 IPs via DSL.
Ahh, Lucky guy.

> Martin

-Joe

Greg, please re-read your email/this thread. There is/was/isn't anything
about replying to a SPAM message. At what point do you see any sort of
items regarding a reply to a Spam email?
Sorry for the static, just wanted this to be clear....
Martin hit it on the head, just use a/your larger provider's SMTP as a
forwarder.
No fix, but a way around fer now.
Cheers
-Joe

A self-signed certificate protects you against any _short term_ attack -
the insurgent must maintain his own certificate, intercept your connections,
redirect my packets _BEFORE_ I connect the very first time (after that, I
have got the certificate and am protected).

So, it is reasonable (to use commercial certificates) for public financial
services (banks, e-commerce); all other kinds of services do not require
it - all the insurgent can do is defraud you once in a life... unrealistic
scenario.

Certificate Authorities are a very good example of a _blown up_ business.
(Yes, they verify identity... what's the difference if you maintain 1 or
100 domains under the same company name and same basic level domains...
A certificate should cost 20% for 1 year, not 400$).

Do not overestimate the importance of it... it is more for the public
relations, not for the real security.
(but I never propose any bank, any point of sale, any e-commerce to use
a self-signed certificate for a _public_ service... even if the risk is
0.000001%)..
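Two posts in this thread describe the same trade-off from opposite ends: Steve Bellovin's point that SSL without certificate verification defends only against passive eavesdroppers, and the last post's argument that a self-signed certificate is enough once the first connection has been made. The code below is an added example, not from any poster or from sendmail or OpenSSL, and implements that second model explicitly as trust-on-first-use (TOFU) pinning: the first connection is taken on faith, the leaf certificate's SHA-256 fingerprint is recorded, and every later connection is refused if the fingerprint changes. The class and function names, the JSON store format and the host names are assumptions made for the example; the offline demonstration uses constructed byte strings in place of DER certificates.

```python
"""Trust-on-first-use (TOFU) pinning for a self-signed TLS peer.

Added example. It deliberately does NOT validate a CA chain: under the
model in the last post, the pin recorded on first contact is the trust
anchor, and the unverified first connection is the accepted exposure.
"""
import hashlib
import json
import pathlib
import socket
import ssl
from typing import Optional


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as hex; this is what gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Per-host fingerprint store, optionally persisted to a JSON file (assumed format)."""

    def __init__(self, path: Optional[pathlib.Path] = None):
        self.path = path
        self.pins = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, der_cert: bytes) -> str:
        """Return 'pinned' (first contact), 'match', or 'MISMATCH'.

        'pinned' is the one unverified step of TOFU: whoever is in the path at
        this moment is what gets pinned. 'MISMATCH' is either an interceptor
        or a legitimate key rotation; the code cannot tell them apart, so it
        refuses and leaves the decision to the operator (delete the pin to
        re-trust after confirming the change out of band).
        """
        fp = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            self._save()
            return "pinned"
        return "match" if pinned == fp else "MISMATCH"


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the peer's leaf certificate without CA verification.

    CERT_NONE is deliberate: a self-signed certificate fails chain validation,
    and the pin store, not a CA, is the trust anchor here. getpeercert with
    binary_form=True still returns the DER bytes under CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def connect_with_tofu(host: str, store: PinStore, port: int = 443) -> str:
    """Connect, pin or compare, and raise if the certificate has changed."""
    der = fetch_leaf_der(host, port)
    verdict = store.check(host, der)
    if verdict == "MISMATCH":
        raise ssl.SSLCertVerificationError(
            f"{host}: certificate changed since first contact; pinned "
            f"{store.pins[host][:16]}..., got {fingerprint(der)[:16]}...")
    return verdict


if __name__ == "__main__":
    # Offline demonstration: constructed byte strings stand in for DER
    # certificates; no real certificate or host is embedded.
    store = PinStore()
    first = b"constructed-der-cert-of-imap.example"
    print(store.check("imap.example", first))                        # pinned
    print(store.check("imap.example", first))                        # match
    print(store.check("imap.example", b"constructed-der-of-other"))  # MISMATCH
```

The design choice worth noting is that the pin is on the leaf certificate's hash rather than on the public key, so a server that re-keys (or simply renews a self-signed certificate) trips a MISMATCH just as an interceptor would; that is the operational cost the last post glosses over, and it is why pinning is a poor fit for public services with many first-time visitors and a reasonable one for a handful of hosts you administer yourself.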