1997-12-02 - Re: Pasting in From:

Header Data

From: Andy Dustman <andy@neptune.chem.uga.edu>
To: stewarts@ix.netcom.com
Message Hash: 0b121e3b2c813c1657c495e13ddced70caa6b1308c11b44707f6e438b9d7e323
Message ID: <Pine.LNX.3.94.971202114234.6085Y-100000@neptune.chem.uga.edu>
Reply To: <3.0.3.32.19971201125046.006d2f34@popd.ix.netcom.com>
UTC Datetime: 1997-12-02 17:04:01 UTC
Raw Date: Wed, 3 Dec 1997 01:04:01 +0800

Raw message

From: Andy Dustman <andy@neptune.chem.uga.edu>
Date: Wed, 3 Dec 1997 01:04:01 +0800
To: stewarts@ix.netcom.com
Subject: Re: Pasting in From:
In-Reply-To: <3.0.3.32.19971201125046.006d2f34@popd.ix.netcom.com>
Message-ID: <Pine.LNX.3.94.971202114234.6085Y-100000@neptune.chem.uga.edu>
MIME-Version: 1.0
Content-Type: text/plain



On Mon, 1 Dec 1997 stewarts@ix.netcom.com wrote:

> These are easy enough; the address-munging gets rid of these and
> also things like forgings to alt.test and other bots,
> though eventually the spammers may catch on to "User <AT> Foo <DOT> com" etc.

It's probably too much effort for them to bother with. If you were a
spammer, and wanted loads of addresses, how would you get them? Headers
are the most address-rich part of the message, so you just get headers
from the server. Then you look for addresses with a regex. Looking for
mangled addresses means that now you have to have two regexes, which
increases your search time for not much benefit. No, the only ones which
will bother will be the spiteful ones...

> I shut down my remailer a few years ago because of this one;
> the forger posted hate mail to the gay newsgroups with the victim's name
> at the bottom (didn't even use From: pasting, just message body.)
> Supporting From: pasting just encourages this.
> 
> It's possible to cancel the one forged usenet message,
> but that didn't stop the flames many people emailed to her,
> and fewer systems are accepting cancels these days,
> especially when forged by remailers...

With the address munging on USENET posts, you have to do a bit of work in
order to even find the actual forged address (look at the headers, dig out
Author-Address:, unmangle it), and by then you ought to be wondering, Did
this person really send this?

> By the way, one technical risk with From:-pasting is that you need to
> parse or substitute special characters including parens and anglebrackets.
> Otherwise it's easy for people to paste in syntactically incorrect headers,
> which really annoy some gateways and mail clients - nested parens are
> a particular problem.

Ah. When munging, I just use: sendmail -bv -- $ADDR and then a bit of sed
magic. If anything can parse it correctly, it's sendmail. 

> >(I would like to see Cc: and Bcc: being allowed to be pasted in also).
> At minimum, addresses in Cc: and Bcc: need to be checked against
> blocking lists, and it's probably worth checking the number of
> names in the list against some threshold - especialy Bcc:s,
> which tend to be popularly used by spamware.

On cracker, you can paste To:, CC:, and Bcc:. All are checked against the
destination block file. At present, if a blocked address is on a list of
addresses, the entire list is blocked. Maximum number of recipients is 20,
at which point the whole thing is dropped.

> >I would also like to see From: pasted in.  In fact I can see no
> >purpose to restrict what can be pasted in, other than to reduce
> >complaints to the remailer operator possibly.
> Too easy to be abused by forgers, as are Reply-To: and Sender:.

Sender: we don't allow, or X-Sender: or Received: or Comments:
authenticated sender is. Reply-To: is allowed, and checked against the
destination block list. In practice, this stuff doesn't seem to be a
problem.

Andy Dustman / Computational Center for Molecular Structure and Design
For a great anti-spam procmail recipe, send me mail with subject "spam".
Append "+spamsucks" to my username to ensure delivery.  KeyID=0xC72F3F1D
Encryption is too important to leave to the government. -- Bruce Schneier
http://www.athens.net/~dustman mailto:andy@neptune.chem.uga.edu   <}+++<






Thread