Spoofed emails

Let'sgoflying!

Let'sgoflying!

Touchdown! Greaser!
Joined
Feb 23, 2005
Messages
20,864
Location
west Texas
Display Name
Display name:
Dave Taylor
There are a group of us (800+) on an email (yahoo) chat and we are plagued with spoofed emails.
It only seems to happen with the yahoo members; no one is reporting spoofed emails from other email addressees - I don't recall any from family or friends, etc.

The emails appear to come from various individuals' emails but they contain ads or other garbage. They are sent to the Yahoo server and distributed to all members.

Ideas welcome.
Thank you.
 
You have list members with viruses and malware on their computers then.
 
denverpilot said:
You have list members with viruses and malware on their computers then.
Click to expand...

That, or they have an easily guessable/easily brute-forced yahoo mail password.

I have also heard Yahoo mail was vulnerable to some kind of cross-site scripting hack that could collect passwords, but I'm not sure if that's been plugged or not.

Either way, tell the "offenders" to change their email passwords. Here's a list NOT to use ;)

http://mashable.com/2011/11/17/worst-internet-passwords/
 
rpadula said:
That, or they have an easily guessable/easily brute-forced yahoo mail password.

I have also heard Yahoo mail was vulnerable to some kind of cross-site scripting hack that could collect passwords, but I'm not sure if that's been plugged or not.
...
Click to expand...

Easier. They get a phish email from Yahoo telling them login with this link, and they do. Then Mr. Mugato in Nigeria slurps up their address book and sends the email telling everybody that I'm stuck in London and need you to wire $500 so I can get home.

I got an email from Google this morning that an attempt was made to log in to my account from Sunnyvale CA. I set up two factor authentication and only a few hours ago thought to check that the email wasn't phish. It wasn't.

I think it came from an app. Not no more.
 
rpadula said:
That, or they have an easily guessable/easily brute-forced yahoo mail password.

I have also heard Yahoo mail was vulnerable to some kind of cross-site scripting hack that could collect passwords, but I'm not sure if that's been plugged or not.

Either way, tell the "offenders" to change their email passwords. Here's a list NOT to use ;)

http://mashable.com/2011/11/17/worst-internet-passwords/
Click to expand...

SEE: Sarah Palin
 
I heard that there was a way for spammers to make it look like their email came from your account without hacking into anything.
 
Palmpilot said:
I heard that there was a way for spammers to make it look like their email came from your account without hacking into anything.
Click to expand...

It's not limited to spammers.

Anyone can set the FROM: header in an e-mail to anything they want. It is up to some other mechanism to choose to believe it or not.
 
I heard that there was a way for spammers to make it look like their email came from your account without hacking into anything.
Click to expand...

That is exactly how these emails appear.
 
darrell said:
It's not limited to spammers.

Anyone can set the FROM: header in an e-mail to anything they want. It is up to some other mechanism to choose to believe it or not.
Click to expand...

Is there a way to detect this by viewing the full header of a received message?
 
Palmpilot said:
Is there a way to detect this by viewing the full header of a received message?
Click to expand...

Yes. But there are assumptions you have to make.

The permanent fix for this is required SSL/TLS between mail servers with 3rd Party signed keys.

Server doesn't identify itself properly, drop. Don't accept any mail not delivered via TLS.

Problem is, it won't ever gain popularity for various technical and political reasons.
 
The permanent fix for this is required SSL/TLS between mail servers with 3rd Party signed keys.
Click to expand...

I have SSL ver 3 and TLS enabled on my email browser and it happened to me. My password was not that easy - 6 characters which did not spell a dictionary or slang word.
I feel like there is more to this than is known.
 
Let'sgoflying! said:
I have SSL ver 3 and TLS enabled on my email browser and it happened to me. My password was not that easy - 6 characters which did not spell a dictionary or slang word.
I feel like there is more to this than is known.
Click to expand...

If the spammer (or whoever) only has to type your email address into the From field as described in post #11, it sounds like your password is not even an issue.
 
Let'sgoflying! said:
I have SSL ver 3 and TLS enabled on my email browser and it happened to me. My password was not that easy - 6 characters which did not spell a dictionary or slang word.
I feel like there is more to this than is known.
Click to expand...

That's between you and the mail server. I was speaking of server to server communication.

Stronger authentication at that step would be useful.
 
Let'sgoflying! said:
I have SSL ver 3 and TLS enabled on my email browser and it happened to me. My password was not that easy - 6 characters which did not spell a dictionary or slang word.
I feel like there is more to this than is known.
Click to expand...

Even though it doesn't spell a dictionary word, 6 characters is too short. For every character you add, time to crack goes up.

More than you want to know here: http://en.wikipedia.org/wiki/Password_strength
 
rpadula said:
Even though it doesn't spell a dictionary word, 6 characters is too short. For every character you add, time to crack goes up.

More than you want to know here: http://en.wikipedia.org/wiki/Password_strength
Click to expand...

Also:
password_strength.png
 
Even though it doesn't spell a dictionary word, 6 characters is too short.
Click to expand...

Understood.

Does anyone want to try? 6 lower case ordinary english letters, which do not spell a word in the oxford dictionary.
You can use any computing source you want. I promise to say when you have found it. I will give you a month!
 
Let'sgoflying! said:
Understood.

Does anyone want to try? 6 lower case ordinary english letters, which do not spell a word in the oxford dictionary.
You can use any computing source you want. I promise to say when you have found it. I will give you a month!
Click to expand...

Would it be that hard to write a program to generate every possible combination of six letters? How many incorrect guesses does your email server allow?
 
Palmpilot said:
Would it be that hard to write a program to generate every possible combination of six letters? How many incorrect guesses does your email server allow?
Click to expand...

Aha, so passwords are easily cracked and are essentially a façade of security?
 
denverpilot said:
Yes. But there are assumptions you have to make.

The permanent fix for this is required SSL/TLS between mail servers with 3rd Party signed keys.

Server doesn't identify itself properly, drop. Don't accept any mail not delivered via TLS.

Problem is, it won't ever gain popularity for various technical and political reasons.
Click to expand...

I don't see how that would stop people from forging from addresses. There are plenty of reasons as to why one would want to set a from address to something other then the hostname of the mail server. So you'll always have to accept mail like that.

This is where Sender Policy Framework comes in and a lot of mail servers honor it -- the main thing is that most people aren't implementing it on their domains.

http://www.openspf.org/Introduction
 
> Would 8 characters instead of 6 make much of a difference to high-powered
> pw-cracking software?

Yes. But - both are dangerously short. Please consider something longer,
much longer. Even if you are simply padding your password ten commas, or
ten periods.

When it comes to passwords; length has primacy. Also VERY helpful to use
digits, punctuation and mixed case.

It doesn't take much of a computer to guess passwords at lightning speed. A Sony
Playstation 3 can guess ~2.5 million passwords/sec. Visit this calculator to get a
measure of how poorly you have chosen:

https://www.grc.com/haystack.htm

>> use phrases

Bad advice. Truly, bad advice.

Vaguely related:

NSA has a gift shop. They sell a t-shirt emblazoned with

I am a kriptoanalist ...
I am a criptanlist ...
I am a crypnologist ...
I am a cryptocologist ...
I like math!
 
Last edited:
how do they test so many passwords? Anytime I mess my own up 3-5 times, depending on the site, it gets locked down.
 
Let'sgoflying! said:
how do they test so many passwords? Anytime I mess my own up 3-5 times, depending on the site, it gets locked down.
Click to expand...

That's one technique for slowing them down. Problem is, it only takes one. And sometimes the cracking machines are in far-away lands with no law enforcement that's cooperative and are using things like Tor to spoof hundreds of IP addresses. They have the luxury of lots of time on their side.
 
jesse said:
I don't see how that would stop people from forging from addresses. There are plenty of reasons as to why one would want to set a from address to something other then the hostname of the mail server. So you'll always have to accept mail like that.

This is where Sender Policy Framework comes in and a lot of mail servers honor it -- the main thing is that most people aren't implementing it on their domains.

http://www.openspf.org/Introduction
Click to expand...

Right but now I know without a doubt which mail server it came from and I can definitively block that mail server forever, including by key. Even if it changes addresses. And SSL keys cost real money so if the bad guys want to play, it raises their costs.

The trick to stopping any bad behavior on public networks is to make it heinously more expensive.

SPF is fine. I've also seen it used as a reverse DoS against someone's DNS resolver. In practice it only stopped about 3% of my spam. Spammers are rarely relaying through open relays these days. It's too cheap to just buy access to a virtual machine at a host that someone else paid for with a stone credit card number.

Toss 100,000 e-mails at a server with SPF lookups turned on and teergrube the DNS responses. Run the DNS server out of sockets. Heh. Naughty.
 
denverpilot said:
That's one technique for slowing them down. Problem is, it only takes one. And sometimes the cracking machines are in far-away lands with no law enforcement that's cooperative and are using things like Tor to spoof hundreds of IP addresses. They have the luxury of lots of time on their side.
Click to expand...

What good does it do them to spoof IP addresses or have lots of time on their hands if the account is locked down after a few incorrect tries?
 
Palmpilot said:
What good does it do them to spoof IP addresses or have lots of time on their hands if the account is locked down after a few incorrect tries?
Click to expand...

They typically don't stay locked. The three strikes and you're out until you authenticate via e-mail is a relatively new thing for the free public websites. Try a few. Wait an hour. Try some more.

Usually other sites that don't monitor login attempts are easier targets and they go there. Kinda like a good neighborhood and a bad one.

But if the money is good from one of those ads they're pushing, setting up a machine to try "forever" is just "good business" somewhere where $100 goes a long way.

My airplane co-owner hosted a high-school exchange student from the former Soviet bloc. (Romania I think. May not be remembering correctly.)

She was a very nice young lady and had a great time, but one of the dinner discussions brought out that she was seriously considering going to work for a "company" in her hometown that specialized in "phishing".

Getting older folks to give their personal info and bank info illegitimately and stealing their money in various schemes. In her country there is either no law against it or no enforcement. And her attitude was "well, if they have that much money and they're that dumb...". Not a shred of conscience about it. Computers were a tool and the behavior wasn't even considered bad. It was just one of the "better jobs" in her hometown.

They discussed how bad it was and that it was stealing from our elderly, etc. She was surprised. Maybe a little education on what it was really all about, but I'm sure she's probably been hired on by now if she applied.

It's a crime of convenience. If you're broke but can find someone else's Internet connection to use, crack some logins, then selling personal info for a few bucks is pretty tempting. Facebook does the exact same thing "legitimately" on an enormous scale and we cheer their IPO. It's all about money.
 
> how do they test so many passwords?

Typically? The bad guys have acquired/stolen the hashed (sort'a like encryption)
edition of the password table ... and they process it off-line, without being hindered
by lock-outs or retry inhibitors.

Many sysadmins mistakenly assume that the hashed edition of the password table is
safe/secure, and do not adequately protect it. As a user, you've got no way to know.

Where do they get all the compute power? They buy it. Many computers that are
compromised by virus/trojans, are part of botnets that are "for rent." The typical
rate is ~$35 per 1,000 machine days. Of course; if you are the botnet owner, those
machine hours are free. Or; they use stolen CC's. How big are botnets? It is not
unusual to find botnets with 500,000+ systems.

Important Tip #1:

If any site you use, is able to return your real password, in clear-text, do
NOT use that site. Such [cough] features make such sites bigger targets
as it is easier to reverse engineer the hash & salt.

This includes avoiding the use of master-login features of Facebook,
Google, MS Live that offer to log-you-in to other sites automagically. It
sure is convenient - but it is a HUGE target.

Important Tip #2:

Use a different password for each site you log-in to. Otherwise; your
password is only as secure as the weakest site.

How do I remember all my different, long, random passwords? I don't. I
use a trustworthy password manager/vault. There are a few good ones.
There are a LOT of lousy ones. Me? Based on this recent whitepaper, I
use LastPass:

CUT-PASTE this link into your browser (because the PoA software is
mangling the redirect.

http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf

Everyone gets to make their own decision in this regard. Since this paper
was published, the 1password author claims to have corrected his
deficiencies.
 
Last edited:
My thoughts; based on the Elcomsoft review of
password managers for iOS. This *assumes* that
each vendor uses/shares similar technology across
different platforms. i.e. I am *assuming* that the
good-stuff on iOS is also good-stuff on Windows,
OSX, whatever. Likewise; I am *assuming* that if
they made a poor choice on iOS, they made a similarly
poor choice for everything else.

Best practice:

Never use the same password for two or more
accounts. i.e. Every login account should have
a unique, strong password.

Why?

If one site is compromised and your password is
recovered ... the bad guys can access all your logins.

Problem:

Nobody cannot memorize all the unique, strong passwords.

Alternative:

A good password manager will manage the login process
for you. You log-in to the password manager once. It
handles all subsequent logins. Of course you should
choose a very strong password for a password manager.

The Good:

LastPass

Strip Lite Password Manager

Safe Wallet Password Manager

mSecure Password Manager

1Password:

The *latest* edition has been changed to address the
problems of the earlier editions. Avoid the earlier
editions because .... they pad the master password
rather than hashing it, before encrypting it.

DataVault Password Manager:

Hashes the password using SHA-256 (good). Stores only
the hashed password (good). Stores it in the iOS keyring
(good).

The Bad - Not Quite Good Enough:

My Eyes Only Secure Password Manager:

Maybe "good" - but only if you encrypt your backups.

Uses unsalted 512-bit RSA - not good-enough given that
rainbow tables exist for 512-bit and 768-bit primes

Password Safe:
aka: iPassSafe

Can be cracked too easily because they pad the
master password rather than hashing it (before
encrypting it).

Keeper Password & Data Vault:

Does not "salt" the password; therefore vulnerable
to rainbow table attacks (instant and/or offline cracking).

SplashID Safe:

The master password is hard-coded in the application.
Not user changeable. Perhaps this belongs in the next
group ...

The Ugly:

Safe
aka: Safe Password
aka: Awesome Password Lite
aka: Password Lock Lite

All user account & password data is stored as plain-text.
No encryption whatsoever.

iSecure Lite:

All user account & password data is stored as plain-text.
No encryption whatsoever.

Ultimate Password Manager:

All user account & password data is stored as plain-text.
No encryption whatsoever.

Secret Folder Lite:

All user account & password data is stored as plain-text.
No encryption whatsoever.
 
Last edited:
> I couldn't get the link to work, can someone else check it?

The PoA board software is mangling the link(s). Please CUT-PASTE
this URL into your browser:

http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf

For the truly paranoid; LastPass' cloud synchronization feature may be
objectionable. For me, it is an acceptable risk. Everyone gets to make
their own decision.
 
Last edited:
You must log in or register to reply here.
Back
Top