Archive for the 'Security' Category

I’m Not Spamming You, I Swear!

In the last couple of hours, I’ve gotten over 4,000 bounced emails from someone who is apparently spamming the shit out of the internet with a nonexistent @doesnthaveone.com sender address, so every bounce comes back here.

Since doesnthaveone.com redirects here, I thought I would post a message for anyone who may angrily type in the URL: it’s not me, I swear. I get lots of emails sent to random @doesnthaveone.com addresses; it’s an address people make up. I’m not the one sending you this apparently random spam, I swear.

It appears all this spam has originated from a single IP belonging to a Puerto Rican ISP / Hosting provider. I have notified them through their registered abuse address and hope to see the flood stop soon.

Missing an Email? It may be Media Temple’s Fault

It started last week when I was trying to sign up for Ron Paul Christmas. For some peculiar reason, I didn’t receive the welcome email. After talking with the site owner, it turned out (mt) was rejecting the email because the email address wordpress@ronpaulchristmas.com didn’t exist on the sending server.

Now, this isn’t particularly unusual. There is no requirement[1] that an email address actually exist for a server to send email as if it were from that address. This is especially true of WordPress blogs, which often send email from wordpress@domain.com addresses on behalf of their owners. Since that address is only ever used for outgoing email, most users never bother setting the mailbox up. Why would you? You’re never going to receive email there[2], so what’s the point?

Well, (mt) apparently knows better than you do… For “security reasons”[3], their grid service does a “callback” check on the sender address of every incoming message: it asks the server handling mail for domain.com whether that mailbox exists. If that server doesn’t recognize the account (as with our wordpress@domain.com example), (mt)’s server rejects the message.

I’ve tried to point out that this kind of behavior can be detrimental, particularly in the age of blogging and web services we now live in, but the best answer I’ve been able to get out of (mt) is that I should add the sending address to their Mail Protect whitelist. Well, great. Unless I can add *@* to the whitelist, or at the very least wordpress@*, that’s hardly a viable solution: how do I know which address is sending to me if I never get the email?
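To make the rejection concrete, here is a small simulation of the sender-address callback described above, together with the glob-style whitelist the post wishes for. This is an added example, not Media Temple’s or WordPress’s code, and I have no knowledge of how (mt)’s implementation actually works. The remote MX is a fake, in-memory server with a constructed mailbox list (the `admin` and `postmaster` mailboxes are assumptions; the missing `wordpress@` mailbox is the case from the post), and the SMTP replies it gives are the standard ones a real MX would send.

```python
"""Simulated SMTP sender verification ("callback") and whitelist decision.

Added example, not (mt)'s code. The receiving side takes the envelope sender,
asks the sender domain's MX whether that mailbox exists (null reverse-path,
then RCPT TO:<sender>) and rejects the message if the MX says "user unknown".
"""
import fnmatch


class FakeMX:
    """Stand-in for the sending domain's MX. Mailbox list is constructed."""

    def __init__(self, domain, mailboxes):
        self.domain = domain
        self.mailboxes = set(mailboxes)

    def rcpt_to(self, address):
        """Return the (code, text) reply a real MX would give to RCPT TO."""
        local, _, domain = address.rpartition("@")
        if domain.lower() != self.domain:
            return (550, "5.7.1 Relaying denied")
        if local.lower() in self.mailboxes:
            return (250, "2.1.5 OK")
        return (550, "5.1.1 User unknown")


def sender_callback(mx, sender, transcript=None):
    """Run the callback probe and report whether the MX accepts the sender
    address as a recipient. If a list is passed as `transcript`, the SMTP
    dialogue is appended to it so the exchange can be inspected."""
    code, text = mx.rcpt_to(sender)
    if transcript is not None:
        transcript += [
            "MAIL FROM:<>",            # null reverse-path, so no bounce loop
            "250 2.1.0 OK",            # assumed reply from the MX
            f"RCPT TO:<{sender}>",
            f"{code} {text}",
            "QUIT",
        ]
    return code == 250


def accept_message(mx, sender, whitelist=()):
    """Decision the post complains about: whitelist first, then callback.
    Whitelist entries may use shell globs, e.g. 'wordpress@*' or '*@*',
    which is the wildcard the author asks for and cannot get."""
    if any(fnmatch.fnmatchcase(sender.lower(), p.lower()) for p in whitelist):
        return "accept (whitelisted)"
    if sender_callback(mx, sender):
        return "accept (callback ok)"
    return "reject (callback failed: mailbox does not exist)"


if __name__ == "__main__":
    # Constructed MX for the sending blog's domain: no wordpress@ mailbox.
    mx = FakeMX("ronpaulchristmas.com", ["postmaster", "admin"])
    log = []
    sender_callback(mx, "wordpress@ronpaulchristmas.com", log)
    print("\n".join(log))
    print(accept_message(mx, "wordpress@ronpaulchristmas.com"))
    print(accept_message(mx, "admin@ronpaulchristmas.com"))
    print(accept_message(mx, "wordpress@ronpaulchristmas.com", ["wordpress@*"]))
```

The transcript shows why the welcome email never arrives: the probe gets `550 5.1.1 User unknown` and the whole message is dropped before the receiving side ever sees it. Note what the check does and does not prove: it confirms only that the mailbox exists, which a spammer satisfies by forging any real address, so it rejects legitimate automated mail while doing nothing to establish that a message really came from the domain it claims.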

If you use Media Temple’s grid service[4], please contact (mt) immediately and tell them this is an unacceptable situation. I love a lot of aspects of their grid service, but this is clearly not one of them…

  1. In most cases, anyway. [back]
  2. Except for bounces, should someone put in an invalid email address [back]
  3. According to the support representative that responded to my ticket. [back]
  4. Or you want people who do use it to actually receive emails you send to them. [back]

OpenDNS and Google a Phisher’s Delight?

RandyWalker linked me to the entry Google is the new http:// in #wordpress earlier, and I shortly thereafter commented over on Alex King’s blog about OpenDNS’s typo-search feature. You know the one - if you type in a domain that doesn’t exist, rather than giving you the default “Couldn’t find that server” message, you get redirected to a Google-powered search results page instead (containing ads).

In short, the conversation was about people relying on a browser’s auto-correct feature for a domain rather than typing in the full address themselves. This can range from simply typing “google” instead of “google.com” to typo’ing it as “goggle.com”. If you’re presented with a clear “server not found” message, it’s pretty obvious that you did something wrong.

Instead, the OpenDNS method of redirecting you to search results for that term (or its laziness equivalent, people simply relying on Google’s results to get them to their destination more quickly) leaves open what I consider a security vulnerability.

You see, banks frequently encourage you to go to your browser and type in their address directly, rather than clicking through any links you find in an email. This is to help avoid people getting caught into phishing traps that disguise links in false emails as legitimate links.

Imagine, if you will, a world in which everyone used OpenDNS, or simply let Google direct them where to go by omitting the “.com”[1], and relied upon the search results they’re presented with to get to their destination. What if some clever phisher is able to successfully game the system and get a top result (or even the top result) for something like… “Bank of America”?

Now we’ve got legitimate sources (OpenDNS and Google) handing out links people assume are totally trustworthy to a site ranking highly for “Bank of America” that is not in fact a legitimate bank website. Can you imagine the millions of idiots that would blindly type their login credentials into this website, simply because they got to it from Google and it looked like the Bank of America website?

I say we start encouraging users to deliberately take the time to type the full address into the address bar. Stop allowing them to be lazy and utilize search engine results to get to their destination because they don’t want to add the additional 4 characters at the end of the URL.

  1. or other TLD - .net, .org, .whatever [back]