| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Jul 2006 15:05:02 -0300 From: Cardoso <cardosolistas@...traditorium.com> To: Full Disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: Please help to spam abryson@...efocus.com. I have a sugestion. Actually 2. 1 - Alice creates a bait mail like "drop_spam_here(a)bytefocus.com", we send a secret number, she replies and THEN we send our precious spam collection to her. Worst-case scenario, It proves that some hacker has control of Alice's mail server. And in this case, spam is the smaller of her problems. OR 2 - Alice takes a picture of herself doing something silly like carving a commodore 64 in wood or wearing a hat made of meat.. I vote for the second one. Worked with 419 scammers. http://www.boingboing.net/2006/06/28/nigerian_letter_scam.html On Mon, 24 Jul 2006 13:54:34 -0400 Valdis.Kletnieks@...edu wrote: V> On Mon, 24 Jul 2006 11:59:34 CDT, Paul Schmehl said: V> V> > What does that prove? V> > V> > telnet mail.40networks.com 25 V> > Trying 64.114.199.200... V> > Connected to mail.40networks.com. V> > Escape character is '^]'. V> > 220 40networks.com ESMTP Sendmail 8.13.1/8.13.1; Mon, 24 Jul 2006 V> > 09:45:17 -0700 V> > EHLO utdallas.edu V> V> Paul, Paul, Paul... You *really* need to pay attention. V> V> Yes, you can do the whole telnet thing. That wasn't what she said. V> V> What she *said* was that *if* I were to mail her a large random number, V> like this: V> V> % dd if=/dev/urandom bs=16 count=16 2> /dev/null | md5sum V> 63cbd14c2612b7cbc7b7ce6d0e0b7fcb - V> V> that she would be able to repeat that number back to me - proving that V> she's at least sufficiently Alice that she can read Alice's mail and V> respond to it. V> V> Strictly speaking, it doesn't prove she's Alice - but it proves she's V> in control of that e-mail address. Usually that's considered "close V> enough", as demonstrated by all the mailing list software that considers V> "reply to this random cookie/link/whatever to confirm your subscription" V> (which is exactly this same "proof of pseudo-identity"...) V> V> Yes, she could have hijacked the real Alice's e-mail account - but at that V> point, Alice has bigger problems already.... year(now) + 1 serĂ¡ o ano do linux! Cardoso <cardoso@...ox.com> - SkypeIn: (11) 3711-2466 / (41) 3941-5299 vida digital: http://www.contraditorium.com site pessoal e blog: http://www.carloscardoso.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists