[Pw_forum] Re: About espresso on Mac with x86

Axel Kohlmeyer akohlmey at cmm.chem.upenn.edu
Sun Feb 11 19:40:32 CET 2007


On Sun, 11 Feb 2007, Malgorzata Wierzbowska wrote:


dear gosia,

[...]

MW>   I suspect that I have a hacker on this account and that
MW>   this hacker writes as amit76.india at gmail.com and/or that
MW>   this person (Amit Kumar) makes "jokes" writing AT LEAST AS:
MW>   amit76.india at gmail.com and  jiaanyan at gmail.com

sorry, i don't think that this was a hacker targeting you
directly but a 'smart' trojan software trying to infect your
machines. many programs that send out spam and viruses/trojans
are trying hard to bypass all kinds of spam filters and 
security measures and try hard to make you 'look' at something
or click on something to achieve their purposes.

a simple measure to bypass (elementary) spam filters is to
use addresses that are known to a user. e.g. a spammer 'harvests'
addresses from a mailing list archive and then sends mails
to subscribers looking as if they were sent from another
subscriber of that mailing list. 'known people' are usually
on a so-called whitelist and mails from them are not subjected
to spam filtering. -> spammer 1, user 0
solution: use a smarter spam filter that combines multiple
analysis methods and don't rely on simple heuristics or
whitelists in your mail program. the downside, you need quite
a long time and have to 'train' your spam filter well (i.e.
you need to receive a lot of spam and non-spam mails). 
to give you a number: i receive usually between 
50 and 100 (valid) mails each day and about twice as much spam.
after about half a year of training spamassassin, only 10%
of the incoming spam is presorted into the 'maybe spam'
folder (based on its spam score) the rest scores so high
that it is filed to /dev/null directly. ...and in the 
'maybe spam' i have so far found 3 false positives (non-spam
flagged as spam) which corresponds to roughly 0.1%.
-> spammer 1, user 1000. ;-)

onward to the mail not delivered message. this is another
trick, usually used by viruses/trojans to infect your machine.
they create an e-mail to an address that does not exist,
use your email address as sender and go via a mailserver 
that employs a 'store-and-forward' strategy (i.e. most incoming
mail servers at larger institutions or companies). now the 
mail protocol (SMTP) stipulates that a sender has to be
notified of non-deliverable mail. if you can send e-mail
directly to a machine, this will happen during the sending,
however with an incoming mail relay server, the mail is
first accepted assuming it is valid and then later the
mail server finds it to be not deliverable and then the
protocol demands that the mail is returned to the sender.
since your address was given as sending address the returned
mail goes to you and not the original sender. since it contains
no direct information about the contents (i.e. you cannot tell
if it is due to you mistyping an address) you open it
click on the contents and - bingo - your machine is infected
and most likely integrated into a 'botnet' to send spam
or do other nasty stuff. you can also receive 'bounce'
mails that are completely fake (i.e. sent out like regular
spam).

sadly, there is little you can do about this, since you 
may have to use the very same method to send out your own 
mails (and 'fake' your sending address, since your ip-number
may be temporary, or you want to send mail from a generic
address that does not correspond to an account on a machine).

text mode or webmail clients are usually a lower risk since
they usually do not download separate or inline attachments 
without asking, and of course turning on display of the full
mail headers (and understanding what they mean) can help to 
identify this kind of junk. most of these mails are 'html enhanced',
since html formatting makes it easier to hide the 'bad'
parts of the mail. the only way to securely identify who
sends you an e-mail is to use PGP signatures or something
else (but that is too inconvenient for most and impossible
from some).

hope that clears up some matters.

ciao,
  axel

p.s.: sending mails with non-ascii characters and html-only
formatting raises spam scoring immensely. so if you wonder
why people do not respond to your mails, it may be that your
mails get flagged (and discarded) as spam on a not so well
trained spam filter...


MW>   Now, I understand, and strongly support, the request of
MW>   Prof. Nicola Marzari that everybody writing on pw-forum should give
MW>   the REAL NAME and the REAL ADDRESS.
MW> 
MW>   Best regards to all serious people,
MW> 
MW>   Malgorzata Wierzbowska
MW>   postdoc at Trieste University, Italy
MW>   (on pw-forum Gosia/wierzbom at ts.infn.it)

-- 
=======================================================================
Axel Kohlmeyer   akohlmey at cmm.chem.upenn.edu   http://www.cmm.upenn.edu
   Center for Molecular Modeling   --   University of Pennsylvania
Department of Chemistry, 231 S.34th Street, Philadelphia, PA 19104-6323
tel: 1-215-898-1582,  fax: 1-215-573-6233,  office-tel: 1-215-898-5425
=======================================================================
If you make something idiot-proof, the universe creates a better idiot.
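As an added, stand-alone example (not part of the original thread or of any mail program): a stdlib Python check for the two patterns axel describes, a whitelisted From: address that disagrees with the envelope sender (Return-Path) and an html-only body. The domains, the whitelist and the sample message are constructed.

```python
"""Two header checks a mail filter can run: a whitelisted From: is
worth nothing on its own, and html-only mail deserves a higher score."""
from email import message_from_string
from email.utils import parseaddr

# constructed sample: From: names a known list subscriber, but the envelope
# sender (Return-Path) and the submitting host belong to somebody else
SPOOFED = """\
Return-Path: <bounce-1234@spam.example>
Received: from dsl-7.isp.example (unknown [198.51.100.7])
\tby mx.example.org with SMTP; Sun, 11 Feb 2007 17:59:58 +0100
From: "Gosia" <wierzbom@ts.infn.it>
To: akohlmey@cmm.chem.upenn.edu
Subject: Re: About espresso on Mac with x86
Content-Type: text/html; charset=utf-8

<html><body>click <a href="http://spam.example/x">here</a></body></html>
"""

WHITELIST = {"ts.infn.it", "cmm.chem.upenn.edu"}   # assumed: list subscribers


def domain(addr_header):
    """Bare lower-cased domain of the address in a From:/Return-Path: header."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def trusted_by_whitelist(raw, whitelist=WHITELIST):
    """The naive rule the thread warns about: From: domain is on the whitelist."""
    return domain(message_from_string(raw)["From"]) in whitelist


def spam_indicators(raw, whitelist=WHITELIST):
    """Return the list of indicators found; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    hits = []
    from_dom = domain(msg["From"])
    envelope_dom = domain(msg["Return-Path"])
    # the whitelist trick: a harvested subscriber address in From: while the
    # mail was actually sent by (and bounces to) a different domain
    if from_dom in whitelist and envelope_dom and envelope_dom != from_dom:
        hits.append("whitelisted From: but envelope sender is %s" % envelope_dom)
    # html-only bodies hide the 'bad' parts: no text/plain alternative at all
    types = {p.get_content_type() for p in msg.walk() if not p.is_multipart()}
    if "text/html" in types and "text/plain" not in types:
        hits.append("html-only body")
    return hits
```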