
SoylentNews is people

posted by cmn32480 on Sunday April 24 2016, @11:38PM
from the spammers-should-be-{insert-punishment-here} dept.

Peter N. M. Hansteen asks the question, "Does Your Email Provider Know What A 'Joejob' Is?" in his blog and provides some data and discussion. He provides anecdotal evidence which seems to indicate that Google and possibly other mail service providers are either quite ignorant of history when it comes to email and spam, or are applying unsavory tactics to capture market dominance.

[Ed Note: I had to look up "joe job" to find out what it is. According to Wikipedia:

A joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against them (see also e-mail spoofing), but they are now typically used by commercial spammers to conceal the true origin of their messages.

]


  • (Score: 0) by Anonymous Coward on Monday April 25 2016, @01:34AM

    by Anonymous Coward on Monday April 25 2016, @01:34AM (#336787)

    You know GPG is effective because nobody looks at the signature just like you know SPF and DKIM and DMARC are totally effective because nobody gives a shit and everyone just sees your name as the sender and fucking shitcans you forever.

    Hint: none of your eggheadery technical "solutions" do jack-shit on the receiving end.

  • (Score: 1, Insightful) by Anonymous Coward on Monday April 25 2016, @01:50AM

    by Anonymous Coward on Monday April 25 2016, @01:50AM (#336789)
    If your recipients actually use an email client that understands GPG, then the email client software LOOKS AT THE SIGNATURE AND DECIDES FROM THERE. And if your recipient's SMTP server understands all about SPF, DKIM, and DMARC, that makes it effective. The "eggheadery technical 'solutions'" do jack shit if the software on the receiving end understands them. For email servers at least, this is becoming more and more true.
    • (Score: -1, Troll) by Anonymous Coward on Monday April 25 2016, @02:06AM

      by Anonymous Coward on Monday April 25 2016, @02:06AM (#336795)

      > If your recipients actually use an email client that understands GPG,

      ... and you fail.

      If you can expect your recipients to use special tools to read your email, then you can negotiate to use something other than email instead. Email is the absolute worst form of communication and you should not be using it for anything ever unless you literally have no other option.

      Stop trying to fix email, you moron. Email is broken. Stop using email.

      • (Score: 1, Informative) by Anonymous Coward on Monday April 25 2016, @02:13AM

        by Anonymous Coward on Monday April 25 2016, @02:13AM (#336798)

        Except that every client on the planet, short of webmail, does S/MIME, which is GPG for grownups (the DOD uses it). Your smartphone can do S/MIME. KMail and Thunderbird did S/MIME since forever. Outlook, Apple Mail, hell even Alpine and Mutt do S/MIME. Nothing special about it, nothing needed beyond what you have, unless you're reading your mail on a webmail client, in which case your privacy was fucked from the start. Except for webmail, i.e. the power of Google's Gmail, there's absolutely no excuse for all mail not already being end-to-end clientside encrypted: the tech is already in place. Google is what's standing in the way.

        • (Score: 3, Interesting) by TheRaven on Monday April 25 2016, @08:35AM

          by TheRaven (270) on Monday April 25 2016, @08:35AM (#336882) Journal

          The problem with S/MIME is similar to that of GPG. If you're using it for signing, it's trivial to strip the signature and then modify the message. How many users will notice that the signature is not there? Most mail clients have a UI that prominently displays when a signature is present (though I notice Apple Mail has made that less visible in recent versions), but when it's not present they display nothing. Unless you train users to actively look for the signature, it doesn't help. Ideally, mail clients should recognise senders and warn when you get messages from someone who normally signs mail but hasn't this time.

          If you're using it for encryption, then you are back to the key distribution problem. You need to get the recipient's public key to be able to encrypt the message and that then ensures that no one other than the recipient can read it (so no mailing lists, for example - though it would be nice if the list software could have its own key pair for the list, decrypt and then encrypt with each list member's public key).

          --
          sudo mod me up
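The check suggested in the comment above (warn when a sender who normally signs mail has not signed this time), sketched as an added example that is not part of the original comment or any mail client's code. `SigningHabits`, its thresholds and the sample messages are hypothetical, and the check looks only at whether a signature is declared, not whether it verifies.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

SIG_PROTOCOLS = {"application/pgp-signature", "application/pkcs7-signature",
                 "application/x-pkcs7-signature"}

def claims_signature(msg):
    """True if the MIME structure declares an OpenPGP or S/MIME signature.
    Presence only: verifying the signature is the crypto layer's job."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return str(msg.get_param("protocol", "")).lower() in SIG_PROTOCOLS
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return str(msg.get_param("smime-type", "")).lower() == "signed-data"
    return False

class SigningHabits:
    """Per-sender history of signed vs. total messages (hypothetical helper)."""
    def __init__(self, min_seen=3, min_ratio=0.8):
        self.min_seen, self.min_ratio = min_seen, min_ratio
        self.history = defaultdict(lambda: [0, 0])  # addr -> [signed, total]

    def check(self, raw):
        """Return True when a habitual signer's mail arrives unsigned."""
        msg = message_from_string(raw)
        addr = parseaddr(msg.get("From", ""))[1].lower()
        signed = claims_signature(msg)
        n_signed, total = self.history[addr]
        warn = (not signed and total >= self.min_seen
                and n_signed / total >= self.min_ratio)
        if not warn:  # flagged mail must not dilute the sender's baseline
            self.history[addr] = [n_signed + signed, total + 1]
        return warn

def sample(signed, sender="alice@example.org"):
    """Constructed test message; the signature part is a placeholder."""
    if not signed:
        return f"From: {sender}\nContent-Type: text/plain\n\nunsigned body\n"
    return (f"From: {sender}\n"
            'Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\nhello\n"
            "--b\nContent-Type: application/pgp-signature\n\n(placeholder)\n--b--\n")
```

Because the From: header is exactly what a joe-jobber forges, the history is keyed on the claimed sender: a forged, unsigned message under a habitual signer's address is the case that trips the warning.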
          • (Score: 0) by Anonymous Coward on Monday April 25 2016, @06:41PM

            by Anonymous Coward on Monday April 25 2016, @06:41PM (#337039)

            S/MIME already works with mailing lists. See https://www.sympa.org/manual/x509 [sympa.org].

      • (Score: 1, Insightful) by Anonymous Coward on Monday April 25 2016, @02:32AM

        by Anonymous Coward on Monday April 25 2016, @02:32AM (#336806)

        > Email is the absolute worst form of communication and you should not be using it for anything ever unless you literally have no other option.

        Indeed. Just wanted to second this. Just like HTML / CSS / JS, it all needs to be refactored. Everycoder knows refactoring is a necessity to stave off codebase entropy after a while, and yet many morons throw their arms up in hopeless stupor and proclaim it's impossible to do with email, or other web technologies. Yes, yes, "migration resistant", blah blah blah. Telegraphs were migration resistant too...

    • (Score: 2) by butthurt on Monday April 25 2016, @02:12AM

      by butthurt (6141) on Monday April 25 2016, @02:12AM (#336797) Journal

      A joe-jobber is free to send messages to anyone, not only the highly computer-literate correspondents you've cultivated.

      • (Score: -1, Troll) by Anonymous Coward on Monday April 25 2016, @02:22AM

        by Anonymous Coward on Monday April 25 2016, @02:22AM (#336804)

        Elitist fools still think they can fix email. Everyone else uses Facebook instead.

        • (Score: 0) by Anonymous Coward on Monday April 25 2016, @03:55AM

          by Anonymous Coward on Monday April 25 2016, @03:55AM (#336827)
          Last I checked you still need a working email address to even get a Facebook account.
        • (Score: 0) by Anonymous Coward on Monday April 25 2016, @04:00AM

          by Anonymous Coward on Monday April 25 2016, @04:00AM (#336829)
          And you get spam straight to your eyeballs every time you log in. No thanks.
      • (Score: 0) by Anonymous Coward on Monday April 25 2016, @02:54AM

        by Anonymous Coward on Monday April 25 2016, @02:54AM (#336811)

        Wow.
        I never expected to hear hotmail [office.com], gmail, [threatpost.com] yahoo mail [yahoo.com] and aol [aol.com] users referred to as "highly computer-literate," least of all here on soylent.

        This place is really slipping. Eternal september!

        • (Score: 2) by butthurt on Monday April 25 2016, @04:13AM

          by butthurt (6141) on Monday April 25 2016, @04:13AM (#336833) Journal

          While I'm certain that some users of all those services are also users of PGP/GPG, I'm not aware of anything those services do to facilitate or encourage the use of PGP or GPG. None of the pages you've linked contain the terms "PGP" nor "GPG." I don't think I'm mistaken in assuming that the users of that software are, globally, a small minority of the people who use e-mail.

          The grandparent post asserted:

          > If your recipients actually use an email client that understands GPG, then the email client software LOOKS AT THE SIGNATURE AND DECIDES FROM THERE.

          I thought it obvious that my response alluded to that bit. Sorry for the misunderstanding.

          • (Score: 0) by Anonymous Coward on Monday April 25 2016, @05:25AM

            by Anonymous Coward on Monday April 25 2016, @05:25AM (#336844)

            Even if you were not being disingenuous about PGP, the fact remains that a joe-jobber is NOT free to send messages to any of those email services because his messages will be tagged as spam or even routed straight to /dev/null before any PGP signatures are even parsed.

            • (Score: 2) by butthurt on Monday April 25 2016, @08:02AM

              by butthurt (6141) on Monday April 25 2016, @08:02AM (#336875) Journal

              LOL, in what way might I be "disingenuous about PGP," pray tell?

              > a joe-jobber is NOT free to send messages to any of those email services because his messages will be tagged as spam or even routed straight to /dev/null before any PGP signatures are even parsed.

              "Attempt to send," then, if you prefer. A spammer can attempt to send messages to any e-mail address in the world, as well as nonexistent ones. Spammers exchange lists comprising millions of addresses. There are plenty of mail servers in the world that, when they identify a message as spam or malware, or as having an invalid recipient, will send a DSN (often including the original message) to the address on its "To:" line. Get joe-jobbed, and your mailbox will be deluged with crap. You got all your correspondents to use Google Mail, Yahoo Mail, Hotmail and AOL? Great, and do those services keep you from seeing DSNs from other e-mail providers?
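For the DSN deluge described in the comment above, a triage sketch for the joe-jobbed mailbox owner, added here as an example and not part of the original comment. It relies on the DSN including the original message, as the comment notes many do, and assumes a hypothetical `sent_ids` set of Message-IDs taken from your own outbound mail log; the sample DSN is constructed.

```python
from email import message_from_string

def original_message_id(dsn_raw):
    """Message-ID of the message a DSN (RFC 3464) reports on, or None."""
    dsn = message_from_string(dsn_raw)
    if dsn.get_content_type() != "multipart/report":
        return None
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":        # full original returned
            return part.get_payload(0).get("Message-ID")
        if ctype == "text/rfc822-headers":   # only the headers returned
            return message_from_string(part.get_payload()).get("Message-ID")
    return None

def classify(dsn_raw, sent_ids):
    """sent_ids: Message-IDs from your own outbound log (assumed available)."""
    mid = original_message_id(dsn_raw)
    if mid is None:
        return "unverifiable"
    return "genuine-bounce" if mid in sent_ids else "backscatter"

# Constructed sample DSN; hosts, addresses and IDs are made up.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
To: joe@example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="r"

--r
Content-Type: text/plain

Delivery to nobody@example.net failed.
--r
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1
--r
Content-Type: message/rfc822

From: joe@example.org
Message-ID: <forged-0001@example.org>

body
--r--
"""
```

A bounce whose embedded Message-ID never appeared in your outbound log refers to mail you did not send, so it can be filed away from the inbox while bounces for your real mail still get through.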

              • (Score: 0) by Anonymous Coward on Monday April 25 2016, @11:45AM

                by Anonymous Coward on Monday April 25 2016, @11:45AM (#336910)

                > LOL, in what way might I be "disingenuous about PGP," pray tell?
                >
                > "Attempt to send," then, if you prefer. A spammer can attempt to send messages to any e-mail address in the world,

                Same way you are being disingenuous now. What an utterly meaningless, goal-post moving restatement.

                But whatever it takes to make you feel like you weren't just being a snarky idiot, right?

                Did you know how apropos your username was when you picked it?

                • (Score: 2) by butthurt on Monday April 25 2016, @03:43PM

                  by butthurt (6141) on Monday April 25 2016, @03:43PM (#336980) Journal

                  Not at all. I was simply offering a clarification. You prefer to misunderstand, fine.

      • (Score: -1, Redundant) by Anonymous Coward on Monday April 25 2016, @03:58AM

        by Anonymous Coward on Monday April 25 2016, @03:58AM (#336828)
        Yahoo Mail, Hotmail, and Gmail all understand SPF, DKIM, and DMARC and use them as part of their anti-spam strategy. So now all the people who use these services for email are considered "highly computer-literate"?
  • (Score: 0) by Anonymous Coward on Monday April 25 2016, @01:57AM

    by Anonymous Coward on Monday April 25 2016, @01:57AM (#336791)

    Hey jack-off!

    All the major email services now verify spf/dkim/dmarc. They don't necessarily process that information identically, but they all use it as part of their anti-spam process. So climb under whatever rock you live under and keep your trap shut in front of your betters.

    • (Score: 0) by Anonymous Coward on Monday April 25 2016, @02:18AM

      by Anonymous Coward on Monday April 25 2016, @02:18AM (#336803)

      You must love spam since you feel the need to process the hell out of your messages to keep that Spam Message Transport Protocol alive.

      • (Score: 2) by maxwell demon on Monday April 25 2016, @10:13AM

        by maxwell demon (1608) on Monday April 25 2016, @10:13AM (#336901) Journal

        So what do you propose a replacement should look like?

        --
        The Tao of math: The numbers you can count are not the real numbers.