eForensics spam on FreeNAS email

Status
Not open for further replies.

Marcel

Dabbler
Joined
Dec 3, 2013
Messages
10
Why am I receiving spam mailings from eForensics Magazine:
'You received this email because you subscribed to eForensics Magazine newsletter. '

No, I did not subscribe to an eForensics Magazine newsletter, no I don't want to subscribe to any eForensics Magazine newsletter, no I did not submit this email to any other than FreeNAS.
If FreeNAS did not sell my address, then there must be something wrong with the security down here.

I am not amused!
 

Marcel

Dabbler
Joined
Dec 3, 2013
Messages
10
Since I did not use my email address on any other site than FreeNAS, the last option remains: my email has been harvested from this site and bought by eForensics for spam purposes. I have never heard of eForensics, visited any site of theirs or subscribed to any newsletter. It is highly unlikely (if not impossible, if you look up my email you know what I mean) that anybody else did this under my email address.
I would suggest you trace your logs (if not done by SQL-injection) to research how this is possible.

I see also today spam from:
'You received this email because you subscribed to Hakin9 Magazine newsletter. '

There could be a link with BSD Magazine, subscribed to this list through FreeNAS.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Don't you think if the email here was compromised, we would all be getting spam?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Especially mine! I have a good anti-cyberjock fanclub going!
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Never been there. So not me.
 

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
Out of curiosity, do you run Windows boxes on your network? How meticulous are you with network security?
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
I get the spam from eForensics, Hakin9, and a few others. I believe it started after I gave FreeBSD magazine my email address, so that I could download the April 2013 issue on FreeNAS. It's one of my junk accounts, so I just delete those messages.
 

ZFS Noob

Contributor
Joined
Nov 27, 2013
Messages
129
It is from bsdmag. I decided to download an issue, used a pseudo-e-mail address spammers like to use on one of my sites, and discovered someone had already used it before me. There was spam from those entities, though it's possible it's a different publication from the same outfit.
 

rcarterii

Dabbler
Joined
Aug 18, 2013
Messages
10
So in other words, before accusing people, make sure you track down what you have done.


Sent from my iPad using Tapatalk HD
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I've been using crypto-signed tagged addresses for quite a few years and it has been enlightening.

In the old days, many people used to hand out "tagged" addresses using Sendmail's tag feature, such as "jgreco+freenasforums@jgreco.net" to indicate use of the address at FreeNAS Forums. Problem is, bad guys could identify this and alter the tag.

Also, it was very difficult to shut off such an address; Sendmail invariably had to ingest the message in order to be able to identify an address to reject.

So I decided to make use of the massive potential of the namespace. I put a human-readable tag on the LHS, and a crypto hash of it on the RHS. So an address looks like "freenasforums@01234567.jgreco.net" where the numbers are a one way hash of "freenasforums" plus a secret.

This has great advantages:

1) Human readable tag makes it obvious to anyone reading it that it was used for the given purpose,

2) Exposing the hash on the DNS side means that a simple A record in DNS can disable an address,

3) Needing a script to generate such addresses provides a framework to record additional details such as assignment date and purpose,

4) Tagged addresses can be configured to bypass ALL spam filtering, guaranteeing receipt of messages that spam filtering might otherwise be false positive'd. When an address inevitably leaks, you know which a-hole handed out (or was careless with) your address so you can avoid doing business with them in the future. Shutting it off in DNS takes care of the spam.

But it requires some work and a certain amount of discipline...
 

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
Damn. That is really interesting.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Well, if you think about it, spam is predicated on two key bits:

1) You never know how the spammer got your e-mail address

2) It's a pain in the arse for you to change e-mail addresses, so you are therefore stuck with no option

This technique invalidates both assumptions. Further, you've heard all this stuff about the Mat Honan "hack" or the Target breach or any of these other bull**** e-mail/password break-ins. Well, you shouldn't be using the same password everywhere but the real truth is that you shouldn't be using the same e-mail address everywhere either. Allowing random companies to trivially tie your online identity to a common identifier is a mistake, and one they desperately want you to make.

Those with permissions to review user registration information here would notice that this certainly extends to my registration here, or at other random Internet sites. Whereas I used to simply avoid handing out e-mail addresses unnecessarily, I now hand them out fairly gleefully ... noting which bastards claim "I subscribed" to their crap advertising lists or which ones I've unsubscribed to.

Sometimes you just have to look at the underlying assumptions behind a problem. In the case of e-mail addresses and spam, fixing the assumptions yields a highly useful technique.
 

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
Can you provide some links for further reading and implementation? One of my future projects will be to purchase a domain name and set up a home email server so this is pretty interesting for me.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
It's all basically home grown stuff. Setting up a mail server to accept mail for a wildcard subdomain isn't hard (but varies based on MTA and architecture). The generation of addresses is a shell script, because I live most of my life at the CLI. It'd probably be better done as a web app for "normal" users. And most interestingly of all, in years of doing this I've never had to set up a procmail based validator. It hasn't actually been needed, and wouldn't be hard to code if suddenly it was.

I can show you the basics of the address creation script or discuss other implementation issues if you wish.
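The scheme described in this thread (readable tag on the left, a one-way hash of the tag plus a secret as the subdomain label) together with the validator mentioned above, as an added example that is not jgreco's script. It assumes HMAC-SHA256 as the keyed hash, `example.net` as the wildcard domain, a constructed demo secret, and a `revoked` set standing in for the DNS record that shuts an address off; all function names are hypothetical.

```python
import hashlib
import hmac
import re

DOMAIN = "example.net"                # assumption: your wildcard mail domain
SECRET = b"constructed-demo-secret"   # constructed; the real secret stays private
HASH_LEN = 8                          # hex chars, as in the 8-character label above

# Tags are restricted to characters that are safe in a local part.
TAG_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,62}")


def tag_label(tag, secret=SECRET):
    """Keyed one-way hash of the tag, truncated to a short DNS label."""
    digest = hmac.new(secret, tag.encode("ascii"), hashlib.sha256).hexdigest()
    return digest[:HASH_LEN]


def make_address(tag, secret=SECRET, domain=DOMAIN):
    """Build tag@<hash>.<domain> for handing out to exactly one site."""
    tag = tag.lower()
    if not TAG_RE.fullmatch(tag):
        raise ValueError("tag must be a short lowercase local part")
    return f"{tag}@{tag_label(tag, secret)}.{domain}"


def check_address(address, secret=SECRET, domain=DOMAIN, revoked=frozenset()):
    """Classify a recipient address as 'ok', 'revoked' or 'forged'."""
    local, _, host = address.lower().rpartition("@")
    label, _, rest = host.partition(".")
    if rest != domain or not TAG_RE.fullmatch(local):
        return "forged"
    expected = tag_label(local, secret)
    # Constant-time compare so the check does not leak how much matched.
    if not hmac.compare_digest(label.encode(), expected.encode()):
        return "forged"          # tag was altered or the label was guessed
    return "revoked" if label in revoked else "ok"


if __name__ == "__main__":
    addr = make_address("freenasforums")
    print(addr, check_address(addr))
    # Someone rewrites the tag but keeps the label: the hash no longer matches.
    print(check_address("newsletter@" + addr.split("@")[1]))
```

Unlike a `+tag` address, changing the tag here invalidates the label, so a leaked address still points at the site it was issued to.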
 

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
Should we start a thread in off-topic?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I just moved this thread to off-topic too as it's not about FreeNAS support.
 

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
So would you only generate these email addresses for forums and other sites that you want access to or would you send them to people as well? I'm just wondering what someone's reaction would be if I gave them a strange looking address like that. Also, in terms of your personal setup, do you run your own mail server at home? If so, do you just have one email account on that server or multiple ones that you manage with this sort of setup?

I'm also curious about what you use as an email server. When my ESXi build is up and running (still trying to figure out an acceptable cooling solution for this case) one of the VMs I would like to build would be an email server. I was considering Zimbra so I can use it with my blackberry and have access to the email account through https. I have also been trying to figure out the best way to get around my jerk ISP's refusal to give me a static IP address. Any thoughts on these matters would be great. Let me know if you want me to start my own thread but I've been wanting to pick your brain for a while and now seems as good a chance as any.
 