Re: [Asrg] who gets the report, was We really don't need

Ian Eiloart <iane@sussex.ac.uk> Tue, 09 February 2010 11:56 UTC


--On 8 February 2010 09:46:38 -0800 Steve Atkins <steve@blighty.com> wrote:

>
> On Feb 8, 2010, at 9:44 AM, Bart Schaefer wrote:
>
>> On Feb 8,  3:33pm, John Levine wrote:
>> }
>> } If a spammer wants to confirm receipt, which very few of them do,
>> } he uses web bugs.  I suppose info about the MUA might be marginally
>> } useful, but if I were a spammer and knew that a recipient was
>> } sufficiently annoyed to press the spam button, I'd take them off the
>> } list.  I still have millions of other people to mail to, after all.
>>
>> And what if you were not a spammer, but a phisher?
>
>
> Much the same, as someone who knows that
> the mail I'm sending is bogus is not an interesting phish target (heck,
> someone who has a TiS button and isn't afraid to use it isn't
> an interesting phish target).

I've seen one case where a phishing target responded to the message saying 
"but you keep telling me not to share my password". The phisher responded 
saying "yes, usually we do that, but in this case we really need it". The 
target gave up her password after a couple more exchanges. The phisher 
worked really hard to get that account, which was then used to send more 
phish.

I see a similar scenario like this: target hits TiS button; report goes to 
phisher; phisher replies saying, "no honestly we really need this 
information" in a message that's even more convincing because it's pulled 
additional information from the report (like the user's real name from the 
"From" header, and job title from a sig); target yields password.


> Cheers,
>   Steve
>



-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/