OSUGoose | reply to mattrixx
Re: E-Mail "Contact List" Hack
Actually, some things that ISPs can do are: require SSL auth on both send and receive; only permit sending from their own IP ranges; for mobile or hotspot access, have a different outbound server that also requires SSL auth and logs the IP address for abuse. They could also require the user to receive a text message to verify that they have signed in from a remote, non-ISP IP location.
NormanS (Premium, MVM) join:2001-02-14 San Jose, CA
Many ISPs used to refuse to talk to a client if the connection was not from their IP address. This led to a problem for me when using a Pacific Bell dial-up connection: PacBell contracted with Level 3 for some of their dial-up POPs, but those IP addresses were not in the PacBell SMTP server client list, so I was treated as if I was not using my ISP connection!
Anyway, it isn't clear if the OP's account was actually hacked, or if some spammer merely got their grimy mitts on an errant CC: list.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum
OSUGoose
Frankly, I feel we need to go back to those days, with the add-on of text verification. The server will hold the message, sending a message to the account asking the user to log in and verify that they are trying to access their email from a non-ISP IP. Yeah, it may frustrate or break stuff for the non-techie, but maybe we will finally get a handle on account hijacking for spambots. That, and we also need to make it harder to get hosting/rack space to send out spam too, as Hostwinds seems to be a frequent offender.
NormanS (Premium, MVM) join:2001-02-14 San Jose, CA
said by OSUGoose: "Frankly, I feel we need to go back to those days, with the add-on of text verification. The server will hold the message, sending a message to the account asking the user to log in and verify that they are trying to access their email from a non-ISP IP. Yeah, it may frustrate or break stuff for the non-techie, but maybe we will finally get a handle on account hijacking for spambots. That, and we also need to make it harder to get hosting/rack space to send out spam too, as Hostwinds seems to be a frequent offender."
So 'a@msn.com' attempts to send an email from some East Indian IP address. The server sends some kind of verification to 'a@msn.com'? And just who is going to get it? I am thinking the spammer who stole that account will get it, and verify it.
While we are discussing this, 'a@msn.com' gets Internet connectivity through "at&t Yahoo! HSI", but their email would go out through MSN servers. Now what?
OSUGoose
My overall point is that the more hassle you make it for the scammer/spammer, the less likely they will try; they will just move on to their next easy mark.
NormanS (Premium, MVM) join:2001-02-14 San Jose, CA
said by OSUGoose: "My overall point is that the more hassle you make it for the scammer/spammer, the less likely they will try; they will just move on to their next easy mark."
You are looking for FUSSP?
»www.dmuth.org/fussp.html
RARPSL join:1999-12-08 Suffern, NY | reply to OSUGoose
said by OSUGoose: "Actually, some things that ISPs can do are: require SSL auth on both send and receive; only permit sending from their own IP ranges; for mobile or hotspot access, have a different outbound server that also requires SSL auth and logs the IP address for abuse. They could also require the user to receive a text message to verify that they have signed in from a remote, non-ISP IP location."
How do you handle someone with email accounts from a number of ISPs? So long as the user uses SSL on the sending connection, there should be NO refusal to accept the connection due to not coming from the ISP's network. This applies not only to a roaming-based connection (i.e., one from a laptop or via WiFi while on the road) but also to a home-based, hard-wired connection.
The use of SSL or an SMTP AUTH handshake using CRAM-MD5 (but NOT LOGIN or PLAIN, which use a static, easily exposed password) should be enough to allow the connection.
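To make RARPSL's PLAIN-vs-CRAM-MD5 point concrete, here is an added example (not from the thread or any ISP's software) that builds both SMTP AUTH exchanges and shows what a passive observer of an unencrypted session would see; the account name, password and challenge string are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials; not real accounts.
USER = "a@example.net"
PASSWORD = "correct horse battery staple"


def plain_credentials(user: str, password: str) -> str:
    """AUTH PLAIN (RFC 4616): client sends base64(authzid NUL user NUL password).
    Base64 is an encoding, not encryption, so the secret is on the wire as-is."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def decode_plain(blob_b64: str) -> tuple[str, str]:
    """What an eavesdropper on a non-TLS session recovers from AUTH PLAIN."""
    _authzid, user, password = base64.b64decode(blob_b64).decode().split("\0")
    return user, password


def encode_challenge(raw: bytes) -> str:
    """Server's CRAM-MD5 challenge: a unique, one-time string, sent base64-encoded."""
    return base64.b64encode(raw).decode()


def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """AUTH CRAM-MD5 (RFC 2195): client answers with base64('user hex(HMAC-MD5(password, challenge))').
    Only the keyed digest crosses the wire; the password itself never does."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify_cram_md5(response_b64: str, challenge_b64: str, stored_password: str) -> tuple[str, bool]:
    """Server side: recompute the digest for the challenge it issued. Caveat: the
    server must keep the plaintext password (or an equivalent HMAC state) on file,
    unlike the salted, one-way hashes a PLAIN-over-TLS server can use."""
    user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    expected = hmac.new(stored_password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return user, hmac.compare_digest(digest, expected)


def password_visible(blob_b64: str, password: str) -> bool:
    """True if the secret appears verbatim in the decoded wire data."""
    return password in base64.b64decode(blob_b64).decode(errors="replace")
```

A captured CRAM-MD5 response is also tied to its challenge, so replaying it against a fresh challenge fails verification, whereas a captured PLAIN blob works forever until the password is changed.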