Re: Earthlink and Swen
Kevin Mark wrote:
> more viruses, more cpu time, more MONEY. It's always money in the end.

Well, not always money. Money is the final factor, to be sure, but I can say with a reasonable level of assurance that there are other factors. Factors such as space and power. Granted one can get more space and power by forking out more money but no matter how much money one throws at those problems it doesn't drop the amount of time it would take to bring up an acceptable space for computers with a reliable source of power and cooling.

--
Steve C. Lamb     | I'm your priest, I'm your shrink, I'm your
PGP Key: 8B6E99C5 | main connection to the switchboard of souls.
Re: Earthlink and Swen
On Sun, Dec 14, 2003 at 12:53:20PM -0500, Paul Morgan wrote:
>
> Then that is my mistake; I offer my apology to you and to Ross. I found out about it several days ago during a normal routine check of services offered on earthlink's web site, and immediately turned it on,

I did the same.

> which has resulted in the removal of about 1.4MB per day of Swens. All were cleaned by removal of infected attachments and I received the remainder of the disinfected items.

Since my recent trial of Mutt, I noticed an added X-ETLK-AV header ever since. Ok for putting things in /dev/null.

> Incidentally, there has been expressed a dislike of earthlink's spam filtering. It's working well for me personally; however maybe it's worth noting that no-one is forcing earthlink subscribers to use earthlink's filtering. If one doesn't like it and wishes to do it oneself, one can turn it off.

I have it on Medium and 99% of results are ok, so I just have to check it once a month for obvious mistakes. But it doesn't seem to remember my corrections 100%.

> I carry no torch for earthlink. I was just trying to correct an inaccurate characterization of their services.
>
> The best ISP I used was a local one: magicnet.net of Orlando. Unfortunately, they were bought out by a national enterprise: Verio, was it?

Yup, started with pipeline which became mindspring which became earthlink. Same result, less responsive.

> can't remember the name now, I've blotted it from my memory, like the survivor of a traffic accident. Anyway, they completely destroyed a first class service in a stunningly short period of time.
>
> Like the nun who prayed daily for Jesus' return "tomorrow", I continue to pray for the return of local ISPs who endeavor to excel because they actually give a crap for their customers and not just for the content of their wallets.

I once believed in the Great Pumpkin, Too! Oh, Well.

-Kev
Re: Earthlink and Swen
On Sat, 13 Dec 2003 23:58:34 -0500, Kevin Mark wrote:

> On Sat, Dec 13, 2003 at 06:31:55PM -0500, Paul Morgan wrote:
>
>> - if you don't read communications from earthlink, then no wonder you don't know what's going on
>>
> I did check my backed up folder and found the last 8 months of earthlink emails and NO mentions.
>
> -Happy Gnu to you,
> Kev

Then that is my mistake; I offer my apology to you and to Ross. I found out about it several days ago during a normal routine check of services offered on earthlink's web site, and immediately turned it on, which has resulted in the removal of about 1.4MB per day of Swens. All were cleaned by removal of infected attachments and I received the remainder of the disinfected items.

Incidentally, there has been expressed a dislike of earthlink's spam filtering. It's working well for me personally; however maybe it's worth noting that no-one is forcing earthlink subscribers to use earthlink's filtering. If one doesn't like it and wishes to do it oneself, one can turn it off.

I carry no torch for earthlink. I was just trying to correct an inaccurate characterization of their services.

The best ISP I used was a local one: magicnet.net of Orlando. Unfortunately, they were bought out by a national enterprise: Verio, was it? can't remember the name now, I've blotted it from my memory, like the survivor of a traffic accident. Anyway, they completely destroyed a first class service in a stunningly short period of time.

Like the nun who prayed daily for Jesus' return "tomorrow", I continue to pray for the return of local ISPs who endeavor to excel because they actually give a crap for their customers and not just for the content of their wallets.

--
paul

"Do the little things" ("Gwnewch y pethau bychain")
St. David (Dewi Sant) of Wales, last sermon, Sunday 27th February 589
Re: Earthlink and Swen
On Sat, Dec 13, 2003 at 06:31:55PM -0500, Paul Morgan wrote:
> On Thu, 11 Dec 2003 20:56:48 -0800, Ross Boylan wrote:
>
> > Although filtering should "obviously" be done by service providers, it seems they have a lot of trouble getting it right. Mail to me goes through two service providers (one of them is just a forwarder, and I only recently found out they were attempting to remove spam). In both cases, I see non-trivial numbers of legitimate messages classified as spam and never delivered to me. As you point out, they never even report anything about what's going on. (The irascible gentleman whose post started this thread apparently believes individual viruses are being sanitized by earthlink and delivered to him, but no one else has suggested they are doing that.)
> >
> > Did earthlink send a notice of this change, or did they just do it? I didn't know about it. But then, I usually don't read their newsletters, where I suppose they might have mentioned it. I used their webmail interface quite recently, and didn't see anything suggesting their filtering options had changed.
>
> A couple of points of information:
>
> of the message, including the sender (in case someone you know is unknowingly transmitting the virus). You can easily find all this out for yourself by reading the virus blocker help in the webmail interface.
>
> - if you had checked, you would have found out that one gets virus filtering from earthlink if one turns it on for one's account (in the webmail preferences)

As a long time earthlink (mindspring, pipeline) customer, the virus option is very recent and the spam option is somewhat recent. I recall reading the spam options about a year ago and noticed nothing about virus checking. KMS said the virus was very recent also. I am not 100% sure, but if I called Earthlink, I would think it was added within a few months of the swen storm (+/-).

I emailed tech support during the storm and they made NO mention of any 'simple' 'flip this switch' option. Thus, it didn't exist before swen. I emailed them and stated I was leaving after more than 9 years, so it would be expected that if this option existed, they would be EAGER to tell me about it. They had no reply.

>
> - if you don't read communications from earthlink, then no wonder you don't know what's going on
>

I did check my backed up folder and found the last 8 months of earthlink emails and NO mentions.

-Happy Gnu to you,
Kev
Re: Earthlink and Swen
On Thu, 11 Dec 2003 20:56:48 -0800, Ross Boylan wrote:

>
> Although filtering should "obviously" be done by service providers, it seems they have a lot of trouble getting it right. Mail to me goes through two service providers (one of them is just a forwarder, and I only recently found out they were attempting to remove spam). In both cases, I see non-trivial numbers of legitimate messages classified as spam and never delivered to me. As you point out, they never even report anything about what's going on. (The irascible gentleman whose post started this thread apparently believes individual viruses are being sanitized by earthlink and delivered to him, but no one else has suggested they are doing that.)
>
> Did earthlink send a notice of this change, or did they just do it? I didn't know about it. But then, I usually don't read their newsletters, where I suppose they might have mentioned it. I used their webmail interface quite recently, and didn't see anything suggesting their filtering options had changed.

A couple of points of information:

- I didn't start the thread

- Irascible only when dealing with someone who doesn't check the facts first

- Yet again you question my veracity: earthlink generally filters the virus from an infected email and passes the remainder on; however, in the case of a legitimate-appearing message which can't be cleaned, it's placed in a quarantine folder and the recipient is emailed. Also, in the case of a fake message, earthlink will delete it and email the recipient details of the message, including the sender (in case someone you know is unknowingly transmitting the virus). You can easily find all this out for yourself by reading the virus blocker help in the webmail interface.

- if you had checked, you would have found out that one gets virus filtering from earthlink if one turns it on for one's account (in the webmail preferences)

- if you don't read communications from earthlink, then no wonder you don't know what's going on

- a gentleman only in the loosest definition of the word :)

--
paul

"Do the little things" ("Gwnewch y pethau bychain")
St. David (Dewi Sant) of Wales, last sermon, Sunday 27th February 589
Re: Earthlink and Swen
On Thu, Dec 11, 2003 at 08:56:48PM -0800, Ross Boylan wrote:
> On Sat, Dec 06, 2003 at 04:15:45PM -0800, Karsten M. Self wrote:
> ...
> >
> > Earthlink have implemented virus and spam filtering within the past month or so, early November, if time serves.
>

Yea!

> headers. They may have resisted doing anything because of a shortage of CPU power (yes, I know, viruses consume CPU, bandwidth, disk space even if ignored...). They also claimed that they weren't getting that many swens over their subscriber base. This is perhaps true if it was harvesting off usenet postings.
>

more viruses, more cpu time, more MONEY. It's always money in the end.

> Did earthlink send a notice of this change, or did they just do it? I didn't know about it. But then, I usually don't read their newsletters, where I suppose they might have mentioned it. I used their webmail interface quite recently, and didn't see anything suggesting their filtering options had changed.

I went to the 'email options' page and turned on the VIRUS options as soon as KMS mentioned it. Ever since, my email has included a new header: X-ELNK-AV (0 or 1). Where 1 means virus, and the message is cleaned and edited to display the reason it was edited.

-Kev
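The X-ELNK-AV header described in the message above is enough to build, on the subscriber's side, the per-day report of filter verdicts that other posts in this thread say the service does not provide. This is an added example, not code from any poster: it assumes the header carries exactly `0` or `1` as described, treats conflicting copies of the header as suspect, and runs on constructed sample messages with placeholder addresses.

```python
"""Per-day report of virus-filter verdicts read from the X-ELNK-AV header."""
from collections import Counter
from email import message_from_string
from email.utils import parsedate_to_datetime

AV_HEADER = "X-ELNK-AV"  # name as given in the thread; 1 = virus found, message cleaned


def make_sample(date, av_values, subject):
    """Build one constructed RFC 822 message for the sample set."""
    lines = ["From: sender@example.org", "To: subscriber@example.net",
             "Date: " + date, "Subject: " + subject]
    lines += ["%s: %s" % (AV_HEADER, value) for value in av_values]
    return "\n".join(lines) + "\n\nbody\n"


# Constructed sample mail, not real traffic.
SAMPLE_MESSAGES = [
    make_sample("Thu, 11 Dec 2003 09:00:00 -0500", ["0"], "meeting notes"),
    make_sample("Thu, 11 Dec 2003 10:30:00 -0500", ["1"], "update attached"),
    make_sample("Fri, 12 Dec 2003 08:15:00 -0500", ["1"], "patch attached"),
    make_sample("Fri, 12 Dec 2003 11:00:00 -0500", [], "list digest"),
    make_sample("Fri, 12 Dec 2003 23:59:00 -0500", ["0", "1"], "two verdicts"),
]


def verdict(msg):
    """Map the header value(s) of one parsed message to a verdict string."""
    values = {value.strip() for value in msg.get_all(AV_HEADER, [])}
    if not values:
        return "unscanned"      # filter off, or mail that bypassed it
    if len(values) > 1:
        return "conflict"       # more than one verdict: one copy may be sender-supplied
    return {"0": "clean", "1": "cleaned"}.get(values.pop(), "unknown")


def message_day(msg):
    """ISO date from the Date header, or 'undated' when it is missing or broken."""
    try:
        return parsedate_to_datetime(msg["Date"]).date().isoformat()
    except (TypeError, ValueError):
        return "undated"


def daily_report(raw_messages):
    """Return {day: {verdict: count}} for a list of raw message strings."""
    report = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        report.setdefault(message_day(msg), Counter())[verdict(msg)] += 1
    return {day: dict(counts) for day, counts in sorted(report.items())}


def needs_review(raw_messages):
    """List (day, sender, subject, verdict) for everything not marked clean."""
    rows = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        result = verdict(msg)
        if result != "clean":
            rows.append((message_day(msg), msg.get("From", ""),
                         msg.get("Subject", ""), result))
    return rows


if __name__ == "__main__":
    for day, counts in daily_report(SAMPLE_MESSAGES).items():
        print(day, counts)
    for row in needs_review(SAMPLE_MESSAGES):
        print(*row, sep=" | ")
```

For a real mailbox, feed `daily_report` the raw messages from an mbox or Maildir reader in place of `SAMPLE_MESSAGES`.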
Re: Earthlink and Swen
on Thu, Dec 11, 2003 at 08:56:48PM -0800, Ross Boylan ([EMAIL PROTECTED]) wrote:
> On Sat, Dec 06, 2003 at 04:15:45PM -0800, Karsten M. Self wrote:
> ...
> >
> > Earthlink have implemented virus and spam filtering within the past month or so, early November, if time serves.
>
> That explains some of the confusion. It's good they are trying to be responsive. Too bad they aren't doing it better.
>
> As an aside to the comment that earthlink said they couldn't scan for viruses because that would be an invasion of privacy: one support person I spoke to hinted that the real issue was that scanning the entire body of email messages takes more resources than scanning the headers. They may have resisted doing anything because of a shortage of CPU power (yes, I know, viruses consume CPU, bandwidth, disk space even if ignored...). They also claimed that they weren't getting that many swens over their subscriber base. This is perhaps true if it was harvesting off usenet postings.
>
> >
> > It's more than slightly flawed in several regards:
> >
> > - There's no SMTP-time blocking -- the only way to reliably inform a sender that their message wasn't delivered, without joe-job risks.
> joe-job = ?

STFW http://www.google.com/search?q=%22joe-job%22

> >
> > - Viruses are filtered to a "quarantine" folder, which you still have to check and clear periodically. Whether and how this counts to your 10 MiB mail buffer quota isn't clear. Filter is based on Brightmail IIRC. This is *not* enabled by default, but must be selected by the subscriber.
>
> Their junk mail folder, according to their webmail interface, does not count against your quota, but may get periodically cleared out. I'll have to check what the relation of this is to the new stuff, but probably it will work on the same principle.

There are several layers of ambiguity about this. It appears poorly considered in balance.

> Although filtering should "obviously" be done by service providers, it seems they have a lot of trouble getting it right. Mail to me goes through two service providers (one of them is just a forwarder, and I only recently found out they were attempting to remove spam). In both cases, I see non-trivial numbers of legitimate messages classified as spam and never delivered to me. As you point out, they never even report anything about what's going on.

I'm simply boggled that they can do this and think by any stretch of logic or ethics that it's in some manner OK.

That said, most ISPs get a whole lot of crud wrong. AOL was blocking mail from me to my mother for some nine months, without notifying her of the fact in advance, admitting it on inquiry, or offering any alternatives.

That said, users can be a PITA, and _any_ introduced variance in the system is another opportunity for things to go wrong. Lord knows I generally fsck myself up with even apparently minor changes to procmail rules. Mail is high-volume, affects lots of people, barely adheres to even nominal standards by minimal margins, and is seen as a birthright on the Internet.

> (The irascible gentleman whose post started this thread apparently believes individual viruses are being sanitized by earthlink and delivered to him, but no one else has suggested they are doing that.)

There are various nodes through which mail is delivered. Some are taking to stripping viral payloads. I've taken to reporting such mail as spam, training SA on the material, and spamlisting any originating reporting addresses.

> Did earthlink send a notice of this change, or did they just do it? I didn't know about it. But then, I usually don't read their newsletters, where I suppose they might have mentioned it. I used their webmail interface quite recently, and didn't see anything suggesting their filtering options had changed.

The announcement was scattershot at best. Some press, website notice, IIRC. Though I rarely hit their own site.

Peace.

--
Karsten M. Self <[EMAIL PROTECTED]> http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  The Earth *is* flat. But Mars is sharp and Venus is in tune, which makes up for it.
Re: Earthlink and Swen
On Sat, Dec 06, 2003 at 04:15:45PM -0800, Karsten M. Self wrote:
...
>
> Earthlink have implemented virus and spam filtering within the past month or so, early November, if time serves.

That explains some of the confusion. It's good they are trying to be responsive. Too bad they aren't doing it better.

As an aside to the comment that earthlink said they couldn't scan for viruses because that would be an invasion of privacy: one support person I spoke to hinted that the real issue was that scanning the entire body of email messages takes more resources than scanning the headers. They may have resisted doing anything because of a shortage of CPU power (yes, I know, viruses consume CPU, bandwidth, disk space even if ignored...). They also claimed that they weren't getting that many swens over their subscriber base. This is perhaps true if it was harvesting off usenet postings.

>
> It's more than slightly flawed in several regards:
>
> - There's no SMTP-time blocking -- the only way to reliably inform a sender that their message wasn't delivered, without joe-job risks.

joe-job = ?

>
> - Viruses are filtered to a "quarantine" folder, which you still have to check and clear periodically. Whether and how this counts to your 10 MiB mail buffer quota isn't clear. Filter is based on Brightmail IIRC. This is *not* enabled by default, but must be selected by the subscriber.
>

Their junk mail folder, according to their webmail interface, does not count against your quota, but may get periodically cleared out. I'll have to check what the relation of this is to the new stuff, but probably it will work on the same principle.

> - In "virus storms", virus filtering is enabled automatically. There is no way for the subscriber to control this behavior.

If the filters worked that would be fine. But they don't.

>
> - Spam filtering is largely limited to "known spam" checks, analogous to Vipul's Razor. This is the same useless crap that was previously marketed as "SpamBlocker". Which didn't
>
> - There is a "known senders" mail filtering system, based on challenge-response (itself an evil concept) which again quarantines mail not delivered, again, counting against your mail buffer.
>
>     http://kmself.home.netcom.com/Rants/challenge-response.html
>
> - There is no reporting to the user of what mail was blocked, sender, subject, or reason for blocking. There is no option for user training of filters.
>
> Upshot: I've not enabled any of the filtering. I want to know what is blocked. I want blocking at SMTP level. And I want context-sensitive spam filters (e.g.: Bayesian filters). I can apply this through my own rules after downloading mail. Current mail loads are sufficiently small that I can do this effectively. I've also found that reporting received Swen tends to keep counts down (~60-65 per day, vs. 250+ if not reported). I've created a few scripts for this (some assembly required):
>

Thanks for doing the reports. It's a public service, as well as helping you.

>     http://kmself.home.netcom.com/Download/reportSwen
>     http://kmself.home.netcom.com/Download/fqdn2domain
>
>
> Peace.
>

Although filtering should "obviously" be done by service providers, it seems they have a lot of trouble getting it right. Mail to me goes through two service providers (one of them is just a forwarder, and I only recently found out they were attempting to remove spam). In both cases, I see non-trivial numbers of legitimate messages classified as spam and never delivered to me. As you point out, they never even report anything about what's going on. (The irascible gentleman whose post started this thread apparently believes individual viruses are being sanitized by earthlink and delivered to him, but no one else has suggested they are doing that.)

Did earthlink send a notice of this change, or did they just do it? I didn't know about it. But then, I usually don't read their newsletters, where I suppose they might have mentioned it. I used their webmail interface quite recently, and didn't see anything suggesting their filtering options had changed.
Spam, email, encrypted transit, harvesting (was Re: Earthlink and Swen)
on Tue, Dec 09, 2003 at 03:05:04AM -0500, Kevin Mark ([EMAIL PROTECTED]) wrote:
> On Mon, Dec 08, 2003 at 04:44:18AM -0800, Karsten M. Self wrote:
> > on Mon, Dec 08, 2003 at 05:40:16AM -0500, Kevin Mark ([EMAIL PROTECTED]) wrote:
> > > On Sun, Dec 07, 2003 at 11:55:57PM -0800, Karsten M. Self wrote:
> > > > on Thu, Dec 04, 2003 at 10:56:59PM -0800, Ross Boylan ([EMAIL PROTECTED]) wrote:
> > > > Perhaps their recently introduced virus filtering service:
> > > >
> > > >     http://www.earthlink.net/myaccount/help/virusblocker/
> > > >
> > > Hi KMS,
> > > Funny, I am a subscriber to this ISP and I didn't notice any email announcements (but then I usually just delete the isp mail site unseen). I'm sure this recent additions was because I (and I'm sure others) were really pissed at them during the swen 'flash flood' and sent quite a few emails. I guess this is as 'responsive' as they get. Now if they only get off their duff and get encrypted pop or the like!!! This would decrease my spam further!
> >
> > Protocol APOP is supported. Not that this is mentioned anywhere that I'm aware. I just learned of this a few weeks ago.
> >
> > I'm not sure how encrypted POP would help you with regard to spam though
> >
> HI,
> IIRC, APOP only encrypts the login and the email message is sent in the clear. With ssl or the like, my mail would not be sent in the clear and thus could not be read and/or harvested for email addresses or other info.

Your email transiting between you and your ISP _frequently_ (but not always) crosses only their internal network. Odds of it being harvested are low.

The mail has _already_ transited between the remote sender (if not you or another user on your ISP) and your ISP's mailserver. Almost always in the clear.

Still, odds of your address being harvested in this manner are low, though it's technically possible. For someone with physical or technical access to the direct link itself. Pretty much anyone with sufficient access to do this can get your address by other means, though.

Far more likely, though, that your friend's been compromised by a virus which is harvesting your address from his/her addressbook.

Encrypting your authentication tokens in APOP is useful. Encrypting the mail in transit would be nice for a number of reasons, but I don't see it having a significant impact on spam.

I'd recommend you focus your attention on realistic and controllable risks.

Peace.

--
Karsten M. Self <[EMAIL PROTECTED]> http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  In his dream he was walking late at night along the East Side, beside the river which had become so extravagantly polluted that new lifeforms were now emerging from it spontaneously, demanding welfare and voting rights.
  -- HHGTG
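What APOP does and does not protect, as discussed in the exchange above, shown as an added example that is not part of any post. RFC 1939 defines the APOP digest as MD5 over the timestamp in the server greeting followed by the shared secret; the greeting and secret below are the RFC's own example values, while the session lines and the message are constructed.

```python
"""APOP (RFC 1939): what the digest protects and what stays readable on the wire."""
import hashlib
import re

# Greeting and shared secret are the example values printed in RFC 1939.
GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
SECRET = "tanstaaf"

# Constructed message; the addresses are placeholders.
MESSAGE = (
    "From: friend@example.org\n"
    "To: mrose@example.net\n"
    "Subject: lunch\n"
    "\n"
    "See you at noon.\n"
)


def apop_digest(greeting, secret):
    """Hex MD5 of the greeting's <timestamp> followed directly by the secret."""
    stamp = re.search(r"<[^<>\s]+>", greeting)
    if stamp is None:
        raise ValueError("greeting has no timestamp: server does not offer APOP")
    return hashlib.md5((stamp.group(0) + secret).encode("ascii")).hexdigest()


def pop3_wire(user, secret, greeting, mailbox):
    """Every line a listener on an unencrypted link would see, as (side, line)."""
    wire = [
        ("S", greeting),
        ("C", "APOP %s %s" % (user, apop_digest(greeting, secret))),
        ("S", "+OK maildrop has %d message(s)" % len(mailbox)),
    ]
    for number, message in enumerate(mailbox, 1):
        wire.append(("C", "RETR %d" % number))
        wire.append(("S", "+OK %d octets" % len(message)))
        # POP3 byte-stuffs message lines that begin with "." (RFC 1939, section 3).
        wire += [("S", "." + line if line.startswith(".") else line)
                 for line in message.splitlines()]
        wire.append(("S", "."))
    wire += [("C", "QUIT"), ("S", "+OK bye")]
    return wire


def exposure(wire, secret, mailbox):
    """Summarise what the captured lines reveal."""
    seen = "\n".join(line for _, line in wire)
    return {
        # The secret itself never crosses the link, only a one-time digest.
        "password_in_clear": secret in seen,
        # Message headers and bodies are sent exactly as stored.
        "messages_in_clear": sum(
            all(line in seen for line in message.splitlines() if line)
            for message in mailbox
        ),
    }


if __name__ == "__main__":
    session = pop3_wire("mrose", SECRET, GREETING, [MESSAGE])
    for side, line in session:
        print(side + ": " + line)
    print(exposure(session, SECRET, [MESSAGE]))
```

Because the timestamp changes with every connection, a captured digest does not authenticate a later session; the message text after login is protected only if the whole connection is wrapped in SSL/TLS.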
Re: Earthlink and Swen
On Mon, Dec 08, 2003 at 04:44:18AM -0800, Karsten M. Self wrote:
> on Mon, Dec 08, 2003 at 05:40:16AM -0500, Kevin Mark ([EMAIL PROTECTED]) wrote:
> > On Sun, Dec 07, 2003 at 11:55:57PM -0800, Karsten M. Self wrote:
> > > on Thu, Dec 04, 2003 at 10:56:59PM -0800, Ross Boylan ([EMAIL PROTECTED]) wrote:
> > > Perhaps their recently introduced virus filtering service:
> > >
> > >     http://www.earthlink.net/myaccount/help/virusblocker/
> > >
> > Hi KMS,
> > Funny, I am a subscriber to this ISP and I didn't notice any email announcements (but then I usually just delete the isp mail site unseen). I'm sure this recent additions was because I (and I'm sure others) were really pissed at them during the swen 'flash flood' and sent quite a few emails. I guess this is as 'responsive' as they get. Now if they only get off their duff and get encrypted pop or the like!!! This would decrease my spam further!
>
> Protocol APOP is supported. Not that this is mentioned anywhere that I'm aware. I just learned of this a few weeks ago.
>
> I'm not sure how encrypted POP would help you with regard to spam though
>

HI,
IIRC, APOP only encrypts the login and the email message is sent in the clear. With ssl or the like, my mail would not be sent in the clear and thus could not be read and/or harvested for email addresses or other info.

-Kev
Re: Earthlink and Swen
* Kevin Mark ([EMAIL PROTECTED]) [031208 03:17]:
> I guess this is as 'responsive' as they get. Now if they only get off their duff and get encrypted pop or the like!!! This would decrease my spam further!

By "encrypted pop" do you mean pop3/ssl? If so, how do you expect would this decrease the amount of spam you receive?

good times,
Vineet

--
http://www.doorstop.net/
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." --Benjamin Franklin
Re: Earthlink and Swen
on Mon, Dec 08, 2003 at 05:40:16AM -0500, Kevin Mark ([EMAIL PROTECTED]) wrote:
> On Sun, Dec 07, 2003 at 11:55:57PM -0800, Karsten M. Self wrote:
> > on Thu, Dec 04, 2003 at 10:56:59PM -0800, Ross Boylan ([EMAIL PROTECTED]) wrote:
> > Perhaps their recently introduced virus filtering service:
> >
> >     http://www.earthlink.net/myaccount/help/virusblocker/
>
> Hi KMS,
> Funny, I am a subscriber to this ISP and I didn't notice any email announcements (but then I usually just delete the isp mail site unseen). I'm sure this recent additions was because I (and I'm sure others) were really pissed at them during the swen 'flash flood' and sent quite a few emails. I guess this is as 'responsive' as they get. Now if they only get off their duff and get encrypted pop or the like!!! This would decrease my spam further!

Protocol APOP is supported. Not that this is mentioned anywhere that I'm aware. I just learned of this a few weeks ago.

I'm not sure how encrypted POP would help you with regard to spam though

Peace.

--
Karsten M. Self <[EMAIL PROTECTED]> http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Reject EU Software Patents! http://swpat.ffii.org/
Re: Earthlink and Swen
On Sun, Dec 07, 2003 at 11:55:57PM -0800, Karsten M. Self wrote:
> on Thu, Dec 04, 2003 at 10:56:59PM -0800, Ross Boylan ([EMAIL PROTECTED]) wrote:
> Perhaps their recently introduced virus filtering service:
>
>     http://www.earthlink.net/myaccount/help/virusblocker/
> --
> Karsten M. Self <[EMAIL PROTECTED]> http://kmself.home.netcom.com/
>  What Part of "Gestalt" don't you understand?
>   Reject EU Software Patents! http://swpat.ffii.org/

Hi KMS,
Funny, I am a subscriber to this ISP and I didn't notice any email announcements (but then I usually just delete the isp mail site unseen). I'm sure this recent additions was because I (and I'm sure others) were really pissed at them during the swen 'flash flood' and sent quite a few emails. I guess this is as 'responsive' as they get. Now if they only get off their duff and get encrypted pop or the like!!! This would decrease my spam further!

-Kev
Re: Earthlink and Swen
on Thu, Dec 04, 2003 at 10:56:59PM -0800, Ross Boylan ([EMAIL PROTECTED]) wrote:
> On Thu, Dec 04, 2003 at 03:08:23PM -0500, Paul Morgan wrote:
> ...
> > I have all services locked down to localhost; my only connections to the outside world are mail, news via nntpcached, web via squid... I run Apache but it too is locked down to localhost. My mail is run through my ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd be getting like 10 Svens per day). I do see, from time to time, Apache refusing connections attempts which are generally attacks by Windoze worms.
>
> I had a long talk with earthlink a month or two ago in which they told me they were not filtering out swen (and they certainly weren't; I got a ton). Soon after that, I did see some swen-like stuff in their spam filter for my account (but I also saw plenty still coming at me).
>
> What's your basis for saying they are filtering out swen, rather than that you're just getting less swen?

Perhaps their recently introduced virus filtering service:

    http://www.earthlink.net/myaccount/help/virusblocker/

Synopsis:

If activated:

  - Infected legitimate mail is cleaned and delivered.
  - Infected virally distributed mail is blocked and deleted.
  - Legitimate mail which cannot be cleaned is quarantined.

In emergency mode (mail storm), the system is activated automatically but only for the specific mail associated with the storm.

My beefs:

  - The system is unaccountable. There's no reporting built in to indicate how much mail is being blocked.

  - The system appears to work after SMTP transaction. This means that viral mail cannot be denied on delivery. This is an issue because:

    - Such delivery errors tip off other sites that they've got a virus problem.

    - Any attempted notification after receipt cannot be made without a high likelihood of false notification to spoofed addresses (a "Joe-job" attack).

  - Mail which cannot be cleaned is quarantined. I don't need crap mail sitting on my account.

  - There's no discussion of how "messages that others send you" are distinguished from viral "breed"ing mail. Magick?

Nice try, but ultimately deficient. However, it does exist.

Peace.

--
Karsten M. Self <[EMAIL PROTECTED]> http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Reject EU Software Patents! http://swpat.ffii.org/
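The difference between refusing viral mail during the SMTP transaction and filtering it after acceptance, which the message above raises, can be seen in the protocol exchange itself. This is an added example, not code from the thread: a toy receiver with a constructed message, placeholder host names and addresses, and a filename check standing in for a real scanner.

```python
"""Toy SMTP receiver: refuse infected mail at end of DATA vs. accept and notify later."""
from email import message_from_string

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat")  # stand-in for a real virus scanner

# Constructed message with an executable-named attachment (payload is dummy data).
SAMPLE_MESSAGE = """\
From: bystander@example.org
To: subscriber@example.net
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

constructed sample body
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

# What the infected machine sends; the envelope sender is forged.
INFECTED_CLIENT = [
    "HELO infected-pc.example.com",
    "MAIL FROM:<bystander@example.org>",
    "RCPT TO:<subscriber@example.net>",
    "DATA",
    *SAMPLE_MESSAGE.splitlines(),
    ".",
    "QUIT",
]


def looks_infected(raw_message):
    """Constructed check: flag any MIME part whose filename is an executable."""
    for part in message_from_string(raw_message).walk():
        if (part.get_filename() or "").lower().endswith(EXECUTABLE_EXT):
            return True
    return False


def smtp_session(client_lines, reject_at_data):
    """Run one scripted client against the toy server.

    Returns (transcript, notices). transcript is a list of ("C"|"S", line);
    notices lists addresses that would later be mailed an "infected message"
    notification when filtering happens only after acceptance.
    """
    transcript, notices = [("S", "220 mx.example.net ESMTP")], []
    mail_from, data, in_data = None, [], False
    for line in client_lines:
        transcript.append(("C", line))
        command = line.upper()
        if in_data:
            if line != ".":
                data.append(line)       # dot-unstuffing omitted in this toy
                continue
            in_data = False
            infected = looks_infected("\n".join(data))
            if infected and reject_at_data:
                # The machine that is actually connected sees the failure.
                reply = "550 5.7.1 message refused: virus detected"
            else:
                reply = "250 2.0.0 queued"
                if infected:
                    # After acceptance the only address left to tell is the
                    # envelope sender, which the sending program chose.
                    notices.append(mail_from)
            data = []
        elif command.startswith(("HELO", "EHLO")):
            reply = "250 mx.example.net"
        elif command.startswith("MAIL FROM:"):
            mail_from = line[10:].strip().strip("<>")
            reply = "250 2.1.0 sender ok"
        elif command.startswith("RCPT TO:"):
            reply = "250 2.1.5 recipient ok"
        elif command == "DATA":
            in_data, reply = True, "354 end data with <CRLF>.<CRLF>"
        elif command == "QUIT":
            reply = "221 2.0.0 bye"
        else:
            reply = "500 5.5.2 command not recognised"
        transcript.append(("S", reply))
    return transcript, notices


def reply_to_end_of_data(transcript):
    """Server reply that follows the client's terminating '.' line."""
    for index, (side, line) in enumerate(transcript):
        if side == "C" and line == ".":
            return transcript[index + 1][1]
    return None


if __name__ == "__main__":
    for policy in (True, False):
        transcript, notices = smtp_session(INFECTED_CLIENT, reject_at_data=policy)
        print("reject_at_data=%s" % policy, "|", reply_to_end_of_data(transcript),
              "| later notices to:", notices)
```

With rejection at DATA the connecting host gets the 550 and no mail is generated; with post-acceptance filtering the host sees 250 and any notice goes to the forged sender.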
Re: Earthlink and Swen
on Thu, Dec 04, 2003 at 10:56:59PM -0800, Ross Boylan ([EMAIL PROTECTED]) wrote:
> On Thu, Dec 04, 2003 at 03:08:23PM -0500, Paul Morgan wrote:
> ...
> > I have all services locked down to localhost; my only connections to the outside world are mail, news via nntpcached, web via squid... I run Apache but it too is locked down to localhost. My mail is run through my ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd be getting like 10 Svens per day). I do see, from time to time, Apache refusing connections attempts which are generally attacks by Windoze worms.
>
> I had a long talk with earthlink a month or two ago in which they told me they were not filtering out swen (and they certainly weren't; I got a ton). Soon after that, I did see some swen-like stuff in their spam filter for my account (but I also saw plenty still coming at me).
>
> What's your basis for saying they are filtering out swen, rather than that you're just getting less swen?

Earthlink have implemented virus and spam filtering within the past month or so, early November, if time serves.

It's more than slightly flawed in several regards:

  - There's no SMTP-time blocking -- the only way to reliably inform a sender that their message wasn't delivered, without joe-job risks.

  - Viruses are filtered to a "quarantine" folder, which you still have to check and clear periodically. Whether and how this counts to your 10 MiB mail buffer quota isn't clear. Filter is based on Brightmail IIRC. This is *not* enabled by default, but must be selected by the subscriber.

  - In "virus storms", virus filtering is enabled automatically. There is no way for the subscriber to control this behavior.

  - Spam filtering is largely limited to "known spam" checks, analogous to Vipul's Razor. This is the same useless crap that was previously marketed as "SpamBlocker". Which didn't

  - There is a "known senders" mail filtering system, based on challenge-response (itself an evil concept) which again quarantines mail not delivered, again, counting against your mail buffer.

        http://kmself.home.netcom.com/Rants/challenge-response.html

  - There is no reporting to the user of what mail was blocked, sender, subject, or reason for blocking. There is no option for user training of filters.

Upshot: I've not enabled any of the filtering. I want to know what is blocked. I want blocking at SMTP level. And I want context-sensitive spam filters (e.g.: Bayesian filters). I can apply this through my own rules after downloading mail. Current mail loads are sufficiently small that I can do this effectively. I've also found that reporting received Swen tends to keep counts down (~60-65 per day, vs. 250+ if not reported). I've created a few scripts for this (some assembly required):

    http://kmself.home.netcom.com/Download/reportSwen
    http://kmself.home.netcom.com/Download/fqdn2domain

Peace.

--
Karsten M. Self <[EMAIL PROTECTED]> http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Reject EU Software Patents! http://swpat.ffii.org/
Re: Earthlink and Swen
On Sat, 06 Dec 2003 00:11:49 -0800, Ross Boylan wrote:

> On Fri, Dec 05, 2003 at 04:52:27PM -0500, Paul Morgan wrote:
>>
>> I have no idea why you are attacking my veracity. My statement is fact.
>
> Well, try reading a little harder. And generally, if someone asks you
> "why is something true?" responding "because it's a fact" doesn't add
> much.
>
> First, I'm not attacking your veracity, I'm asking what the basis is
> for your statements. Yes, I do find them a little hard to believe.
>
> Second, the reason I'm surprised is based on my own experience with
> earthlink, including their explicit statements that they weren't
> blocking Swen.
>
> What the mail you attached below is supposed to demonstrate, I don't
> know. You don't provide any context with which to understand it.
> This is mail you sent? received? both?
> Perhaps the statements about Earthlink Virus blocking are meant as
> proof of something, but considering how much forged stuff is floating
> around I don't think it's very strong proof. Why would some foreign
> system be informing you about earthlink's filtering arrangements? The
> mail is obviously filled with forged headers since the FROM doesn't
> match the return path and the TO doesn't match you (assuming the mail
> was to you).
>
> My idea of a convincing demonstration that earthlink is doing
> something useful would be that you look at what's caught in
> earthlink's filters, and see x swen's/day.
>

The email I attached is an example of how I receive infected emails from
earthlink: I receive the email with the infected executable removed and
a message to that effect inserted. The rest of the email remains
untouched. I am surprised that you were unable to "get" that.

So, what I had posted seems to fit your idea of a convincing
demonstration. And in my original post, I gave you a rough average of
swens caught daily.

I had replied that you were attacking my veracity because you were. You
chose, for whatever reason, not to believe my statement and demanded
proof. Strangely, when I provided proof, you continued to disbelieve me.

I really don't give a toss whether you believe me or not, but I have
persevered with this thread so that others do not have a mistaken
impression of earthlink's virus filtering.

You are like *this* close to going into my Pan bozos filter.

--
paul

"The number of UNIX installations has grown to 10, with more expected."
(The UNIX Programmer's Manual, 2nd Edition, June 1972)

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Earthlink and Swen
On Fri, Dec 05, 2003 at 04:52:27PM -0500, Paul Morgan wrote:
> On Thu, 04 Dec 2003 22:56:59 -0800, Ross Boylan wrote:
>
> > On Thu, Dec 04, 2003 at 03:08:23PM -0500, Paul Morgan wrote:
> > ...
> >> I have all services locked down to localhost; my only connections to
> >> the outside world are mail, news via nntpcached, web via squid... I run
> >> Apache but it too is locked down to localhost. My mail is run through my
> >> ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd
> >> be getting like 10 Svens per day). I do see, from time to time, Apache
> >> refusing connections attempts which are generally attacks by Windoze worms.
> >
> > I had a long talk with earthlink a month or two ago in which they told
> > me they were not filtering out swen (and they certainly weren't; I got
> > a ton). Soon after that, I did see some swen-like stuff in their spam
> > filter for my account (but I also saw plenty still coming at me).
> >
> > What's your basis for saying they are filtering out swen, rather than
> > that you're just getting less swen?
>
> I have no idea why you are attacking my veracity. My statement is fact.

Well, try reading a little harder. And generally, if someone asks you
"why is something true?" responding "because it's a fact" doesn't add
much.

First, I'm not attacking your veracity, I'm asking what the basis is
for your statements. Yes, I do find them a little hard to believe.

Second, the reason I'm surprised is based on my own experience with
earthlink, including their explicit statements that they weren't
blocking Swen.

What the mail you attached below is supposed to demonstrate, I don't
know. You don't provide any context with which to understand it.
This is mail you sent? received? both?
Perhaps the statements about Earthlink Virus blocking are meant as
proof of something, but considering how much forged stuff is floating
around I don't think it's very strong proof. Why would some foreign
system be informing you about earthlink's filtering arrangements? The
mail is obviously filled with forged headers since the FROM doesn't
match the return path and the TO doesn't match you (assuming the mail
was to you).

My idea of a convincing demonstration that earthlink is doing
something useful would be that you look at what's caught in
earthlink's filters, and see x swen's/day.

My aggravation level with earthlink just went up a notch, as I
attempted to file a problem report with them and again encountered
their usual "go away" level of technical support (I filed something
via their inadequate web form, since they've stopped listening to
[EMAIL PROTECTED] They sent me back a reply that didn't address my
problem, saying to write back if the problem wasn't solved. I wrote
back. They sent me a reply saying they had lost the original problem
report, so couldn't handle my response!).

I wish I knew of a decent ISP.

>
> >From - Fri Dec 5 15:57:48 2003
> X-UIDL: 1asa4W2Al3NZFop0
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 0800
> Status: U
> Return-Path: <[EMAIL PROTECTED]>
> Received: from mail.telebit.ru ([217.107.81.59])
>   by coot (EarthLink SMTP Server) with ESMTP id 1asa4W2Al3NZFop0
>   Thu, 4 Dec 2003 23:08:41 -0800 (PST)
> Received: from [81.25.172.123] (HELO qivz)
>   by mail.telebit.ru (CommuniGate Pro SMTP 4.1.6)
>   with SMTP id 3349026; Fri, 05 Dec 2003 10:07:59 +0300
> FROM: "Email System" <[EMAIL PROTECTED]>
> TO: "Mail Receiver" <[EMAIL PROTECTED]>
> SUBJECT: Failure Letter
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
>   boundary="tkvyqd"
> Date: Fri, 05 Dec 2003 10:08:00 +0300
> Message-ID: <[EMAIL PROTECTED]>
> X-ELNK-AV: 1
>
> Content-Type: text/html
> Content-Transfer-Encoding: quoted-printable
>
> You currently have EarthLink Virus Blocker powered by Symantec enabled.The
> following attachments were infected and have been repaired:No attachments
> are in this category.
> The following infected attachments were deleted:1. fdbq.exe: [EMAIL PROTECTED]
> Original message text follows
>
>
>
> cid:bbhhysgma"; height=3D0 width=3D0>
> Hi.
> This is the qmail program
> Undeliverable to [EMAIL PROTECTED]
>
>
> Content-Type: text/plain;
>   name="DELETED0.TXT"
> Content-Transfer-Encoding: base64
> Content-Id:
>
> ZmlsZSBhdHRhY2htZW50OiBmZGJxLmV4ZQ0KDQpUaGUgZmlsZSBhdHRhY2hlZCB0byB0aGlz
> IGVtYWlsIHdhcyByZW1vdmVkIGJlY2F1c2UgaXQgaXMgaW5mZWN0ZWQgd2l0aCB0aGUgVzMy
> LlN3ZW4uQUBtbSB2aXJ1cy4NCg==
>
Re: Earthlink and Swen
On Thu, 04 Dec 2003 22:56:59 -0800, Ross Boylan wrote:

> On Thu, Dec 04, 2003 at 03:08:23PM -0500, Paul Morgan wrote:
> ...
>> I have all services locked down to localhost; my only connections to
>> the outside world are mail, news via nntpcached, web via squid... I run
>> Apache but it too is locked down to localhost. My mail is run through my
>> ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd
>> be getting like 10 Svens per day). I do see, from time to time, Apache
>> refusing connections attempts which are generally attacks by Windoze worms.
>
> I had a long talk with earthlink a month or two ago in which they told
> me they were not filtering out swen (and they certainly weren't; I got
> a ton). Soon after that, I did see some swen-like stuff in their spam
> filter for my account (but I also saw plenty still coming at me).
>
> What's your basis for saying they are filtering out swen, rather than
> that you're just getting less swen?

I have no idea why you are attacking my veracity. My statement is fact.

>From - Fri Dec 5 15:57:48 2003
X-UIDL: 1asa4W2Al3NZFop0
X-Mozilla-Status: 0001
X-Mozilla-Status2: 0800
Status: U
Return-Path: <[EMAIL PROTECTED]>
Received: from mail.telebit.ru ([217.107.81.59])
  by coot (EarthLink SMTP Server) with ESMTP id 1asa4W2Al3NZFop0
  Thu, 4 Dec 2003 23:08:41 -0800 (PST)
Received: from [81.25.172.123] (HELO qivz)
  by mail.telebit.ru (CommuniGate Pro SMTP 4.1.6)
  with SMTP id 3349026; Fri, 05 Dec 2003 10:07:59 +0300
FROM: "Email System" <[EMAIL PROTECTED]>
TO: "Mail Receiver" <[EMAIL PROTECTED]>
SUBJECT: Failure Letter
Mime-Version: 1.0
Content-Type: multipart/alternative;
  boundary="tkvyqd"
Date: Fri, 05 Dec 2003 10:08:00 +0300
Message-ID: <[EMAIL PROTECTED]>
X-ELNK-AV: 1

--tkvyqd
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

You currently have EarthLink Virus Blocker powered by Symantec enabled.The
following attachments were infected and have been repaired:No attachments
are in this category.
The following infected attachments were deleted:1. fdbq.exe: [EMAIL PROTECTED]
Original message text follows

cid:bbhhysgma"; height=3D0 width=3D0>
Hi.
This is the qmail program
Undeliverable to [EMAIL PROTECTED]

--tkvyqd
Content-Type: text/plain;
  name="DELETED0.TXT"
Content-Transfer-Encoding: base64
Content-Id:

ZmlsZSBhdHRhY2htZW50OiBmZGJxLmV4ZQ0KDQpUaGUgZmlsZSBhdHRhY2hlZCB0byB0aGlz
IGVtYWlsIHdhcyByZW1vdmVkIGJlY2F1c2UgaXQgaXMgaW5mZWN0ZWQgd2l0aCB0aGUgVzMy
LlN3ZW4uQUBtbSB2aXJ1cy4NCg==

--tkvyqd--

--
paul

"The number of UNIX installations has grown to 10, with more expected."
(The UNIX Programmer's Manual, 2nd Edition, June 1972)
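Added example, not part of the thread: the removal notice in the message Paul quotes can be tallied mechanically, which yields the "x swens/day" figure Ross asks for. It assumes the filter always stamps X-ELNK-AV and attaches a DELETED<n>.TXT notice worded like that one sample; the function names are hypothetical.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: trimmed headers; the base64 part is the DELETED0.TXT notice quoted above.
SAMPLE = """\
Content-Type: multipart/alternative; boundary="tkvyqd"
Date: Fri, 05 Dec 2003 10:08:00 +0300
X-ELNK-AV: 1

--tkvyqd
Content-Type: text/html

The following infected attachments were deleted: 1. fdbq.exe
--tkvyqd
Content-Type: text/plain; name="DELETED0.TXT"
Content-Transfer-Encoding: base64

ZmlsZSBhdHRhY2htZW50OiBmZGJxLmV4ZQ0KDQpUaGUgZmlsZSBhdHRhY2hlZCB0byB0aGlz
IGVtYWlsIHdhcyByZW1vdmVkIGJlY2F1c2UgaXQgaXMgaW5mZWN0ZWQgd2l0aCB0aGUgVzMy
LlN3ZW4uQUBtbSB2aXJ1cy4NCg==
--tkvyqd--
"""

NOTICE_NAME = re.compile(r"DELETED\d+\.TXT$", re.I)
NOTICE_BODY = re.compile(
    r"file attachment: (?P<file>\S+).*?infected with the (?P<virus>\S+) virus", re.S)

def removed_attachments(raw):
    """Return (day, filename, virus) for each attachment the filter deleted."""
    msg = message_from_string(raw)
    if msg.get("X-ELNK-AV") is None:   # no filter stamp (assumed marker): skip
        return []
    hits = []
    for part in msg.walk():
        if not NOTICE_NAME.match(part.get_filename() or ""):
            continue
        text = part.get_payload(decode=True).decode("ascii", "replace")
        found = NOTICE_BODY.search(text)
        if found:
            day = parsedate_to_datetime(msg["Date"]).date().isoformat()
            hits.append((day, found["file"], found["virus"]))
    return hits

def daily_counts(messages):
    """Tally removals per (day, virus) across an iterable of raw messages."""
    return Counter((day, virus) for raw in messages
                   for day, _, virus in removed_attachments(raw))
```

Both markers travel inside the message itself, so the tally is only meaningful for mail pulled from the filtered mailbox.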
Re: Earthlink and Swen
On Thu, Dec 04, 2003 at 10:56:59PM -0800, Ross Boylan wrote:
> On Thu, Dec 04, 2003 at 03:08:23PM -0500, Paul Morgan wrote:
> ...
> > I have all services locked down to localhost; my only connections to
> > the outside world are mail, news via nntpcached, web via squid... I run
> > Apache but it too is locked down to localhost. My mail is run through my
> > ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd
> > be getting like 10 Svens per day). I do see, from time to time, Apache
> > refusing connections attempts which are generally attacks by Windoze worms.
>
> I had a long talk with earthlink a month or two ago in which they told
> me they were not filtering out swen (and they certainly weren't; I got
> a ton). Soon after that, I did see some swen-like stuff in their spam
> filter for my account (but I also saw plenty still coming at me).
>
> What's your basis for saying they are filtering out swen, rather than
> that you're just getting less swen?

Hi,
I had a few choice words for earthlink after they responded to my
emails. They said spam they could filter but viruses 'somehow' require
them to scan the entire email and this would 'invade' my privacy. I told
them that was bs. So having my 10mb email account fill up and start
bouncing and losing emails was what I was supposed to get for my bucks?!
They offer a 'blocking' black list web page but you have to enter a
single email address, no regex. Like spammers use a single address! All
in all earthlink sucks. And of course they don't offer encrypted mail
like secure pop or imap.
-Kev
Earthlink and Swen
On Thu, Dec 04, 2003 at 03:08:23PM -0500, Paul Morgan wrote:
...
> I have all services locked down to localhost; my only connections to
> the outside world are mail, news via nntpcached, web via squid... I run
> Apache but it too is locked down to localhost. My mail is run through my
> ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd
> be getting like 10 Svens per day). I do see, from time to time, Apache
> refusing connections attempts which are generally attacks by Windoze worms.

I had a long talk with earthlink a month or two ago in which they told
me they were not filtering out swen (and they certainly weren't; I got
a ton). Soon after that, I did see some swen-like stuff in their spam
filter for my account (but I also saw plenty still coming at me).

What's your basis for saying they are filtering out swen, rather than
that you're just getting less swen?