A Windows 98 & ME forum. Win98banter

Ping: Jeff Richards "Firewall vs Spam"



 
 
#1  rooster, December 31st 04, 01:57 PM

Jeff wrote:

"Stick with it. I think there's something interesting to discover, but I'm
not sure what."
--
Jeff Richards
MS MVP (Windows - Shell/User)

Jeff;

I think I have reconciled the paradox between what I was seeing and what was
actually happening.

The spam artists and phishermen I am blocking with the Kerio "Custom
Address" prohibits are "e-mail spoofers". This probably made perfect sense
to you and anyone else who understands firewalls. It took me a while to get
comfy with SMTP lingo before I finally got the picture.

The "loopback" rule in Kerio's program simply weeds out these spoofers
because they are injecting themselves at unsanctioned ports. As I understand
it, this app takes a second look at the appropriate packet and if the right
port number, i.e. 25, isn't indicated, it bounces the whole shebang.

Because I was getting so many attempted spoofs from RIPE and APNIC compared
to other spam, it gave the appearance that I was selectively blocking the
spammers and phishers trying to stuff my OE Inbox.

I have no way of knowing if spoofing is a significant problem for other W98
users. If it is, then hopefully this thread might be of some help in dealing
with it.

Happy New Year, and thanks,

rooster

Note: I am still unable to respond in the original thread, but I would
appreciate any further comments you might have.


#2  Jeff Richards, January 1st 05, 12:13 AM

That makes sense, except that I suspect it is actually e-mail spoofing
probes - they are looking for security holes that would allow them to take
over the machine and implement spoofing.
--
Jeff Richards
MS MVP (Windows - Shell/User)




#3  rooster, January 1st 05, 06:44 PM

Jeff;

That makes sense to me, now. Thanks for the 'hand holding' while I sorted
this out. It makes me wonder, though, what was happening before I started
"denying" them and they were, presumedly, making it as far as my Inbox
notices? Would that constitute a successful probe?

rooster


#4  Jeff Richards, January 2nd 05, 10:02 PM

The only thing I can think of is coincidence - they were spamming you at
about the same time as they were probing for a security hole. Typical
spoofing is kept secret from the operator of the machine being spoofed -
they don't want to alert you to the fact that they have found a hole. OTOH,
it might not be spoofing - they might have used the hole to deposit messages
into your inbox. This is a much less serious security issue, as it affects
your machine only. In that case, blocking the probes would have stopped the
messages. AFAIK, the same security hole cannot be used for both purposes.
--
Jeff Richards
MS MVP (Windows - Shell/User)




#5  rooster, January 3rd 05, 08:04 AM

Jeff;

Since the spam from those sources stopped when I defined the appropriate
"Deny" rule, I deduce that they were using spoofing to get stuff into my
inbox. Fortunately, none of it was ever opened.

You've been a great help.

rooster


 






All times are GMT +1.

