I'd like to setup something like Hamster to filter NG's since Windows Live
Mail filtering is pretty inept. Hamster may be fine, but I only saw the
German site when I went looking to download it. Can someone recommend an
app that is well supported in English (site and/or download link
appreciated)?
In article
victek@invalid.invalid says...
> I'd like to setup something like Hamster to filter NG's since Windows Live
> Mail filtering is pretty inept. Hamster may be fine, but I only saw the
> German site when I went looking to download it. Can someone recommend an
> app that is well supported in English (site and/or download link
> appreciated)?
Why not use a real, actual, Usenet client instead of the broken email
clients that MS provides?
If you provided a little more information - what are you wanting to
filter?
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
On Mon, 24 Dec 2007 20:57:12 GMT, Victek wrote:
> I'd like to setup something like Hamster to filter NG's since Windows Live
> Mail filtering is pretty inept. Hamster may be fine, but I only saw the
> German site when I went looking to download it. Can someone recommend an
> app that is well supported in English (site and/or download link
> appreciated)?
You may wish to go to: news.software.readers
>> I'd like to setup something like Hamster to filter NG's since Windows
>> Live
>> Mail filtering is pretty inept. Hamster may be fine, but I only saw the
>> German site when I went looking to download it. Can someone recommend an
>> app that is well supported in English (site and/or download link
>> appreciated)?
>
> Why not use a real, actual, Usenet client instead of the broken email
> clients that MS provides?
>
> If you provided a little more information - what are you wanting to
> filter?
>
A number of public NG's that I frequent are being spammed so bad they are
unusable. alt.comp.freeware is a good example. Users and domains can be
blocked in Windows Live Mail (WLM), but then the message store has to be
reset to actually remove the blocked messages. I'd like to be able to
filter all this crap so that it doesn't reach the newsreader at all, but if
I can't do that I'd like to use a reader that immediately removes messages
after the senders are marked as blocked. Outlook Express worked this way,
but WLM doesn't. I thought that a local server like Hamster might be a good
way to exert more control, but perhaps a better reader would be enough?
In article
victek@invalid.invalid says...
> >> I'd like to setup something like Hamster to filter NG's since Windows
> >> Live
> >> Mail filtering is pretty inept. Hamster may be fine, but I only saw the
> >> German site when I went looking to download it. Can someone recommend an
> >> app that is well supported in English (site and/or download link
> >> appreciated)?
> >
> > Why not use a real, actual, Usenet client instead of the broken email
> > clients that MS provides?
> >
> > If you provided a little more information - what are you wanting to
> > filter?
> >
>
> A number of public NG's that I frequent are being spammed so bad they are
> unusable. alt.comp.freeware is a good example. Users and domains can be
> blocked in Windows Live Mail (WLM), but then the message store has to be
> reset to actually remove the blocked messages. I'd like to be able to
> filter all this crap so that it doesn't reach the newsreader at all, but if
> I can't do that I'd like to use a reader that immediately removes messages
> after the senders are marked as blocked. Outlook Express worked this way,
> but WLM doesn't. I thought that a local server like Hamster might be a good
> way to exert more control, but perhaps a better reader would be enough?
>
>
Try Gravity newsreader v2.7.
http://sourceforge.net/project/showfiles.php?group_id=95245
It has an excellent "Kill File" that can be set to block
the objectional posts.
Casey
On Mon, 24 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in
article
Holiday Season Greetings.
>> I'd like to setup something like Hamster to filter NG's since Windows
>> Live Mail filtering is pretty inept. Hamster may be fine, but I only
>> saw the German site when I went looking to download it.
Seeing as how Hamster was created by a German author - that's sort of
expected, isn't it?
>> Can someone recommend an app that is well supported in English (site
>> and/or download link appreciated)?
http://www.dmoz.org/Computers/Software/Internet/Servers/Usen et/
However, if you insist on using windoze, you will be somewhat limited in
your choices.
>> Why not use a real, actual, Usenet client instead of the broken email
>> clients that MS provides?
That's certainly good advice - there are dozens of real news readers
with more adequate filtering capabilities, although most of them do
expect you to have some idea of how filtering works - that is, what
headers you can most easily filter on (those in an NNTP XOVER list,
which is "From:", "Subject:", "References:", "Date:", "Bytes:",
"Lines:", "Message-ID:" and "Xref:") and how to make the mail reader
display these headers.
>> If you provided a little more information - what are you wanting to
>> filter?
>
>A number of public NG's that I frequent are being spammed so bad they
>are unusable. alt.comp.freeware is a good example.
I don't look at that newsgroup, and a quick glance suggests it is of
little possible interest to me, but even looking at the last 100
articles posted suggests several types of posts that might be
objectionable. Advertisements: subject keywords, posting name or
domain, message-ID components. Religious postings: same as
advertisements (which in a way, they are). Trolls and troll feeders:
posting name or domain, message-ID components - subject keywords may
also be useful. Sporge, also called Hip-crime attacks: best dealt
with by screaming at the news provider to have them reject the spew,
(many do this automatically) and if necessary, de-peer with the idiot
news provider that is being used as an injection port.
>Users and domains can be blocked in Windows Live Mail (WLM), but then
>the message store has to be reset to actually remove the blocked
>messages.
Sounds like a pretty useless application.
>I'd like to be able to filter all this crap so that it doesn't reach
>the newsreader at all, but if I can't do that I'd like to use a reader
>that immediately removes messages after the senders are marked as
>blocked. Outlook Express worked this way, but WLM doesn't.
A problem about blocking "by sender" is the fact that frequently the
sender name is false and may change several times a minute. Most
users are not aware of other possibilities. Reading the RFCs that
define how USENET works (RFC0977, RFC1036, RFC2980, and RFC3977) may
be helpful in this understanding.
>I thought that a local server like Hamster might be a good way to exert
>more control, but perhaps a better reader would be enough?
Another possibility is to use a News Provider that doesn't have their
head up and locked and actually has a real live person (or more) who
monitors what's going on and filters the obvious crap before your
news reader (or news downloading tool) even has a chance to see it.
None the less, you are correct that a local server can exert a lot more
control over what your reader sees.
[compton ~]$ grep -vE '^([%\[ ]|Score|$)' /var/spool/slrnpull/score |
cut -d' ' -f1 | sort | uniq -c | column
923 From: 12 References: 2 ~Subject:
2 Lines: 305 Subject:
15 Message-ID: 78 Xref:
[compton ~]$
No, I don't expect you to understand UNIX command line, but this shows
that my news spooler (slrnpull) has been told to ignore "From:" lines
(you call this "Sender") with 923 different rules. It filters on the
"Message-ID:" headers to (FOR EXAMPLE) ignore spam posted from google
in several newsgroups. Several trolls in the groups I read have unique
"Message-ID:" headers, and the "References:" rules are used to filter
replies to the trolls. As noted, you need to look at those headers,
and then you can make simple filtering rules.
Old guy
> Another possibility is to use a News Provider that doesn't have their
> head up and locked and actually has a real live person (or more) who
> monitors what's going on and filters the obvious crap before your
> news reader (or news downloading tool) even has a chance to see it.
> None the less, you are correct that a local server can exert a lot more
> control over what your reader sees.
You're correct that Windows Live Mail has poor filtering capability, but
it's good for Hotmail which is my main reason for using it. I some other NG
readers though, such as Gravity.
Regarding NG servers, I currently use news-byoa.prodigy.net because my ISP
account gives me access, but I would happily switch to a different server.
Do you have a recommendation?
Thanks for all the information about filtering.
> Try Gravity newsreader v2.7.
> http://sourceforge.net/project/showfiles.php?group_id=95245
> It has an excellent "Kill File" that can be set to block
> the objectional posts.
I will, thanks!
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
* Chilly8
> Windows is a MUST for computing existence. You cannot get along
> without Windows, for many applications. For example, to run my
> online radio station through Live 365, I HAVE to use Windows.
>
> If you are not using Windows, you are missing out on a lot of stuff.
That is without a doubt the funniest and stupidest thing I've ever seen
you spew. And you've spewed some very funny and stupid things.
Jason
> News.Individual.NET (NIN)
> best for text, very reliable, charge a small annual fee, and do a good
> job with spam and sporge.
>
> Otherwise try Motzarella
> better free news services, although NIN do a better job with sporge
> (last time I compared two of the ongoing sporged groups).
>
Motzarella works great - thanks!
On Wed, 26 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in
article
>> Another possibility is to use a News Provider that doesn't have their
>> head up and locked and actually has a real live person (or more) who
>> monitors what's going on and filters the obvious crap before your
>> news reader (or news downloading tool) even has a chance to see it.
>You're correct that Windows Live Mail has poor filtering capability,
>but it's good for Hotmail which is my main reason for using it. I some
>other NG readers though, such as Gravity.
Never saw a reason/need for Hotmail. Any mail from a hotmail account is
assumed to be spam as no one would be using it for business, and at work
we simply block access to the IP ranges used by Hotmail (and yahoo, and
gmail, and others). Family/friends know I drop all mail from these kind
of accounts - but then, a lot of them do the same.
>Regarding NG servers, I currently use news-byoa.prodigy.net because my
>ISP account gives me access, but I would happily switch to a different
>server. Do you have a recommendation?
I intentionally don't recommend one provider or another. Partly, this
is because it's a personal choice issue akin to "which is best" (to
which I may respond "I dunno - is Ford better than Chevy?" to get the
idea across). Alternative servers may be free (choose with caution if
you want your posts to be seen, as they may be filtered/ignored by
others if they fail to control of newsgroup abuse from their users -
http://www.dmoz.org/Computers/Usenet/Public_News_Servers/ is a
relatively up to date list), or minimal costs - a lot of people mention
news.individual.net for about US$15 a year, but they are far from the
only one. There are also commercial servers - but these tend to be
more expensive.
You should also consider what you are trying to see in newsgroups. A
number of the free/cheap news servers are text only (no binaries) to
control their costs of bandwidth and data storage. Retentivity (how
long they keep articles) may also be an issue.
Old guy
"Moe Trin"
news:slrnfn5c9l.2p6.ibuprofin@compton.phx.az.us...
> On Wed, 26 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in
> article
>
>>> Another possibility is to use a News Provider that doesn't have their
>>> head up and locked and actually has a real live person (or more) who
>>> monitors what's going on and filters the obvious crap before your
>>> news reader (or news downloading tool) even has a chance to see it.
>
>>You're correct that Windows Live Mail has poor filtering capability,
>>but it's good for Hotmail which is my main reason for using it. I some
>>other NG readers though, such as Gravity.
>
> Never saw a reason/need for Hotmail. Any mail from a hotmail account is
> assumed to be spam as no one would be using it for business, and at work
If they are on the road they might. Someone would almost certainly use
a Hotmail account, if they are away on a business trip to get thier Email.
One would just simply set the forwarding on their work Email account to
forward everything to their hotmail account, then they can pick up their
Email while they are on the road.
I travel a lot running my online radio station, and I use hotmail, when I am
on the road, to get my Email. When you are travelling, it is the most
convenient way to keep in touch.
Chilly8 wrote, On 26/12/07 22:55:
> "Moe Trin"
> news:slrnfn5c9l.2p6.ibuprofin@compton.phx.az.us...
>> On Wed, 26 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in
>> article
>>
>>>> Another possibility is to use a News Provider that doesn't have their
>>>> head up and locked and actually has a real live person (or more) who
>>>> monitors what's going on and filters the obvious crap before your
>>>> news reader (or news downloading tool) even has a chance to see it.
>>> You're correct that Windows Live Mail has poor filtering capability,
>>> but it's good for Hotmail which is my main reason for using it. I some
>>> other NG readers though, such as Gravity.
>> Never saw a reason/need for Hotmail. Any mail from a hotmail account is
>> assumed to be spam as no one would be using it for business, and at work
>
> If they are on the road they might. Someone would almost certainly use
> a Hotmail account, if they are away on a business trip to get thier Email.
> One would just simply set the forwarding on their work Email account to
> forward everything to their hotmail account, then they can pick up their
> Email while they are on the road.
No, in a sensible company they will be provided with some method of
accessing their company email account if they are expected to read it.
For example by being provided with company WebMail access or a
Blackberry. There are many other solutions that do not rely on relaying
email to an external email account.
> I travel a lot running my online radio station, and I use hotmail, when I am
> on the road, to get my Email. When you are travelling, it is the most
> convenient way to keep in touch.
Personally I would find it the *least* convenient method. However my
company provides webmail for when I can't use my company notebook and
other methods for when I can. The same with my personal email.
--
Flash Gordon
Post removed (X-No-Archive: yes)
Flash Gordon wrote:
> Chilly8 wrote, On 26/12/07 22:55:
>> "Moe Trin"
>> news:slrnfn5c9l.2p6.ibuprofin@compton.phx.az.us...
>>> On Wed, 26 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in
>>> article
>>>
>>>>> Another possibility is to use a News Provider that doesn't have their
>>>>> head up and locked and actually has a real live person (or more) who
>>>>> monitors what's going on and filters the obvious crap before your
>>>>> news reader (or news downloading tool) even has a chance to see it.
>>>> You're correct that Windows Live Mail has poor filtering capability,
>>>> but it's good for Hotmail which is my main reason for using it. I some
>>>> other NG readers though, such as Gravity.
>>> Never saw a reason/need for Hotmail. Any mail from a hotmail account is
>>> assumed to be spam as no one would be using it for business, and at work
>> If they are on the road they might. Someone would almost certainly use
>> a Hotmail account, if they are away on a business trip to get thier Email.
>> One would just simply set the forwarding on their work Email account to
>> forward everything to their hotmail account, then they can pick up their
>> Email while they are on the road.
>
> No, in a sensible company they will be provided with some method of
> accessing their company email account if they are expected to read it.
> For example by being provided with company WebMail access or a
> Blackberry. There are many other solutions that do not rely on relaying
> email to an external email account.
>
>> I travel a lot running my online radio station, and I use hotmail, when I am
>> on the road, to get my Email. When you are travelling, it is the most
>> convenient way to keep in touch.
>
> Personally I would find it the *least* convenient method. However my
> company provides webmail for when I can't use my company notebook and
> other methods for when I can. The same with my personal email.
It sounds to me as if we're mixing up outgoing and incoming mail. I get
most of my incoming e-mail via Yahoo (using YPOPs!, which emulates POP3
on a localhost port), or through a free Fastmail account (using IMAP),
but all my outgoing mail (and news posting, I believe) goes through the
SMTP service provided by my ISP.
I haven't thought about what other SMTP servers I might use away from
home, but fortunately, my ISP has plenty of access numbers all over the
place. I believe YPOPs! is capable of emulating SMTP through Yahoo!'s
webmail interface, but I haven't tried it.
--
Marshall Price of Miami
Known to Yahoo as d021317c
> Never saw a reason/need for Hotmail. Any mail from a hotmail account is
> assumed to be spam as no one would be using it for business, and at work
> we simply block access to the IP ranges used by Hotmail (and yahoo, and
> gmail, and others). Family/friends know I drop all mail from these kind
> of accounts - but then, a lot of them do the same.
>
Why? Hotmail offers free and "for pay" accounts with extra services. It
can be reached anywhere through a browser and also through Windows Live Mail
on the XP/Vista desktop. Hotmail is one component of the larger "Windows
Live Services" which can certainly meet the needs of small business. If you
have a corporate job then fine you have corporate mail, but how about people
who are self-employed? Just blocking hotmail is a very heavy handed way to
reduce spam.
Victek wrote:
> Why? Hotmail offers free and "for pay" accounts with extra services. It
> can be reached anywhere through a browser and also through Windows Live Mail
> on the XP/Vista desktop.
But you have to pay to get something as simple as a POP3 access. No, thanks,
GMX gives that for free.
> Hotmail is one component of the larger "Windows
> Live Services" which can certainly meet the needs of small business.
The day when Microsoft decided to add a malus on the spam filtering for
every mail that doesn't use their proprietary SPF, Hotmail became a
spammer-only mail service. Using it for serious business has become impossible.
> Just blocking hotmail is a very heavy handed way to reduce spam.
Since no serious business would use Hotmail, there are no false positives -
by definition.
On Thu, 27 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in article
<13n7agcfrf3ru0a@corp.supernews.com>, Marshall Price wrote:
>Flash Gordon wrote:
>> Chilly8 wrote, On 26/12/07 22:55:
>>> "Moe Trin"
>>>> Victek wrote:
>>>>> You're correct that Windows Live Mail has poor filtering capability,
>>>>> but it's good for Hotmail which is my main reason for using it. I
>>>>> some other NG readers though, such as Gravity.
>>>> Never saw a reason/need for Hotmail. Any mail from a hotmail account
>>>> is assumed to be spam as no one would be using it for business
>>> If they are on the road they might. Someone would almost certainly
>>> use a Hotmail account, if they are away on a business trip to get
>>> thier Email. One would just simply set the forwarding on their work
>>> Email account to forward everything to their hotmail account, then
>>> they can pick up their Email while they are on the road.
Ignore the troll - it imagines that every business operates as it does
in a single user account at home. Maybe if the troll read the rest of
the sentence that got clipped by someone, where I wrote:
]]]] at work we simply block access to the IP ranges used by Hotmail
]]]] (and yahoo, and gmail, and others).
it might understand hotmail, et.al. just isn't an option. As for
"forwarding everything", that's even against US Federal law in some
cases - but in the trolls imaginary world, that's irrelevant.
>> No, in a sensible company they will be provided with some method of
>> accessing their company email account if they are expected to read it.
Depends on how the company has set up remote access.
>> For example by being provided with company WebMail access or a
>> Blackberry. There are many other solutions that do not rely on
>> relaying email to an external email account.
"company WebMail access"???
>>> I travel a lot running my online radio station, and I use hotmail,
>>> when I am on the road, to get my Email. When you are travelling, it
>>> is the most convenient way to keep in touch.
You really should talk to your "company engineers" and if this is all
they can offer, fire them and get someone who can _spell_ IP.
>> Personally I would find it the *least* convenient method. However my
>> company provides webmail for when I can't use my company notebook and
>> other methods for when I can. The same with my personal email.
Personal email isn't the company's problem. As far as accessing the
company services, if it's important that you be able to do so ACCORDING
TO THE COMPANY, then there are alternatives. If the company IT staff
are not aware/capable, there are numerous IT consultant companies who
would be glad to offer advice. If the company doesn't feel like spending
the coin to get that secure capability, they probably shouldn't be using
the Internet for business activities. Allowing Joe User (or more likely,
Joe User's son/daughter because Joe has trouble just using a web browser)
to set up remote access on his work desktop is the height of folly.
>It sounds to me as if we're mixing up outgoing and incoming mail. I get
>most of my incoming e-mail via Yahoo (using YPOPs!, which emulates POP3
>on a localhost port), or through a free Fastmail account (using IMAP),
What you do with your personal mail is your personal decision. Company
mail should not be accessible from non-company servers. If you need
access from "outside", you should be using an SSL service requiring both
dedicated hard/software and a "password" (that isn't "remembered" by
some application).
>but all my outgoing mail (and news posting, I believe) goes through
>the SMTP service provided by my ISP.
Sounds like you are describing personal services. If you are doing
company business, the ISP should be nothing except a common carrier
transporting encrypted packets. It's really not rocket science.
>I haven't thought about what other SMTP servers I might use away from
>home, but fortunately, my ISP has plenty of access numbers all over
>the place. I believe YPOPs! is capable of emulating SMTP through
>Yahoo!'s webmail interface, but I haven't tried it.
Personal stuff I access through an encrypted tunneling function that
gives access to my home network. Workplace access is controlled much
more closely.
Old guy
Moe Trin wrote, On 27/12/07 20:00:
> On Thu, 27 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in article
> <13n7agcfrf3ru0a@corp.supernews.com>, Marshall Price wrote:
>
>> Flash Gordon wrote:
>
>>> Chilly8 wrote, On 26/12/07 22:55:
>
>>>> "Moe Trin"
>
>>>>> Victek wrote:
>
>>>>>> You're correct that Windows Live Mail has poor filtering capability,
>>>>>> but it's good for Hotmail which is my main reason for using it. I
>>>>>> some other NG readers though, such as Gravity.
>
>>>>> Never saw a reason/need for Hotmail. Any mail from a hotmail account
>>>>> is assumed to be spam as no one would be using it for business
>
>>>> If they are on the road they might. Someone would almost certainly
>>>> use a Hotmail account, if they are away on a business trip to get
>>>> thier Email. One would just simply set the forwarding on their work
>>>> Email account to forward everything to their hotmail account, then
>>>> they can pick up their Email while they are on the road.
>
> Ignore the troll - it imagines that every business operates as it does
> in a single user account at home. Maybe if the troll read the rest of
> the sentence that got clipped by someone, where I wrote:
>
> ]]]] at work we simply block access to the IP ranges used by Hotmail
> ]]]] (and yahoo, and gmail, and others).
>
> it might understand hotmail, et.al. just isn't an option. As for
> "forwarding everything", that's even against US Federal law in some
> cases - but in the trolls imaginary world, that's irrelevant.
In my case I can be behind another companies firewall and that other
company may well block access to hotmail et.al. but *might* be prepared
to poke a hole to let me access my companies system.
>>> No, in a sensible company they will be provided with some method of
>>> accessing their company email account if they are expected to read it.
>
> Depends on how the company has set up remote access.
There are many ways to do it and I did not specify which should be used.
>>> For example by being provided with company WebMail access or a
>>> Blackberry. There are many other solutions that do not rely on
>>> relaying email to an external email account.
>
> "company WebMail access"???
Yes, my employer provides me with a web portal to the company email
system, i.e. company webmail. I know that both the Domino Server from
IBM and Exchange from MS can provide this. Of course, it should be done
over SSL and there should (IMHO) be a reverse proxy in front of the server.
>>>> I travel a lot running my online radio station, and I use hotmail,
>>>> when I am on the road, to get my Email. When you are travelling, it
>>>> is the most convenient way to keep in touch.
>
> You really should talk to your "company engineers" and if this is all
> they can offer, fire them and get someone who can _spell_ IP.
He probably wants ones who can spell IT as well ;-)
>>> Personally I would find it the *least* convenient method. However my
>>> company provides webmail for when I can't use my company notebook and
>>> other methods for when I can. The same with my personal email.
>
> Personal email isn't the company's problem.
Agreed. I should have pointed out that I run my own email server and set
up my own webmail access to my email just as I suggest can be done by a
company.
> As far as accessing the
> company services, if it's important that you be able to do so ACCORDING
> TO THE COMPANY, then there are alternatives.
Agreed, and the point of my post.
> If the company IT staff
> are not aware/capable, there are numerous IT consultant companies who
> would be glad to offer advice. If the company doesn't feel like spending
> the coin to get that secure capability, they probably shouldn't be using
> the Internet for business activities. Allowing Joe User (or more likely,
> Joe User's son/daughter because Joe has trouble just using a web browser)
> to set up remote access on his work desktop is the height of folly.
Fortunately I am not "Joe User" but someone who helps out our
undermanned IT department and probably know more about making *my*
machines secure than our IT department. I agree with your points though.
>> It sounds to me as if we're mixing up outgoing and incoming mail. I get
>> most of my incoming e-mail via Yahoo (using YPOPs!, which emulates POP3
>> on a localhost port), or through a free Fastmail account (using IMAP),
My comments can be applied equally well to both incomming and outgoing
email.
> What you do with your personal mail is your personal decision. Company
> mail should not be accessible from non-company servers. If you need
Agreed. I accept that in transit the email is not secure, but once it
arrive at a company I am doing business I expect it to stay on their
servers (well, maybe get pushed over a mobile phone network to someone's
Blackberry).
> access from "outside", you should be using an SSL service requiring both
> dedicated hard/software and a "password" (that isn't "remembered" by
> some application).
I would not always go that far. That is our *main* method of external
access to email, but I can use webmail when there is no other method.
--
Flash Gordon
Post removed (X-No-Archive: yes)
Chilly8 wrote:
> But if the company sets
> up an SSL mail server on a odd port, the authorities in thouse countries
> will not be able to figure out what you are up to when you try and
> access an SSL-encrypted mail server back at company headquarters.
> The government censors would see a bunch of encrypted packets
> going out on a strange port, but they would not be able to figure out
> what you were up to.
Please take a short lookup on the term "man-in-the-middle attack".
> Windows does not have a function for providing
> mail forwarding
For someone advocating windows sos trongly, you have a remarkable lack
of knowledge about windows.
Post removed (X-No-Archive: yes)
Chilly8 wrote:
>> Please take a short lookup on the term "man-in-the-middle attack".
>
>
> You could double-encrypt it.
That won't help, since it's a proxied connection.
On Thu, 27 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in article
>> Never saw a reason/need for Hotmail. Any mail from a hotmail account
>> is assumed to be spam as no one would be using it for business, and
>> at work we simply block access to the IP ranges used by Hotmail (and
>> yahoo, and gmail, and others). Family/friends know I drop all mail
>> from these kind of accounts - but then, a lot of them do the same.
>
>Why? Hotmail offers free and "for pay" accounts with extra services.
I'll just say that (until I started dropping all 'hotmail', 'yahoo',
'gmail' and similar) ALL mail I've ever received from those domains
was spam. Almost no exceptions. At work, such domain names are an
indication that the sender doesn't care about appearances or data
security.
>It can be reached anywhere through a browser and also through Windows
>Live Mail on the XP/Vista desktop.
If the company is able to get business where you are required to travel,
they have the incentive to set up a local server where users can SSH in
to read their mail.
>Hotmail is one component of the larger "Windows Live Services" which
>can certainly meet the needs of small business. If you have a
>corporate job then fine you have corporate mail, but how about people
>who are self-employed?
Does the business have an Internet presence? Does it NEED to be sending
and receiving email? Then it probably has an Internet connection, and
the Internet provider will be happy to provide mail service. In the
neighborhood where I live, there is a mini-shopping center, with (going
from memory) an Italian restaurant, tax service*, pool supplies, real
estate*, insurance, wireless store*, grocery*, hair dresser, package
service*, eye glasses, fingernail care, and sandwich shop* (the ones
marked with a * are either a chain or franchise). EVERY ONE has an
email address, though several are Business_name@Cable_ISP. No hotmail
accounts or similar.
>Just blocking hotmail is a very heavy handed way to reduce spam.
You may think so, but it's common. These types of email providers do
not give the appearance of a serious business, never mind the amount
of spam that comes from there. Also, unless your mail is encrypted
by the sender, I certainly wouldn't be sending sensitive mail anywhere
near those services. Google (gmail) _is_ a data mining company, and
the reputation of Microsoft (hotmail) isn't exactly first rate.
Old guy
On Thu, 27 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in article
>Moe Trin wrote, On 27/12/07 20:00:
>> where I wrote:
>>
>>]]]] at work we simply block access to the IP ranges used by Hotmail
>>]]]] (and yahoo, and gmail, and others).
>>
>> it might understand hotmail, et.al. just isn't an option.
>In my case I can be behind another companies firewall and that other
>company may well block access to hotmail et.al. but *might* be prepared
>to poke a hole to let me access my companies system.
Depends - we're an R&D facility, so we're rather tightly controlled. We
basically don't allow "visiting computers", though we do have several
computers scattered about that are isolated from our network that can
be used by visitors (and employees for non-business activities).
>> "company WebMail access"???
>
>Yes, my employer provides me with a web portal to the company email
>system, i.e. company webmail. I know that both the Domino Server from
>IBM and Exchange from MS can provide this.
We tend to frown on web access - especially for mail.
>> Allowing Joe User (or more likely, Joe User's son/daughter because
>> Joe has trouble just using a web browser) to set up remote access on
>> his work desktop is the height of folly.
>
>Fortunately I am not "Joe User" but someone who helps out our
>undermanned IT department and probably know more about making *my*
>machines secure than our IT department. I agree with your points though.
My wife works at a large, but privately held company, and the owner had
been cutting corners and underfunding things like computer security.
One of the users got owned, and through lack of security setups, the
company's network because an open spam relay and mail-drop. That was
bad enough, but then the law got involved because some idealist had
filed a criminal complaint (I dunno - maybe the pills didn't work).
Fun, frolic, and a new IT department.
>> If you need access from "outside", you should be using an SSL service
>> requiring both dedicated hard/software and a "password" (that isn't
>> "remembered" by some application).
>I would not always go that far. That is our *main* method of external
>access to email, but I can use webmail when there is no other method.
Our auditors (internal, and those from customers) won't allow that.
Old guy
Post removed (X-No-Archive: yes)
Chilly8 wrote:
>>>> Please take a short lookup on the term "man-in-the-middle attack".
>>>
>>> You could double-encrypt it.
>>
>> That won't help, since it's a proxied connection.
>
> Well, in China,
We were talking about Syria and Saudi-Arabia, whose implementations are less
lousy than the great joke of China.
> and her employer in Canada had no CLUE as
> to what she was up to.
I'm sorry to tell you that he most likely was. Due to man-in-the-middle,
going undetected due to an installed certificate (by administration).
Post removed (X-No-Archive: yes)
Moe Trin wrote, On 28/12/07 19:58:
> On Thu, 27 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in article
>
>
>> Moe Trin wrote, On 27/12/07 20:00:
>
>>> where I wrote:
>>>
>>> ]]]] at work we simply block access to the IP ranges used by Hotmail
>>> ]]]] (and yahoo, and gmail, and others).
>>>
>>> it might understand hotmail, et.al. just isn't an option.
>
>> In my case I can be behind another companies firewall and that other
>> company may well block access to hotmail et.al. but *might* be prepared
>> to poke a hole to let me access my companies system.
>
> Depends
Yes. Where I used to work there was no option of *any* access from the
outside. If you were not in the office you had no access to email.
> - we're an R&D facility, so we're rather tightly controlled. We
> basically don't allow "visiting computers", though we do have several
> computers scattered about that are isolated from our network that can
> be used by visitors (and employees for non-business activities).
Some of our customers are like that as well. This is where Blackberries
and 3G cards come in useful. Then although you cannot plug in to the
customers network you can still get at your email.
>>> "company WebMail access"???
>> Yes, my employer provides me with a web portal to the company email
>> system, i.e. company webmail. I know that both the Domino Server from
>> IBM and Exchange from MS can provide this.
>
> We tend to frown on web access - especially for mail.
My attitude is that the email has already passed unencrypted through the
internet before it hit my inbox. So if a customer allows me to plug in
to their network and allows web access but not the other email protocols
we use or VPN it is useful for me to have web access to email.
>>> Allowing Joe User (or more likely, Joe User's son/daughter because
>>> Joe has trouble just using a web browser) to set up remote access on
>>> his work desktop is the height of folly.
>> Fortunately I am not "Joe User" but someone who helps out our
>> undermanned IT department and probably know more about making *my*
>> machines secure than our IT department. I agree with your points though.
>
> My wife works at a large, but privately held company, and the owner had
> been cutting corners and underfunding things like computer security.
My company is not large, but all IT in it is underfunded.
> One of the users got owned, and through lack of security setups, the
> company's network because an open spam relay and mail-drop. That was
Painful. We (when I was not involved in our IT infrastructure) have had
machines "owned" and spewing out spam before. Now outbound port 25 is
blocked except for our outbound mail server.
> bad enough, but then the law got involved because some idealist had
> filed a criminal complaint (I dunno - maybe the pills didn't work).
> Fun, frolic, and a new IT department.
Oh what fun.
>>> If you need access from "outside", you should be using an SSL service
>>> requiring both dedicated hard/software and a "password" (that isn't
>>> "remembered" by some application).
>
>> I would not always go that far. That is our *main* method of external
>> access to email, but I can use webmail when there is no other method.
>
> Our auditors (internal, and those from customers) won't allow that.
Yes, some companies have more stringent requirements than others.
Personally I am trying to push my company slowly in to making things
more secure, but as I am the only one who seems to have any real concept
of security or risk (and I am *not* an expert) it is slow going.
Fortunately it is not actually my responsibility so if I fail to get
things tightened up and we hit major problems it is not my neck on the line.
--
Flash Gordon
Chilly8 wrote:
> X-No-Archive: Yes
>
> "Sebastian G."
> news:5tlbksF1e7fi0U1@mid.dfncis.de...
>> Chilly8 wrote:
>
>
>>> and her employer in Canada had no CLUE as
>>> to what she was up to.
>>
>> I'm sorry to tell you that he most likely was. Due to man-in-the-middle,
>> going undetected due to an installed certificate (by administration).
>
> Not with the proprietary non-standard encryption that proxy uses
> (which is why it is so expensive to licence for large numbers of
> users).
If it's not HTTPS, then it's terminated at the proxy and no communication
takes places.
> This is a proprietary encrypted proxy that is made in
> Eastern Europe. It uses a non-standard algorithm that no
> man-in-the-middle attack could POSSIBLY intercept.
Nonsense.
> Employers, countries, and the like, can try all the MOTM attacks
> I want, but the proxy solution that *I* use is IMPERVIOUS to
> such attacks,
Even more nonsense. It's trivial to terminate all non-proxied connections at
the proxy. Or, and it's trivially to launch a MITM attack directly at the
client.
> so that was no POSSIBLY way for this woman's employer to
> detect what she was up to.
And even more nonsense. Since it's the companies computer, they're free to
monitor the client to any extend.
> This is a proprietary encryption algorith
> that cannot be intercepted by any MOTM attack.
Repeating your nonsense doesn't make it any less wrong.
On Fri, 28 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in article
<7kdg45xs1v.ln2@news.flash-gordon.me.uk>, Flash Gordon wrote:
>Moe Trin wrote, On 28/12/07 19:58:
[hole poke through firewall]
>> Depends
>
>Yes. Where I used to work there was no option of *any* access from the
>outside. If you were not in the office you had no access to email.
Here, it's not so much lack of access as
>> - we're an R&D facility, so we're rather tightly controlled. We
>> basically don't allow "visiting computers"
BIG signs at all of the entrances warning about that - and the visitor
access agreement that has to be signed (and witnessed) before entry is
granted specifically prohibits visiting computers. People _should_ be
aware, though we manage to have 2 or 3 visitors a year that think it
doesn't apply to them.
>> though we do have several computers scattered about that are
>> isolated from our network that can be used by visitors (and
>> employees for non-business activities).
>
>Some of our customers are like that as well.
We had a problem back in the 1980s - minor lawsuit over viewable
pr0n, and another division in California got dragged through the
barbed wire for it. In ~1990, corporate came down with the no
visiting computers edict, and wouldn't you know the first person
we nailed was the CEO who was visiting our facility a week after
signing the policy, and the bulletins announcing it.
>This is where Blackberries and 3G cards come in useful. Then although
>you cannot plug in to the customers network you can still get at your
>email.
Doesn't do much good in our buildings - heck, even cell-phones don't
work inside (joy of joys).
>> We tend to frown on web access - especially for mail.
>
>My attitude is that the email has already passed unencrypted through
>the internet before it hit my inbox.
Don't see all that much external mail, but the internal mail outnumbers
it by many orders of magnitude. But the main objection is that nearly
all of the main is plain text (we don't run windoze anywhere in this
division, and my understanding is that it's limited to a few boxes in
corporate accounting and marketing - neither function located on this
side of the country). Hypertext offers us nothing in mails. (The other
advantage - no-one is mailing PowerPoint presentations back and forth.)
>So if a customer allows me to plug in to their network and allows web
>access but not the other email protocols we use or VPN it is useful for
>me to have web access to email.
That sounds reasonable - we're restricted here due to _the possibility_
that the mail may be deemed sensitive, so everything gets encrypted.
>My company is not large, but all IT in it is underfunded.
I have NEVER known an IT department that was overfunded, and most of
them today have to fight to get the budgets they really need.
>> One of the users got owned, and through lack of security setups, the
>> company's network because an open spam relay and mail-drop. That was
>
>Painful.
to put it mildly.
>We (when I was not involved in our IT infrastructure) have had
>machines "owned" and spewing out spam before.
We're a lot better off because we're a *nix shop (mal-ware is much less
common) and because our users rarely have (let alone use) elevated
(root, like administrator) privilege. Don't have permission to install
anything on the system. Most of my wife's facility has been changed
over as well. There was some resistance, mainly due to "it's different".
>Now outbound port 25 is blocked except for our outbound mail server.
There are a slew of other ports used by proprietary mail services and
most of them don't see the light of the Internet day, but you may also
want to be blocking 587/tcp (RFC4409).
>> Our auditors (internal, and those from customers) won't allow that.
>
>Yes, some companies have more stringent requirements than others.
The combination of a R&D facility and occasional government contracts
can take all of the joy out of things.
>Personally I am trying to push my company slowly in to making things
>more secure, but as I am the only one who seems to have any real concept
>of security or risk (and I am *not* an expert) it is slow going.
Practical UNIX and Internet Security Practical UNIX and Internet
Security , Third Edition
By Simson Garfinkel, Gene Spafford, Alan Schwartz
February 2003 ISBN 0-596-00323-4 984 pages $54.95 USD
This edition of Practical Unix & Internet Security provides detailed
coverage of today's increasingly important security and networking
issues. Focusing on the four most popular Unix variants today--Solaris,
Mac OS...
I'm NOT suggesting that you _buy_ this (as it's mainly *nix,) but the
network and basic security concepts still apply. See if you can find a
copy in a library (here, there is a thing called an "inter-library loan",
where "your" library has arrangements with others in the area, allowing
them to obtain books for you from those libraries - VERY handy). You
may want to look around http://www.oreilly.com, as they also have a
number of books on the windoze end of things as well.
Old guy
Moe Trin wrote, On 29/12/07 17:37:
> On Fri, 28 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in article
> <7kdg45xs1v.ln2@news.flash-gordon.me.uk>, Flash Gordon wrote:
>
>> Moe Trin wrote, On 28/12/07 19:58:
>>> - we're an R&D facility, so we're rather tightly controlled. We
>>> basically don't allow "visiting computers"
>
> BIG signs at all of the entrances warning about that - and the visitor
> access agreement that has to be signed (and witnessed) before entry is
> granted specifically prohibits visiting computers. People _should_ be
> aware, though we manage to have 2 or 3 visitors a year that think it
> doesn't apply to them.
Personally I always ask *before* connecting my notebook (personal or
company) in to another companies network. Not only does it save me
getting a bollocking but it is only the polite thing to do. In my office
though I am one of the people to be asked, so I give myself permission ;-)
Actually, I was given permission to hook my personal notebook in to the
company network before I had anything to do with our IT department.
>> This is where Blackberries and 3G cards come in useful. Then although
>> you cannot plug in to the customers network you can still get at your
>> email.
>
> Doesn't do much good in our buildings - heck, even cell-phones don't
> work inside (joy of joys).
Where I used to work the rule was that you were not allowed to have a
mobile switched on in the office (security) so I don't know if they
would have worked. One place I visited you were not allowed to take a
mobile on-site, not even if it was switched off!
>>> We tend to frown on web access - especially for mail.
>> My attitude is that the email has already passed unencrypted through
>> the internet before it hit my inbox.
>
> Don't see all that much external mail, but the internal mail outnumbers
> it by many orders of magnitude.
For some in our company external email outnumbers internal. For almost
everyone in our company external email is more likely to be sensitive.
> But the main objection is that nearly
> all of the main is plain text
Plain text email works extremely well in a webmail portal :-)
> (we don't run windoze anywhere in this
> division, and my understanding is that it's limited to a few boxes in
> corporate accounting and marketing - neither function located on this
> side of the country). Hypertext offers us nothing in mails. (The other
> advantage - no-one is mailing PowerPoint presentations back and forth.)
I agree that hypertext in email is bad, and so are large attachments.
>> So if a customer allows me to plug in to their network and allows web
>> access but not the other email protocols we use or VPN it is useful for
>> me to have web access to email.
>
> That sounds reasonable - we're restricted here due to _the possibility_
> that the mail may be deemed sensitive, so everything gets encrypted.
Well, if something could be deemed sufficiently sensitive I would agree
that only company machines should be able to access it, after all any
other machine could log it even if it was encrypted in transit.
>> My company is not large, but all IT in it is underfunded.
>
> I have NEVER known an IT department that was overfunded, and most of
> them today have to fight to get the budgets they really need.
Agreed.
>> We (when I was not involved in our IT infrastructure) have had
>> machines "owned" and spewing out spam before.
>
> We're a lot better off because we're a *nix shop (mal-ware is much less
> common)
I'm in the *nix part of our shop (says the only person in the company
with a company MSDN subscription). Some development (I've slowly been
getting one of our applications to use some sensible security where I
have been rewriting them), some consultancy (for which I believe I
should understand enough about security not to make a fool of myself),
some work on our internal systems (the *nix boxes) and various other things.
So my personal notebook runs Linux (which helps make it safe) and my
company notebook runs Vista (so I hit problems *before* customers), but
none of my Windows machines over the years have ever had a virus as far
as I know, and the AV SW is only triggered when I *deliberately* trigger
it (in known safe ways).
> and because our users rarely have (let alone use) elevated
> (root, like administrator) privilege. Don't have permission to install
> anything on the system. Most of my wife's facility has been changed
> over as well. There was some resistance, mainly due to "it's different".
Well, late last year I suggested we lock down the machines (currently
everyone has Admin access on their Windows machines). We shall see what
happens. However, since then we have already had a couple of incidents
which we would not have had with locked down machines.
>> Now outbound port 25 is blocked except for our outbound mail server.
>
> There are a slew of other ports used by proprietary mail services and
> most of them don't see the light of the Internet day, but you may also
> want to be blocking 587/tcp (RFC4409).
Thanks, I will get that done.
>>> Our auditors (internal, and those from customers) won't allow that.
>> Yes, some companies have more stringent requirements than others.
>
> The combination of a R&D facility and occasional government contracts
> can take all of the joy out of things.
I used to work in the defence industry so I know all about *that* sort
of security.
>> Personally I am trying to push my company slowly in to making things
>> more secure, but as I am the only one who seems to have any real concept
>> of security or risk (and I am *not* an expert) it is slow going.
>
> Practical UNIX and Internet Security Practical UNIX and Internet
> Security , Third Edition
> By Simson Garfinkel, Gene Spafford, Alan Schwartz
> February 2003 ISBN 0-596-00323-4 984 pages $54.95 USD
>
> This edition of Practical Unix & Internet Security provides detailed
> coverage of today's increasingly important security and networking
> issues. Focusing on the four most popular Unix variants today--Solaris,
> Mac OS...
Thanks.
> I'm NOT suggesting that you _buy_ this (as it's mainly *nix,) but the
> network and basic security concepts still apply.
I may well try and get my company to buy a copy. We *do* use Linux a lot
including for hosted services that we provide.
> See if you can find a
> copy in a library (here, there is a thing called an "inter-library loan",
> where "your" library has arrangements with others in the area, allowing
> them to obtain books for you from those libraries - VERY handy).
We have something similar here in the UK.
> You
> may want to look around http://www.oreilly.com, as they also have a
> number of books on the windoze end of things as well.
I'm sure there are. However, currently I'm taking the attitude that
Windows is Somebody Else's Problem. Apart from stirring up trouble on
the Windows side by pointing out problems, that is.
--
Flash Gordon
On Sat, 29 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in article
>Personally I always ask *before* connecting my notebook (personal or
>company) in to another companies network. Not only does it save me
>getting a bollocking but it is only the polite thing to do. In my
>office though I am one of the people to be asked, so I give myself
>permission ;-)
I think some of the people we have problems with simply don't want to
read policy, and don't understand why there might be a reason for it.
>Actually, I was given permission to hook my personal notebook in to the
>company network before I had anything to do with our IT department.
It's _quite_ the reverse here. I have a "company" system at home, and
it's on it's own leased connection to the company, and must not be
connected to my home LAN. Well, my wife has the same type of setup,
so we have our own lan with a half-dozen systems, and two more
isolated from everyone else. At least the companies are providing the
hardware and paying for the extra links.
>One place I visited you were not allowed to take a mobile on-site, not
>even if it was switched off!
I rarely visit customer sites any more, but have run into this before.
One site I visited freaked out over a portable CD player. I had to
take it out and leave it in the rental car.
>I'm in the *nix part of our shop (says the only person in the company
>with a company MSDN subscription). Some development (I've slowly been
>getting one of our applications to use some sensible security where I
>have been rewriting them), some consultancy (for which I believe I
>should understand enough about security not to make a fool of myself),
>some work on our internal systems (the *nix boxes) and various other
>things.
>
>So my personal notebook runs Linux
Ah, OK - have you looked through the HOWTOs? Some are quite dated,
but still useful.
>Well, late last year I suggested we lock down the machines (currently
>everyone has Admin access on their Windows machines).
>We shall see what happens. However, since then we have already had a
>couple of incidents which we would not have had with locked down
>machines.
That was a major issue at my wife's company, and was the reason someone
got 0wn3d there. They did try to lock things down, but everyone was
moaning that it made their systems unusable. Yeah, right. The "single
user" tradition of windoze is hard to overcome. You can set a windoze
box up such that admin isn't needed, but it takes some effort and most
users (*nix as well as windoze) don't want to learn anything because it
must be nerdy, hard, or fattening.
>I used to work in the defence industry so I know all about *that* sort
>of security.
Yeah, isn't it fun? Actually, Defense is only a small part of The
Problem - we run into landmines from the Securities and Exchange
Commission (stock market), as well as the Departments of Education,
and Health And Human Services.
>> I'm NOT suggesting that you _buy_ this (as it's mainly *nix,) but
>> the network and basic security concepts still apply.
>
>I may well try and get my company to buy a copy. We *do* use Linux a
>lot including for hosted services that we provide.
-rw-rw-r-- 1 gferg ldp 22582 Feb 6 2004 Reading-List-HOWTO
Eric dropped his listing of the 'Practical UNIX and Internet Security'
book some time ago (considered it "dated"), but lists two other books he
found useful. The LDP guides are also useful, but less so due to their
age. The newest one on security is five years old.
>> You may want to look around http://www.oreilly.com, as they also have
>> a number of books on the windoze end of things as well.
>
>I'm sure there are. However, currently I'm taking the attitude that
>Windows is Somebody Else's Problem.
My problem (both at work and at home) is budgetary - plus I like to
read. I've got quite a number of their books, and have to sneak new
ones into the house.
>Apart from stirring up trouble on the Windows side by pointing out
>problems, that is.
Of course - nothing wrong with that ;-)
Old guy