[LINK] a question about the spam act due to be enacted next month

Stilgherrian stil at stilgherrian.com
Thu Mar 25 11:21:43 EST 2004


At 9:17 +1030 25/3/04, Brenda Aynsley wrote:
>I am currently and yet again, fending off the bounces to emails 
>purportedly sent by someone in my company, and since there are only 
>2 of us using email addresses in my domain, I am 100% confident that 
>this is a case of spoofing.
>
>I guess the headers to the original messages would tell the story of 
>the forgery, but am I going to spend countless hours having to 
>explain this to would-be lawsuiters after April 11?

Perhaps, yes. I've found that it's very difficult to convince people 
how easy it is to spoof an email address -- except by actual 
demonstration.

If I explain that no, I'm not sending them a virus, someone else is, 
the most common reaction (to judge by tone of voice and body 
language) is that they think I'm lying or in denial. And perhaps 
that's fair enough, because in many cases people who *are* infected 
don't know about it.

This situation may change once the majority of people understand the 
issues, but since it's hardly going to be their highest-priority 
learning task, there'll always be plenty of folks who just won't "get 
it".


>Is there a way to authenticate outgoing emails to stop this 
>practice?  Are there other solutions which could be put in place?

In the longer term there is an answer, and it's all about having 
everyone sign their emails with a digital signature, and there 
being a suitable public infrastructure to support it. The technology 
exists, but very few people use it -- in large part because most 
implementations are pretty clunky, and it's a bit too obscure.

There's also the argument that none of this will actually work in the 
real world, because most people run Windows, most people configure 
their Windows machines so that they're always running with full 
administrator privileges, and most people fail to protect their 
computers against viruses and other basic attacks. In these 
circumstances, it's only one step from a virus taking over their 
computer to send spam or serve out pr0n, to the virus taking over 
their computer and using it to send spam having first added the 
digital signature it found on that very same computer.

So in the shorter term, no, there's no answer.

In all of this, I've said "virus" when your question was about spam, 
but really it's all the same issue. It's about someone doing 
something online with your computer and in your name without you 
wanting that to happen. The fine-grained details may differ, but in 
essence it's all really the same thing.

I hope this pessimistic assessment helps...

Stil


-- 
Stilgherrian <stil at stilgherrian.com> http://www.stilgherrian.com/
Internet, IT and Media Consulting, Sydney, Australia. ABN 25 231 641 421
mobile 0407 623 600 (international +61 407 623 600)
fax 02 9516 5630 (international +61 2 9516 5630)