[LINK] a question about the spam act due to be enacted next
stil at stilgherrian.com
Thu Mar 25 11:21:43 EST 2004
At 9:17 +1030 25/3/04, Brenda Aynsley wrote:

>I am currently and yet again, fending off the bounces to emails
>purportedly sent by someone in my company, and since there are only
>2 of us using email addresses in my domain, I am 100% confident that
>this is a case of spoofing.
>I guess the headers to the original messages would tell the story of
>the forgery, but am I going to spend countless hours having to
>explain this to would-be law suiters after April 11?

Perhaps, yes. I've found that it's very difficult to convince people
how easy it is to spoof an email address -- except by actual

If I explain that no, I'm not sending them a virus, someone else is,
the most common reaction (to judge by tone of voice and body
language) is that they think I'm lying or in denial. And perhaps
that's fair enough, because in many cases people who *are* infected
don't know about it.

This situation may change once the majority of people understand the
issues, but since it's hardly going to be their highest-priority
learning task, there'll always be plenty of folks who just won't "get

>Is there a way to authenticate outgoing emails to stop this
>practice? Are there other solutions which could be put in place?

In the longer term there is an answer, and it's all about having
everyone signing their emails with a digital signature, and there
being a suitable public infrastructure to support it. The technology
exists, but very few people use it -- in a large part because most
implementations are pretty clunky, and it's a bit too obscure.

There's also the argument that none of this will actually work in the
real world, because most people run Windows, most people configure
their Windows machines so that they're always running with full
administrator privileges, and most people fail to protect their
computers against viruses and other basic attacks. In these
circumstances, it's only one step from a virus taking over their
computer to send spam or serve out pr0n, to the virus taking over
their computer and using it to send spam having first added the
digital signature it found on that very same computer.

So in the shorter term, no, there's no answer.

In all of this, I've said "virus" when your question was about spam,
but really it's all the same issue. It's about someone doing
something online with your computer and in your name without you
wanting that to happen. The fine-grained details may differ, but in
essence it's all really the same thing.

I hope this pessimistic assessment helps...
Stilgherrian <stil at stilgherrian.com> http://www.stilgherrian.com/
Internet, IT and Media Consulting, Sydney, Australia. ABN 25 231 641 421
mobile 0407 623 600 (international +61 407 623 600)
fax 02 9516 5630 (international +61 2 9516 5630)
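
The quoted question supposes that the headers of the original messages would tell the story of the forgery. As an added example (not part of the original post), this Python code pulls the returned message out of a bounce and reports which host actually handed it to the bouncing site. The bounce is constructed, the function name, `our_outbound_ips` and `bouncer_domain` are hypothetical, and Postfix-style `Received` lines are assumed.

```python
import email
import re
from email import policy

# Constructed sample bounce (not from the original post); addresses are from
# documentation ranges and example.com.au stands in for the spoofed domain.
BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered.
--b1
Content-Type: message/rfc822

Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby store.recipient.example; Thu, 25 Mar 2004 08:01:12 +1100
Received: from example.com.au (dsl-host.isp.example [203.0.113.45])
\tby mx.recipient.example; Thu, 25 Mar 2004 08:01:10 +1100
From: brenda@example.com.au

See attachment.
--b1--
"""

# Assumes Postfix-style "from HELO (rdns [ip]) by HOST" Received lines.
HOP = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9.]+)\]\)\s+by\s+([^\s;]+)", re.S)

def spoof_evidence(bounce_text, our_outbound_ips, bouncer_domain):
    """Return who really handed the bounced message to the bouncing site."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    inner = next((p.get_payload(0) for p in msg.walk()
                  if p.get_content_type() == "message/rfc822"), None)
    handoff = None
    for value in (inner.get_all("Received", []) if inner else []):  # newest first
        m = HOP.search(str(value))
        # Only hops stamped by the bouncing site are trustworthy; anything
        # below the first foreign stamp could have been forged by the sender.
        if not m or not m.group(3).endswith(bouncer_domain):
            break
        handoff = m
    if handoff is None:
        return None
    return {"claimed_from": str(inner["From"]), "helo": handoff.group(1),
            "connecting_ip": handoff.group(2),
            "sent_by_us": handoff.group(2) in our_outbound_ips}
```

In the constructed bounce the message claims to come from example.com.au in both the `From:` header and the HELO name, while the connecting address recorded by the bouncing site belongs to an unrelated DSL host.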