[LINK] a question about the spam act due to be enacted next m onth

Chirgwin, Richard Richard.Chirgwin at informa.com.au
Thu Mar 25 14:07:33 EST 2004 

Brenda, 

The short answer is "no". You can't do anything about messages originating
outside your domain. I could also grab a piece of paper and sign it "Brenda
Aynsley". 

The long answer; perhaps, but. The "buts" are many; here are some ideas I've
had floated to the press.

Authenticate the User
Downside: Non-anonymous, and most people don't want "strong" identification
merely to use e-mail. If Brenda is weakly authentic, you can have false
Brendas (I've seen an individual harrassed on another mailing list by
someone who kept creating false IDs on Webmail under her name, then posting
messages to make her look foolish).

A worse vulnerability: if Brenda is assumed to be Brenda, and someone (for
eg) intrudes a poorly-defended mail server, the harrassment is worse -
"don't tell me it wasn't you, that can't be done!"


Authenticate the Message
Clunky, as Stil says. It also makes e-mail dependent on a third-party
infrastructure the users don't/can't control - definitely creating the
opportunity, if not the fact, for monopoly and so on. Do you want your
message signature to depend, for example, on a company which also offers
"lawful intercept outsourcing" services?


Server-to-server authentication
At least this can be operated by a system admin; which means the
authentication is managed by someone familiar with the concepts. It's being
promoted by Sendmail, who pointed out the downside: it can be a pain for
genuinely offsite. If, for eg, your "authoritative" server is iss.net.au,
but you're telecommuting and only 'apparently' at iss.net.au, the model is
bent or broken.


And yes, with April 11 approaching, this is going to be a live issue...

Richard C

> -----Original Message-----
> From: Stilgherrian [mailto:stil at stilgherrian.com] 
> Sent: Thursday, March 25, 2004 9:22 AM
> To: Brenda Aynsley; The Link Institute
> Subject: Re: [LINK] a question about the spam act due to be 
> enacted next month
> 
> 
> At 9:17 +1030 25/3/04, Brenda Aynsley wrote:
> >I am currently and yet again, fending off the bounces to emails 
> >purportedly sent by someone in my company, and since there are only 
> >2 of us using email addresses in my domain, I am 100% confident that 
> >this is a case of spoofing.
> >
> >I guess the headers to the original messages would tell the story of 
> >the forgery, but am I going to spend countless hours having to 
> >explain this to would be law suiters after april 11?
> 
> Perhaps, yes. I've found that it's very difficult to convince people 
> how easy it is to spoof an email address -- except by actual 
> demonstration.
> 
> If I explain that no, I'm not sending them a virus, someone else is, 
> the most common reaction (to judge by tone of voice and body 
> language) is that they think I'm lying or in denial. And perhaps 
> that's fair enough, because in many cases people who *are* infected 
> don't know about it.
> 
> This situation may change once the majority of people understand the 
> issues, but since it's hardly going to be their highest-priority 
> learning task, there'll always be plenty of folks who just won't "get 
> it".
> 
> 
> >Is there a way to authenticate outgoing emails to stop this 
> >practice?  Are there other solutions which could be put in place?
> 
> In the longer term there is an answer, and it's all about having 
> everyone signing their emails with a digital signature, and there 
> being a suitable public infrastructure to support it. The technology 
> exists, but very few people use it -- in a large part because most 
> implementations are pretty clunky, and it's a bit too obscure.
> 
> There's also the argument that none of this will actually work in the 
> real world, because most people run Windows, most people configure 
> their Windows machines so that they're always running with full 
> administrator privileges, and most people fail to protect their 
> computers against viruses and other basic attacks. In these 
> circumstances, it's only one step from a virus taking over their 
> computer to send spam or serve out pr0n, to the virus taking over 
> their computer and using it to send spam having first added the 
> digital signature it found on that very same computer.
> 
> So the shorter term, no, there's no answer.
> 
> In all of this, I've said "virus" when your question was about spam, 
> but really it's all the same issue. It's about someone doing 
> something online with your computer and in your name without you 
> wanting that to happen. The fine-grained details may differ, but in 
> essence it's all really the same thing.
> 
> I hope this pessimistic assessment helps...
> 
> Stil
> 
> 
> -- 
> Stilgherrian <stil at stilgherrian.com> http://www.stilgherrian.com/
> Internet, IT and Media Consulting, Sydney, Australia. ABN 25 
> 231 641 421
> mobile 0407 623 600 (international +61 407 623 600)
> fax 02 9516 5630 (international +61 2 9516 5630)
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
>

More information about the Link mailing list