
A Publication Featuring The Information
Services Technology of Maine State Government
Volume VII, Issue 4 | April 2004
By Bob Witham
In last month’s article, “Spoof Goes the Weasel,” I wrote about some of the very basic ways that address spoofing is accomplished, and a little about its effect on you as an individual. When someone spoofs your address as the From address of an e-mail, the recipient will assume that you actually sent the message. What if a spammer sends e-mails offering some service and uses your address as the From address? Remember, spammers are not really interested in you replying to them, only in you reading their message. What if that spammer is advertising a porn site, or some other activity that you would not like to be associated with? At the very least, this could lead to personal embarrassment, and possibly to problems with associates who may not know that you really did not send such a message. Imagine the problem of explaining to your pastor, priest, or rabbi why you sent the porn e-mail. Just make sure you keep a copy of this article handy.
Another offshoot of spoofing that we are seeing has to do with anti-spam products. One of the ways that we fight spam is to subscribe to a service that blacklists known spammers. These services accept input from a variety of sources, relying on them to determine who is sending spam. If I subscribe to this service, I can send spam messages I have received to the service, and they will add the sender’s name to a list. Once that sender’s name shows up enough times from enough different sources, the domain (the portion of the address after the @) will be tagged by the service as a known spammer. For mail coming into the State of Maine e-mail system, such mail is tagged with a [sls_ADV?] tag. Domain names are also sometimes added to these lists because they are known to send viruses. By configuring your rules wizard under Microsoft Outlook tools, you can have such mail automatically deleted, or sent to a folder.
Now let’s suppose someone who knows you is infected with a virus. That person’s computer begins sending thousands of virus-infected messages, or even messages that look like spam, across the Internet. Subscribers to these spam listing services (the sls in the sls_ADV tag) begin reporting your address as sending either viruses or spam. After enough people report your address, your domain is blocked. And believe me, it is not easy to get off these lists once you are on one. You generally need to do some really heavy-duty proving to the list administrator that the offender has been removed from your domain or that you have taken steps to remove the spam. I would hope that these spam list administrators have wised up to the fact that viruses do spoof addresses. This same technique could be used by a determined individual intent on blocking all e-mail from a domain by spoofing spam that appears to originate from that domain.
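The following sketch is an added example, not part of the original article or of any listing service's software. It models the report counting described above and shows why a list keyed on the From address ends up blocking the spoofed domain rather than the infected machine. The threshold of three distinct reporters, the sample reports and all domain names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample reports:
# (reporting subscriber, From address shown in the message, host that delivered it)
REPORTS = [
    ("sub1", "alice@victim.example", "infected-pc.isp.example"),
    ("sub2", "alice@victim.example", "infected-pc.isp.example"),
    ("sub3", "bob@victim.example", "infected-pc.isp.example"),
    ("sub3", "bob@victim.example", "infected-pc.isp.example"),  # same reporter twice
    ("sub4", "news@shop.example", "mail.shop.example"),
]

THRESHOLD = 3  # assumed: distinct reporters needed before an entry is listed


def domain_of(address):
    """Return the portion of an e-mail address after the @, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def by_from_domain(from_addr, sending_host):
    """Key a report on the (spoofable) From address domain."""
    return domain_of(from_addr)


def by_sending_host(from_addr, sending_host):
    """Key a report on the host that actually delivered the message."""
    return sending_host.lower()


def listed(reports, key, threshold=THRESHOLD):
    """Return the keys reported by at least `threshold` distinct subscribers."""
    reporters = defaultdict(set)
    for reporter, from_addr, sending_host in reports:
        # A set per key means repeat reports from one subscriber count once.
        reporters[key(from_addr, sending_host)].add(reporter)
    return {k for k, who in reporters.items() if len(who) >= threshold}


if __name__ == "__main__":
    # Keyed on From: the spoofed domain is listed although it sent nothing.
    print("listed by From domain: ", listed(REPORTS, by_from_domain))
    # Keyed on delivering host: the infected machine is listed instead.
    print("listed by sending host:", listed(REPORTS, by_sending_host))
```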
A week or so ago, several people in Maine Revenue Services (MRS) noticed that mail messages from the IRS were being tagged with [sls_ADV?] tags and being deleted from their inbox. Whether this was the result of tagging due to a virus outbreak, spoofing, or some other reason, I do not know, and it is not really important. It did point out one of the problems we face due to spoofing of e-mail addresses - that of wrongly accusing someone of an activity they had nothing to do with.
There is good news on the horizon, however. Microsoft and others are working on a redefinition of the standards under which e-mail is sent, in an effort to remove the effect of spoofing the From address. They are looking at ways of ensuring that any e-mail message can be tracked back to the actual machine that sent it. They are trying to ensure that no message will be sent by any server that does not have the appropriate originating address on it. This new standard is still a long way off, however. Until then, beware the spoofers.