Tuesday, February 01, 2005

E-mail Spoofing

E-Mail is a very untrustworthy medium for communications. There is no real security on it -- anyone can send a message and have it say it is from anyone else, like "gwbush@whitehouse.gov", for example. This is called "E-Mail Address Spoofing."

In your email program, you can say what your name is, what your e-mail address is, and the e-mail address that the reply to the e-mail goes to ("Reply-to" address). You can put there whatever you want.

I used one of my email accounts to show you how it works. I set up the e-mail account to say that I am "Sam Spade," and my e-mail address is "spade@privateeye.com", and the organization I represented is "Sam Spade, Private Eye." Then, I sent an e-mail to the "AskUncleMark" e-mail address at gmail.com. Here is what I got:


From: Sam Spade
To: AskUncleMark@gmail.com
Date: Tue, 01 Feb 2005 22:26:11 -0800
Subject: Test of spoofed email address

Hey, will you look at that! Sam Spade sent me an e-mail! Easy as that. Anyone can do it.

Each e-mail has "e-mail headers" that contain information about the e-mail. There is nothing in the e-mail headers that indicates my real e-mail address. Who I say I am is totally disconnected from my real e-mail address. Everything says I am Sam Spade from "Sam Spade, Private Eye." The only clue that all is not as it seems is that the message was received from "earthlink.net" instead of "privateeye.com", and you can see my internet address. You have to look hard to see it.
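The check described above (comparing the domain claimed in the From line with the host the message was actually received from) can be automated. This is an added example, not part of the original post; the sample message is constructed, and its relay host name, IP address and Received line are assumptions made for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modeled on the test message described above; the Received
# line, relay host name and IP address are made up for illustration.
SAMPLE = """\
Received: from relay.earthlink.net (relay.earthlink.net [192.0.2.10])
\tby mx.gmail.com with ESMTP; Tue, 01 Feb 2005 22:26:15 -0800
From: Sam Spade <spade@privateeye.com>
Organization: Sam Spade, Private Eye
To: AskUncleMark@gmail.com
Date: Tue, 01 Feb 2005 22:26:11 -0800
Subject: Test of spoofed email address

Test body.
"""

def base_domain(host):
    """Naive registrable domain: last two labels (ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def relay_domains(msg):
    """Domains of the hosts named after 'from' in each Received header."""
    found = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", value)
        if m and "." in m.group(1):
            found.append(base_domain(m.group(1)))
    return found

def spoof_clues(raw):
    """List mismatches between the claimed sender and what the headers show."""
    msg = email.message_from_string(raw)
    clues = []
    from_domain = base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    relays = relay_domains(msg)
    if relays and from_domain not in relays:
        clues.append(f"From claims {from_domain} but relays were {sorted(set(relays))}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and base_domain(reply_to.rpartition("@")[2]) != from_domain:
        clues.append(f"Reply-To {reply_to} differs from From domain {from_domain}")
    return clues

if __name__ == "__main__":
    for clue in spoof_clues(SAMPLE):
        print(clue)
```

A mismatch is only a clue, not proof: plenty of legitimate mail is sent through a provider whose domain differs from the From address, and only the Received line added by your own mail server can be trusted.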

In real-world terms, it is like putting the wrong return address on a letter. You have no idea who really sent it.

Scammers and virus-writers take advantage of this weakness.

Scammers say that they are e-mailing you from your bank, ask you to "fix a problem with your accounts," and redirect you to an official-looking, but fake, web site that captures your login ID and password. They then have access to your real account. This is called "phishing" and is rampant.

Virus writers use e-mail to spread their viruses, by sending the virus to people in your address book, with spoofed from-lines taken from other people in your address book. So, if you have "Joe" and "Mary" in your address book, the virus will send itself, using your account, to "Mary" with "Joe" in the from line, and vice-versa. This makes it virtually impossible to trace where the virus really came from, and jeopardizes the relationship between Mary and Joe.

Because of this, here are some guidelines when working with e-mail:

1. Never assume that the e-mail is really from who it says it is from. Be skeptical.

2. If a strange message is apparently from one of your friends, realize that they probably didn't send it. It is probably a virus-sent message.

3. Always, always, always assume that an e-mail asking for any login IDs, passwords, account PINs, or personal information is fake. If a bank has a problem with your accounts, they will either call you, or send you a real letter, or both. They will not e-mail you. Even if they do e-mail you, don't e-mail them back; call them if you think there might be a problem.