When the Internet was first conceived, it was built on a naive sense of trust. There was a naive idea that the people who were smart enough to use the Internet were also ethical enough to use it for higher purposes. As a result, there was a great explosion of knowledge. The Internet also became easier to use and there was a great explosion of users of all kinds.
Could this virtual Woodstock last forever? Not surprisingly, many forms of malicious behaviour have arisen. As a result, the managers of Internet sites must attempt to keep their sites safe. This involves all kinds of activities, some of which you would not want to document on a blog, but some of which are worth sharing in a short blog. For me, the activity of the day is email spoofing.
"Email spoofing" is a specific activity by which a nasty individual can send out an email that appears to be in your name. They do this by creating a virtual email server that emulates the real server to the point where the From fields appear identical to those of a real email. If one were to receive such an email on a smartphone, it would be nearly impossible to know that it is a fake. If the email is viewed on a desktop computer, there are telltale signs that the source is fraudulent.
What does this mean to the site manager who has created the email account? Basically, you are on your own if the individual is foreign-based. Your local police authorities are not equipped to deal with this. You should report it to ICANN, but that will not help in the short run. The ISP who hosts your web service is the first point of reference. Essentially, when you request an email address to be created, you need to understand the various parameters.
Why would creating an email address be complicated? Basically, when the Internet was created, a lot of flexibility was granted out of that naive sense of trust. Generally, the default email accounts allow for a high degree of flexibility, as no one wants to lose time when configuring their email setup. This is only possible if the security is relaxed.
Relaxed security in creating an email account means that it is easy to connect multiple devices to your account, such as smartphones, laptops, as well as your main work computer. The downside of this is that it becomes relatively easy for someone to pretend that they are one of your multiple devices. The prime way to tighten up your security is to go to your ISP and follow the best practices that they have listed.
In the case of email spoofing, you can look at the email "source" with your email software. You will likely see a trail that is very different from what you would have seen with a real email sent from one of your devices. If you check the IP addresses listed, they will likely not be listed. The domain server will also likely not be one used by your Internet Provider but a virtual one such as Exim (ironically created at Cambridge). If you tighten up the SPF record that governs who uses your email address, this should solve the problem. If not, you will have to bite the bullet and shut down the email address.
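The check described above can be run against a saved copy of the email source. This is an added example, not code from the original post: the SPF record, headers, domains and IP addresses are constructed sample values, and only the `ip4:`/`ip6:` mechanisms of the record are evaluated (`include:`, `a` and `mx` need DNS lookups and are ignored here).

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample data: example domains and documentation-range IPs only.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 -all"
SAMPLE_SOURCE = (
    "Received: from mail.example.com (unknown [203.0.113.77])\n"
    "\tby mx.recipient.example with esmtp (Exim); Mon, 1 Jan 2024 10:00:01 +0000\n"
    "From: Site Manager <manager@example.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def received_ips(raw_source):
    """Return the bracketed client IPs from the Received trail, newest hop first."""
    msg = message_from_string(raw_source)
    ips = []
    for header in msg.get_all("Received", []):
        match = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", header)
        if match:
            ips.append(match.group(1))
    return ips

def spf_networks(spf_record):
    """Parse the ip4:/ip6: mechanisms (pass qualifier only) into network objects."""
    nets = []
    for term in spf_record.split()[1:]:
        mech = term.lstrip("+")
        if mech.lower().startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
    return nets

def audit(raw_source, spf_record):
    """Map each hop IP to True if the SPF record authorizes it, else False."""
    nets = spf_networks(spf_record)
    result = {}
    for ip in received_ips(raw_source):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # bracketed text that is not a valid address
        result[ip] = any(addr in net for net in nets)
    return result

if __name__ == "__main__":
    for ip, ok in audit(SAMPLE_SOURCE, SAMPLE_SPF).items():
        print(ip, "authorized by SPF" if ok else "NOT in SPF record")
```

A hop that is not in the record only causes rejection at the receiving end if the record ends in `-all`; with `~all` or `?all` most receivers still accept the message.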
If this sounds frustrating, you are right. I am dealing with this issue right now. If it is not just a bluff, there may well be embarrassing emails going out from my account. Still, it is the price we pay for our freedom on the Internet. Do not be surprised if this note is updated, as I learn more in the near future.
A portion of the email source trailer. Note I XXX out my personal information. The IP address is that of the spoofer.