Date: Wed, 31 Oct 2001 13:46:46 -0800
Reply-To: "Karsten M. Self" <kmself@IX.NETCOM.COM>
Sender: "SAS(r) Discussion" <SAS-L@LISTSERV.UGA.EDU>
From: "Karsten M. Self" <kmself@IX.NETCOM.COM>
Subject: OT: Mail authentication (was Re: Demand for our new)
Content-Type: multipart/signed; micalg=pgp-sha1;
on Wed, Oct 31, 2001 at 01:19:55PM -0500, Ray Pass (raypass@ATT.NET) wrote:
> I just spoke with Ben Cochran (I've known Ben for years - he is an
> ex-SASie now out on his own for a number of years) and as I suspected,
> he is NOT sending out these bogus messages. He is aware that his home
> machine was infected a while back, but he thought that he had dealt
> with it via McAfee. Anyway, he's out of town today but promises to
> purchase the latest Norton Anti Virus tonight (on my recommendation)
> and deal with the situation. He asked me to post this to SAS-L as he
> is not currently even subscribed. I'm sure that he will do all that
> he can to end this nonsense on his machine.
Incidentally, a similar incident, though in this case a spoofed email
address no longer in use (indeed the domain no longer exists) prompted
me to begin signing my emails with GPG (http://www.gnupg.org/). The
attachments some of y'all see on my email are an encoding of the
original text message (this is done to tell various, compliant, software
not to mess with the content as this breaks the system), and a
signature, computed as a one way hash function, against the contents of
and what's called a private key.
With access to my public key (posted to various GPG/PGP keyservers
worldwide), it's possible to ascertain that:
- The message originated from a specified key. The task then is to
  determine whether or not you're familiar with this key, and whether
  or not you've grounds to trust it.
- The message has not been modified or changed in any way since it was
  signed. This is the reason for the encoding, mentioned above. The
  SAS-L listserv, for example, is noncompliant, and replaces tab
  characters with spaces, generally affecting posts in which I've
  included code samples, as I indent to indicate structure.
Note that the signature block isn't the same for every message, but is
dependent on the contents.
My policy regarding email: the burden of identification rests with the
recipient. If you haven't taken reasonable means to determine that I am
the author of a message, the assumption should be that its status is
indeterminate. A GPG signature provides a mechanism to this means. As
I have no way of determining what messages you've received claiming to
be from me, the onus cannot rest on the sender.
Use of encryption, exploit-averse operating systems, and non-exploitable
email clients is another lesson.
Incidentally, someone might want to confirm that Ben is or isn't a
Mindspring customer, as that's where the email in question appears to
have originated (mail header forgeries were previously touched on here,
but the detailed lecture is also deferred).
Karsten M. Self <firstname.lastname@example.org> http://kmself.home.netcom.com/
What part of "Gestalt" don't you understand? Home of the brave
http://gestalt-system.sourceforge.net/ Land of the free
Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire http://kmself.home.netcom.com/resume.html
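
The point about encoding and tab rewriting, as an added example that is not part of the original message: it hashes the signed MIME part with SHA-1 (the micalg=pgp-sha1 in the header above) before and after a gateway that turns tabs into spaces, once sent as plain 7bit text and once quoted-printable encoded. The sample body, `listserv_rewrite` and the other function names are constructed for illustration, and the digest stands in for the signature, which is computed over that hash.

```python
import hashlib
import quopri

# Constructed sample body: code indented with tabs, as described in the post.
BODY = b"data work.demo;\n\tset sashelp.class;\n\tif age > 12;\nrun;\n"

def listserv_rewrite(raw: bytes) -> bytes:
    """Hypothetical non-compliant gateway: replaces every tab with spaces."""
    return raw.replace(b"\t", b"        ")

def signed_part(body: bytes, encode: bool) -> bytes:
    """Build the MIME part that a PGP/MIME signature is computed over."""
    if encode:
        # quotetabs=True writes tabs as =09 and spaces as =20
        payload, cte = quopri.encodestring(body, quotetabs=True), b"quoted-printable"
    else:
        payload, cte = body, b"7bit"
    part = (b"Content-Type: text/plain; charset=us-ascii\n"
            b"Content-Transfer-Encoding: " + cte + b"\n\n" + payload)
    # The signature is taken over the part with canonical CRLF line endings.
    return part.replace(b"\n", b"\r\n")

def digest(part: bytes) -> str:
    """SHA-1 over the signed part; the signature covers this value."""
    return hashlib.sha1(part).hexdigest()

def survives_gateway(encode: bool) -> bool:
    """True if the digest is unchanged after the gateway rewrote the part."""
    sent = signed_part(BODY, encode)
    return digest(sent) == digest(listserv_rewrite(sent))

def recovered_body() -> bytes:
    """Decode the encoded part after the gateway; tabs come back intact."""
    received = listserv_rewrite(signed_part(BODY, encode=True))
    payload = received.split(b"\r\n\r\n", 1)[1]
    return quopri.decodestring(payload).replace(b"\r\n", b"\n")

if __name__ == "__main__":
    print("7bit part verifies after gateway:   ", survives_gateway(False))
    print("encoded part verifies after gateway:", survives_gateway(True))
    print("decoded body identical to original: ", recovered_body() == BODY)
```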