watch out for this guys!!! [Fwd: Access restricted: Verify your account information.]

From: Frank McConnell <fmc_at_reanimators.org>
Date: Sun Nov 10 16:25:01 2002

Mike Ford <mikeford_at_socal.rr.com> wrote:
> At 01:08 PM 11/9/02 -0800, Frank McConnell wrote:
> >What really cheeses me off about this sort of thing is that the
> >service providers don't go out of their way to make it easy to
> >identify fraudulent use of their names (or do any kind of sane mail
> >filtering, for that matter) by looking at the source and destination
> >domain names in e-mail headers and URLs.
>
> Two great opposing forces are at work on the internet, total control and
> verified identity, vs, anarchy and annonmenity (sorry spelling is not a
> major force).

I guess I put this the wrong way round. The company on whose behalf
this stuff was e-mailed (HP) has allowed someone to make it hard to
identify that the stuff really originated with or in fact has anything
to do with them, beyond easily-forgeable bits in the From: header name
(the text bit, not the address) and body which I know better than to
trust.

> Unfortunately the same verified ID that would let me track down a spammer,
> also would allow oppressive regimes to control internet content.

I'm not asking for a cryptographically verifiable ID, I'm asking that
those who would allow other parties to send authorized corporate
communications in their behalf via unencrypted e-mail at least put
enough effort into making sure that these communications at least give
the appearance of coming from the authorizing party. Allowing the
mailing-list company to use specific name(s) in hp.com in the From:
header address and URLs would do; allowing the mailing-list company to
use specific name(s) in hp.com in the Received: headers and SMTP
envelope address would be nice too. This is all just DNS tricks.

Absent this, how can I (as the receiver) tell the difference between
authorized and unauthorized communications? I can't, and if I can't
I don't see how I can expect anyone else to do so.

That's what makes it possible for some miscreant to forge e-mail
claiming to be from HP, or eBay, and get people to reply with their
credentials. The recipients can't tell which messages to trust.

ObCC: turned up a copy of Abrash's _Zen of Assembly Language_ at the
book sale yesterday. It's a good book (and hard to find), but you
can probably get most of his message out of his later books that are
somewhat easier to find: _Zen of Code Optimization_ and/or _Graphics
Programming Black Book_ (which latter I believe is available in some
form or other online).

-Frank McConnell
Received on Sun Nov 10 2002 - 16:25:01 GMT