Get this Security+ CertiGuide for your own computer.
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Custom Search







Table Of Contents  CertiGuide to Security+
 9  Chapter 2:  Communication Security (Domain 2.0; 20%)
      9  2.2  Email
           9  2.2.3  Vulnerabilities

Previous Topic/Section
Header Privacy
Previous Page
Pages in Current Topic/Section
1
Next Page
Password Security
Next Topic/Section

Message Forgery

Another email issue is forgery, or message spoofing, due to the lack of sender authentication in vanilla (as opposed to PGP or S/MIME) email. If you’ve gotten spam, you’ve probably seen forged email. By “forged”, we mean email whose “From:” information along with other possible identifiable information is deliberately incorrect. Email can be forged for a variety of reasons, such as not wanting replies (senders of “make money fast” pleas generally don’t want tens of thousands of replies telling them to bug off, in their personal mailboxes), not wanting their identity to be known (in the case of someone who wants to communicate anonymously, just to protect their privacy), or wanting to pretend to be someone else (like the virus email which masquerades as an email from Microsoft Security). How do they do it?

Sometimes, it’s as simple as changing the “Name” field in their mail program, but leaving the email address as is. (Not very effective, but it is occasionally done, particularly when someone is using a “throwaway” Hotmail or ISP account to send a large volume of junk mail, and doesn’t care how many replies the sending account receives.) At other times, users take advantage of a feature of the SMTP protocol – you can claim to be anyone, without having to prove to the mail server that you are that person, by manually issuing commands to the SMTP server (or using a program designed to issue these commands for you, supplying whatever identifying information you provide it).

[spacer]New Anti-Spam Measures

The vendors are working on new measures to reduce forgery used for spam. Two of them are likey to be first. They are Caller ID
171 and SPF172 since they work within the existing framework.173 Domain Keys174 is a PKI solution which required a change in how mail client software is currently using.



 __________________

171. http://www.microsoft.com/mscorp/twc/privacy/spam_callerid.mspx

172. http://spf.pobox.com/

173. http://www.nwfusion.com/edge/news/2004/0303earthlink.html

174. http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci944600,00.html

Previous Topic/Section
Header Privacy
Previous Page
Pages in Current Topic/Section
1
Next Page
Password Security
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $



Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.