杏吧原创

Focus : I never sent that… – E-mail forgery is a growing menace to both business and individuals. Yet it can be stopped, so why is nothing being done?

AMERICA Online, the world鈥檚 largest electronic mail and Internet service
provider, is bracing itself for attack. Its enemy, as the company publicly
acknowledged this month, is a band of anonymous computer experts who have been
evading AOL鈥檚 security screens and sending unsolicited advertisements or
offensive messages to many of its 11 million subscribers.

The problem messages do not come from AOL subscribers. 鈥淲e have always worked
on the principle that AOL members will not abuse their own system,鈥 says the
company鈥檚 European spokeswoman, Rachel O鈥橬eil. Those that do are likely to find
themselves barred from the network.

For messages that originate elsewhere on the Internet, AOL has security
systems that are supposed to block the 鈥渟pammers鈥 who send unsolicited e-mails
in bulk. It uses filter software to check for key slogans, as well as references
to sex and violence, in all messages that come from non-AOL addresses on the
Internet.

But as AOL now acknowledges, there is a loophole in this system. The spammers
simply disguise themselves as AOL subscribers by inserting an AOL address in
their e-mail software. This allows their messages to slip through the filters
unchallenged.

The technique, known as 鈥渟poofing鈥, is not new. 鈥淚t鈥檚 been going on since
hackers left phoney messages in Prince Philip鈥檚 mailbox in the 1980s,鈥 says Ross
Anderson of the computer laboratory at Cambridge University. 鈥淚t鈥檚 well known to
anyone who is up to speed with e-mail.鈥 But as he acknowledges, 鈥渢here are now
vast numbers of Net newbies鈥 who know nothing of such things.

Forged e-mails can have huge and damaging implications for businesses and
individuals, including companies that deliver goods on e-mailed order and anyone
who acts on e-mailed requests for confidential information such as security
passwords or private files. Magazines and newspapers that accept letters for
publication by e-mail are at risk from hoaxers who write in someone else鈥檚
name.

Anderson points out: 鈥淵ou can send libellous e-mail, then see someone sued
and trying to prove they didn鈥檛 send the message. Or you can send racist
messages in someone else鈥檚 name and see them reviled. Or you could e-mail
President Clinton at the White House threatening assassination, and then watch
the FBI drag some innocent from their bed.鈥

Dusan Renic of Netscape warns: 鈥淓lectronic commerce on the Internet is about
to explode. As things stand, businesses cannot authenticate orders received, and
users cannot deny they placed an order. Most Internet users are naive and do not
know they are at risk.鈥

Even some highly experienced users do not realise how easy it is to disguise
an e-mail鈥檚 source. Steve Gold, now news editor of the industry magazine
Secure Computing, was one of the pair of hackers who in the mid-1980s left
joke messages in Prince Philip鈥檚 e-mail box to demonstrate loopholes in BT鈥檚
Prestel system. (BT did not see the joke and prosecuted, but Gold was cleared on
appeal.) 鈥淚 always knew, academically, that it was possible to forge an e-mail
address,鈥 Gold says. 鈥淏ut I had never actually tried it until I needed to
recently.鈥 He was collaborating on an article and did not want to confuse his
editor by e-mailing the two parts from different addresses. 鈥淚 just sent my half
from my partner鈥檚 address. I was staggered how easy it was. I was amazed.
骋辞产蝉尘补肠办别诲.鈥

Spoofing can work no matter what e-mail service you use. All of them give
subscribers an address, which is usually public so that anyone can send a
message to the owner. If mail is sent from a PC using the service鈥檚 own
proprietary software, it should automatically add a header to the message with
the sender鈥檚 personal address. But mail can also be sent over the Internet from
a Web browser or some other e-mailing software. To do this, the user must enter
personal data when they set up the software.

Most people assume that they have to enter their own, authentic data for the
mailer to work. In reality, there is nothing to stop them entering false data.
Once this has been done, a false address will appear in the header of any
message they send. The true owner of the address has no way of knowing it is
being misused. The recipient of the mail has no reason to doubt that the message
is genuine.

E-mail service providers have done little to warn people of the risks. A
spokeswoman for CompuServe, which is owned by AOL, initially told New
杏吧原创 that the company was 鈥渦naware鈥 of electronic forgery, then said
it was 鈥渘ot possible鈥 to do. Finally, though, she admitted that forging a
sender鈥檚 identity was easy and could be done with any e-mail system. But, she
reassured us, it was 鈥渆asy鈥 to deduce the true source of a forged message from
information buried in an apparently meaningless number string in the header at
the top of the received message.

But this is not much help even if you suspect that someone is impersonating
you. To prove that this is happening, you would have to obtain a copy of the
message you never sent and persuade the recipient鈥檚 Internet service provider to
check its records to find the string. In Britain alone, 10 million e-mails are
sent every day, making such a check virtually impossible.

CompuServe claims that electronic forgery is a feature of some mail software
in browsers, not the mail service. Renic takes strong exception to this on
behalf of Netscape. 鈥淚t is a feature of virtually all Internet mail software.鈥
He says that Netscape Communicator is the first software capable of offering a
warning that received mail is spoofed.

Anderson blames the poor security offered by service providers. Renic agrees.
The only answer, he says, is for providers to use certification. This gives each
subscriber a unique and unforgeable digital signature that is automatically
added to every message they send. The signature provides proof that a message
really has been sent by the person named in the header. As yet, no service
provider uses certification for e-mail, despite the fact that a formula has been
agreed by the Internet鈥檚 standards bodies. 鈥淭here is no reason why anyone should
suffer spoofing,鈥 says Renic. Mail service providers 鈥渁re way behind the
迟颈尘别蝉鈥.

Graham Smith, a specialist in online law with solicitors Bird and Bird and
coauthor of Internet Law and Regulation, is a strong supporter of
digital signatures. He, too, is surprised by how easy e-mail forgery is. 鈥淚t鈥檚
very worrying and further proof that on the Internet, you can never be sure that
people are who they say they are.鈥

Despite such warnings about the threat of electronic forgery, the
Metropolitan Police鈥檚 Computer Crime unit employs only one skilled officer. The
unit admits it is 鈥渙perationally stretched鈥, but maintains: 鈥淲e are aware of the
fraudulent use of e-mail, but we do not see it as a growing trend and it is not
in itself an offence.鈥

Will it take a major scandal before anything is done? 鈥淟ike so many aspects
of IT, e-mail forgery is a low priority,鈥 says Gold. But, as he points out, it
is easy to do, and the potential for abuse is huge. 鈥淭he genie is already out of
the bottle.鈥

The rise in email traffic

More from New 杏吧原创

Explore the latest news, articles and features