medieval-religion: Scholarly discussions of medieval religion and culture
Katie Clark wrote:
: Apparently I have become victim to something
: called 'email spoofing' whereby some rat steals
: my email address and password and uses it to
: send spam to everyone in my contacts list
Actually, there is an important distinction to be drawn
here:
1.) The problem described above and in the links given
by John McChesney-Young would be a serious issue for
the security of one's accounts, and perhaps of the
system on which they are, as it involves theft of
passwords and their use to access accounts
illegitimately. In this case, the account to which the
"from" address actually belongs is being accessed and
used fraudulently (after the account's security has
been compromised), but the address is not actually
"spoofed", as the mail IS in fact sent, albeit
fraudulently, from the account to which the address
belongs. The best ways to prevent this seem to be to
keep changing one's password, and to make it as secure
as possible (i.e., longish, containing a mix of upper
and lower case letters, numerals, and other symbols as
permitted by the system - Gmail's list is quite
extensive); never to use the password for one's e-mail
accounts as the one for websites one registers on; and
to ensure as far as possible that there is no malicious
software on one's own system that could steal login
details (e.g., by running up-to-date antivirus,
firewall, anti-phishing, and anti-spyware software).
It is important to note, however, that this kind of
illegitimate use of your webmail account does not
necessarily imply that there is any security issue with
the local machine you use to access it: that could be
the case (as keystroke-logging and other spyware would
be one way to do this), but the mere fact that your
account access details have been fraudulently obtained
does not mean that it is the case.
2.) "Spoofing" is a problem, but NOT for the security
of one's own accounts: it traditionally refers to a
different phenomenon, whereby malicious software or
individuals "harvest" e-mail addresses from websites,
infected computers, etc. These addresses are then used
for spam or malicious e-mail, in which BOTH the
apparent "from" address AND the "to" address (and
sometimes also a "reply-to" address) are taken from the
"harvested" set. In this case, the "from" address is
"spoofed" in the sense that the e-mail purports to come
from that address, but does not actually come from that
address or the account or system to which it belongs;
that is, the security of the account itself has NOT
been breached - it is only that software on an entirely
separate system has faked the "from" address. There is
nothing the owner of a "spoofed" address can do to
prevent this, since her or his own account is not
compromised, and the address is usually not being taken
from her or his own system: one can help to prevent
its happening to others by several techniques such as
never putting a personal e-mail address in the body of
a list post or at least masking it in some way that
humans will understand but software often will not
(e.g., "name / at / domain / dot / suffix"); and never
putting a long list of addresses in the "to" and "cc"
fields - rather send messages individually, or put a
list of addresses in the "bcc" field, which should make
only each recipient's address visible to her or his
system, and therefore available if their system is
compromised.
Both phenomena can result in spam reaching lists like
this one, because the first test Listserv and other
software applies to messages sent to the list address
is whether or not the "from" address is one that is
subscribed to the list. If a mail arrives with a faked
"from" address that is an address subscribed to the
list, that message will go to the list unless the
system has additional security that catches it (like a
spam or anti-virus filter).
For Gmail, Yahoo, and other webmail users, one solution
to at least protect your contact-list from the kind of
attack to which Katie Clark's has fallen victim would
be to set up and use POP access, so that, instead of
accessing your webmail on the web to send and receive,
you can send and receive mail through the same e-mail
client (e.g., MS Outlook / Outlook Express,
Thunderbird, Opera, Eudora, etc.) you would use for
your own ISP mail. There are instructions and settings
options on the various webmail services for doing this;
and it would at least have the advantage that your
address book would be housed on your local machine,
behind whatever firewalls, AV software, etc., you have,
rather than on Gmail's servers where someone with
access to your account could find and use it. If you
take this option, be sure also to remove your contacts
from the webmail service and switch OFF options therein
to, for example, place everyone you reply to in your
contacts list / address book.
Terrence Lockyer
Johannesburg, South Africa
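
An added example, not part of the original post and not Listserv's code: the "is the From address subscribed?" test described above, next to a stricter gate that holds a message when the envelope sender and the SPF result do not back up the "from" address. The addresses, the `mx.example.net` host and the rule that the list's own receiving server writes `Return-Path` and `Authentication-Results` are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

SUBSCRIBERS = {"member@example.org"}  # constructed subscriber list

# Constructed samples. Both carry a subscribed "From"; only the headers added
# by the (hypothetical) receiving server mx.example.net differ.
_TAIL = "From: Member <member@example.org>\nTo: list@example.net\nSubject: hi\n\nbody\n"
SPOOFED = ("Return-Path: <bulk@mailer.invalid>\n"
           "Authentication-Results: mx.example.net; spf=fail "
           "smtp.mailfrom=mailer.invalid\n" + _TAIL)
GENUINE = ("Return-Path: <member@example.org>\n"
           "Authentication-Results: mx.example.net; spf=pass "
           "smtp.mailfrom=example.org\n" + _TAIL)
OUTSIDER = "From: x@other.invalid\nTo: list@example.net\n\nbody\n"


def _addr(msg, header):
    """Return the bare, lower-cased address from an address header."""
    return parseaddr(msg.get(header, ""))[1].lower()


def naive_gate(raw):
    """First test only: accept if the From address is subscribed."""
    return _addr(message_from_string(raw), "From") in SUBSCRIBERS


def stricter_gate(raw):
    """Return 'reject', 'hold' (for moderation) or 'post'."""
    msg = message_from_string(raw)
    sender = _addr(msg, "From")
    if sender not in SUBSCRIBERS:
        return "reject"
    envelope = _addr(msg, "Return-Path")
    same_domain = envelope.rpartition("@")[2] == sender.rpartition("@")[2]
    spf_pass = "spf=pass" in msg.get("Authentication-Results", "").lower()
    # A faked From usually arrives from an unrelated system, so the envelope
    # domain or the SPF result gives it away; hold rather than post.
    return "post" if same_domain and spf_pass else "hold"


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, naive_gate(raw), stricter_gate(raw))
```

Mail sent from a compromised account (case 1 above) would pass both gates, because it really does come from the account the address belongs to; only the spoofed case (case 2) is caught this way.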