Thought for the day: Don't get duped by the spoofers

Spoof e-mails are on the increase and users should be made aware of how they can avoid being duped, says Pete Simpson.

Faked, or "spoofed", sender addresses are not a new phenomenon, but over the past few months this characteristic seems to have become increasingly common.

The recent Barclays and Citibank scams have shown that innocent victims can still be easily duped by fake e-mails purporting to come from legitimate sources.
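As an added illustration (not part of the column, and not Clearswift's code), the following shows the kind of header check a mail gateway or client plug-in can apply to flag a message whose sender presentation does not match its actual address or reply path. The two messages, the domains and the brand allow-list are constructed for the example and are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail): one spoof, one legitimate.
SPOOF_MSG = """From: "Barclays Online Banking" <security@barclays-verify.example>
Reply-To: collect@mailbox.example
Subject: Confirm your account details

Please confirm your password at the link below.
"""

LEGIT_MSG = """From: "IT Helpdesk" <helpdesk@corp.example>
Subject: Maintenance window tonight

The mail server will be offline from 22:00.
"""

# Assumed allow-list: brands a gateway expects to see only from these domains.
BRAND_DOMAINS = {"barclays": {"barclays.example"}, "citibank": {"citibank.example"}}


def domain_of(addr):
    """Return the lowercase domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoof_indicators(raw):
    """Return a list of reasons a message looks like sender spoofing (empty = none found)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reasons = []
    # 1. Display name claims a known brand but the address domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and from_dom not in domains:
            reasons.append(f"display name claims {brand} but domain is {from_dom or 'missing'}")
    # 2. Reply-To points at a different domain than From, so replies go elsewhere.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. Body asks for credentials or financial details, the lure the column describes.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if re.search(r"\b(password|pin|card number)\b", body, re.I):
        reasons.append("body requests credentials or financial details")
    return reasons
```

The constructed spoof triggers all three indicators while the legitimate notice triggers none; in practice such checks complement, rather than replace, sender authentication at the gateway.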

The impersonation of an individual is one matter, but the impersonation of large multinational corporations has recently become an issue, with the entry of the "cybersquatters".

Vast amounts of cyberspace real estate have been hijacked by using forged e-mail and false business fronts to trick the non-profit organisations responsible for the allocation of address spaces.

Identity in cyberspace has, indeed, become a murky issue.

The ePrivacy Group recently published a standard for e-mail digital signatures, and assertions about the sender's intent and integrity, as a proposed means to combat spam.

Perhaps prompted by such initiatives, some spammers have taken to displaying bogus signatures in their mail. However, any such encryption schemes are liable to suffer the same drawbacks as PKI infrastructures and browser certificates: great in principle, but largely unworkable in practice.

There is also a worry that any scheme demanding proof of identity will deny access to innocent users as well as to spammers. This raises serious civil rights implications, particularly for those resident in countries where the authorities are keen to curtail those rights.

Any such access control system may also be easily overcome. Some spammers are in league with a number of highly inventive individuals, technically knowledgeable in internet security, who will continue to find new tricks and channels, such as pop-up Windows messaging.

As well as deploying content-filtering software, organisations and individuals may be better served by adapting to meet the challenges of spoofed identities, and by learning to use multiple aliases to their own advantage.

By keeping tight control over professional e-mail identities and ensuring they are used for work purposes, and by encouraging employees to use alternative e-mail accounts for family and friends, organisations can reduce the threat of the spoof.

For other purposes on the internet, such as Usenet groups, disposable e-mail addresses should be used: the longer and more obscure the address, the better.

E-mail users should also use trustworthy e-mail providers and ensure they never divulge financial details or passwords in e-mail forms or at web pages linked from e-mails.

What do you think?

What measures have you taken to prevent spoof e-mails? Tell us in an e-mail >> reserves the right to edit and publish answers on the Web site. Please state if your answer is not for publication.

Pete Simpson is manager of ThreatLab at e-security specialist Clearswift.
