On the edge of virtual e-nsanity

Author: Molouk Y. Ba-Isa, Arab News Staff
Publication Date: Tue, 2002-09-17 03:00

ALKHOBAR, 17 September — All things, good, bad and horrible, generally make it to the Kingdom. First we had the Internet, then we got spam and now we have e-mail spoofing. What is e-mail spoofing? The most basic description is that it is an appropriation of your e-mail address. Let me explain how it works.

Let’s say that you are a company, Microsoft for instance, and that you have an e-mail address, [email protected]. Some nefarious person takes your e-mail address and uses it to send out false, malicious e-mail loaded with a very ugly virus as a payload. The person sends the e-mail in Microsoft’s name to journalists throughout the Middle East. Microsoft would of course be completely unaware that anything of the nasty sort was going down until their representatives started receiving unhappy telephone calls from people who insanely opened the e-mail attachment without scanning it first. They had naively considered Microsoft to be a "trusted source."

Think this is the stuff of fiction? Time for a reality check, folks. This is a true incident, which happened on Sept. 1. The e-mail had the header "salam" and was purportedly from Microsoft Inc. More than half the addresses on the recipients’ list belonged to journalists at Arab News. Initial investigations have shown that the individual who sent the mail had some professional training. The person attached a variant of a known virus hours before the fix was available. Although the criminal was creative, unfortunately the virus chosen came with a .exe extension. Frankly, I wouldn’t open a .exe attachment even if it came from my mother. Many networks won’t allow the opening of such attachments, either stripping them from the e-mail or rejecting the mail completely, so lots of people never received the virus at all. Microsoft was not too happy about the abuse of their e-mail address. I was informed that they have launched an investigation. Maktoob.com, which handles my public e-mail, told me that the spoofed mail came from an IP address in Azerbaijan, but this really means nothing.

E-mail spoofing is the forgery of an e-mail header or "From" section on an e-mail so the message seems to have come from someone or somewhere other than the actual source. E-mail spoofing works because Simple Mail Transfer Protocol (SMTP), the main protocol used in sending e-mail, does not include an authentication methodology. Although an SMTP service extension allows an SMTP client to negotiate a security level with a mail server, this precaution is not often taken. If the precaution is not taken, anyone with the right knowledge can connect to the server and use it to send messages. To send spoofed e-mail, senders insert commands in headers that will alter message information. It is possible to send a message that appears to be from anyone, anywhere, saying whatever the sender wants it to say. Thus, someone could send spoofed e-mail that appears to be from you with a message that you didn’t write.
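A defender-side illustration of the paragraph above, added here and not part of the original article: since the "From" header is only text supplied by the sender, a receiving system can compare it with the envelope sender and the topmost Received line, and flag the kind of .exe attachment the article describes. The message, hosts and addresses are constructed placeholders, and `domain_of` and `spoof_indicators` are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
# Constructed sample message: every name, host and address is a placeholder.
SAMPLE = """\
Return-Path: <bulk@dialup.example.net>
Received: from pc17 (unknown [203.0.113.45])
\tby mx.newsroom.example with SMTP; Sun, 1 Sep 2002 09:12:44 +0300
From: "Vendor Support" <support@vendor.example>
Subject: salam
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached update.
--b1
Content-Disposition: attachment; filename="update.exe"

(constructed placeholder body)
--b1--
"""

def domain_of(value):
    """Lower-cased domain of the address in a header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoof_indicators(raw):
    """Return reasons to distrust the From header; indicators, not proof."""
    msg = message_from_string(raw)
    claimed = domain_of(msg["From"])
    found = []
    # The envelope sender (Return-Path) is set separately from the From header.
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[header])
        if dom and dom != claimed:
            found.append(f"{header} domain {dom} differs from From domain {claimed}")
    # Topmost Received line is added by the receiving server for the last hop.
    hop = re.match(r"\s*from\s+(\S+)", (msg.get_all("Received") or [""])[0])
    host = hop.group(1).lower() if hop else ""
    if host and host != claimed and not host.endswith("." + claimed):
        found.append(f"handed over by host announcing {host}, not a {claimed} host")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            found.append(f"executable attachment {name}")
    return found
```

Legitimate mail sent through mailing lists or third-party relays can also trip the first two checks, so the output is a prompt to verify by another channel rather than a verdict.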

There is nothing that a personal user can do at this time to prevent e-mail spoofing. Internet service providers (ISPs) and network managers can help control this problem, but in the Kingdom few have the correct security measures in place. With this bleak assessment, what can individuals do? First, contact your ISP and express your concerns about Internet spoofing. Next, always remember that e-mail has the potential to be fraudulent and use a back-up for very important correspondence. I personally make sure that every important e-mail I receive is backed up by a signed fax. For example, if a company wants me to publish their quarterly results, I must receive the information by both fax and e-mail. Some people believe this system is neurotic, but until electronic signatures become common, I can’t think of a safer method.

If you do receive an e-mail that you believe is fraudulent, do not hesitate to pick up the telephone and contact the individual involved. The Washington Report on Middle East Affairs ran an article on Sept. 3 by Michael Gillespie, titled "Israeli computer hackers foiled, exposed."

The Washington Report story told how the e-mail addresses of dozens of human rights and anti-war activists had been abused by Israeli hackers during the months of July and August. For example, Israeli hackers targeted Stephen "Sami" Mashney, an Anaheim, California, attorney who has publicized the plight of Palestinians. According to Gillespie: "Mashney, who co-manages a popular pro-Palestinian e-mail list hosted by Yahoo! logged onto his Internet accounts on July 31 to find hundreds of e-mail messages from angry Americans. He quickly realized that hackers had appropriated or 'spoofed' his e-mail addresses and identity and sent out a message titled 'Down With America' in his name. The message named and included contact information for 16 well-known human rights activists and falsely claimed the activists wished to be contacted by anyone desiring advice or assistance in fomenting and carrying out anti-American, anti-Christian, or anti-Jewish activities. In an obvious attempt to damage Mashney’s reputation, the hackers appended his name, law office telephone number, and website address to the spurious e-mail."

Investigations into the attacks were launched. Management representatives at various ISPs around the world were contacted and they were informed that their equipment was being abused. Some of the attacks originated from a West Bank ISP reached on dial-up from an Israeli telephone number.

Interestingly, while Internet spoofing is immoral, it’s not illegal in the Kingdom. Just as there are no local laws to prosecute those who might spam you, there is little you or the authorities could do to someone who stole your e-mail address. Where is that legislation we’ve all been waiting for? If it isn’t approved soon we’ll be pushed right over into virtual e-nsanity.

(Comments to [email protected])
