On 11 Jan 2005 at 16:36, Mark D Lew wrote:

> On Jan 10, 2005, at 3:28 PM, David W. Fenton wrote:

[]

> > If spammers are smart enough to check the recipients in my outgoing
> > email and spoof challenge/response messages from those
> > correspondents, then email is completely dead.
> >
> > But I really don't think that's the case.
> 
> I think that's just a matter of time.  Spammers certainly do other
> clever tricks.  It sounds like your email address is even more public
> than mine, so if you haven't been spoofed in the Reply-to field, it's
> only because you're luckier than me. . . .

Oh, I've been spoofed in the From or Reply-To fields many, many 
times, but my point was that non-3rd-party challenge/response systems 
*can't* be spoofed. If you have to go to a Bway.net web page to 
authenticate, then, unless the spammer has hijacked my ISP, it's the 
real thing (of course, there's the issue of email programs that 
render HTML such that <A href="http://EvilSpammer.com/Authenticate">http://www.bway.net/Authenticate</a> 
shows up only as the display value, without telling you 
that the display value and the target are not the same).

That's one of many reasons why I'm so adamantly against HTML in email 
-- it allows the obfuscation of what's really in the email.

> I've been told that the more
> sophisticated spoofing spams try to use Web occurrences of an email
> address link to establish proximity to other email addresses.  Using
> that information, they might, for example, send out a spam with my
> address as the return address and send it out to anyone whose email
> address appears anywhere in the Finale List archives.  Then, anyone
> among the list members who has corresponded with me directly, or just
> recognizes my name, might open a spam message which might otherwise be
> trashed.  That sort of thing is already starting to happen.  I don't
> see why they wouldn't continue on to the next step, as the address
> harvesting software gets more sophisticated.

But there's no way for them to spoof the authentication of a 1st-
party challenge/response system under the hood -- they could only 
fake it, as in my example above.

-- 
David W. Fenton                        http://www.bway.net/~dfenton
David Fenton Associates                http://www.bway.net/~dfassoc

_______________________________________________
Finale mailing list
[email protected]
http://lists.shsu.edu/mailman/listinfo/finale
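The display-value trick David describes above (an anchor whose visible text is one URL while its href points somewhere else) is something a mail client or gateway can check for mechanically. The following is an added example, not code from the thread or from any mail software mentioned in it: it parses an HTML body, collects every anchor, and flags those whose visible text looks like a URL on a different host than the actual target. The sample HTML body and the hostnames in it are constructed for the demonstration; `EvilSpammer.example` is a placeholder.

```python
"""Flag HTML-mail anchors whose visible text names a different host than
the href actually points to (the display-value trick from the thread)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body (not from the original message).
# The hosts are illustrative placeholders modelled on the thread's example.
SAMPLE_HTML = """
<p>Please confirm you are human:
<a href="http://EvilSpammer.example/Authenticate">http://www.bway.net/Authenticate</a>
</p>
<p>Also see <a href="http://www.bway.net/~dfenton">David's page</a>
and <a href="https://www.bway.net/login">www.bway.net/login</a>.</p>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible_text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase hostname of a URL or URL-looking string, else None.

    Plain text such as 'David's page' has no dotted host and yields None, so
    only anchors whose visible text itself looks like a URL are compared.
    """
    value = value.strip()
    if "://" not in value:
        value = "http://" + value   # treat 'www.example.com/x' as a URL
    hostname = urlparse(value).hostname
    if not hostname or "." not in hostname:
        return None
    return hostname.lower()


def find_mismatched_links(html):
    """Return a list of {'shown': text, 'target': href} for deceptive anchors."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    mismatches = []
    for href, text in parser.anchors:
        shown = host_of(text)
        target = host_of(href) if href else None
        if shown is not None and target is not None and shown != target:
            mismatches.append({"shown": text, "target": href})
    return mismatches


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_HTML):
        print("display text %r actually links to %r" % (hit["shown"], hit["target"]))
```

Only the host is compared, so an anchor like `www.bway.net/login` that really points at `https://www.bway.net/login` is not flagged, while text that is not a URL at all is ignored; the check catches exactly the case the message describes, where the reader sees one site and is sent to another.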
