more on re spoofing scams?

[Dave Farber <dave () farber net>]

Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Fri, 16 Jan 2004 12:14:29 -0600
From: gep2 () terabites com
Subject: [IP] re spoofing scams?
To: dave () farber net

> How can one tell if an organization is what it claims to be online? Matt
Dircks, vice president of anti-spam software developer NetIQ Corp., of San
Jose, Calif., said if you receive an offer online, make sure to check out
the seller's Internet Protocol address, before transacting any business.
"If it says Citibank.ru, as in Russia, be wary," he told UPI.

One of the things that Microsoft needs to change in Internet Explorer is that
there needs to be a way you can see what ACTUAL IP address (and domain name!)
you're dealing with... after all the obscuring, bogus links, forwarding 
through
geocities.com and other stuff is done.

Second, there ought to be a way in IE that you can "authenticate" a Web server
you're connected with, perhaps with a built-in "Traceroute" function that you
can use to see if the domain name in question resolves to that of a known "bad
guy" rogue server.  For example, spammers have started using disposable domain
names, randomly generated subdomains, and "front" servers (often at
www.geocities.com) that make it harder to block these rogue sites.  It 
would be
a big improvement if one could block actual final IP addresses (and not just
domain names and specific subdomains) such that a fraudster's geocities.com 
site
that forwards folks to a known rogue server somewhere else could be easily
blocked.

> Whether a for-profit or non-profit company sends an e-mail solicitation,
and the IP address seems legitimate, people should look through the site to
see if there is a corporate history page, as well as sufficient contact
information to reach the firm offline, Larson said. "If you can't reach
them by telephone to confirm the offer, it could be fraudulent," Larson added.

> Lastly, experts advise, never respond directly to an e-mail ad by clicking
on a link in the message -- no matter how familiar you are with the brand.
"E-mail seems to be the medium of choice for these hackers," Weider said.
"But very few real banks, or companies, will ask you for financial
information by e-mail. These are definitely criminals."

Again, the big problem there is caused by HTML-burdened E-mail, scripting, and
links which claim they're one thing (say, "http://confirm.ebay.com";) and which
actually behind the scenes link to some rogue site in Romania or 
somewhere.  The
fact that HTML-burdened E-mail is permitted by default (both for sending and
receiving) by Outlook, AOL, MSN and other folks is **directly** to blame for
this.  If people would instead have to cut-and-paste the URL into their 
browser
then much of this kind of URL spoofing wouldn't be possible... (likewise when
the images come from a different server than the rest of the page) and if the
browser would tell people what Web server(s) they ACTUALLY are connected with,
that would also be a BIG help.

HTML, and attachments (by class, perhaps) in E-mail messages ought to ONLY be
allowed when sent by individual WHITELISTED senders (as specified by each
individual recipient).  The default should ABSOUTELY be to block HTML-burdened
E-mail from unapproved senders.  That, combined with a similar restriction on
attachments (and especially executable attachments) would have an IMMEDIATE
impact on the effectiveness of both spam AND viruses/worms.

This is an area where I'm surprised there hasn't been a class action lawsuit
against Microsoft (yet).  Their not-very-clever design choices have explicitly
provided a strong cover for this kind of widespread fraud and abuse.

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support the Anti-SPAM Amendment!  Join at http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/