Subject: [IP] More insecurity

  • From: David Farber <>
  • To: Ip ip <>
  • Date: Wed, 22 Jun 2005 15:31:21 -0400

Begin forwarded message:

From: Bob Frankston <>
Date: June 22, 2005 2:46:29 PM EDT
To: Dave Farber <>
Subject: More insecurity

I just found another letter from Bank of America that I had quarantined. I keep a list of sites that require extra security and make sure that their mail comes from a site in their domain. This isn’t a perfect algorithm but it’s a first order protection against a large percentage of the phishing attacks.

Maintaining my own site I can take measures that I would not tolerate if forced upon me. I can also catch exceptions and handle them myself.

In this case the message was a notification that I had changed my email address (which is correct) but it came from ( Looking back one level I find that it had come from ( Makes it hard to verify its authenticity.

Of course Outlook’s “security” isn’t troubled by this – it simply believes the “from” address and thus when I say I should trust mail from it does nothing to deal with spoofing.

Approaches with a third party security token and encryption are steps in the right direction though only early steps that have their own issues.

The problem is compounded by AOL and others that don’t allow me to send mail from my domain – I must use UNTRUSTED third parties like Comcast and RCN instead. For now I go through DynDNS or TZO.

Bob Frankston
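
The domain check described in the message above, as an added example (not the author's own filter): mail whose From domain is on a watch list is accepted only if the topmost Received header, the one written by the recipient's own server, records a relaying host inside that domain. The watch list, the `.example` domains, the header layout and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the reader's own list of senders that get the extra check.
PROTECTED_DOMAINS = {"bank.example"}

# "from <HELO name> (<reverse-DNS name> [<ip>])" as many MTAs write it.
# The HELO name is chosen by the sender, so only the reverse-DNS name is used.
RECEIVED_FROM = re.compile(r"^from\s+\S+\s+\(([^\s\[\)]+)?\s*\[[^\]]*\]\)", re.I)

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def classify(raw_message):
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    protected = next((d for d in PROTECTED_DOMAINS if in_domain(from_domain, d)), None)
    if protected is None:
        return "not-protected"            # sender is not on the watch list
    received = msg.get_all("Received") or []
    if not received:
        return "quarantine"               # nothing to verify against
    top = " ".join(received[0].split())   # unfold the header written by our own server
    m = RECEIVED_FROM.match(top)
    rdns = m.group(1) if m else None
    return "accept" if rdns and in_domain(rdns, protected) else "quarantine"

def _msg(sender, received):
    return f"Received: {received}\nFrom: {sender}\nSubject: notice\n\nbody\n"

# Constructed sample messages (not real mail).
SAMPLE_DIRECT = _msg('"Bank" <alerts@bank.example>',
    "from mail3.bank.example (mail3.bank.example [192.0.2.10])\n\tby mx.home.example with ESMTP")
SAMPLE_THIRD_PARTY = _msg("alerts@bank.example",  # genuine notice sent through an outside mailer
    "from out.mailer.example (out.mailer.example [198.51.100.7]) by mx.home.example")
SAMPLE_SPOOFED_HELO = _msg("alerts@bank.example",  # claims the bank's name in HELO only
    "from mail.bank.example (unknown [203.0.113.5]) by mx.home.example")
SAMPLE_OTHER = _msg("friend@other.example",
    "from smtp.other.example (smtp.other.example [192.0.2.44]) by mx.home.example")

if __name__ == "__main__":
    for name in ("SAMPLE_DIRECT", "SAMPLE_THIRD_PARTY", "SAMPLE_SPOOFED_HELO", "SAMPLE_OTHER"):
        print(name, classify(globals()[name]))
```

The third-party case shows why the quarantined notice in the message was hard to authenticate: a legitimate mailing relayed through an outside host fails the same test a spoof does.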

