e-Computer: Targeted by e-mail spoofers
NEW YORK - Arab-American activist Nawar Shora checked his e-mail one day and found scores of angry messages asking why he hated Americans and Jews. The messages were responding to e-mails marked as coming from him.
Only one big problem: Shora never sent the hate mail.
Shora, a legal adviser to the American-Arab Anti-Discrimination Committee, was the victim of a new form of harassment in which fake e-mail is sent using real addresses.
By exploiting the simplicity and openness of the Internet's mail protocols, unidentified provocateurs have been sending incendiary messages posing as Shora and other Arab-Americans.
The tactic, known as e-mail spoofing, requires little technical know-how and no illegal computer break-ins. Yet it has caused a lot of trouble - wasting time, damaging reputations, and even leading to the suspension of e-mail accounts.
"One was a long, detailed essay about how evil Jewish people are and how we have to kill them all. (Another said) America deserved what it got as if we were a branch of al-Qaeda," Shora said. "In the times we live in, those are all dangerous. There's already a negative sentiment against Arab-Americans."
E-mail can easily be spoofed by tweaking settings on standard e-mail software. Several Web sites even automate the process by creating Web-based forms for sending fake e-mail.
It's analogous to putting someone else down as the return address on letters dropped in the corner mailbox.
Spoofing generally isn't illegal because no hacking is required, FBI officials say, leaving prosecutors with little recourse unless there's a threat of death or violence involved. And finding culprits is tough - after all, they are using someone else's identity.
Though messages carry an electronic version of the postmark, which can sometimes betray a spoof, few bother or know how to check.
Instead, they assume the message is genuine. The purported senders then get angry replies, along with e-mails returned as undeliverable because they went to bad addresses or full mailboxes. These returns are how individuals and groups learn they've been spoofed.
As if that weren't bad enough, someone who used Francis Boyle's address requested return receipts for each message, leaving the University of Illinois law professor with 55,000 items when he returned from a three-week vacation last August.
Boyle, whose pro-Palestinian viewpoints are controversial, tries to respond to each message but laments that much of the damage can't be undone.
The messages harassing Arab-American activists began about a year ago and intensified as the conflict in Iraq dominated headlines. Some groups reported another increase after the United States' invasion last month.
The Anti-Defamation League, a Jewish civil rights organization, says it has not been the victim of spoofing. But it stepped in to help clear a private company, International Information Systems Security Certification Consortium Inc., which found anti-Semitic remarks circulating under its name in September.
The practice isn't limited to the Mideast and the Iraq war.
Last month, Scottish bankruptcy lawyer Gregor Murray learned someone had sent out a fake pitch declaring, "I'm a ruthless bastard and I will screw the opposition to the wall even if it means bending a few rules." The firm suspects a losing party sent the e-mail, though police could not trace it.
Some individuals also found their names used in junk e-mail. Mike Masnick, president of Techdirt Inc., got angry replies "using all sorts of language I wouldn't repeat in normal company."
Spoofing will only get worse as kids, pranksters and fired employees discover its ease, said David Ferris, president of a messaging research firm in San Francisco.
Laura Gurak, director of the Internet Studies Center at the University of Minnesota, said spoofing underscores the need for greater cyberliteracy so Internet users can better sort fact from fiction.
Little can be done to prevent it without completely reworking mail protocols, which were developed when the Internet was far smaller and more genteel. And even changes to require authentication of senders can threaten whistle-blowing and other needs for anonymity.
Digital signatures, using systems such as Pretty Good Privacy, can help. Jon Callas, chief technology officer for PGP Corp., notes that many security bulletins now carry such signatures so recipients know a recommendation is for real.
"The Internet is a pretty rough-and-tumble place," said Ibrahim Hooper, spokesman for the Council on American-Islamic Relations. "If you're going to take advantage of the things that it can do for you in terms of advocacy and outreach, you have to be prepared to deal with these situations and work around them."
Cybercrime News Archive
^macro[showdigestcomments;^uri;e-Computer: Targeted by e-mail spoofers;]