Life After Spoof

Contrary to what you and thousands of other innocent e-mailers might have read in your inbox last month, I am not selling pills to temporarily cure erectile dysfunction, I am not offering discounts on prescription drugs and I do not know where to find designer watches.

Instead, I was “spoofed,” apparently an IT security colloquialism for saying that some spammer found my email address online and put it in the reply field of thousands upon thousands of junk messages he (or she, I guess) sent to people I’ve never met in my life.

It’s not like I knew what was happening at the time. One day, my email was working normally — the usual deluge of notes from colleagues and friends. The next day, a Sunday, my account was inundated with thousands of bounce-back messages from Web servers all over the world.

“Returned mail: see transcript for details,” read the subjects. “Undeliverable.”

Some of the blowback came from well-known anti-spam solutions, declaring, “Message you sent blocked by our bulk email filter.”

Immediately, I feared the worst: someone had hijacked my machine. I ran Norton, Zone Labs and Adaware (yes, I have all three); each of which turned up blank for malware, spyware and viruses. Quizzically (but thankfully), additional diagnostics also came back negative.

The next morning, I tried my Internet Service Provider, where a cordial customer service representative checked the logs and told me that none of the messages actually was sent from my account.

Relief was followed by curiosity and concern. What the heck happened? And how could I clear my name?

Dermon Hartnett, principal analyst for the anti-spam engineering team at Symantec, was the first to tell me I’d been spoofed. Hartnett looked at some of the messages I received, and noted that the only difference between traditional spam and spoofed spam messages is that with the latter, spammers rely on the tactic of ‘familiarity’ between sender and recipient.

True meaning of horror

Later in the week, Rand Wacker, group product manager for IronPort Systems, offered an even more serious perspective. Walker said that especially for we freelance writers who constantly use our Web sites to broadcast our email addresses to the world, very little can be done to permanently prevent a similar spoof attack from happening again.

Given this reality, I was worried that being spoofed might blacklist me from some important email servers down the road — the true meaning of horror for us freelancers, who use e-mail  to connect with sources and editors all the time..

But Ofer Elzam, director of product management at Aladdin Knowledge Systems, said occasional (and innocent) spoofing victims like myself don’t have to worry about being blacklisted at all.

Elzam told me that because it’s so easy for spammers to spoof legitimate email addresses, most network administrators set up anti-spam filters to block entire e-mail servers instead, a practice that blocks spoofing when legitimate users send mail through trusted pathways.

“Security managers are aware of the spoofing techniques so they do not really accuse the real email owner of spamming or attacking,” he said.

Still, there had to be some sort of precautions I could take to improve my chances against spoofing the next time around.

Sven Krasser, director of data mining research for Secure Computing Corp., suggested two different options — both of which I have since taken to heart.

The first suggestion revolved around something called a Sender Policy Framework (SPF), an open standard that specifies a technical method to restrict which mail servers can send on behalf of a domain.

Krasser said this data is published using the same system that maps host names to IP addresses, which means that when a third party receives an email from a particular mail server, it can retrieve the SPF record for that host name and see if the mail server trying to deliver the message is listed as a valid sender for that domain.

The second suggestion focused on another open standard: Domain Keys Identified Mail, or DKIM.

Like SPF, DomainKeys also requires users to publish a record for their domain names, but when you send a message, it is cryptographically signed by your outgoing mail server. The receiver of your email can then check whether your signature is valid by retrieving the domain key record for your domain.

Because spammers can’t produce valid signatures, their messages will be identified as spoofs.

“In both cases, it’s like the post office which stamped your letter must be in a pre-approved list to send letters with your postal address,” he quipped.

Armed with these two standards, I feel like I’ve beaten my spoofer once and for all.  Sure, complying with the two new standards slows down my email a bit, and yes, haters, both efforts require widespread adoption to ever make that much of a difference.

At this point, however, after surviving a terrible spoofing attack, I’ll take all the help I can get.