¿ªÔÆÌåÓý

  1. GroupManagersForum
  2. Topics

Spoofing email addresses

Pete Spotts
 

Sorry folks, a newbie here. What's the best way to prevent people from using another member's email address to plant a faux post from the unsuspecting member? We've just set up our account and I've been able to file a test post using another member's email -- his email address, my signature in the body.

I know, too much time on my hands.

With best regards,

Pete
 

Pete,

What's the best way to prevent people from using another member's
email address to plant a faux post from the unsuspecting member?
I don't think there's anything the group management can do about that in terms of settings or other technological approaches. This may be something that you have to approach as a member management issue (grounds for moderation, removal, or banning) if and when it occurs.

In the case of messages posted to Groups.io I haven't tested it myself, but I would expect Groups.io to drop most forms of "spoofed" messages -- particularly those that come from spambots and other illegitimate sources. Less certain (in my mind) are those that come by way of a legit email service - as is probably the case in your test.

Major email services such as Yahoo Mail and Gmail don't allow users to spoof just any address - they require that you prove you are a legit user of that address. Usually they send a code to the address and you have to enter it. A malcontent won't be able to set up a spoof of an unsuspecting member using such a service.

I have used ISPs that don't bother with that test, and allow their users to spoof (nearly) any email address. Verizon, for example, used to allow me to spoof any address that wasn't another Verizon user. I'm not sure what, if anything, Groups.io would be willing to do technologically about malcontents who use a service like that.

If you have a specific example you might cite it to [email protected] and see what they have to say about it. There are tell-tales in the message headers that would allow them to recognize a spoof originating at a legit service. But Groups.io might be hesitant to reject all such spoofs, as there may be people using that technique legitimately.

Shal
Pete Spotts
 

Many thanks, Shal. I suspected that might be the case. We'll just have to keep
an eye out...

With best regards,

Pete

--

Peter N. Spotts -- NM5PS
ARRL Public Information Coordinator, New Mexico Section

Email: nm5ps@... | Skype: pspotts
QCWA #34679 | SKCC #4853S | QRP-ARCI #4174
NEQRP #714 | NAQCC #2446 | G-QRP #13202 | Polar Bear #348

On Tue, 2017-08-22 at 16:58 -0700, Shal Farley wrote:
Pete,

?> What's the best way to prevent people from using another member's
?> email address to plant a faux post from the unsuspecting member?

I don't think there's anything the group management can do about that in?
terms of settings or other technological approaches. This may be?
something that you have to approach as a member management issue?
(grounds for moderation, removal, or banning) if and when it occurs.

In the case of messages posted to Groups.io I haven't tested it myself,?
but I would expect Groups.io to drop most forms of "spoofed" messages?
-- particularly those that come from spambots and other illegitimate?
sources. Less certain (in my mind) are those that come by way of a legit?
email service - as is probably the case in your test.

Major email services such as Yahoo Mail and Gmail don't allow users to?
spoof just any address - they require that you prove you are a legit?
user of that address. Usually they send a code to the address and you?
have to enter it. A malcontent won't be able to set up a spoof of an?
unsuspecting member using such a service.

I have used ISPs that don't bother with that test, and allow their users?
to spoof (nearly) any email address. Verizon, for example, used to allow?
me to spoof any address that wasn't another Verizon user. I'm not sure?
what, if anything, Groups.io would be willing to do technologically?
about malcontents who use a service like that.

If you have a specific example you might cite it to [email protected]?
and see what they have to say about it. There are tell-tales in the?
message headers that would allow them to recognize a spoof originating?
at a legit service. But Groups.io might be hesitant to reject all such?
spoofs, as there may be people using that technique legitimately.

Shal
 

Pete Spotts <nm5ps@...> wrote:


Sorry folks, a newbie here. What's the best way to prevent people from
using another member's email address to plant a faux post from the
unsuspecting member? We've just set up our account and I've been able to
file a test post using another member's email -- his email address, my
signature in the body.
It's impossible to completely prevent this, since the system uses the
"aparrent" email address to know who is posting. There are ways of
comparing headers in the email, but doing so would probably block a large
number of legitimate messages.

On the other hand, many (most?) ISPs now prevent emails being sent from
addresses that are not their own, and third-party providers require a
username and password, so the risk is probably not great - and much less
than it used to be.

73

--
rgds
LAurence
<><
...
It'sdifficulttobeverycreativewithonly58characters
 

¿ªÔÆÌåÓý

On 8/23/2017 12:39 PM, Laurence Taylor wrote:

On the other hand, many (most?) ISPs now prevent emails being sent from
addresses that are not their own, and third-party providers require a
username and password, so the risk is probably not great - and much less
than it used to be.

If all the ISPs did implement the SPF checking, a parameter of the DNS record, the problem would go away...

--
73 Alberto I2PHD
Credo Ut Intelligam
 

Alberto,
Wishful thinking. ?As soon as one weak point is securely closed, the bad people will find two more. ?It is a continuous war, never seemingly won by either side, fought battle by battle.
--
Bob Bellizzi

The Corneal Dystrophy Foundation

1 - 6 of 6