GAMBIA-L Archives

The Gambia and Related Issues Mailing List

GAMBIA-L@LISTSERV.ICORS.ORG
Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: Managers: Do something about this impersonation
From:
"Katim S. Touray" <[log in to unmask]>
Reply To:
The Gambia and related-issues mailing list <[log in to unmask]>
Date:
Sat, 6 May 2000 16:46:58 -0700
Content-Type:
text/plain
Parts/Attachments:
text/plain (65 lines) 
Hi Prince,

Thanks, but no thanks for your contribution on the issue of impersonation on
Gambia-L.  The reason for the "thanks" is that all ideas are welcome on
Gambia-L, and I say "no thanks" because the last thing we need is for
someone to be giving people more ideas about how to go about messing up the
list.

Having said that, I would like to reassure everyone that, fortunately, there
is a flaw in Prince's argument.  As I indicated before, the confirmation
requirement means that whenever you send a posting to the list, the server
will re-send it to you asking that you confirm that it's indeed from you.
You will then have to acknowledge the request for confirmation before your
posting is distributed.  Please note that all you need to do to confirm that
the posting is from you is to hit your "Reply" button, and type the "OK"
without the quotation marks, and then the "Enter" key in the first line of
your reply.  The server will then distribute your posting to the list.

The fact that the request for confirmation goes to the address that it was
from means that contrary to what Prince claims, it would not be a trivial
affair to bypass this bottleneck.  Thus, if I subscribe the address
[log in to unmask] and someone impersonates me by sending a posting in that
name, that person will be able to reply to the request for confirmation only
if he breaks into my hotmail account, and replies to mail sent there.  In
that event, not only has the person committed a crime against me (by
impersonating me), but he or she as also tresspassed Hotmail's computers,
and should be prepared to deal with the consequences.

To recap, while it is fairly easy to impersonate someone in the absence of a
confirmation option, it will from now on be more difficult, simply because
acknowledgements to the confirmation requests are only accepted if they come
from the address to which they were sent.  This is because the list server
keeps track of confirmation messages using tags it generates itself, and you
can only forge them if you see them.  Given that you only see them if they
are meant for you, why would you want to forge them anyway?

I hope this clears the picture.  Again, please excuse the hassle all this
will cause.  I'm sure some will find it a bit frustrating in the begining,
as they grapple with this confirmation thing, but I'm sure very soon, we'll
all be pros at it.  Have a great weekend, and best wishes.

Katim
----- Original Message -----
From: Prince Obrien-Coker <[log in to unmask]>
To: <[log in to unmask]>
Sent: Saturday, May 06, 2000 12:44 PM
Subject: Re: Managers: Do something about this impersonation


Katim,

I am extremely sorry to inform you that your "confirmation" strategy to
prevent impersonation will not work with either dynamic IP addresses or the
"portmanteau" email accounts like that of Hotmail.com or Yahoo.com. The
method being used to impersonate someone is more sophisticated than merely
sending an email in somebody else's name. It is a method more akin to
hacking or hijacking (cyber-jacking) of someone's email account and that

----------------------------------------------------------------------------

To unsubscribe/subscribe or view archives of postings, go to the Gambia-L
Web interface at: http://maelstrom.stjohns.edu/archives/gambia-l.html

----------------------------------------------------------------------------

ATOM RSS1 RSS2