Did you get an unexpected e-mail that appeared to be from bioneural.net, but contained a virus or a message about following a link to read the full message? You've just been spammed via a trick called "spoofing"! Can PGP or S/MIME help you separate the wheat from the chaff?
Spam, or unsolicited e-mail, is so-called in homage to a Monty Python sketch in which a group of Vikings drown out a conversation by singing "spam, spam, spam". You can hear the original sketch here.
Spammers (may they burn in hell) use a number of tricks to achieve their evil goals. Among these is "spoofing": using a fake e-mail header to make it appear that an e-mail was sent by someone else and not from the spammers own account. Someone has been spoofing e-mails that appear to come from me. How do I know? Because I've recently been getting a number of mail delivery failure messages concerning e-mails I never sent to persons I don't know.
Is spoofing ever legitimate?
Yes. If you change the "Reply-to:" field in your e-mail client to redirect any replies to e-mail sent from one of your own accounts to another account of your own. Read more here.
What should I do if I have received (illegitimate) spoofed e-mail?
If you receive a spoofed e-mail, never open any attachments and never follow the link: delete it immediately. If you are curious and have the time, you may be able to trace where it really came from.
How can I verify the sender's identity?
Public-key infrastructure (PKI) cryptography is a method of protecting information in transit, but provided the verification of the identity of the key-holders is carried out in a dictatorial fashion, the origin authentication of the message is also assured. If only Alice knows the private phrase key to make an exchange work, then only Alice can have sent the message. A PKI process is used to 'sign' a message whereby the private key of an individual can be used to 'hash' the message.This can then be verified against the sender's public key. This ensures the data's authenticity and origin without conferring privacy, and is called a 'digital signature' (see Medicine and the Internet).
Using a public/private key pair to verify a digital signature
Even the spammers have tried to bypass spam filters by inserting digital signatures. But an authenticated digital signature is still, at this time, a guarantee that the message is from a genuine origin and has not been tampered with.
Authentication and privacy of e-mail via encryption is offered by OpenPGP-compliant products and by Secure Multipurpose Internet Mail Extensions (S/MIME), both proposed Internet standards. OpenPGP does not rely on certification of your identity by a third party, whereas S/MIME does.
What does a PGP-signed message look like?
Here is an example of a PGP-signed message being received in Apple Mail, with PGP Desktop 8.1 for Mac OS X (from PGP Corporation) installed. Note the "Verify" button:
Click the Verify button to reveal from whom the message originally came:
If you are not able to verify this signature against my Public Key it may be a spoofed message.
Is there another PGP solution that works with Mail?
Yes. An alternative OpenPGP solution is to install Mac GNU Privacy Guard (MacGPG) together with the GPGMail plugin for Apple Mail. This will enable you to verify messages signed with any other OpenPGP-compliant tool, including PGP Desktop.
Are there drawbacks to PGP digital signature authentication?
Firstly, you need to have PGP software installed on the signer's machine, and also on the machine of the person receiving the message. Secondly, as my wife pointed out, the PGP digital signature might be mistaken for an attached virus by the unwary:
Is there a non-PGP solution that works with Apple Mail?
Yes. The version of Mail that shipped with Mac OS X 10.3 (Panther) allows you to sign and validate the authenticity of e-mail addresses with an S/MIME certificate. You could get a Thawte Personal E-mail certificate (X.509 format) as described here. But you might want to read this first.
Once you have downloaded and installed your certificate in Mac OS X Key Chain, when you compose a message you will see this icon in the New Message window:
When the recipient opens a signed message, s/he will see this indicator:
Are there drawbacks to S/MIME digital signature authentication?
Getting a certificate is a bit complex, and you/ your contacts need an e-mail client that supports S/MIME. You also need a separate certificate for each e-mail address you might use. Incidentally, you cannot protect the contents of a message unless the proposed recipient also has a certificate and s/he has previously sent you a signed message. Received certificates are automatically added to your Key Chain so that when you compose a message to another S/MIME user, you see these icons in the New Message window:
When the recipient opens a signed and encrypted message, s/he will see these indicators:
Is a message from bioneural.net was spoofed or genuine?
As of 25.04.04, genuine messages will carry an S/MIME digital signature.
How do I validate a digital certificate using Mail?
In the version of Mail that shipped with Mac OS X 10.3 there doesn't appear to be any way to manually check that a digital certificate is valid (using CRL or OCSP). Wouldn't this defeat the point of using digital signatures? However, Apple says Mail users can "Sign and validate the authenticity of email addresses with an S/MIME certificate" suggesting an automated solution. If you receive a certificate that can't be validated, Mail will warn you with the following message:
Note that if you click Show Details you can choose to trust the certificate anyway by clicking OK; this will then give you the option to exchange encrypted messages:
Has anybody found a way of changing which of their certificates are automatically attached to an outbound e-mail sent using Apple Mail? By default Apple Mail only appears to send my own signing certificate. It would be useful if I could also attach my organisation's root certificate as well.