The donation process

By Larry Seltzer  |  Posted 2004-08-02

I actually clicked on the Donate link, which is usually safe if you're all patched up and have anti-virus software, but it's still a bit scary. Since the page is down you can't verify any of this anymore, but there were a bunch of other red flags on it. First, the links in the e-mail had said that it would take me to "Make a secure donation," but the page it took me to was HTTP, not HTTP Secure. Funny how most phishers don't want to get an actual digital certificate.
There were also "contribute by mail" and "contribute by phone" links on the page, but they were dead. Gosh, I wonder why?

The Web site—the From: domain—is even more interesting. The ownership records are incomplete, but the domain is for sale. The address and phone number, if you want to buy it, are in Cape Verde, an island off Senegal in the north Atlantic Ocean.

I didn't go through with the payment process so I don't know how well-done it is, but certainly nobody with a modicum of sophistication about the Web should be fooled. Of course, the Web isn't supposed to require a modicum of sophistication in order to be used. So what's the solution?

First, the owner of (it's registered to someone in India) should get in big and conspicuous trouble. Actually, just in case it's unclear that they are responsible, it should be even easier to track who the credit card payments would have gone to. I want everyone to see this person carried away in chains.

Another part of the answer is SMTP authentication. This particular message may actually have come from the mail domain it claims to have come from, but the vast majority of the ones I've seen have appeared to come from "" or "" and so on, and they can do that because SMTP is unauthenticated. All these attacks lose some credibility when the mail spoofing aspect of them is gone, and that also makes it a little easier to track down the senders, too.

A survey by MailFrontier shows a series of e-mails and asks whether you think they are real or phishing attacks. MailFrontier actually eliminated the message sender information and changed all the Web links in the messages to point to them, so in fact as a practical matter the survey is useless (and arguably dishonest). Your best tool is taken away. But look at the survey anyway and approach it as a test of how you would judge the messages if you didn't know how to look at a Web link and figure out that it isn't what it should be. It's not easy to tell.

Blithely proclaiming that "education is the answer" is a cop-out in this situation because normal users shouldn't have to learn what they'd need to learn to tell the difference—and they won't. The solution will have to come elsewhere, probably from technology. The beginning is the adoption of MARID or some standard like it, and the next step will be anti-fraud systems based on accreditation and reputation. In that sense, phishing is part of the same exact spam problem that will kill off e-mail unless we stop it.

To read Larry Seltzer's in-depth analysis of MARID, the Internet Engineering Task Force's attempt to standardize SMTP authentication, click here. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
