Any self-respecting ISP these days with Email support should require log on with password for each connection of the email client on your PC to download Email, AND for each connection to their SMTP server to send Email from your PC client. If you are using an ISP SMTP server and local Email client on your PC, a hacker must know more than your Email address in order to use his PC to connect to your ISP via the Internet and send Email through your ISP as if they were you. I believe SMTP ports for sending Email have been encrypted-password-secured by my current ISP for at least a decade. And, even before send-password security was added, it was typically impossible to access the outbound SMTP server unless your own IP address was one assigned by that ISP, so a hacker would have to have had service through that same ISP in order to exploit the pre-password exposure. In the earlier days of the Internet, SMTP servers tended to be less secured; but spammer exploits long ago made that practice untenable.

I much prefer the security of having my Email folders and Email contact lists reside on a local machine where I control the choice of operating system, the security access, backups, and archiving. When you retain your Email and contacts within someone else's server outside of your control, your data is no doubt on a system which contains data from many thousands of users -- which immediately makes it a much more visible and attractive target for hackers. Should that server have any flaw or weakness it is much more likely to be exploited than a flaw on my less public Fedora SELinux system, which has minimal Internet visibility and much less data that would be attractive or useful to a hacker.

Someone who doesn't have access to your mail account and password can still always forge an Email FROM address, but in most cases the routing headers should reveal the fraud. As there is no forced agreement between the SMTP logon and the EMail-client-supplied FROM address (there are legitimate reasons for differences), a forger could establish their own account with the same ISP and send from that to get the correct routing headers, but that would involve cost and also leave an incriminating audit trail. With appropriate tools and incentive, one can forge plausible (but not perfect) bogus routing headers that would suggest mail with a forged web mail FROM address came from the appropriate server for that forged address; but since only a small minority of Internet Email users know how to examine routing headers or how to interpret them and this would also require additional research and effort for the forger, most forgers don't bother with this. There's nothing special about web mail Email addresses that makes them any more difficult to forge, since there's no need for forged Email to actually originate from the web-mail server or ISP server that the forged headers imply.

If you really need your Email recipients to be certain you are the originator of Emails claiming to be from you, you probably should be using digital signatures on your Email and be sure your contacts know how to verify your signature. In most cases, it's simpler for all parties to just remember that any FROM address may be bogus and act with appropriate caution.
  JC Ewing

On 09/20/2012 04:47 PM, J R wrote:
That's what he said, "Web pages *do* require passwords to access your account."
> Date: Thu, 20 Sep 2012 16:54:16 -0400
From: scott_j_f...@yahoo.com
Subject: Re: OT - disappearing responses
To: IBM-MAIN@LISTSERV.UA.EDU

Mike,

I don't follow the logic; can you elaborate for me?
I thought all web mail needed passwords? If I am mistaken, man, I want to know.

Scott Ford
www.identityforge.com

On Sep 20, 2012, at 11:57 AM, Mike Schwab <mike.a.sch...@gmail.com> wrote:

On Thu, Sep 20, 2012 at 10:19 AM, zMan <zedgarhoo...@gmail.com> wrote:
On Wed, Sep 19, 2012 at 8:01 PM, Mike Schwab <mike.a.sch...@gmail.com> wrote:

That account goes away if you change providers or move and have to
change providers.  Plus it enables a lot of impersonation.  And when
you upload any attachments, you are certain it gets to your email host
anyway.

"Plus it enables a lot of impersonation."?? Huh? How is a webmail account
any more immune to this?
--
zMan -- "I've got a mainframe and I'm not afraid to use it"

Someone could start their PC, start their email client, enter your
email as the sender, and start sending emails through your account via
SMTP by only getting your email address.  No password required.  Web
pages do require passwords to access your account.
--
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?

...


--
Joel C. Ewing,    Bentonville, arjcew...@acm.org        

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
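
The routing-header check discussed in the top message, as an added example that is not part of the original thread: it believes only the Received lines written by the recipient's own servers and compares the host that handed the mail to them with the FROM domain. The hostnames, the Postfix-style Received layout and the function names are assumptions; a mismatch is a reason for caution rather than proof of forgery, since the two can differ for legitimate reasons.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (made-up hosts, documentation IP ranges). The bottom
# Received line is the kind a forger can write; the middle one was written
# by the recipient's own server and records who really connected.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id A1; Thu, 20 Sep 2012 17:01:02 -0400
Received: from webmail.example.com (smtp.bulkhost.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2; Thu, 20 Sep 2012 17:01:00 -0400
Received: from browser (unknown [203.0.113.5])
\tby webmail.example.com with HTTP id C3; Thu, 20 Sep 2012 17:00:58 -0400
From: "A Friend" <friend@webmail.example.com>
To: user@recipient.example
Subject: hello

body
"""

# Assumes Postfix-style lines: "from HELO (reverse-dns [ip]) by host ..."
HOP = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([^\]]+)\]\).*?\bby\s+(\S+)", re.S)

def under(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def received_hops(msg):
    """(peer_name, peer_ip, by_host) for each Received header, newest first."""
    found = (HOP.search(h) for h in msg.get_all("Received", []))
    return [m.groups() for m in found if m]

def check_origin(raw_message, trusted_domain):
    """Find the hand-off into trusted_domain and compare it with From."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    for peer, ip, by_host in received_hops(msg):
        if not under(by_host, trusted_domain):
            break  # not written by our own servers: stop believing the chain
        if not under(peer, trusted_domain):
            return {"from_domain": from_domain, "handoff_host": peer,
                    "handoff_ip": ip, "consistent": under(peer, from_domain)}
    return None  # no hand-off from outside was recorded by a trusted host

if __name__ == "__main__":
    print(check_origin(SAMPLE, "recipient.example"))
```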
