<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 2/25/15 2:07 PM, Rick Moen wrote:<br>
</div>
<blockquote cite="mid:20150225220718.GM25066@linuxmafia.com"
type="cite">
<pre wrap="">Quoting Scott DuBois (<a class="moz-txt-link-abbreviated" href="mailto:rhcom.linux@gmail.com">rhcom.linux@gmail.com</a>):
</pre>
<blockquote type="cite">
<pre wrap="">A good example of why I send _signed_ mail and suggest others do as
well.
</pre>
</blockquote>
<pre wrap="">
Sending signed e-mail seems at first useful to ensure that other people
won't believe forgeries are from you. You think 'Ah, other people will
_know_ it's not from me because it doesn't verify as having my GPG
signature.'
This _could_ work if (1) people have a chain of signatures permitting
them to trust that the key is yours, and (2) they are bothering to check
keys at all.
And that's almost nobody, at present.
General-case spam sent out from a compromised webmail account is not
relying on recipients _believing_ that the sender is real. The spammer
is merely trying to reach more people and take advantage of
whitelisting.
For the second case of 'send money to me because I'm a stranded
traveler' fraud mail, the spammer _is_ hoping some recipients believe
the impersonation, _but_ as with similar 419 advance-fee frauds, they're
consciously aiming at unusually credulous people. Indeed, they're
tailored to be worded to have a particular, very peculiar narrative with
the explicit intent of reaching a narrow, vulnerable subpopulation:
<a class="moz-txt-link-freetext" href="http://news.yahoo.com/study--obvious-nigerian-scam-emails-appear-that-way-for-a-reason.html">http://news.yahoo.com/study--obvious-nigerian-scam-emails-appear-that-way-for-a-reason.html</a>
<a class="moz-txt-link-freetext" href="http://www.techrepublic.com/blog/it-security/the-truth-behind-those-nigerian-419-scammers/">http://www.techrepublic.com/blog/it-security/the-truth-behind-those-nigerian-419-scammers/</a>
All the 'send money to me because I'm a stranded traveler' scammers need
is to find a _single_ person in a compromised Yahoo Mail account owner's
address book who falls for the story, and they can steal vast amounts of
money. And the odds of their target population even noticing a missing
gpg (let alone wrong) signature is exactly zero.
</pre>
</blockquote>
<br>
The 'send money to me because I'm a stranded traveler'
is know as the Spanish Prisoner
<meta http-equiv="content-type" content="text/html;
charset=windows-1252">
. It's one of the oldest confidence scheme known, dating back to the
16th century. A number of studies have shown that the return on
these scheme, that is the number of people who respond to this, is
miniscule, if I remember correctly it's hovering around 0.01%.
Considering the cost to sent out tens of thousands of emails is
basically nothing and the fact that Nigeria and most of west Africa
are very poor countries, the couple of thousand they do manage to
bilk people out of is, for them, lucrative.<br>
<br>
Until the underling protocols of email are revamped to include
strong and automatic authentication and authorization we will never
be rid of these schmucks. If one thinks about this for more than a
few seconds one quickly comes to understand that task of developing
such a protocol, getting the various group that develop and support
email to adopt this new gee-wiz protocol and, then get the world
converted over is the proverbial
<meta http-equiv="content-type" content="text/html;
charset=windows-1252">
kicking a dead whale down the beach.<br>
<br>
<br>
<br>
Josef<br>
<br>
<pre class="moz-signature" cols="72">--
Josef Grosch | Another day closer |
<a class="moz-txt-link-abbreviated" href="mailto:jgrosch@gmail.com">jgrosch@gmail.com</a> | to Redwood Heaven | Berkeley, Ca.</pre>
</body>
</html>