Monday, November 28, 2005

You didn't get email from me

I just received automated responses from approximately 341 of you about spam supposedly sent from my email address and advertising various products (mostly logos, as indicated by a sample). Looking at the headers, it seemed clear that the email was sent from other computers, and the "Return-path" address was spoofed as one I've put out for people to contact me but which I never use myself to send messages. If you happen to have gotten a spam email from me in the last couple of hours, it's highly likely that it was part of that bogus mailing.

If you want to understand more about the spam process and how to trace spam to its source, Google can find multiple articles on the subject. While I'm no expert in the subject, Dan Boneh at Stanford University seems to have published a good and not-too-technical explanation.
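The header check described above, as an added example that is not part of the original post: it compares the domain claimed in Return-Path with the host that actually handed the message to the recipient's mail system, ignoring Received lines the recipient's own servers did not write. The sample message, the domain `recipient.example`, and the `from host (name [ip]) by host` Received layout are assumptions made for illustration.

```python
import email
import re

# Constructed sample (documentation domains and addresses only). The bottom
# Received line is the kind a sender can forge; the one above it was written
# by the recipient's own MX and records the host that really connected.
SAMPLE = """\
Return-Path: <contact@example.org>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby store.recipient.example; Mon, 28 Nov 2005 10:02:11 -0500
Received: from host77.example.net (host77.example.net [203.0.113.77])
\tby mx.recipient.example; Mon, 28 Nov 2005 10:02:09 -0500
Received: from mail.example.org (mail.example.org [198.51.100.5])
\tby relay.example.org; Mon, 28 Nov 2005 10:01:50 -0500
From: <contact@example.org>
Subject: Logos

body
"""

HOP = re.compile(r"from\s+(\S+)\s+\([^)]*\[([0-9A-Fa-f.:]+)\]\)\s+by\s+([^\s;]+)")

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def external_handoff(msg, our_domain):
    """Newest Received line written by our servers about an outside host."""
    for value in msg.get_all("Received", []):  # headers are newest first
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        sender, ip, receiver = m.group(1).lower(), m.group(2), m.group(3).lower()
        if in_domain(receiver, our_domain) and not in_domain(sender, our_domain):
            return sender, ip  # the bracketed IP is what our server observed
    return None

def analyze(raw, our_domain):
    msg = email.message_from_string(raw)
    claimed = (msg["Return-Path"] or "").strip("<> ").rpartition("@")[2].lower()
    hop = external_handoff(msg, our_domain)
    # A mismatch is a lead, not proof: legitimate mail is often relayed by
    # hosts outside the sender's domain, and the logged name may be a
    # sender-supplied HELO string.
    mismatch = hop is None or not in_domain(hop[0], claimed)
    return {"claimed_domain": claimed, "handoff": hop, "mismatch": mismatch}

if __name__ == "__main__":
    print(analyze(SAMPLE, "recipient.example"))
```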

If you get a legitimate email from me, there's a high likelihood it will be signed. About the only emails I don't sign are short messages I send to people when I've been in an email conversation over the course of a few hours and those people probably expect another email soon.

You can check the signature of any such email using GnuPG and my public key, which you can download from available keyservers. If it's signed but the signature won't validate, then it wasn't from me.

If you ever get an email from me that you consider out of place, please let me know. While I'd like to think I'd never send such an email, I'm open to the notion that others' perceptions of email are different than mine, and I like to hear about it anytime I cause anyone a problem.


