[IP] ACM e-mail looks like Phishing -- again! [RISKS] Risks Digest 24.08
Begin forwarded message:
Date: Tue, 18 Oct 2005 15:08:08 -0500
From: James Garrison <jhg@xxxxxxxxxxxxxxx>
Subject: ACM e-mail looks like Phishing -- again!
The organizations that should know better just don't seem to be learning.

Today I received a request to participate in a survey, titled "New ACM
Products/Services Survey" (I am a member of ACM). There were a number of
things wrong with it:

1) The "From" address was not an acm.org address.
2) The link to the survey pointed to a site also not in acm.org
3) The survey link included an opaque token
4) The message was not digitally signed

The fact that the from address and link don't point back to acm.org is a
classic hallmark of phishing. The fact that the link contained an opaque
token marks it as possible e-mail address harvesting. The lack of a
signature means it's not possible to validate the message's authenticity.

Actually, come to think of it, items 1 & 2 may ironically point to the
message's authenticity. A real phisher would have made sure the reply-to
address and displayed link were in acm.org. So this is either genuine or a
very incompetent phisher :-)

Unfortunately, this is the third such e-mail I've received from the ACM in
the past couple of years. Each time I point out the obvious problems, and
get a polite, if miffed-sounding reply. And nothing changes. How hard is
it to buy a copy of PGP (or install GPG) and publish a key for this purpose
on the ACM's website?

Of all organizations in the world, I would hope that ACM would be leading
the battle against e-mail fraud by example, not lagging far behind. Yes, I
know key management isn't simple, but you'd think it would be worth the
effort for the ACM.

James Garrison, Athens Group, Inc. 5608 Parkcrest Dr Austin, TX 78731
http://www.athensgroup.com 1-512-345-0600 x150 jhg@xxxxxxxxxxxxxxx
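
The four indicators listed in the message, written as a mail-triage check; this is an added example, not part of the original e-mail. The sample message, the `survey-vendor.example` host, the token value and the 16-character token threshold are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qsl

# Constructed sample message; every name, host and token below is made up.
SAMPLE = """\
From: ACM Survey <survey@survey-vendor.example>
To: member@example.org
Subject: New ACM Products/Services Survey
Content-Type: text/plain

Please take our survey:
http://survey-vendor.example/s?id=9f3a7c21d4e84b06a1c5
"""

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_message(raw, expected_domain):
    """Return the indicators (numbered as in the message above) that fire."""
    msg = message_from_string(raw)
    findings = []
    # 1) "From" address outside the claimed organization's domain
    addr = parseaddr(msg.get("From", ""))[1]
    if not in_domain(addr.rpartition("@")[2], expected_domain):
        findings.append("from-domain")
    # Only single-part text bodies are handled, to keep the example short.
    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = [urlparse(u) for u in re.findall(r"https?://[^\s<>\"']+", body)]
    # 2) link to a site outside the domain
    if any(not in_domain(u.hostname, expected_domain) for u in urls):
        findings.append("link-domain")
    # 3) opaque token: a long hex/base64-like query value (threshold assumed)
    if any(re.fullmatch(r"[A-Za-z0-9_-]{16,}", v)
           for u in urls for _, v in parse_qsl(u.query)):
        findings.append("opaque-token")
    # 4) no S/MIME or PGP/MIME signature part, and no inline PGP armor
    signed = (msg.get_content_type() == "multipart/signed"
              or "-----BEGIN PGP SIGNED MESSAGE-----" in body)
    if not signed:
        findings.append("unsigned")
    return findings

if __name__ == "__main__":
    print(check_message(SAMPLE, "acm.org"))
```

The presence of a signature block is only detected here, not verified; validating it still requires the sender's published key.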