This article is more than 1 year old

Online impersonations: no validation required

How do you know what's real and what's not?

Refuting email

In sensitive environments, PGP signatures or similar key-based systems can be used to authenticate the sender. These cryptographic systems validate your identity because only the sender has the right keys. However, few people use PGP for general email communications and it does not authenticate you with new acquaintances.

With free email services, disabling an imposter becomes more difficult. In most cases, you must authenticate yourself before the hosting provider will take action, but not to open the account. For example, anyone can register a Yahoo! Mail account using your name. If Yahoo! Mail has an email account that is impersonating you, then you can fill out their abuse form. This form requires you to describe the incident and identify yourself.

In contrast to Yahoo!, Gmail requires you to print out the imposter's email and mail it to them through the postal service. Gmail offers no method for submitting an online complaint about an imposter.

Although sites such as Yahoo! and Gmail do provide options for refuting and disabling an imposter's account, other public mailing systems are not as responsive. For example, Hushmail allows people to report abuse. However, they will not investigate abuse complaints (other than spam complaints) and refuse to disable any imposter's account without a court order.

Since Hushmail does not authenticate during enrolment and does not remove abusive accounts, you should personally verify the sender's identity before responding. Any email from "hushmail.com", "hush.com", "hush.ai", etc., could be an imposter. While Hushmail does use PGP for email authentication, this only validates that the email was sent using Hushmail; it does not validate the person who opened the Hushmail account.

External authentication is one option to mitigate the impact from general email impersonations. Build a reputation around a known email address and maintain a website that can quickly be used to identify you. If your emails always come from "mydomain.org", emails from some other domain should be suspect.

Mitigating mailing lists

While an imposter's email account can be disabled, the damage from posted messages is usually permanent. While some mailing lists will remove messages from their archives, most will not. And even if the message is removed, many mailing lists are mirrored; an imposter's posting could live indefinitely on hundreds of archive sites. Exposing the imposter by posting to the list or informing the list manager, is usually enough to mitigate any damage.

Unfortunately, some unmoderated forums have a large number of imposters. Contesting an imposter may not be worthwhile; if many people are impersonated, then malicious postings are usually suspect without any feedback from you. In addition, any identification of an imposter could be overlooked in high-volume forums.

Web of lies

Along with impersonating email addresses, imposters can create fictitious websites. Yahoo! Mail includes web space at Geocities, Gmail includes Googlepages, and there are thousands of other hosting providers. The inability to authenticate an owner opens the door to impersonations such as phishing; anyone can create a web page that looks like Citibank and anyone can register a domain name similar to "citibank.com". No validation required.

Refuting a fake website really depends on the type of impersonation and the hosting location. Companies such as Yahoo! and Google are extremely responsive to phishing reports. Due to well-organised efforts by groups such as the Anti-Phishing Working Group, reported phishing sites are usually taken down within hours, and sometimes within minutes. If the hosting site is non-responsive, then network routers can restrict access to these sites until the phishing site is removed.

While web impersonations usually refer to companies, they can also apply to individual people. Unfortunately, if the site is impersonating a person - and not a company - then refuting the site becomes more complicated. Yahoo! Geocities links web pages to email accounts. If you can refute the Yahoo! email account, then you can disable the imposter's web page. In general, your ability to refute a fake web page really depends on the hosting provider. Look at their site for a method to report abuse and be prepared to validate that you really are you.

Next page: Invading my space

More about

TIP US OFF

Send us news


Other stories you might like