Electronic Mail--Email

• A Brief History
• The Mailbox File
• Email Addresses
• The Format of an Internet Email Address
• Format of a Message
• The Message Header
• Privacy Issues
• Encryption
• Social Issues
• spam
• Phishing
• Email Viruses
• The Art of Replying
• Nicknames, Aliases, and Advanced Topics
• Managing Multiple Mailboxes

When an office worker wanted to communicate with a fellow worker, she had 3 choices:

1. She could get up from her chair, and go to the person's office. That is, assuming the person was in the same city, or building. However, the person might not be in their office at that particular time.
2. She could call them on the phone. This saved a trip around the building, but still has the problem that the person might not be in their cubicle when she calls, or might be on the phone with some one else.
3. She could write a quick interoffice memo, and put it in his mailbox. The person would find it the next time he went to the mail room and checked his mail. However, if the note was something like: "How about lunch in 20 minutes?", and the person only checked his mailbox twice a day, he would likely get the message too late.

Enter the first email (electronic mail) software programs. Since people where spending a lot of their time sitting in front of their computer terminals (so called dumb terminals because they only displayed 24 lines by 80 columns of fixed width text, no graphics), why not deliver a message straight to their screen?

The email software allowed the user to write a message to a coworker, and have it delivered to them moments later, right on his terminal screen. If he was not actually there working at the computer when the message was sent, it didn't matter because he would see a message "You have new mail" when he returned to use the computer. Thus, email seems to have the potential for the quick delivery of messages, like a phone call or "popping" into someone's office, but the advantage of an office memo in the person didn't actually have to be there at the time the message was sent!

The Mailbox File

As email software grew more sophisticated, it not only displayed individual messages, but allowed the user to delete some messages while keeping others, and to answer a message, or forward to a colleague.

On computers like icogsci1, which run the UNIX timesharing system, the mailbox file is usually called:

	/usr/spool/mail/cg3xzz

	/var/mail/cg3xzz

The UNIX based mail reading programs like Mail, pine, and elm know this file and open it directly when you read your mail. You could also use an editting program like vi or pico or emacs to examine your mail file (once you know the name). The email software programs have the advantage over these editors though because they deal with whole messages, for display, reply, or deletion.

Email Addresses and Aliases

Email aliases can be created to make it easier to remember address, or for lists of addresses. That is, you create an alias called "suzzy", which is easy to remember, that really sends to the email address "cg3xzz", which is probably harder to remember. Or you can create another alias called "movies", which is a list of the people's mail addresses--joe, cg3xzz, cg3xqm, and cg3xma--you like to go to the movies with. Then you can send to "movies" without having to type the whole list of names.

Then Came Networks.

Before the Internet, some early networks were set up using modems (at very low speeds back then, only 1200 bits per second). That's because there was no network infrastructure in place to connect computers, so the readily available telephone lines were used instead. One computer would call another using the modem, and the transfer any waiting mail messages. Typically, you wanted to avoid long-distance phone charges, so your computer would only call other computers that were near to it in terms of long distance costs, or wait until late at night when the phone rates dropped. Sending email to someone on a distant computer would probably involve several modem-phone calls.

• In such a network, the address would have to specify each system in the path (from computer to computer) that the mail would have to travel; something like

  A!B!C!D!E!joe
  

  This means: from the computer you are on, send to computer "A", and from there to computer "B", then to "C", and to "D", and finally to "E" which is where joe's mailbox is located. You couldn't send directly to E!joe because your machine doesn't network directly with "E", only "D" does. You may still see some of this style address (called a UUCP address) occasionally.
• This is called a store and forward system. Each computer (say, computer "C") in the chain receives the message and stores it until it is time to call/access the next computer in the chain/path. Then that computer (C) tries to forward the message to the next computer in the chain ("D").
• Without a central database of which system called up which, and what the optimal paths were (i.e., what time those phone calls were placed to minimize long distance charges), email addresses were a quite pain to manually generate. Of course, using aliases could help here.
• Because the phone calls were often made at night when phone rates were lower, exactly when the mail file would finally arrive at its final destination was problematic.

Mail Gateways.

For instance, an email address on a decnet network looked like:

host::user

user%host@decnet-gateway.some-domain.somewhere

When email passed through the gateway, the addresses (To:, Cc:, and From:) needed to be re-written from match the address format used by the other email software. (E.g., host::user) Because of the different style addresses, and assumptions built into the particular mail system, re-writing the addresses in the headers could be akin to black magic.

The growth of the Internet has caused many organizations to replace their email system (like ccMail) with one that works directly on the Internet (like Eudora). So the need for mail gateways is disappearing.

Internet Email Addresses

Now many/most email addresses use the Internet form of:

  username@host.domain

  cg3xzz@icogsci1.ucsd.edu

There are several top level domains in the United States: gov, mil, com, net, org, and edu. So you have addresses that look like: wallen@nprdc.navy.mil and of course cg3xzz@icogsci1.ucsd.edu. Note: the notation following the @ sign is not a path to the host, it is a unique name, unlike the A!B!joe example we talked about earlier.

cg3xzz@icogsci1.ucsd.edu means a user/account called cg3xzz on a computer called icogsci1, which is located in the domain ucsd, which, in turn, is part of the .edu domain (in the United States).

The Internet is more than a little USA-centric, because it was first invented here. That's why there are domains like .gov and .edu without a geographic indicator. Other countries use a 2 character country domain code. For example:

• .de is Germany,
• .uk is Britain (United Kingdom),
• .au is Australia,
• .br is Brazil,
• .us is United States,
• and one of my favorites: .ch is Switzerland!

  kalish@rat-maze.psy.uwa.edu.au

Fully Qualified vs Unqualified

But if someone is sending mail from off campus, then the fully qualified domain name of cg3xzz@icogsci1.ucsd.edu must be used.

In terms that will appear several more times during the quarter, we might say that an email address with the "fully qualified" domain name is an absolute (email) address. The address is always correct, though perhaps longe(r) and (more) cumbersome to use. On the other hand, an email address with the "unqualified" domain name (i.e., just the host name, and no domain specification) is a relative email address. That is, relative to the domain that you are in when you use it.

Of course, you could always just create the alias "suzzy" and have it point to the fully qualified address.

POP (Post Office Protocol).

• Identify herself to a mail server via an account and password
• Read/Copy mail messages from the mail server, and then read them offline.
• Delete mail messages from the mail server

SMTP

In fact, in order to help combat spam many ISPs (Internet Service Providers) require you to use their SMTP server in spite of what POP server you use. UCSD has this policy in place--campus Network Operations requires you to authenticate yourself before you can use one of the campus SMTP servers.

IMAP

POP works fine for people who primarily work from a single computer. IMAP is better for people who use more than 1 computer frequently; e.g., a computer at the office, and another at home, and a 3rd while "on the road".

IMAP is more flexible POP, but puts much more "strain" (computing and storage load) on the server, which is why it is not more widely implemented.

What is Eudora?

UCSD has a site license from Qualcomm for Eudora. There is also a free version (called the "sponsored" version becaus it displays ads while you are using it). You can get either version by FTPing to ftp://ftp.eudora.com.

UNIX Mail Readers vs Eudora (an other POP clients)

Format of a Message

Email messages were originally modeled after interoffice memos. Some of the format is reminiscent of those office memos.

There are several distinct parts to an email message. From top to bottom

1. The headers contain the address information about who you are sending the message to, both directly via the To: line, and indirectly via the "carbon copies" (Cc: line.) You should also enter a Subject: line. Your email software will add a From: line with your email address, and probably a line with the Date:. Mail servers add "Received:" lines to the headers to show the mail routing.
2. The body which contains the message portion of the mail.
3. You may also include an attachment of one or more "documents". The document is encoded in a way to allow it to pass through the email systems. When you receive email with an attachment, you may be informed that there is one, or it might just show up as a block of garbled text as part of the message. Different email readers: (Eudora, pine, elm, Netscape), handle attachments in different ways.

When you create a new email message, or read one that some one has sent to you, Eudora and pine show a horizontal line between the headers and body of the message. There is not really a line in the message itself, of course; a blank line is what actually separates the headers from the body.

The Message Header

• To: [Required] Contains the email addresses of the main recipients of the message. There must be at least one address on the To: line. If you want to send to multiple email addresses, use a comma as the delimiter (separater) between the addresses.
  Note: the SMTP protocol allows recipients to specified outside the message headers. That is, there is a conceptual envelope that accompanies a email message, much like real mail has an envelope. The address information inside the envelope and outside may not match!
• From: This line is automatically added by the email software along with your email address. This allows people to reply to your message.
• Date: This another line usually added by your email software package. This is typically the date and time you started composing your message, rather than the time it was sent.
• Subject: [Optional] But you should always put in a subject line, and make it meaningful. It's a courtesy to your recipient because it is helps the recipient organize her email.
• Cc: "Carbon Copies" [Optional] Other people you want to see the message. For instance, suppose you had spoken to Doris on the phone about meeting for lunch. You would also like Jane to join you and Doris as well. So you send an email message To: Jane inviting her to join you both, and you Cc: Doris. That way, Doris knows that Jane is invited, and when Jane replies, Doris will know whether Jane is coming or not. (But only if Jane replies properly, including all message recipients; more later in the art of replying.
• Bcc: Blind Cc: [Optional, rarely used] When you want other people to see the message but you don't want the main recipients to know they are getting the message too. That is, the message will be sent to all the To: and Cc: addresses as normal, but to the Bcc: addresses as well. However, there is no line in the header (or anywhere else) that lists the Bcc: recipients.

  If this sounds a little sneaky, it probably is. Not all email packages even offer a blind Cc: capability. Because it is rarely used it is difficult to conjure up an example, however... Recall the previous luncheon scenario with Doris, Jane, and you. Now imagine that you have a third friend, Phyllis, who does not get along with Doris (at all!). You might send your note to Jane, inviting her, with the Cc: to Doris, so she knows Jane is coming, and a Bcc: to Phyllis so she doesn't show up at the same restaurant by accident. (Yes, I know it's contrived.)

  Another use of the Bcc: is to send email to a list of people, for instance, a list of your clients, where you don't want any of them to see each other's email addresses or names. In this case, you send the email to yourself, and then Bcc: everyone else.

  Eudora has a Bcc: line in its headers, ready to use. Pine also has a Bcc: capability, but it is more subtle to use. You must have the cursor (UNIX cursor) in the headers part of the message, and then you can type ^R (Ctrl+R) for "Rich Headers", which will open a new Bcc: line.

• Attachments. [Optional] Used to send "native" Macintosh (or Windows) documents that can be recognized by the receiver.

  When you include attachments as part of the message, they do not appear in the message that you see either, except for a line in the header area.

  • It's good to mention in the text of your note that you are sending an attachment. Eudora can be configured to automatically save attachments. If you don't say anything in your note, the recipient might not even know they got the attachment!
  • Use the Attachments selection in the Message Menu to send an attachment.
  • The person receiving your email needs to have Eudora or a similar email client that knows how to decode the attachment. Otherwise, separating the attachment from the rest of the message, and restoring the original document can be painful.
  • The person receiving your document needs to have an application capable of dealing with it! That is, if I send you an mpeg type movie clip, your Eudora will save it back into its original state, but you may not be able to see it unless you have a program that understands the mpeg format.

Other Header Lines

Typically, your mail reader (pine or Eudora) will hide these from you. In Eudora, simply click the "blah blah" icon on the toolbar above the message to see all the headers.

In pine, you use the "H" command to see the additional headers, and you may have to have enabled/turned on the "enable-full-header-cmd" in the pine set up, in order to have the "H" command.

• In the process of delivering the mail, SMTP servers will tack on "Received:" lines. These may help you trace the route your message took in getting to you.
• The SMTP delivery process will probably also tack on a Message-Id line with an unique identifier that can be used to trace the message through server log files. (Privacy Invasion?)
• There might be a "Reply-To:" line, which can added by the sender's email package. It is the preferred address to use when Replying to her, as opposed to the address in the "From:" line. That is, when you reply, your email program should use the Reply-To: address. If you have multiple email accounts (@UCSD, @HOTMAIL, @AOL, etc), you might wish to set the Reply-To: for all of those accounts to point to a single address (like the @UCSD one). That way all mail should come back to one place (mailbox).
• There may be any number of "X-" header lines that are added by particular software packages. For instance, UCSD has recently started scanning incoming and outgoing email for viruses. The scanner will add a line like:

  X-MailScanner: PASSED (v1.2.6 81531 g97FTxLx097448 mailbox1.ucsd.edu)
  

  to the headers.

An Example -- a Scam letter

The Message Body

Some mail readers, notably those from Microsoft, have had bugs in the software that interpreted stylized text which (potentially) allowed hackers to compromise your computer by sending a specially crafted message.

Privacy

Also, SMTP servers keep log files of mail transfers. Generally, these only have the date, time, sender name, and recipients; not even the Subject: is logged. The log files are used to help track down problems with delivery. But they might also be used to find out who you correspond with.

Email Privacy in Industry

The courts have generally upheld this policy (corporate email is not private).

Scanning for Viruses and spam and ...

Some ISPs scan email for spam (unsolicited commercial email); UCSD is now doing so as well. (See spam below.)

Some online services, for instance Prodigy, even "screen" their discussion forums for offensive content.

When you first start using an email service you should ask the provider of the service for a written copy of their policy on email. That way you can be sure that your use of email is consistent with their policy. That is, if you work for a company that says it will read every message, you probably would not want to send or receive private/personal messages. [By the way, companies have every right to have such a policy.]

Privacy in the UC System

On the UCSD instructional systems, email privacy is maintained as much as possible according to that UC Policy. However, as the policy states, the ACS people who maintain the computer systems may have to access to mail files in order to keep the systems running. However, complaints about students abusing email or another computer service will be investigated. Such abuse may lead to academic expulsion.

Email Can Come Back to Haunt You

LESSON BEING LEARNED FROM MICROSOFT TRIAL: E-MAIL CAN HURT

With old e-mail messages playing an important role in the charges and countercharges being leveled in the Microsoft antitrust case, organizations are busy reminding their employees to think before they type (and then always clean up after themselves). One example is the Amazon.com company, which created an event called "Sweep and Keep" to reward employees for purging e-mail messages no longer required for business or legal reasons. This "documentation retention" policy [Orwell, where are you?] was followed by a "documentation creation" policy that said: "Quite simply put, there are some communications that should not be expressed in written form." (New York Times 11 Nov 98)

E-PRIVACY MAY BE UP TO THE INDUSTRY

Addressing the audience at a free public conference in London concerning anti-online crime legislation, public key encryption inventor Whit Diffie said that the high-tech industry and Internet users must take full responsibility for protecting privacy on the Internet. Intelligence agencies are becoming more aggressive in their efforts to spy on online transmissions, according to Diffie. Yet, world governments will be powerless to stop criminals from increasingly targeting Internet users over the next several years, Diffie added. The London conference centered on two pieces of legislation--the Electronic Communications Bill and the Interception of Communications Act. The U.K. government says the two measures will help it crack down on criminals on the Internet. The regulatory approach has its critics, however. "The solution is to get away from regulating the technology and move to regulations based on functionality," says Ross Anderson, chairman of Cambridge University's Computer Laboratory. (TechWeb 09/23/99)

TIMES COMPANY DISMISSES 23 OVER E-MAIL

The New York Times Company yesterday fired 23 workers for internally circulating e-mail that violates the company's e-mail policy. The company's policy states that "computer communications must be consistent with conventional standards of ethical and proper conduct, behavior, and manners and are not to be used to create, forward, or display any offensive or disruptive messages, including photographs, graphics, and audio materials." Other workers at the company's administrative center in Norfolk, Va. where the dismissals occurred received warning letters as a result of the episode. Although the company has terminated employees in the past because of e-mail violations, this is the largest group to date, says the New York Times' Nancy Nielsen. (New York Times 12/01/99)

THE WEB: NEW TICKET TO A PINK SLIP

Employees caught surfing forbidden Web sites are increasingly being fired. At Xerox, for example, 40 employees were fired after software recorded them visiting Web sites pertaining to shopping or pornography and spending inordinate amounts of their work day online. Overall, the company monitors the online activities of all of its 92,000 employees worldwide. In 1999, 45 percent of employers admitted they monitor employees' phone calls, computer files, or e-mail messages. The issue of privacy is therefore arising, but employers claim monitoring is needed to see if workers are sending hate e-mail or wasting too much time online. Employers can record and view everything done on a computer, which makes privacy obsolete in the workplace. The consequences for misusing the Internet are great, and employees may not find any help in a court of law, since the judges usually handling the cases do not often rule in favor of employees. Lawyers argue that employers should warn that they may read workers' e-mail and review their Web use. (New York Times 12/16/99)

PRIVACY WATCHDOGS SUE FEDS OVER E-MAIL

The federal government may be monitoring the private e-mail of its citizens, as well as those of other countries, according to the Electronic Privacy Information Center (EPIC), which has filed a lawsuit to force the National Security Agency (NSA) to hand over documents it says will prove the accusation. The NSA engages in international surveillance for the U.S. government, and a growing body of evidence suggests that the agency's efforts include the harvesting of e-mail, says EPIC director Marc Rotenberg. EPIC filed the suit because the NSA failed to respond to a Freedom of Information Act request for the documents. Earlier this year the House Intelligence Committee requested access to the documents, but was snubbed by the NSA, which said it could not release the documents for reasons of national security. EPIC, the ACLU, and other privacy groups claim that an NSA program called Echelon is responsible for the e-mail surveillance. An NSA spokeswoman refused to confirm or deny the existence of Echelon, but said that the agency is in strict compliance with U.S. laws and regulations regarding the privacy of U.S. citizens. (Interactive Week Online 12/06/99)

POLL: MORE WORKERS VALUE E-MAIL, VOICE-MAIL PRIVACY

Forty-four percent of employees say the workplace monitoring of email represents a serious ethical breach, compared with only 39 percent who say the same of workplace video surveillance, according to the third workplace ethics survey from the Society of Financial Service. The poll also found that a greater percentage of employees think the monitoring of voice mail and inspection of lockers or work areas is more invasive than the monitoring of email. The survey polled 436 workers and 121 high-ranking members of management. Just 39 percent of the bosses surveyed say email monitoring is seriously unethical. Furthermore, the poll finds that 50 percent of bosses and 45 percent of employees say using personal email at work is unethical, and 56 percent of bosses and 58 percent of employees say the same of Web surfing. A survey conducted last year by the American Management Association determined that roughly 67 percent of companies electronically monitor their employees in some fashion. "Employers are on a collision course with employees regarding privacy," says National Work Rights Institute President Lewis Maltby. (USA Today, 27 March 2000)

E-MAIL CATCHES UP TO SNAIL MAIL

E-mail is now used by more than half of U.S. households and has taken on a variety of new tasks, such as conveying important medical, legal, and financial information. However, experts warn against the vulnerability of many of today's electronic messages. Whereas mail delivered by the U.S. Postal Service is slow, it is much more secure, in part because of the culture that degrades the value of e-mail while criminalizing the violation of snail mail. ISPs and employers, too, have a free rein to observe the e-mail activity of those using their networks. The number of employers watching their workers' e-mail has risen to 47 percent, according to the American Management Association, up from 38 percent in 1998. Moreover, ISPs keep some record of user activity in logs that can be accessed at the behest of the FBI or a court order. (USA Today, 15 May 2001)

And here is, perhaps, a solution to some of the problem:

'SELF-DESTRUCT' E-MAIL OFFERS VIRTUAL PRIVACY

The problem of e-mail being stored on computers on both the sending and receiving end as well as along the networks they travel long after being erased by sender and recipient--and sometimes coming back as evidence, as in the Iran-Contra and Microsoft antitrust cases--could become a thing of the past after the introduction of a new system from San Francisco-based startup Disappearing. The Disappearing system creates a temporary "key" for sender and recipient to encrypt and decrypt messages. After a certain amount of time set by the sender, the "key" will be destroyed at Disappearing's site and the e-mail message will no longer be readable. The system should be available in the first part of 2000. (USA Today 10/07/99)

Forgery

Forging email is explicitly forbidden by the UC Policy.

"Human Engineering"

This is called "human engineering" because it is people using their people/social skills (to get your account information) rather than people using computer skills to hack into a system.

THAT E-MAIL FROM THE NETWORK ADMINISTRATOR COULD BE A VIRUS

A new e-mail virus is circulating the Internet posing as a message from a network administrator. The e-mail, which has a subject line of "your account," spoofs a return address to make recipients believe it is a legitimate e-mail from an administrator; if opened, the attachment attempts to mass e-mail itself. What makes this virus notable, said Sharon Ruckman of Symantec Security Response, is the "social engineering aspect." The message in the e-mail indicates that the "administrator" needs to relay important information about the account. "This e-mail address will be expiring," says the note. "Please read attachment for details." Ruckman noted that such language is likely to fool many users into opening the attachment. ZDNet, 4 August 2003 http://zdnet.com.com/2100-1105_2-5059087.html

Digital Identity

In order for Internet business to grow, at some point we'll need to have some sort of digital signature, and have it recognized as having legal standing.

The whole issue of being able to identify oneself in a convenient, but difficult to forge/impersonate, way is of great interest. Things like smart cards, or bio-based systems (finger prints, retinal scans, voice "prints") are being developed and tried. There is a $100 device that can be attached to a floppy drive that will read finger prints.

These "biometric" devices are getting much cheaper to produce. You can expect to see them in wide use within a few years. For instance:

FINGERPRINTS AS PASSWORDS: TWITCHING TO TAKE HOLD IN INDUSTRY

Fingerprint scanning technology should be gradually implemented by the banking industry as a means of verifying identity, says Identix CEO Randall Fowler. Identix, a leader in image scanning technology, produces biometrics products capable of distinguishing between an actual fingerprint and a photo of one. Fowler stresses the need for fingerprint scanning technology, noting that financial transactions no longer occur face to face, but "between two strangers with a piece of silicon in between them." He says, "Somebody has to give the silicon the ability to recognize who it's dealing with, particularly in the banking industry." In line with providing this technology, Identix and Motorola recently formed a partnership to develop biometrics devices that will eliminate the need to use PIN numbers in accessing a banking network. Motorola's Digital DNA unit has reduced the size of its CMOS-chips that store fingerprint optics, so the chips can be attached to the side of phones, cash registers, ATMs, and other devices. Fowler says financial institutions are likely to adopt biometrics technology slowly, as they replace computer systems. (Future Banker 07/99)

DIGITAL SIGNATURES, ANTICYBERSQUATTER BILL APPROVED

The U.S. House Judiciary Committee gave its approval to two pieces of technology-oriented legislation, one a bill that gives digital signatures equal standing with written signatures in the eyes of the law, and the other a bill that empowers businesses to take civil action against cybersquatters. The digital signatures bill, which does not extend as far as similar legislation passed by the House Commerce Committee, urges the establishment of a federal standard for digital signatures that would foster the growth of electronic commerce. States and the parties involved in transactions will retain the option of using handwritten signatures for some documents, according to terms of the legislation. The bill may be considered by the House Rules Committee early next week. The anticybersquatter bill gives domain name registrars the power to bar people from registering trademarks if it can be determined that they have unscrupulous motives for doing so. (Bloomberg 10/13/99)

ONLINE CONTRACTS FAIL IN HOUSE

The House of Representatives narrowly defeated the Electronic Signatures in Global and National Commerce Act yesterday. The bill, which grants online signatures the same legal status as those on paper, needed a two-thirds majority to pass, and received 234 votes in favor and 122 opposed. The White House and consumer advocates such as Margot Saunders of the National Consumer Law Center were opposed to the bill due to fears that it removed critical consumer notification protections in the banking and insurance industries. A White House statement said consumers need to be guaranteed the same sort of protection online that they receive in the traditional business world. Bill sponsor Rep. Thomas J. Bliley (R-Va.) called the opposition's allegations and concerns "absolutely false" and noted that the bill was revised after initial consumer protection concerns arose. (Washington Post 11/02/99)

ELECTRONICS INDUSTRY BACKS DIGITAL SIGNATURE BILL

The American Electronics Association (AEA) recently sent a letter to the Senate Democratic leadership, urging legislators to enact the Electronic Signatures in Global and National Commerce Act, known less formally as the E-Sign bill. The letter called on legislators to speed up the deliberation process by appointing conferees to a committee assigned to the act. AEA President William Archey said the act is an essential ingredient to the continued growth of e-commerce and will help establish a legal framework for companies conducting business on the Internet. "The E-Sign bill would establish certainty in online contracting by recognizing the validity and enforceability of electronic records and signatures for online vendors," Archey said. Ensuring that Congress passes the bill is one of the AEA's top priorities this session, according to Archey. A House version of the bill was approved in November; the Senate is now attempting to reconcile differences between the two versions. (EE Times Online, 7 March 2000)

Encryption

Uif dbu jo uif ibu.

a b c d e f g h i j k l m n o p q r s t u v w x y z

b c d e f g h i j k l m n o p q r s t u v w x y z a

This is a very simple code, obviously, and easily broken. It is an example of a Caeser Cipher, an encoding by rotating the letters in the alphabet. Secret decoder rings that used to (still do?) come in cereal boxes used this principle.

But it illustrates the point. You would tell the recipient the key (to the code) is to "rotate the alphabet to the left 1 letter". Or turn your decoder ring to the right 1 click.

By the way, the coded phrase is: "The cat in the hat".

Another example of a simple encryption would be to convert each of the letters/characters in your message to their hexadecimal equivalent. What? On modern computers, each simple letter, digit, or punctionation mark is represented as 7 bit binary value; instead of using the letter, or digit represented by that value, use the numeric value instead, expressed in hexadecimal. (This is one scheme used to obfuscate email addresses on web pages to prevent them from being "harvested" by spammers.

Or maybe compress your message. That would render it unintelligible too. That would turn the ASCII text into binary codes. But presumably it would be easy to uncompress it too.

Or Or how about hiding your message into an image? That's what software from In the Picture (http://www.intar.com/ITP/) does.

Serious Encryption

Until recently, a 56 bit key (56 digit binary number) was thought to be pretty secure. (A 56 bit number will probably have almost 25 decimal numbers in it!) However, a research group was able to build a special purpose computer built with off the shelf components that was able to break codes with 56 bit keys in less that 24 hours! Obviously, more bits in the key are needed, but how many more.

From Edupage

RESEARCHERS DEMONSTRATE COMPUTER CODE CAN BE BROKEN

Researchers this week proved that 512-bit encryption, the standard used to protect most online financial transactions, is not secure. The international group of researchers broke the security codes by factoring a number of about 155 digits and using the two prime factors to find the key used to decode a specific piece of data. The effort took seven months and required 292 computers at 11 different sites. However, one participating researcher says the codes could be broken in less than a week using the computing power of government agencies or large enterprises. By demonstrating the inadequacy of 512-bit encryption, the researchers have also fueled doubts about U.S. export control laws regulating encryption. Currently, 512 bits is the strongest level of encryption that can be exported in most instances. (New York Times 08/27/99)

As general purpose computers get faster, the need for more secure keys increases since the faster hardware can crack weak keys quickly.

Symetric Key Systems

WEP (Wireless Encryption) at UCSD

The problem is that WEP is flawed in that it is a single key system. Everyone who would use WEP must know the singlesecret password in order to utilize the encryption. Securely getting that password out to thousands of wireless users is impossible. So rather than let people think their data was safely protected in a code, no encryption at all is used.

But don't worry. As long as you are using a secure web connection (that little lock you see on the status browser status bar), or ssh (Secure Shell), or other "end to end" encrypting application programs, your data is safe.

Public Key Systems

To use a public key system, the sender uses the receiver's public key, to encode the document; the receiver then uses her separate private key to decipher the contents.

With a public key scheme, each person publishes his public key (on their web page, or in their email signature, or ...). Anyone wishing to send to that person then uses that public key to encrypt and send a message. The receiver uses their private key to decypher the message.

Okay. Now imagine this.

I'm pretty sure that only you can read it, because only your private key can unencrypt the message coded with your public key. And, by the same token, you can be pretty sure that I sent it because only my public key can decode my signature.

What we lack now is a) the government's blessing, and b) the infrastructure (i.e., how are we assigned keys, where do people find our public keys).

"PGP", Pretty Good Privacy, is one such public key scheme that can be used to create "digital" signatures. There are also PGP key servers like http://www.keyserver.net/en/ where you can publish your PGP public key(s) and look up other people's keys.

The article at http://www.linuxsecurity.com/feature_stories/feature_story-83.html has a good description (with figures) of PGP public key encryption.

The other thing we lack is encryption that is easy to use-- like using a secure web connection. Until we get government sanctions, infrastructure and easy to use software, email will not be secure.

Encryption and the Government

Prior to 1996, the rules for exporting cryptography were set by the International Traffic in Arms Regulations governed by the US State Department. Even taking a telephone scrambling device out of the country could be a trying affair, as http://www.netsurf.com/nsf/v01/01/local/courier.html tells.

As one compromise with public demand for encryption, the government agencies proposed an encrypting chip (one version was called the "clipper chip"), which had a "back door" that would allow the government to decode messages encrypted with it. Freedom advocates successfully opposed the introduction of the chip.

The government is now advocating an "escrow" system in which an agency holds the secret keys. Law enforcement agencies would then show a warrant to this escrow agency to get access to particular keys to track crimes. Here people argue that the government doesn't do a very good job of keeping secrets.

And do everyday citizens need encryption? Yes! The UK recently passed the the Regulation of Investigatory Powers bill--RIP--to intercept and decode encrypted e-mails.

The most immediate industry casualties of the bill are Internet Service Providers in the UK, who will have to offer a permanent interception capability. The government has yet to decide what technology it will impose. But many other businesses are also taking a hard look at the implications of doing business in the UK. It will allow state officials to demand access to a private decryption key or to a plain text copy of an encrypted message. Disclosing a key could compromise the security of a whole network. But it will be a criminal offence to warn any third party that the key has been requested!

Back in the United States, the FBI has reluctantly revealed the presence of Carnivore. See http://www.robertgraham.com/pubs/carnivore-faq.html for a FAQ.

CONGRESS TO HOLD HEARINGS ON FBI CYBER-SNOOP DEVICE

The House Constitution Subcommittee announced late last week that it would hold hearings on the FBI's controversial Carnivore e- mail surveillance system. The hearings will take place July 24 and will address "the needs of law enforcement and the personal privacy rights of individuals guaranteed by the Constitution," a congressional staffer said, speaking on condition of anonymity. The staffer said law enforcement officials, privacy groups, civil liberties groups, and industry representatives would be invited to provide testimony at the hearing, although no witnesses have yet been confirmed. Janet Reno said last week that she would investigate Carnivore out of concern that the system could jeopardize Americans' privacy rights. (Newsbytes, 14 July 2000)

CARNIVORE E-MAIL TOOL WON'T EAT UP PRIVACY, SAYS FBI

The FBI is attempting to convince lawmakers and privacy advocates that its Carnivore surveillance system is not as menacing as its name implies. The FBI says the system is a "diagnostic tool" that would be used only in rare circumstances, and with court approval. The system ignores the vast majority of Internet communications and targets only the specific information packet it is meant to retrieve, says Thomas Motta, assistant general counsel for the FBI. The system also does not examine or record the content of e-mails, including subject lines, says the FBI. Still, lawmakers have many questions about the system and they intend to get answers from FBI officials at a House judiciary subcommittee next week. The head of the subcommittee, Rep. Charles Canady (R-Fla.), wants to be sure that the system does not jeopardize the constitutional rights of U.S. citizens. Iconn.Net, EarthLink, and other ISPs have been openly critical of Carnivore. Congress is unlikely to pass legislation outlawing Carnivore and other such systems, but lawmakers may decide to strengthen applicable privacy rules or place more restrictions on the system's use. (Wall Street Journal, 20 July 2000)

OPINION SPLIT ON WEB PRIVACY

Just one in five Americans has heard of the FBI's Carnivore e-mail surveillance system, but 54 percent say they favor government e-mail snooping efforts as a means of curbing online crime, according to a new survey conducted by the Pew Internet & American Life Project. The survey also shows that 62 percent of those surveyed favor the introduction of online privacy laws; 90 percent worry about their credit card numbers being stolen on the Internet; 80 percent worry about online fraud; and 82 percent have concerns about online terrorism. The numbers suggest that Americans want to be protected from criminals on one hand but want to keep the government from abusing its authority on the other, said Susannah Fox, the project's director of research. "It's going to be very difficult for Congress to create legislation that makes sense for Internet users, the Internet industry, and law enforcement," said Fox. David Sobel of the Electronic Frontier Foundation said the Pew survey runs counter to most polls on the Carnivore system. An FBI spokesman said the agency is pleased with the results of the poll. (Washington Post, 3 April 2001)

FBI'S CARNIVORE MIGHT TARGET WIRELESS TEXT

An association of telecommunications carriers warns that the FBI could soon be using the Carnivore electronic eavesdropping device to capture wireless text messages. In a letter sent to the FCC, Cellular Telecommunications & Internet Association general counsel Michael Altschul said that the telecom industry could not devise sufficient standards and procedures to allow FBI investigators to capture the contents of wireless text messages the same way they can listen in on analog communications. Such ability is required by law, and thus the industry's failure to provide the FBI with a solution could mean the use of Carnivore, which privacy and technology experts say gleans far more information than is needed by investigators. Privacy advocates say that Carnivore has not been shown to be as selective in the gathering of information as targeted data collection carried out by ISPs. (Washington Post, 24 August 2001)

FBI MUST TURN OVER CARNIVORE INFO

A federal judge has ordered the FBI to dig deeper in trying to locate information collected by its Carnivore e-mail surveillance tool. The FBI contends that all data collected using Carnivore was gathered under the authority of court orders. The FBI had turned data over as part of a legal battle with the Electronic Privacy Information Center (EPIC), but the judge agreed with EPIC that the FBI may not have produced all of the documents related to Carnivore searches. EPIC took the FBI to court in July of 2000 to try to gain access to the data under the Freedom of Information Act. The outcome of the case will likely affect how the federal government uses electronic surveillance in its investigations. (ZDNet, 27 March 2002)

REPORT URGES MORE ENCRYPTION

Echelon, the U.S.-based spy system whose existence has been long rumored but never substantiated, does indeed exist and poses a serious privacy threat, according to a newly released, 108-page report from the European Parliament. The report is based upon interviews with experts in the fields of security and communications, who have provided testimony that the United Kingdom, Australia, Canada, and New Zealand are helping the United States manage the communications-interception system. The report claims that Echelon intercepts "a very small portion" of corporate and civilian communications across the globe, but could come up with no proof that the system is sharing these communications with U.S. companies. The report suggests that computer users protect their e-mail communications from Echelon by using encryption. (Associated Press, 29 May 2001)

Note that most of this concern came before September 11, 2001! After that terrorist attack on the World Trade center, the U.S. Congress passed the PATRIOT act which gives greater leeway for government agencies to "spy" upon its citizens. See http://www.eff.org/Privacy/Surveillance/Terrorism_militias/20011031_eff_usa_patriot_analysis.php for some of the issues. Citizens need encryption.

Encrypt your Hard Disk

As convenient as electronic mail can seem, it has serious limitations. First and foremost, you have only the printed word of the sender.

English is a very large language, with more than 100,000+ words; probably the largest vocabulary of any language. And written English can be treacherous! For example:

• We polish the Polish furniture.
• He could lead if he would get the lead out.
• A farm can produce produce.
• The dump was so full it had to refuse refuse.
• The soldier decided to desert in the desert.
• * The present is a good time to present the present.
• * At the Army base, a bass was painted on the head of a bass drum.
• The dove dove into the bushes.
• I did not object to the object.
• The insurance for the invalid was invalid.
• The bandage was wound around the wound.
• There was a row among the oarsmen about how to row.
• They were too close to the door to close it.
• The buck does funny things when the does are present.
• They sent a sewer down to stitch the tear in the sewer line.
• The wind was too strong to wind the sail.
• After a number of Novocain injections, my jaw got number.
• * I shed a tear when I saw the tear in my clothes as I sat in the shed.
• I had to subject the subject to a series of tests.
• How can I intimate this to my most intimate friend

tomb comb bomb

rough cough bough though through

there their they're

With email, Words Is [sic] All You Gets

Keep that in mind as you compose a message and try to avoid those ambiguous terms and phrases.

What might happen to your friendship wiht Jane if you miss spelled "shifty" in "you have a shifty personality, Jane"? Proof read all your email, and use that spell checker!

Email is a half duplex communication. Information flows in only 1 direction at at time. When speaking in person, if you see a negative affect produced by what you say, you can change the conversation, or appologize. Even on the phone, you might notice a pause after you've said something inappropriate, and can "take it back". With email, you probably won't have a chance to "take back" what you wrote said if it gets an adverse reaction.

To help increase the "bandwidth" (the amount of communication flowing back and forth), you may see some strange symbols in some email:

These have been called emoticons; pictures that represent an emotion. They can be used to help convey irony, sadness, humor, etc. Here are some compilations of Smileys:

• http://smileys.antville.org/,
• members.aol.com/bearpage/smileys.htm particularly, http://members.aol.com/bearpage/smileys.htm#widely.
• http://www.astro.umd.edu/~marshall/smileys.html
• Unfortunately, these next two very amusing links are no longer valid
  • www.randomhouse.com/features/davebarry/emoticon.html (an amusing look)
  • www.randomhouse.com/features/davebarry/forums.cgi?page=1&messages_per_page=20 (roll your own and post it!)

Another common way to help clarify your messages is to use some scheme to add emphasis to some words. One technique is to use "*" (or some other symbol) around the words you want to stress; e.g.,

I got it, did *you* get it?

I got it, did YOU get it?

Eudora has a feature that will scan your outgoing messages for potentially "unsocial" messages. When the feature is turned on, 1 to 3 chilli peppers appear on the right part of the tool bar of your new message, depending on how "inflamatory" your remarks are.

Javier Movellan, a former professor in Cognitive Science at UCSD is devoloping software programs that can interpret emotions from faces. Perhaps in the near future, email won't just contain emoticons, but animated faces that convey real emotion! (And the government will be able to detect it. )

Acronyms

ACRONYM	Literally	Means
FYI	For Your Information	I think you should see this, but you needn't do anything about it.
BTW	By the way,	Say, did you know ...
ASAP	As Soon As Possible	I wanted it yesterday
IM(H)O -- seen with and without the "H"	In My (Humble) Opinion	This is what I think
YMMV	Your Mileage May Vary	(from U.S. automobile advertizements) different drivers may experience different results
FWIF	For what it's worth	For what it's worth
TTFN	Ta ta for now	See ya
IIRC	If I recall correctly	If I recall correctly
AFAIK	As Far As I Know	As Far As I Know
ROTFL	Roll on the floor laughing	A response to a funny joke

Many sites on the Internet seem to specialize in computer related acronyms, which I guess makes sense. http://www.acronymfinder.com/ lets you look up acronyms. http://members.aol.com/nigthomas/alphabet.html has a dictionary like way to look up the meaning of acronyms.

Limitations

Some people read their email only rarely. So no answer may simply mean they really haven't looked at it yet.

On the other hand, some versions of the program tell you when someone on a UNIX system last read their mail. However, with email packages like Eudora and pine that can be set to automatically read your mailbox file, you can't tell when the person has actually read the mail.

There are even some email systems (Outlook and Eudora) that support return receipt; that is, when the mail reading program loads/reads the email, it sends an automatic message back to the sender of messages marked with a return receipt request. Is that an invasion of your privacy?

Flames

Something as silly as sending a reply to everyone who received the message, instead of just the sender, might get you flamed.

Here is a poem about what can happen when you post a question to a newsgroup on the Internet:

I shot a query into the net.
I haven't got an answer yet,
But seven people gave me hell
And said I ought to learn to spell;

A posted message called me rotten
For ignoring mail I'd never gotten;
An angry message asked me, Please
Don't send such drivel overseas;

A lawyer sent me private mail
And swore he'd slap my ass in jail --
I'd mentioned Un*x in my gem
And failed to add the T and M;

One netter thought it was a hoax:
"Hereafter, post to net dot jokes!";
Another called my grammar vile
And criticized my writing style.

Each day I scan each Subject line
In hopes the topic will be mine;
I shot a query into the net.
I haven't got an answer yet ...

spam

In case you didn't know, SPAM (with caps) is a type of luncheon meat that has been popular (?) for years. The term "spamming" was derived from a "Monty Python" sketch in which a group of Vikings start singing a chorus of "spam spam spam...", eventually drowning out all other converstation. See http://www.spam.com/ci/ci_in.htm for more information on spam and its relationship to SPAM (the meat).

Spam has become such a problem that the United Nations is considering ways to combat it!

UNITED NATIONS TO ADDRESS SPAM PROBLEM

Officials from a United Nations agency said this week it will work to fight spam on an international scale. According to Robert Horton, the acting chief of the Australian communications authority, the International Telecommunications Union (ITU) will work to bring the problem of spam under control within two years. The ITU, which is meeting this week in Geneva to address the growing problem of spam, will write examples of legislation that would allow effective cooperation among governments in fighting spam. Many countries currently lack any legislation dealing with spam, and those that do often have laws that are difficult to reconcile across borders. According to the ITU, spam may account for as much as 85 percent of all e-mail today, as well as a significant portion of text messages received by cell phones. San Jose Mercury News, 6 July 2004 http://www.siliconvalley.com/mld/siliconvalley/9089737.htm

Dealing with spam

Even if the From: address is a real one, probably you should never reply to spam, or even send email to their "remove me" address. Many of lists of email addresses are old and the spammers are trolling (fishing) to see which addresses are "live". If you answer, they know the "From" line on your email is a valid address! That's why we tell people never use the "remove" mechanism on spam mail.

If you can trace through the Received-by lines in the headers, you can try complaining to postmaster@, or perhaps abuse@, the sytem the mail appears to come from. This may or may not yield results. http://www.ecofuture.org/jmemail.html is one of many sites that talk about spam and ways to combat it.

A Study of Spam

They found that the most common source for email addresses getting spam were those published on public web sites. The more popular the site, the more likely those email addresses were to get (more ) spam.

Also, they discovered that most commercial web sites that had published privacy policies and offered a way to "opt out" would, in fact, respect the opt out request.

The study is located at: http://www.cdt.org/speech/spam/030319spamreport.pdf and is an interesting read.

Hotmail Has Quite a Job to Save Its E-Mail Empire From Spam

You think you've got a problem with spam e-mails because of the dozen or so you get every day? Welcome to Hotmail, where they get more than a billion.

Hotmail, owned by Microsoft, is, by virtue of its 110 million users, among the world's biggest e-mail providers. It is, therefore, one of the world's biggest spam buckets. The number of messages it gets each day is closing in on two billion. Up to 80% are spam.

Spam, for someone in the e-mail business today, is like cold for someone at the North Pole. It's everywhere, and if you forget about it even for a minute, it can kill you. Hotmail engineers constantly monitor their machines. A sudden deluge of spam, if not tended to, will take down the whole system.

Wallstreet Journal, July 8, 2002

People are trying to fight spam and spammers. See http://www.spamcon.org/. spam costs people real money (the time they are connected to their ISP and down loading their mail). If you really get ticked off, you can visit spamcop.net and fight back.

The legal view on spam is just gelling, unlike FAXes. Did you know that it is illegal to send an unsolicited FAX.

spam: Governor Pete Wilson of California has signed into law two new anti-spam bills, both of which will take effect on January 1, 1999. The laws will require that all commercial e-mail messages be labeled as advertisements in their subject lines, will prohibit forged return addresses and relaying mail off of third-party computer systems. Copies of the bills are available at

• http://www.leginfo.ca.gov/pub/bill/asm/ab_1651-1700/ab_1676_bill_980828_enrolled.html and
• http://www.leginfo.ca.gov/pub/bill/asm/ab_1601-1650/ab_1629_bill_980827_enrolled.html
  For more, see
• http://www.wired.com/news/news/politics/story/15291.html,
• http://www.news.com/News/Item/Textonly/0,25,26859,00.html?st.ne.ni.pfv,
• http://www.mercurycenter.com/business/top/044290.htm, and
• http://www.sjmercury.com/business/center/spam092998.htm.

POLL SHOWS RISING FRUSTRATION WITH SPAM

A new poll from Harris Interactive indicates that nearly 75 percent of e-mail users support making spam illegal; only 12 percent would oppose such an action. Ninety-six percent of respondents said that unsolicited e-mail is "annoying," and 80 percent said it is "very annoying." Categories of spam most commonly cited by respondents were pornography (90 percent), mortgages and loans (79 percent), investment opportunities (68 percent), and real estate (61 percent). Unfortunately for those annoyed by spam, the problem is getting worse. Some states have passed laws banning or limiting spam, but e-mail marketers typically fall outside the scope of state laws. Federal efforts to limit spam have stalled. Brightmail, maker of software to control spam, said that unsolicited messages accounted for 40 percent of all e-mail in November, compared to 13 percent a year earlier. Wall Street Journal, 3 January 2003 (sub. req'd) http://online.wsj.com/article/0,,SB1041520792726749513,00.html

REPS. WILSON, GREEN PLAN SPAM BILL

The war on spam will be continued with the expected introduction this week of the Unsolicited Electronic Mail Act, which will be introduced today in a press conference by sponsoring Reps. Heather Wilson (R-N.M.) and Gene Green (D-Texas). The act will allow e-mail users "to keep their current e-mail address and block out all unsolicited e-mail without having to change providers or get new e-mail addresses," according to a press release from the two representatives. The act also calls for the establishment of "virtual gated communities" that prohibit spam, and would allow users to put "no trespassing signs" on their PCs. Violators of the act's terms would be subjected to fines of $500 per offense, or $25,000 per day the violation remains in effect. Another House antispam bill, the Can Spam Act, would give ISPs the option of suing spammers. (Newsbytes 10/13/99)

APPEALS COURT UPHOLDS ANTI-SPAM LAW

Commercial e-mails, or spam, must contain valid return addresses and other identifiers that make it easier for consumers to remove themselves from mailing lists, according to a ruling upheld recently by a California appeals court. The defendants in that case, two Palo Alto-based companies, had argued that the previous ruling violated the commerce clause of the U.S. Constitution. Because Congress has yet to settle on any comprehensive anti-spam law, consumers must rely on state law. But that could result in a hodgepodge of restrictions on legitimate Web-based businesses. The California ruling requires that commercial e-mailers also mark their messages with an "ADV:" in the subject heading, and a special "ADV:ADLT" for messages linked to adult content. The Supreme Court in October refused to hear a challenge to a Washington state law that stringently regulates spam in that state. (Cnet, 7 January 2002)

MONSTERHUT LOSES SPAM CASE

A victory against spam was scored when New York State Supreme Court Justice Lottie E. Wilkins banned MonsterHut, a Niagara Falls-based company, from sending unsolicited e-mails. Accused of sending around 500 million unwanted commercial e-mails, MonsterHut told recipients who complained that they had requested the solicitations through an ^Óopt in^Ô feature. State Attorney General Eliot Spitzer sued MonsterHut on behalf of roughly 750,000 Internet users who, since March 2001, had tried and failed to get off MonsterHut^Òs e-mail lists. MonsterHut claimed that it had obtained "third-party, permission-based" agreements, which amounts to having acquired e-mail addresses from other organizations that had received permission to send ads. Judge Wilkins determined that MonsterHut had "not offered any proof or legal basis to demonstrate that their practice conforms with industry-wide accepted 'opt in' protocols" and barred MonsterHut from further "fraudulent, deceptive and illegal acts and practices." Wired News, 23 January 2003 http://www.wired.com/news/business/0,1367,57363,00.html

SPAM ON THE RISE

Analysts offer varying explanations, but e-mail spam is definitely on the increase. According to Brightmail Inc., which monitors junk e-mail, June of 2001 saw 879,000 spam attacks; June of this year saw 4.8 million. The company also reports that the percentage all e-mail that is spam has risen from 7 percent a year ago to between 12 and 15 percent today. Some speculate that the weak economy encourages spam as a marketing vehicle because it is relatively inexpensive. Others cite the ongoing battle between those who want to get unsolicited e-mails delivered to users and those who want to filter it out. All acknowledge that the increase of spam means it is not simply a nuisance but a daily problem. Much time is wasted dealing with spam, and many legitimate messages, for example, are deleted when users suspect them of being spam. NewsFactor Network, 8 August 2002 http://www.newsfactor.com/perl/story/18939.html

MIT CONFERENCE ON SPAM

Several hundred high-level programmers attended a conference at the Massachusetts Institute of Technology (MIT) devoted to the latest tactics to fight spam. Spam is a formidable foe, as evidenced by its increase in total Internet e-mail traffic from 8 percent in 2001 to as high as 40 percent last year alone, according to Brightmail. According to Ferris Research, spam costs businesses in the United States $8.9 billion and in Europe $2.5 billion annually. MIT computer scientist William S. Yerazunis compared spam to petty street crime and claimed that ^Óthe theft efficiency ratio is about the same as stealing hubcaps and car radios.^Ô The conference centered on a language developed by Yerazunis, touted as nearly 100 percent effective, that ^Óhashes^Ô messages by matching incoming phrases with previous text sent by the user, thereby identifying inconspicuous spam. Another programmer is working on code that will recognize disguised text as spam. Such filters, however, must be able to sort out spam from ^Óham,^Ô or desired e-mail. Some involved in the fight against spam, including Era Eriksson of the Coalition Against Unsolicited Commercial Email, believe that only legislation will stop spam. New York Times, 18 January 2003 (registration req'd)

COOKIES POPPING UP IN E-MAIL

Cookies have long been a part of many commercial Web sites. Now that HTML e-mail has become increasingly common, cookies are showing up in HTML e-mail messages, many of which are sent by spammers, who have little or no obligation to disclose how they use consumer data they collect. Whereas cookies on Web sites generally collect data "anonymously," e-mail cookies have the potential to connect individuals' surfing habits with particular e-mail addresses. The technology is also used by some legitimate marketers, though the types of information collected, as well as when and how it is collected, vary among companies that use the technology, depending on how aggressive they choose to be. CNET, 4 April 2002 http://news.com.com/2100-1023-875992.html

What can be done?

Indeed, spam is a hard problem, especially because its difficult to track down the offenders, who may well be in a different country, with different laws, 1/2 way 'round the world.

It also seems like the attempt to legislate a solution has encouraged spammers. The laws are not consistent from state to state. Moreover, spammers now feel it is OK to send spam as long as the format of their message agrees with that defined in the legislation.

BUFFALO SPAMMER GETS JAIL TIME A judge in New York this week sentenced Howard Carmack, the so-called Buffalo Spammer, to the maximum three-and-a-half to seven years in prison under the state's new identity theft statute. Carmack was charged with setting up hundreds of e-mail accounts under false or stolen identities and sending 850 million spam e-mails through those accounts. Internet service provider EarthLink previously won a $16.4 million civil judgment against Carmack, though the company has yet to collect any money from Carmack. At his sentencing, Carmack said his prosecution was politically motivated and that he didn't see any victims of his actions. In response, Judge Michael D'Amico said, "I'm having a heck of a time figuring out why you think everybody is unfair to you," telling Carmack he caused a lot of harm to many people. Wall Street Journal, 27 May 2004 (sub. req'd) http://online.wsj.com/article/0,,SB108568739201123150,00.html

UCSD's Anti Spam System

X-Spamscanner: mailbox6.ucsd.edu  (v1.2 Mar 17 2003 15:04:36, 6.3/5.0 2.43)
X-Spam-Flag: Spam YES
X-Spam-Level: Level ******
X-MailScanner: PASSED (v1.2.7 42894 h37F78jV051562 mailbox6.ucsd.edu)

Will UCSD delete spam from your incoming mail? No. One person's spam is another's discount vacation! Plus, in a University atmosphere, information (even junk mail) should be allowed to flow.

UCSD SPAM Statistics for May 26, 2003

UCSD SPAM Statistics for June 22, 2004

You can now view UCSD's daily and weekly statistics.

Phishing -- a New Form of spam

When you click on the email, you are taken to a site with a form to fill out with your account info, name, perhaps SSN, and other information. The look of the site, and the URL for it, makes you believe you are really dealing with Visa, or CitiBank, etc. However, the site is a sham, and the info you enter is going straight to crooks who will use your credit card, or clean out your bank account.

Email Viruses

• Make sure your anti-virus software updates itself daily
• Virus email often contains an enticement like: "here is your bank balance", "your credit card has been charged ...", etc to get you to open the attachment.
• Email viruses often have their own built-in SMTP server, so they can avoid mailhubs (like UCSD's) that scan for viruses
• Email viruses scan the machines they infect looking for more email addresses. Then they use those on both the To: line and as a forged From: line. That's why you receive virus emails from someone you know--your address was on their computer. This is what makes email viruses so insidious.
• Recently, the "MyDoom" virus usurped "SoBig-F"'s title of the fastest spreading virus ever
• You must have anti-virus software, and it must be uptodate (updated daily).

The Art of Replying.

• I think that usually you really want everyone listed on the To: and Cc: lines to see your reply. However, some people seem to get upset when you reply to all the recipients of a message instead of just the sender (they might send you a flame ). So, you may want to reply only to the sender; this is generally the default behavior. And this is generally what most people do (because it is the default). However, it is configurable in Eudora (and other mailers).

  In EUDORA, holding down the option key when selecting reply will send the message to all recipients. (Note: the option key is said to toggle the behavior; that is change between 1 of 2 possible choices/behaviors.)

  Suppose someone sends you a note, either directly (your address is on the To: line) or indirectly (your address is on the Cc: line), and there are several other recipients listed. The sender wanted all those people to see that original message. Presumably, everyone would also be interested in seeing the answer as well.

  For instance, suppose Donna sends a message to several people asking how to include an image in an HTML document. If you reply only to her, then each of the other recipients might reply as well, needlessly. On the other hand, if you reply to everyone (including Donna, of course) then the others will know they need not answer, or could expound upon your explanation.

  Sometimes you can't easily tell how many people received a message because one or more of the recipient names is an alias, perhaps for an email list. In this case, it's usually best (safest) to reply only to the sender.

• Most email packages automatically include the text (body) of the message that you are replying to. This old message is set off from the message that you will enter by "> " or perhaps just indented. It is a good idea to leave this text in your message, because it helps refresh the recipients mind about the "conversation", should it be needed. However, don't make the recipient read all of the old message before your response. Insert your response at the very beginning, before the included reply.
• If some one sends you a message with several questions in it, you can intermingle your answers with the automatically included text when you reply. That is, reply to the message, and at the beginning of the message body say something like "My responses are placed next to your questions below." Then edit the text of the message you are replying to (as inserted by the reply software) and add in your answers to the questions.

You can create a nickname that contains a list of email addresses; an email list. For instance, the addresses of the people on your water polo team. Then you can refer to it (say, as "wetties") on the To: line and Eudora will expand it to the list of addresses when it connects to the SMTP server for delivery. In this case, all recipients show up on the To: (and every one sees who recieved the message). If you don't want that, you can Bcc: wetties, and just send it to yourself (on the To: line). Or, I believe Eudora will let you set up a nickname, and associate with it a "name". If you use that name, Eudora will expand the list but not put it on the To: line.

A system wide alias is one that is defined and maintained by an email administrator (sometimes called the postmaster). Anyone can use that alias. An example might be: repair@icogsci1 for notifying ACS personal about broken computer equipment in the labs. Another example is: macintosh@ucsd.edu, which is a campus wide discussion group about macintosh computers.

This is also an example of an email list or discussion group; mail sent to macintosh@ucsd goes to hundreds of people. This is similar to netnews groups, but results in an email message, rather than a discussion that you go and look up with a netnews news reader.

Some of these discussion lists allow you to automatically add or delete yourself from the list via email. Such lists are called "listserv" after one of the software packages used to manage them. For such lists, you send email to listserv@somewhere or perhaps majordomo@somewhere with the body of the message set to some command like:

add macintosh

For non-listserv type lists, (ones maintained by an individual (human )), you need to communicate with a list administrator (to be added or removed from the list). The address to use is the listname followed by "-request". E.g., managers-request@ucsd.

• If you send a request (say to be added or delete from the list) to the list itself (so that people on the list see your request), you may get flamed .

Forward, Redirect

Forwarding creates a copy of the message in the body. You can, of course, add more text, or edit it in some other way. When you forward, none of the original recipients will get a copy unless you put their addresses on the new To: or Cc: line.

The ability for forward a message is one reason to be careful about what you "say" and how you "say" it in email. If someone takes offense, they can just forward your message to your boss (or spouse), for instance.

Redirecting is like forwarding, except that the message appears to come from the original sender. You would do this if some one sent you email in error. The Eudora redirect adds a "(by way of Stu Dent)" to the From line address.

Sending documents as attachments.

Recall that old email systems were built to expect text only, not graphics or other binary data. There are encoding schemes that are used to transmit binary data (attachments) that would otherwise not be able to transverse the text only email pipelines. Examples are: uuencode, base64, and binhex.

The idea is to take 3 bytes of binary data (3 x 8 bits = 24 bits) and turn it into (24 bits = 4 x 6 bits); 6 bits (= 64) will easily map into the 26 upper case letters, 10 digits, and various punctuation characters: (),;:"'/?<>,.~!@#$%^&* etc.

The email program at the receiving end can decipher the attachment, and hopefully knows how to take 4 of the encoded bytes and decode them back into the original 3 eight bit bytes.

This is sort of encrypting the document, but with a goal of making it text that can pass through the mail protocols.

• Again, the receiver must be able to decode what you have sent her; that is, she must have some mail program like Eudora that knows about attachments.
• And she must have an application that knows how to deal with the type of document once it is decoded by Eudora (or other).
• Also, a word processing document for a Macintosh might not be able to be interpreted on a Windows machine, or visa versa. In fact, Microsoft Word isn't necessarily compatible with itself! Old versions may not be able to cope with (read) documents produced by new versions.
• Its even worse with graphics; the common formats for the Macintosh are not common on Windows machines and visa versa.

When in doubt, send just the text (ASCII) of the document (sans graphics, etc). That is, just copy and paste your text into the body of the email message. The formatting will be destroyed, but (hopefully) the message will get through.

One final consideration, some mail systems (SMTP servers) are picky about how big an email file can be. You may not be able to mail more than 100K bytes including the attachment.

Receiving documents as attachments.

You must be very careful about opening an attachment, even from some one you know. Many viruses go through an infected system's address list to look for new victims. So if your friend gets infected it's quite likely that the virus will send email to you because you are in their address book. And the email will seem to you to come from someone you know!

Be sure your antivirus software is up to date! More on viruses later in the quarter.

Filters

Once UCSD's anti-spam system is up and working, you can create a filter that will look at the special "X-" headers that the system will add to a message, and then accept or reject it.

Managing Multiple Mailboxes

On Unix mail servers, it is possible to set up a .forward file that will copy any mail to your account to a different account on a different mail server. Its relatively easy to use.

Let's suppose your UCSD email account is sdent@sdcc17 and you have a class account cg3xzz@icogsci1. You want all your class account email to get sent to your sdent mailbox.

• Log in to your cg3xzz account on icogsci1
• Create a file in your home directory called: .forward (note the leading "." (dot)).
• In the .forward file, put:

  	sdent@sdcc17
  

  One way to do this is, at the UNIX prompt, type:

  	echo sdent@sdcc17 > .forward
  

  The .forward file will cause all mail to cg3xzz@icogsci1 to be automatically sent off to sdent@sdcc17.
• If you want the mail to get forwarded but also keep a copy on icogsci1, put this line in your .forward file instead:

  	\cg3xzz, sdent@sdcc17
  

  You'll need to check your email quota on icogsci1 occasionally to make sure it doesn't overflow. (Use the quota -v command.)
• Do NOT create a .forward file on sdcc17 that points back to icogsci1. That will case a mail loop, and you will loose email while the loop exists.

If the mail is being sent to a mailbox on a different computer, then you may get a MailerDaemon email message back.

Once you have located the problem with the address, you can simply use the send again feature to forward the MailerDaemon message to the corrected address. Send again removes the MailerDaemon headers and error first from your message.

Tools for finding an email address.

• Infopath has a document on how to find someone's email address.
• If you know the domain and host, you can try using a web browser to see if there is an online "phone" directory.
• If you know the domain and host, then you can use the Unix programs whois or finger.
• Eudora has both built into the PH (Phone book), which is really whois, dialogue in the Special menu. PH queries a special database on the server you've configured into Eudora (UCSD.edu in our case).
• finger is a more generally available program that queries login names. Some sites have figure "turned off", and you will get a connection refused error.
• Try using one of the on line email databases
• Send email to "postmaster" at the site and ask for help

Mark's Tips About Email

• You must have current, uptodate anti-virus software, especially on a Windows PC.
• Always create a Subject: line; brief but meaningful. This is a courtesy to the people you send to.
• Never ask more than 1 (one) question per email. Most people seem to answer only one of them, and not necessarily the first one!
• If responding to a message which has a number of recipients on the To: and/or Cc: line, generally you should reply to all. The main exception is when you really want to say something personal to just one person ("you are such an idiot" ).
• Be careful about what you say in email; remember it is easy who receives your message to forward it to a large group of people, or perhaps your boss. Or print it out and mail it to the Guardian (or other newspaper). Always use those emoticons, if appropriate.
• When replying to a message, most email programs give you the option of including the message you are responding to, usually offset somehow (to distinguish it). This is generally a good idea, as it serves as a reminder about what you are responding to. However, in my opinion, it is best to be your (new) response up at the top of the message body before the old message. That way the recipient can see your answer without having to scroll through old message, but can refer to the old message if they wish to.

  An exception to this is if you are answering several questions (remember, you shouldn't ask multiple questions ). In this case, it might be useful to intersperse your answers in the the original message, adjacent to the questions.

• If you are sending someone an attachment, tell them so in the body of your message. If possible, tell them what version of what software package was used to create the attachment.
• If you send someone email, and they don't respond "promptly", does it mean they are ignoring you? Probably not. Some people don't have ready access to email (no computer at home, or no Internet connection). Some people only read their email once a day, or once a week.
• Always respond in "the same media". That is, if some one calls you and leaves a message on your answering machine, don't send them an email response (unless they request it).
• Finally, as handy as email may seem, sometimes you just can't explain things via email, because words are not adequately explaining the situation. It's time for a phone call or a face to face meeting.

Terms to Know

©opyright 1995-2004 Mark R. Wallen Last updated: Thu Oct 7 13:47:07 2004