Security researcher beguiled by email spoof


One would expect someone who is reading and contributing to comp.risks since 1990 to know better, especially if he is also lecturing courses on IT security, and has written a couple of papers in the area. Maybe it was also a well deserved punishment for laughing at emails titled "Valuable business proposition" and "Renew your e-bay account" (who is so dumb so as to fall for these schemes?)

Well, as the saying goes, "one is born every minute". Yesterday, in an email titled "Ars Electronica Festival 2003 --CODeDOC II", I was informed that as part of the Ars Electronica Festival 2003 -- Code - The Language of Our Time -- Ars Electronica would commission an extension of the online exhibition CODeDOC which was curated for the Whitney Museum of American Art's artport site. For CODeDOC II, Ars Electronica was inviting 8 (mostly European) artists to continue the project and I was asked if I could participate. The three thematic domains "Code=Law, Code=Art, Code=Life" ("how strong is the socially regulative and normative power of the structures and rules of the game that computer programs and their standards implement and enforce? What possibilities exist to get around them?") appeared provocative and interesting. To make the proposal a bit more tempting a commissioning fee of $500 was set for each project.

As a four times winner of the International Obfuscated C Code Contest and author of the recently published book Code Reading: The Open Source Perspective (Addison Wesley 2003) I marvelled at the enlightened curator who saw the connection between the IOCCC and the exhibition's theme (one of my IOCCC winning entries was at the "abusing the rules" category), accepted the invitation, and started thinking on an exhibit based on a self-replicating Java applet.

Today I was in for a rude surprise. In a reply to my original email the real curator of the Whitney Museum informed me that the message was a very well-done spoof. While the message text was the original one they sent to 8 artists about 6 weeks ago, the fake invite was sent to all the previous winners of the IOCCC. A quick look at the two email headers confirmed my fear: I had indeed been a spoof victim.

The spoofed mail header contained the lines:

Received: from (
while the real mail from the curator header's contained:
Received: from ( [] (may
be forged))

It is interesting to note that Spam Assassin flagged the spoof as suspicious and that the real mail's header was marked "may be forged"! Nevertheless, it is unfair to try to locate a technology related risk when the real culprit is human vanity.

Comments   Toot! Share

Last modified: Friday, September 26, 2003 11:17 am

Creative Commons Licence BY NC

Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.