On Sun, 11 Oct 1992 06:33:36 EDT Elliott Parker <[log in to unmask]> said: > I know it is possible, but can someone give me a rough indication of >how much knowledge would be needed to do it? It is very easy once you know how. You need an IQ of about 80 to understand what needs to be done, the only difficulty (if you can call that one) is to know which RFC you need to read to find the recipe. And that only if you are unlucky enough not to have a mail user interface which lets you send from the address you want simply by editing the header or activating some obscure option. > And is there anything I can tell the person to minimize the chances >of it happening again? There is nothing that can be done about it, Internet mail is insecure - intrinsically. One is supposed to use encryption if one wants a nonzero amount of security. There are IETF groups working on that, unfortunately it seems that with current computer technology one can reach at most the equivalent of 64kbps of bandwidth when encrypting messages with a modern dedicated workstation using the selected algorithm (RSA). Of course computers will get faster, but networks get faster as well and it is not a given that the computers will catch up. Furthermore crypto-analysis experts are starting to claim that RSA isn't that difficult to break after all, so you may want not to hold your breath for too long. Even if all technical problems are solved, the legal issues are a can of worms outside the US/Canada trade zone. You first have to get the US to authorize software manufacturers to export the secret RSA technology (which newspapers claim you can buy on the black market in Russia for 5 bucks a diskette), then you have to take into account local encryption laws in many european countries. One may be able to trace the forgeries by examining mailer logs, but at best this would give you a hostname. There is no way presently to associate a userid with Internet data transfer (that is why anonymous FTP servers ask you to tell them your userid, but you can type anything you want of course - at best they can check the hostname). Eric