Sunday, June 10, 2007

Politicians + Sex Spam

I was looking for something interesting to blog about today. Our PM's wedding seemed to have sucked up so much newsprint that no other interesting news was getting through. However, this little bit of news did get through. It's so funny that I just had to blog about it.

The news is about an email that was sent to the various print media in Malaysia. The email supposedly contains doctored graphical images of some DAP politicians engaged in sex acts. That alone isn't very funny, but the political finger pointing and mud slinging that ensued sure is. The DAP asserts that "certain quarters are resorting to this immoral and unscrupulous act to defame DAP," while the MCA says that "someone in DAP is using this as a cheap tactic to divert people's attention from their own crisis". The question now is whether we can find out who actually sent the emails. To answer this question, I will digress briefly into how Internet email is set up.

Simple Mail Transfer Protocol (SMTP) was one of the early transport protocols developed for the Internet. It is the second most widely used service on the Internet, after the web. Its primary task was to ferry mail from one Mail Transfer Agent (MTA) to another. Nowhere in this protocol was it necessary to verify or specify that another MTA was legit, much less to verify that a user was legit. Anyone who uses email must know that it is fairly trivial to fake someone else's email address: all you need to do is change your From address to that of another person. SMTP merely requires that the From field be an email address in a valid format.

However, it is not quite so simple to fake the path the email travelled. Once a person sends off an email, it is relayed from one MTA to another until it finally reaches the recipient's mailbox. Along the way, each MTA usually tags the email to indicate its source. Hence, it is quite possible to tell which MTAs a particular email was routed through, just by looking at the right email headers. So, even if the From field says the sender is foo@bar.com, the email headers also have to say that it came from the bar.com email server. Thanks to the spammers, most MTAs these days require a valid reverse-DNS entry before they will relay mail from a foreign MTA. This means that if an MTA claims to be @bar.com and wishes to relay email to foo@thestar.com.my, the MTA@thestar will check that the connecting IP address actually corresponds to MTA@bar.com.

So, at the very least, it would be fairly trivial to trace an email back to a specific source server and date/time. From there, a simple request by the proper authorities to the appropriate NOC should give us the username and IP for the particular sender. However, it would still be next to impossible to prove who actually sent the email unless the sender was stupid enough to do it from either his office or his home. If the person was smart enough to use a public Internet cafe, the trail will go cold at this point.
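To make the tracing argument concrete, here is an added example (my own code, not part of the original post) that reconstructs the relay path from a message's Received headers and checks whether the MTA that handed the message into the recipient's domain actually belongs to the domain shown in the From field. The message, host names and IP addresses are all constructed for the example.

```python
import email
import re

# Constructed sample message for this example; every host, address and IP is made up
# (documentation ranges and .example domains), nothing here is a real server.
SAMPLE = """Received: from mx.thestar.example ([192.0.2.10])
\tby inbox.thestar.example with ESMTP id 12345; Sun, 10 Jun 2007 14:05:22 +0800
Received: from smtp.bar.example (smtp.bar.example [198.51.100.7])
\tby mx.thestar.example with ESMTP; Sun, 10 Jun 2007 14:05:20 +0800
Received: from cafe-pc (unknown [203.0.113.44])
\tby smtp.bar.example with SMTP; Sun, 10 Jun 2007 14:05:01 +0800
From: foo@bar.example
To: editor@thestar.example
Subject: constructed test message

(body omitted)
"""

# "from <claimed name> (<rdns/ip info>) by <receiving MTA>" as written by most MTAs
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Relay path oldest-first as (claimed name, connecting IP, receiving MTA) tuples.
    Each MTA prepends its own Received line, so header order is newest-first; reverse it."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue  # unparseable line: keep going rather than trusting a partial path
        ip = IP_RE.search(m.group("info") or "")
        hops.append((m.group("helo"), ip.group(1) if ip else None, m.group("by")))
    return list(reversed(hops))


def origin(hops):
    """Earliest hop: the machine that first handed the message to an MTA (where the trail starts)."""
    return hops[0] if hops else None


def handoff_to(hops, recipient_domain):
    """The hop that delivered the message into the recipient's domain from outside it."""
    for hop in hops:
        if hop[2].lower().endswith(recipient_domain.lower()):
            return hop
    return None


def from_domain_consistent(raw):
    """True when the MTA handing off to the recipient's domain is in the From domain."""
    msg = email.message_from_string(raw)
    from_domain = msg["From"].rsplit("@", 1)[-1].strip().rstrip(">").lower()
    to_domain = msg["To"].rsplit("@", 1)[-1].strip().rstrip(">").lower()
    hop = handoff_to(parse_hops(raw), to_domain)
    return hop is not None and hop[0].lower().endswith(from_domain)
```

A message whose From claims bar.example but whose handoff MTA is some unrelated host fails the consistency check, which is the mismatch an investigator would look at first.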

Or does it? Actually, it doesn't have to go cold. All this information is merely a start. How it is used after that depends on the investigators. With help from an ISP, an IP can be traced down to a specific geographic area. Knowing the sender's actual account can also help with smoking the sender out. What I'm trying to say is that Internet forensics can only provide us with so much useful information. Beyond that, it would still take regular police work to actually catch the person.

So, in this case, I doubt that anyone will spend that much effort on it. Nobody lost millions of dollars due to this. Only some feelings might have been hurt. However, I can expect both sides to trade some words over this for a few days. There might even be some quips and comments made about it in parliament. Anyway, it's just something interesting to read about.
