Sunday, April 25, 2010

Email Identity Theft.

My gmail account was hijacked apparently. Many of the addresses on my address list received spam from me at 9:00 am EST 4/24/2010. This makes the issue of email identity theft personal for me. It is an issue that needs to be addressed before it affects you.

I've changed passwords, etc. But once they have an email list, it gets shared among spammers and I cannot stop them from using the email addresses forever. Damn.

What most likely happened is that a site was hacked where I registered with the same password as gmail. Shame on me. Or, I shared my address list on a social networking site that was hacked; shame on them.

If your email was in my address book, beware of links presumably sent by me but not signed "Jim". They are not really from me; they are spoofed. Sorry folks.

Now I understand why emails clearly not spam from some members are flagged as spam in groups I moderate, and why email from some people often gets blocked as spam. I had wondered if they had been spammers in their past that they were being punished now. It makes more sense that they had been victims of email identity theft as I now am.

I ban members from my groups who enter spam, and report spam when I receive it. Unwittingly I have been victimizing the victims of email identity theft. As I judged, now I am judged. If the spammers send a lot of email from my account my electronic world will get smaller and smaller. The victims of email identity theft will become isolated and not contribute what they otherwise could to society.

I am still trying to notify everyone in my email address book, but there are too many addresses and gmail blocks me from sending email for 24 hours when I hit the limit. I can't even defend myself.

It is impossible for any national government to control email identity theft. China, a most repressive nation, is where most of the spam originates or is relayed. It is a good thing the internet is an open bottom-up protocol. Only name services are controlled centrally. The problem is not the freedom of the internet; the problem is that 99.99% of us are not using digitally signed email.

This will not change until email clients people use to send email validate and encourage using digital signatures, and that will not happen until people choose to only use clients that do. A digital signature uses cryptographic techniques to provide verifiable proof of authorship. This has not happened because standards need to be accepted to accept digital signatures in emails that are backwards compatible with the billions of legacy clients. There is no accepted standard means of including a digital signature in a plain text unencrypted ordinary email. Any suggestions?

The problem is the transition. If there were a standard way to digitally sign a plain text email in the header or the body, any email client that already had your public key, or could get it, could flag spoofed emails as not really from you. Email programs that did not support the signatures would still work fine but with no identity check. Email providers and mailing list and forwarding programs could have keys for their email addresses and support this.

The use of a service, one time, to create and serve your keys, and an email client that supports it, is all that is needed.
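As an added illustration (not code from this post), here is what the scheme described above could look like with a plain-text message: the sender puts an Ed25519 signature over the From address and a canonicalized body into one extra header, a client that has the sender's public key checks it, and a legacy client just sees an ordinary mail with one header it ignores. The header name X-Body-Signature and the addresses are assumptions, and the key-serving service is left out.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// canonicalize unifies line endings and strips trailing blanks so relay rewrapping does not break the signature.
func canonicalize(body string) []byte {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(l, " \t")
	}
	return []byte(strings.TrimRight(strings.Join(lines, "\n"), "\n") + "\n")
}

// signedData binds the From address to the body so a signature cannot be replayed under another name.
func signedData(from, body string) []byte {
	return append([]byte("From: "+from+"\n"), canonicalize(body)...)
}

// signMessage prepends a hypothetical X-Body-Signature header; clients that do not know it ignore it.
func signMessage(priv ed25519.PrivateKey, from, body string) string {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedData(from, body)))
	return "From: " + from + "\nX-Body-Signature: " + sig + "\n\n" + body
}

// verifyMessage checks the signature under the sender's public key; missing or malformed fails closed.
func verifyMessage(pub ed25519.PublicKey, msg string) bool {
	m, err := mail.ReadMessage(strings.NewReader(msg))
	if err != nil || m.Header.Get("From") == "" {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(m.Header.Get("X-Body-Signature"))
	body, readErr := io.ReadAll(m.Body)
	if err != nil || readErr != nil {
		return false
	}
	return ed25519.Verify(pub, signedData(m.Header.Get("From"), string(body)), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // fresh demo key; a real key is generated once and kept
	msg := signMessage(priv, "jim@example.com", "Hi all,\r\nsee the notes.  \r\n")
	fmt.Println(verifyMessage(pub, msg), verifyMessage(pub, strings.Replace(msg, "notes", "link", 1))) // true false
}
```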

If one big email provider, like Google, supported this, I think it would give them a market advantage, and every client would follow along. The threat of email identity theft and spam generally would be greatly reduced.

Jim

Links to more info:
http://mail.google.com/support/bin/answer.py?hl=en&answer=50200
http://answers.google.com/answers/threadview/id/14096.html
http://www.scamdex.com/
http://en.wikipedia.org/wiki/Digital_signature
http://en.wikipedia.org/wiki/Pretty_Good_Privacy

2 comments:

  1. Thank you for sharing your experience. I thought that this type of post would help me in learning a lot of useful things, like how to prevent your email from hacking. What I think is that we should change our email password every 30 days and try to choose a good password.