Senate Takes Action to Deal With Hoax E-Mails

Posted July 8, 2010 at 1:02pm

Updated: 4:35 p.m.

The Senate Sergeant-at-Arms has started using an e-mail validation system and is asking news outlets to do so as well following a string of hoax e-mails sent to the media proclaiming the deaths of four Democratic Senators.

“Hoax e-mail messages spoofing official Senate sources have recently been sent to a number of media outlets,” reads an e-mail from the Sergeant-at-Arms to Senate administrative managers and chief clerks. “At present, there is no need to report spoofed messages to the Sergeant at Arms, as they did not originate from the Senate.”

Hoax e-mails sent over the weekend and early this week announced that Sens. Harry Reid (Nev.), Patrick Leahy (Vt.), Dianne Feinstein (Calif.) and Frank Lautenberg (N.J.) died of cancer. While the e-mails appeared to come from Senate offices’ domain names, they were sent using a technique known as spoofing, in which a computer program replaces the actual sender’s e-mail address with a forged one that mimics a legitimate address.

“To help combat the problem of e-mail forgery, the Sergeant at Arms has implemented a commonly-accepted industry technology called sender policy framework (SPF) for the Senate,” the memo reads. “This framework allows the senate.gov domain to specify what servers are allowed to send messages for users with senate.gov addresses, and allows recipients’ e-mail systems to automatically check inbound messages to validate that they originated from a server authorized for the sender’s e-mail address.”

The memo also states, “Messages that fail this check can then either be discarded or tagged with a warning that the source might be spoofed.”

The Sergeant-at-Arms asked that the notice be forwarded to Senate press staff and media outlets and directed them to openspf.org to learn more about the program.

“If they have not already done so, we recommend that news media and other organizations that regularly communicate with the Senate via e-mail take advantage of this technology by implementing SPF checking on their inbound e-mail processing servers,” the note reads.
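The inbound check the memo describes, sketched as an added example that is not part of the original article or the Senate's own configuration: a receiving server compares the connecting IP address with the sender domain's published SPF record and then discards or tags a failure. The record and addresses are constructed from documentation ranges, and only the `ip4`, `ip6` and `all` terms are evaluated.

```python
import ipaddress

# Constructed policy for illustration; not the published record of any real domain.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate the ip4/ip6/all subset of an SPF record for a connecting IP.

    Returns an RFC 7208 result name, or "unsupported" (not an RFC result)
    when the record uses a term this sketch does not resolve (a, mx, include...).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported"
        try:
            network = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"  # malformed record: syntax error in the policy
        if network.version != int(name[2]):
            return "permerror"  # e.g. an IPv6 range under ip4:
        if ip in network:  # False when address families differ
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term


def disposition(result, discard_on_fail=False):
    """Map a result to the handling the memo describes: discard or tag on fail.

    Tagging softfail as well is a local-policy assumption of this example.
    """
    if result == "fail":
        return "discard" if discard_on_fail else "tag"
    return "tag" if result == "softfail" else "deliver"
```

Under RFC 7208 the check is made against the domain of the SMTP envelope sender (MAIL FROM), which can differ from the From: header a reader sees.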

Jeffrey Carpenter, technical manager of the CERT Coordination Center at the Carnegie Mellon Software Engineering Institute, said anyone looking for more information on avoiding these types of e-mail scams should visit the website of the U.S. Computer Emergency Readiness Team at uscert.gov.