E-mail spoofing
E-mail spoofing is a term used to describe (usually fraudulent) e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. E-mail spoofing is a technique commonly used in spam e-mail and phishing to hide the origin of a message. By changing certain properties of the e-mail, such as the From, Return-Path and Reply-To fields (which can be found in the message header), ill-intentioned users can make the e-mail appear to be from someone other than the actual sender. The result is that, although the e-mail appears to come from the address indicated in the From field, it actually comes from another source.
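As an added example (not part of the original article), the following Python uses only the standard library to pull the From, Return-Path and Reply-To fields and the earliest Received hop out of a constructed message, so a responder can see the mismatch described above instead of trusting the visible From line.

```python
"""Flag sender-header inconsistencies in a raw e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: the visible From claims example.com, while the
# envelope sender (Return-Path) and Reply-To point at a different domain.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-blast.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby inbound.example.com with ESMTP id ABC123
Received: from unknown (HELO mail-blast.example.net) [198.51.100.7]
\tby mx.example.org with SMTP
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk-reset@mail-blast.example.net
To: user2@example.com
Subject: Password expiry notice

Please reply with your current password to keep your account active.
"""
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def spoofing_indicators(raw):
    """Compare the visible From domain with Return-Path and Reply-To and
    recover the IP of the first MTA hop. A mismatch is not proof of spoofing
    (mailing lists legitimately differ), but it is the first check to make."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    return_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # Each MTA prepends its own Received header, so the last one listed is
    # the earliest hop. Only headers added by your own servers are trustworthy;
    # anything below that boundary can have been forged by the sender.
    received = msg.get_all("Received") or []
    match = IPV4_IN_BRACKETS.search(received[-1]) if received else None
    return {
        "from_domain": from_dom,
        "return_path_mismatch": bool(return_dom) and return_dom != from_dom,
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "first_hop_ip": match.group(1) if match else "",
    }
```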
Occasionally (especially if the spam requires a reply from the recipient, as in the '419' scams), the source of the spam e-mail is indicated in the Reply-To field (or at least a way of identifying the spammer); if this is the case and the initial e-mail is replied to, the reply will be delivered to the address specified in the Reply-To field, which could be the spammer's address. However, most spam e-mails (especially malicious ones with a trojan/virus payload, or those advertising a web site) forge this address too, and replying to it will only annoy an innocent third party.
Prior to the advent of unsolicited commercial e-mail as a viable business model, "legitimately spoofed" e-mail was common. For example, a visiting user might use the local organization's SMTP server to send e-mail from the user's foreign address. Since most servers were configured as open relays, this was a common practice. As spam e-mail became an annoying problem, most of these "legitimate" uses fell victim to anti-spam techniques.
Methods
Because many spammers now use special software to create random sender addresses, even if the user finds the origin of the e-mail it is unlikely that the e-mail address will be active.
The technique is now used ubiquitously by mass-mailing worms as a means of concealing the origin of the propagation. On infection, worms such as ILOVEYOU, Klez and Sober will often try to perform searches for e-mail addresses within the address book of a mail client, and use those addresses in the From field of e-mails that they send, so that these e-mails appear to have been sent by the third party. For example:
- User1 is sent an infected e-mail and then the e-mail is opened, triggering propagation
- The worm finds the addresses of User2 and User3 within the address book of User1
- From the computer of User1, the worm sends an infected e-mail to User2, but the e-mail appears to have been sent from User3
This can be particularly problematic in a corporate setting, where e-mail is sent to organisations with content filtering gateways in place. These gateways are often configured with default rules that send reply notices for messages that get blocked, so the example is often followed by:
- User2 doesn't receive the message, but instead gets a notice telling them that a virus sent to them has been blocked
- User3 receives a notice telling them that a virus sent by them has been blocked
This creates confusion for both User2 and User3, while User1 remains unaware of the actual infection.
Newer variants of these worms have built on this technique by randomising all or part of the e-mail address. A worm can employ various methods to achieve this, including:
- Random letter generation
- Built-in wordlists
- Amalgamating addresses found in address books, for example:
  - User1 triggers an e-mail address spoofing worm, and the worm finds the addresses user2@efgh.com, user3@ijkl.com and user4@mnop.com within the user's e-mail address book
  - The worm sends an infected message to user2@efgh.com, but the e-mail appears to have been sent from user3@mnop.com
Spoofed/Forged Email
I. Description
Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).
Examples of spoofed email that could affect the security of your site include:
- email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not do this
- email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information
Prevention (Deterrence)
- Use cryptographic signatures (e.g., PGP "Pretty Good Privacy" or other encryption technologies) to exchange authenticated email messages. Authenticated email provides a mechanism for ensuring that messages are from whom they appear to be, as well as ensuring that the message has not been altered in transit. Similarly, sites may wish to consider enabling SSL/TLS in their mail transfer software. Using certificates in this manner increases the amount of authentication performed when sending mail.
- Configure your mail delivery daemon to prevent someone from directly connecting to your SMTP port to send spoofed email to other sites.
- Ensure that your mail delivery daemon allows logging and is configured to provide sufficient logging to assist you in tracking the origin of spoofed email.
- Consider a single point of entry for email to your site. You can implement this by configuring your firewall so that SMTP connections from outside your firewall must go through a central mail hub. This will provide you with centralized logging, which may assist in detecting the origin of mail spoofing attempts to your site.
- Educate your users about your site's policies and procedures in order to prevent them from being "social engineered," or tricked, into disclosing sensitive information (such as passwords). Have your users report any such activities to the appropriate system administrator(s) as soon as possible. See also CERT advisory CA-1991-04, available from
Q. "I found out from returned "undelivered" email that those addresses do not exist in my lists--in the first place, I have never sent them."
A. Many affected owners of email domains being spoofed are complaining of having their accounts suspended for spamming and receiving "tons" of harassing hate mail marked as coming from them--which they have never sent and only found out about when they started receiving angry replies or returned undelivered bounce email.
The victims of this new form of harassment, in which fake or bogus messages are sent out posing as the original owner of the email address by spoofing, are usually targeted by dissatisfied or fired employees, competitors, pranksters, junk mailers, provocateurs or spammers trying to sell something--not that they want you to respond to the email, but to click on a link in the message.
According to the FBI, spoofing is generally not illegal because no hacking is required, unless it involves a direct threat of violence or death. By using such a tactic, known as email spoofing, they exploit the simplicity of Internet SMTP (Simple Mail Transfer Protocol, RFC 821).
Email can be spoofed by tweaking the settings on a standard email client such as Eudora, Outlook Express, etc.
There are also many websites that offer an automated process for creating and sending spoofed email by inserting someone else's email address into the MAIL FROM: or Reply-To: fields. The message header also contains information about the "origin" of the message, but most people don't know how to decipher it or simply assume that the spoofed message is genuine.
Spoofing is usually done to obtain info, to sell something, to send hate mail, or by a computer infected with a spam zombie or spambot, in each case assuming another's ID and making the recipient think that the email is from that sender...
a) Pretending to be a legitimate bank, etc., to get your ID.
b) A link in the message body taking you to a sales site.
c) Attachments with a virus or hate message.
d) Selling something by using an infected computer to send out a sales pitch (unknown to the owner of the machine) and at the same time "spoofing" the spam using the computer owner's address book email list.
Spam and e-mail-laden viruses can take a lot of the fun and utility out of electronic communications, but at least you can trust e-mail that comes from people you know – except when you can't. A favorite technique of spammers and other "bad guys" is to "spoof" their return e-mail addresses, making it look as if the mail came from someone else. In effect, this is a form of identity theft, as the sender pretends to be someone else in order to persuade the recipient to do something (from simply opening the message to sending money or revealing personal information). In this article, we look at how e-mail spoofing works and what can be done about it, examining such solutions as the Sender Policy Framework (SPF) and Microsoft's Sender ID, which is based on it.
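SPF, named in the paragraph above, lets a domain owner publish in DNS which hosts may send mail for it, and the receiving server compares the connecting IP against that record. The following is an added example, not code from the original article: a simplified evaluator over constructed records held in a dict in place of DNS TXT lookups, handling only the ip4, ip6, include and all mechanisms.

```python
"""Minimal SPF evaluator over constructed records (added example, not a
full RFC 7208 implementation)."""
import ipaddress

# Constructed TXT records standing in for DNS; a real receiver queries the
# TXT record of the domain in MAIL FROM. Only ip4, ip6, include and all are
# handled here; a, mx, exists, ptr and redirect= need live DNS.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.bulk.example.net -all",
    "_spf.bulk.example.net": "v=spf1 ip4:198.51.100.50 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:192.0.2.1 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, depth=0):
    """Return pass/fail/softfail/neutral/none for client_ip sending as domain."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"  # no policy published (or include loop guard tripped)
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Membership test is False across IP versions, so ip4 vs ip6 is safe.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced policy yields pass.
            if check_spf(arg, client_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # record ended without a matching mechanism or "all"
```

A "fail" verdict is what lets the receiver reject or quarantine a message whose envelope sender claims a domain that never authorised the sending host.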