E-mail spoofing
Encyclopedia
Email spoofing is email
activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. Because core SMTP doesn't provide any authentication
, it is easy to impersonate and forge emails.
Although there are legitimate uses, these techniques are also
commonly used in spam and phishing
emails to hide the origin of the email message..
By changing certain properties of the email, such as the From, Return-Path and Reply-To fields (which can be found in the message header), ill-intentioned users can make the email appear to be from someone other than the actual sender. The result is that, although the email appears to come from the address indicated in the From field (found in the email headers), it actually comes from another source.
Occasionally (especially if the spam requires a reply from the recipient, as in advance-fee frauds), the source of the spam email is indicated in the Reply-To field (or at least a way of identifying the spammer); if this is the case and the initial email is replied to, the delivery will be sent to the address specified in the Reply-To field, which could be the spammer's address. However, most spam emails (especially malicious ones with a trojan/virus payload, or those advertising a web site) forge this address too, and replying to it will annoy an innocent third party.
Prior to the advent of unsolicited commercial email (spam) as a viable business model, "legitimately spoofed" email was common. For example, a visiting user might use the local organization's SMTP
server to send email from the user's foreign address. Since most servers were configured as open relays, this was a common practice. As spam email became an annoying problem, most of these "legitimate" uses fell victim to antispam techniques.
It is much more difficult to spoof or hide the IP or Internet Protocol address. The IP address is a 32 or 128 bit numerical label assigned to each device participating in a network and originates through the network provider making it more difficult to spoof or hide. Although this kind of verification is difficult for individual users, companies can use this technology as well as others such as cryptographic signatures (e.g., PGP "Pretty Good Privacy" or other encryption technologies) to exchange authenticated email messages. Authenticated email provides a mechanism for ensuring that messages are from whom they appear to be, as well as ensuring that the message has not been altered in transit. Similarly, sites may wish to consider enabling SSL/TLS in their mail transfer software. Using certificates in this manner increases the amount of authentication performed when sending mail.
The technique is now used ubiquitously by bulk email software as a means of concealing the origin of the propagation. On infection, worms such as ILOVEYOU
, Klez
and Sober will often try to perform searches for email addresses within the address book of a mail client, and use those addresses in the From field of emails that they send, so that these emails appear to have been sent by the third party. For example:
This can be particularly problematic in a corporate setting, where email is sent to organisations with content filtering gateways in place. These gateways are often configured with default rules that send reply notices for messages that get blocked, so the example is often followed by:
Newer variants of these worms have built on this technique by randomising all or part of the email address. A worm can employ various methods to achieve this, including:
Email
Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. Because core SMTP doesn't provide any authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
, it is easy to impersonate and forge emails.
Although there are legitimate uses, these techniques are also
commonly used in spam and phishing
Phishing
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
emails to hide the origin of the email message..
By changing certain properties of the email, such as the From, Return-Path and Reply-To fields (which can be found in the message header), ill-intentioned users can make the email appear to be from someone other than the actual sender. The result is that, although the email appears to come from the address indicated in the From field (found in the email headers), it actually comes from another source.
Occasionally (especially if the spam requires a reply from the recipient, as in advance-fee frauds), the source of the spam email is indicated in the Reply-To field (or at least a way of identifying the spammer); if this is the case and the initial email is replied to, the delivery will be sent to the address specified in the Reply-To field, which could be the spammer's address. However, most spam emails (especially malicious ones with a trojan/virus payload, or those advertising a web site) forge this address too, and replying to it will annoy an innocent third party.
Prior to the advent of unsolicited commercial email (spam) as a viable business model, "legitimately spoofed" email was common. For example, a visiting user might use the local organization's SMTP
Simple Mail Transfer Protocol
Simple Mail Transfer Protocol is an Internet standard for electronic mail transmission across Internet Protocol networks. SMTP was first defined by RFC 821 , and last updated by RFC 5321 which includes the extended SMTP additions, and is the protocol in widespread use today...
server to send email from the user's foreign address. Since most servers were configured as open relays, this was a common practice. As spam email became an annoying problem, most of these "legitimate" uses fell victim to antispam techniques.
It is much more difficult to spoof or hide the IP or Internet Protocol address. The IP address is a 32 or 128 bit numerical label assigned to each device participating in a network and originates through the network provider making it more difficult to spoof or hide. Although this kind of verification is difficult for individual users, companies can use this technology as well as others such as cryptographic signatures (e.g., PGP "Pretty Good Privacy" or other encryption technologies) to exchange authenticated email messages. Authenticated email provides a mechanism for ensuring that messages are from whom they appear to be, as well as ensuring that the message has not been altered in transit. Similarly, sites may wish to consider enabling SSL/TLS in their mail transfer software. Using certificates in this manner increases the amount of authentication performed when sending mail.
Methods
Because many spammers now use special software to create random sender addresses, even if the user finds the origin of the email it is unlikely that the email address will be active.The technique is now used ubiquitously by bulk email software as a means of concealing the origin of the propagation. On infection, worms such as ILOVEYOU
ILOVEYOU
ILOVEYOU, also known as Love Letter, is a computer worm that successfully attacked tens of millions of computers in 2000 when it was sent as an attachment to a user with the text "ILOVEYOU" in the subject line. The worm arrived e-mail on and after May 4, 2000 with the simple subject of "ILOVEYOU"...
, Klez
KLEZ
KIXV is a radio station broadcasting a country music format. Licensed to Malvern, Arkansas, USA, it serves the Hot Springs, Arkansas and Hot Springs Village, Arkansas, area. The station is currently owned by Noalmark Broadcasting Corporation....
and Sober will often try to perform searches for email addresses within the address book of a mail client, and use those addresses in the From field of emails that they send, so that these emails appear to have been sent by the third party. For example:
- Alice is sent an infected email and then the email is opened, triggering propagation.
- The worm finds the addresses of Bob and Charlie within Alice's address book.
- From Alice's computer, the worm sends an infected email to Bob, but the email appears to have been sent by Charlie.
This can be particularly problematic in a corporate setting, where email is sent to organisations with content filtering gateways in place. These gateways are often configured with default rules that send reply notices for messages that get blocked, so the example is often followed by:
- Bob doesn't receive the message, but instead gets a message telling him that a virus sent to him has been blocked. Charlie receives a message telling him that a virus sent by him has been blocked. This creates confusion for both Bob and Charlie, while Alice remains unaware of the actual infection.
Newer variants of these worms have built on this technique by randomising all or part of the email address. A worm can employ various methods to achieve this, including:
- Random letter generation
- Built-in wordlists
- Amalgamating addresses found in address books, for example:
- User1 triggers an email address spoofing worm, and the worm finds the addresses user2@efgh.com, user3@ijkl.com and user4@mnop.com within the users email address book
- The worm sends an infected message to user2@efgh.com, but the email appears to have been sent from user3@mnop.com
See also
- Email authentication
- Computer virusComputer virusA computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
- Computer wormComputer wormA computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
- HoaxHoaxA hoax is a deliberately fabricated falsehood made to masquerade as truth. It is distinguishable from errors in observation or judgment, or rumors, urban legends, pseudosciences or April Fools' Day events that are passed along in good faith by believers or as jokes.-Definition:The British...
- Chain email
- Joe jobJoe jobA joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against him , but they are now typically used by commercial spammers to conceal the true...
- Website spoofingWebsite spoofingWebsite spoofing is the act of creating a website, as a hoax, with the intention of misleading readers that the website has been created by a different person or organisation. Another meaning for spoof is fake websites. Normally, the spoof website will adopt the design of the target website and...