If you own a website or run an email account, you will be familiar with the term "spamming". Most people can quickly identify a spam email when they receive it. But seeing a strange email from a friend, a colleague, a partner or even from yourself land in your inbox will make you think that someone has been hacked. You are also more likely to respond to an email that appears to come from a friend or colleague. If you have seen such an email that looks like it's from a friend, it is the work of spammers, who spoof those addresses all the time, and it is not hard to do. In this post we examine how they do it and how you can protect yourself.
Spammers have been spoofing email addresses for a long time. Years ago, they used to get contact lists from malware-infected PCs. Today's data thieves choose their targets carefully, and phish them with messages that look like they came from friends and trustworthy sources.
Spoofing has been a more successful spamming approach because, as it turns out, spoofing real email addresses is surprisingly easy.
Why Email Addresses Are So Easy to Spoof
Most email servers have been able to address spamming significantly. Gmail and Outlook have strong, sophisticated spam-catching algorithms and powerful filtering tools. Back in the early 2000s, though, that wasn't the case. Spam was still a huge problem that mail servers had yet to seriously tackle, much less develop advanced tools to manage.
In 2003, Meng Weng Wong proposed a way for mail servers to "verify" that the IP address (the unique number that identifies a computer on the internet) sending a message was authorized to send mail on behalf of a specific domain. It was called Sender Permitted From (renamed "Sender Policy Framework" in 2004), and Matthew explains how it works:
Each time an email message was sent, the receiving email server would compare the IP of origin for the message with the IP address listed in the SPF record for the email address’s host (the “@example.com” part).
If the two IP addresses match, then the email could pass through to the intended recipient. If the IP addresses did not match, then the email would be flagged as spam or rejected altogether. The burden of deciding the outcome was completely in the hands of the receiving server.
Over the years, SPF records have evolved (the most recent RFC was published in April 2014), and most domains on the internet have SPF records (public lookup tools let you search for them).
When you register a domain, you also register a number of DNS records that go along with it. Those records tell the world which computers to talk to depending on what they want to do (email, web, FTP, and so on). The SPF record is an example, and ideally it would make sure all the mail servers on the internet knew that people sending email from, say, @example.com, were actually authorized users and computers.
Then, in 2012, a new record type was introduced, designed to work alongside SPF. It's called DMARC, or Domain-based Message Authentication, Reporting, and Conformance. Within a single year it had expanded to protect a large number of consumer mailboxes (although the self-proclaimed 60% is probably optimistic). Matthew explains the details:
DMARC boils down to two important flags (although there are 10 total): the "p" flag, which instructs receiving servers on how to deal with potentially phony emails, either by rejecting, quarantining, or passing; and the "rua" flag, which tells receiving servers where they can send a report about failed messages (usually an email address at the domain admin's security group). The DMARC record solves most of the issues with SPF records by taking the burden of deciding how to respond away from the recipient.
The problem is that not everyone uses DMARC yet.
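To make the SPF comparison Matthew describes and the two DMARC flags concrete, here is an added example (not code from the post or from Matthew) that evaluates a simplified SPF record against a sender IP and pulls the p and rua tags out of a DMARC record. The DNS TXT records are constructed for a hypothetical example.com rather than fetched; only the ip4/ip6 mechanisms and the all terminal are handled, so include:, a, mx and redirect= are out of scope.

```python
"""Evaluate a simplified SPF record against a sender IP and parse a DMARC
record into its tags. Added example; the DNS records are constructed."""
import ipaddress

# Constructed TXT records for a hypothetical example.com (not real DNS data).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 ~all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100",
}

# SPF qualifiers prefixing a mechanism, and the result each one yields
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Return 'pass', 'softfail', 'fail' or 'neutral' for sender_ip.

    Handles only ip4:/ip6: mechanisms and the terminal 'all'; the first
    mechanism that matches decides, exactly as a receiving server would.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.lower().startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
    # No mechanism matched and no 'all' was present
    return "neutral"


def parse_dmarc(record):
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def receiver_view(domain, sender_ip, txt=DNS_TXT):
    """What a receiving server learns about a message claiming to be from
    domain: the SPF verdict for sender_ip plus the domain's p and rua tags."""
    spf = check_spf(txt[domain], sender_ip)
    dmarc = parse_dmarc(txt["_dmarc." + domain])
    return {"spf": spf, "p": dmarc.get("p", "none"), "rua": dmarc.get("rua")}


if __name__ == "__main__":
    print(receiver_view("example.com", "192.0.2.45"))   # listed relay
    print(receiver_view("example.com", "203.0.113.9"))  # unlisted server
```

With the ~all terminal the unlisted server gets a softfail, which is why the receiving server still has to make its own call; only the p tag in the DMARC record tells it what the domain owner actually wants done with such a message.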
How Spammers Spoof Email Addresses
The tools necessary to spoof email addresses are surprisingly easy to get. All you need is a working SMTP server (aka, a server that can send email), and the right mailing software.
Any good web host will provide you with an SMTP server. (You could also install an SMTP server on a system you own, but port 25, the port used for outgoing email, is usually blocked by ISPs, specifically to stop mass-emailing malware.) For his prank on us, Matthew used PHP Mailer. It's easy to understand, easy to install, and it even has a web interface. Open PHP Mailer, compose your message, put in the "from" and "to" addresses, and click send. On the recipient's end, they'll get an email in their inbox that looks like it came from the address you typed in. Matthew explains:
The email should have worked without issue, and appears to be from whomever you said it’s from. There is very little to indicate this didn’t come from their inbox, until you view the source code of the email (“View original” option in Gmail).
You’ll notice that the email “soft” failed the SPF check, yet it came through to the inbox anyway. It’s also important to note that the source code includes the originating IP address of the email, so it’s possible that the email could be traced, if the recipient wanted to.
It’s important to note at this point that there is still not a standard for how email hosts will treat SPF failures. Gmail allowed emails to come in. Outlook.com, however, did not deliver a single falsified email, whether soft or hard failed. A corporate Exchange server let them in without issue, and my home server (OS X) accepted them, but flagged them as spam.
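What Matthew's "View original" check amounts to when done programmatically, as an added example that is not code from the post: the function reads the Received-SPF and Authentication-Results headers that a receiving server stamps on a message, extracts the SPF verdict and the connecting IP, and flags a message that passed neither SPF nor DKIM. The raw message is constructed; the host names and addresses in it are placeholders.

```python
"""Triage a message's authentication headers: which verdicts the receiving
server recorded, which IP handed the mail in, and whether it deserves a
closer look. Added example; the message below is constructed, not a capture."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message: it claims to come from a colleague's address but
# was handed in by a server that the colleague's domain never listed in SPF.
RAW_MESSAGE = """\
Delivered-To: you@example.net
Received: from relay.example.org ([203.0.113.9]) by mx.example.net with ESMTP id c0nstructed
Received-SPF: softfail (example.net: domain of colleague@example.com does not designate 203.0.113.9 as permitted sender) client-ip=203.0.113.9;
Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=colleague@example.com; dkim=none; dmarc=fail header.from=example.com
From: "A Colleague" <colleague@example.com>
To: you@example.net
Subject: Quick favour
Message-ID: <constructed-example@example.com>

Can you send the report to this address?
"""


def triage_headers(raw):
    """Return the SPF/DKIM/DMARC verdicts, the connecting IP, the visible
    From: address and a 'suspicious' flag for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "")
    # The 'spf=...', 'dkim=...' and 'dmarc=...' fragments of the header
    found = re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", auth, re.IGNORECASE)
    verdicts = {k.lower(): v.lower() for k, v in found}
    # The originating IP recorded next to the SPF check (the traceable detail
    # Matthew points out)
    ip_match = re.search(r"client-ip=([0-9a-fA-F.:]+)", msg.get("Received-SPF", ""))
    _, from_address = parseaddr(msg.get("From", ""))
    # Neither authentication method vouches for the visible sender
    suspicious = verdicts.get("spf") != "pass" and verdicts.get("dkim") != "pass"
    return {
        "from_address": from_address,
        "client_ip": ip_match.group(1) if ip_match else None,
        "spf": verdicts.get("spf", "none"),
        "dkim": verdicts.get("dkim", "none"),
        "dmarc": verdicts.get("dmarc", "none"),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for key, value in triage_headers(RAW_MESSAGE).items():
        print(f"{key:>13}: {value}")
```

The message still landed in the inbox in Matthew's Gmail test; the point of the check is that the evidence (softfail, an unlisted client IP, no DKIM signature) is sitting in the headers for anyone, or any mail-filtering rule, that looks.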
Why Would Someone Fraudulently “Spoof” an Email?
There are several reasons why spammers will target your email for spoofing:
1. The email spoofer is trying to “phish” your passwords and login names. Phishing is where the dishonest sender hopes to lure you into trusting the email. A false (spoofed) website will be waiting off to the side, cleverly disguised to look like a legitimate online website or paid web service, like eBay. Far too often, victims will unwittingly believe the spoofed email and click through to the false website. Trusting the spoofed website, the victim will enter his password and login identity, only to receive a false error message that the “web site is unavailable”.
During all of this, the dishonest spoofer will capture the victim’s confidential information and proceed to withdraw the victim’s funds or perform dishonest transactions for monetary gain.
2. The email spoofer is a spammer trying to fill your mailbox with advertising. Using mass-mailing software called “ratware”, spammers will alter the source email address to appear as an innocent citizen, or as a legitimate company or government entity. The purpose, like phishing, is to get people to trust the email enough that they will open it and read the spam advertising inside.
3. Hiding the sender's true identity, although if this is the only goal it can be achieved more easily by registering anonymous mail addresses.
4. Easy rotation. If you are spamming, you are bound to be blacklisted quickly. If you are able to switch sender addresses, you can get away with it.
5. Pretending to be someone the receiver knows. This can be used to ask for sensitive information or simply to order a transfer of funds.
6. Pretending to be from an organization the receiver has a relationship with.
7. Giving the sender a bad name, by sending out insults or other messages that put the so-called sender in a bad light.
8. Identity theft. Being able to send messages in someone’s name can be the start of an identity theft procedure.
Measures to Counter Email Spoofing
The email protocol SMTP (Simple Mail Transfer Protocol) lacks authentication, which makes it extremely easy to spoof a sender address. As a result, most email providers have become experts at intercepting spam before it hits the inbox. Altogether, stopping spoofing itself would be the preferable solution, and that will only be possible with the enforcement of strict rules:
- SPF (Sender Policy Framework): this checks whether a certain IP is authorized to send mail for a given domain. It uses DNS records that tell receiving mail servers whether an IP is on the list for the sending domain. Unfortunately, using SPF leads to many false positives, and the rules are applied loosely at best, so this still leaves the work to the receiving server.
- DKIM (DomainKeys Identified Mail): this method uses a private key to sign outgoing mail and a public key, fetched by the receiving Mail Transfer Agent (MTA), to check that signature; only if the signature matches is the mail sent on. But DKIM only signs the specified parts of the message, so the message can be forwarded and the signature will still match. This is called a replay attack.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): this policy gives a sender the option to let the receiver know whether its email is protected by SPF or DKIM, what actions to take, and whom to report to when dealing with mail that fails authentication. This takes away the doubt on the receiver's end. It is, however, not so widely used.
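The three measures fit together in the receiver's final decision, and the piece the list above leaves implicit is identifier alignment: DMARC only counts an SPF or DKIM pass if the domain that passed matches the visible From: domain. The added example below (not code from the post) implements that disposition logic and walks through three cases: a spoofed message with no valid authentication, a legitimately forwarded message where SPF breaks but the DKIM signature survives, and a message whose envelope sender domain passes SPF but does not align with the From: header. The organizational-domain helper is a deliberate simplification that keeps the last two labels and ignores public-suffix rules.

```python
"""DMARC disposition with identifier alignment. Added example; the
organizational-domain helper is simplified (no public suffix list)."""

# What the receiver does when DMARC fails, keyed by the domain's p= tag
ACTION_FOR_POLICY = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def organizational_domain(domain):
    """Simplified: the last two labels (mail.example.com -> example.com).
    Real implementations consult the public suffix list for cases like co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """Strict ('s') alignment needs an exact match with the From: domain;
    relaxed ('r') accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return organizational_domain(auth_domain) == organizational_domain(header_from)


def dmarc_disposition(header_from, spf_result, spf_domain, dkim_result,
                      dkim_domain, policy, aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM passed AND the domain it authenticated
    aligns with the visible From: domain. Otherwise the published p= policy,
    not the receiver's guesswork, decides what happens to the message."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, adkim)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "action": "deliver"}
    return {"dmarc": "fail", "action": ACTION_FOR_POLICY.get(policy, "deliver")}


if __name__ == "__main__":
    # Spoofed: unlisted server, no signature, domain publishes p=quarantine
    print(dmarc_disposition("example.com", "softfail", "example.com", "none", None, "quarantine"))
    # Forwarded: SPF breaks at the forwarder, but the DKIM signature survives
    print(dmarc_disposition("example.com", "fail", "example.com", "pass", "example.com", "reject"))
    # SPF passes for the envelope domain the spoofer controls, but it does not align
    print(dmarc_disposition("example.com", "pass", "spoofer.example", "none", None, "reject"))
```

The third case is the one SPF alone gets wrong: the envelope (MAIL FROM) domain can legitimately pass SPF while the From: header the recipient actually sees names a different domain, and only the alignment step ties the two together. The second case shows why DKIM is still needed alongside SPF for mail that passes through forwarders.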