Email Spoofing
Spoof 1. a light-hearted imitation of someone or something; a lampoon, parody, or mockery 2. a hoax or prank
Email spoofing is a lot less good-natured than the general definitions above; there is nothing light-hearted about it. In a nutshell, email spoofing is the alteration of a message’s header so that the communication appears to originate from someone other than the true sender. This may involve forging the “from” and “reply to” addresses as well as altering the date and time the message was supposedly sent. Sometimes the sender’s IP address is faked as well. The aim is to get the recipient to open what would otherwise be an email surely destined for deletion and doom. Such an email rarely contains anything worth the click it took to get there. In some cases it can even be the concealed delivery method for computer-shredding viruses and phishing scams[1].
Spoofing 101
The vast bulk of email today is sent via a procedure called SMTP, or Simple Mail Transfer Protocol. This is basically a communications method that allows the sending machine to deliver mail to the recipient’s server. For our purposes it is enough to know that SMTP does not normally verify or authenticate the sender of an email. Thus a spammer can write whatever they like into the header, with the result that altered information is displayed in places such as the “from” field of the message.
Open Relaying
A server that is configured in such a way as to permit an outside sender to traffic emails through it is known as an open relay. Spammers employ open relays to forward their messages as a primary means of concealing their true source. When the spam email reaches its destination, the relay server’s data will be displayed as the “source” in the header rather than the actual point of origination.
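As an added illustration (not code from the original article), the following Python sketch shows the decision a correctly configured mail server makes when a client names a recipient, and where an open relay differs: an open relay would also accept the third-party recipient at the final step. The local domains and trusted networks are hypothetical.

```python
import ipaddress

# Constructed site policy (hypothetical values): the domains this server
# accepts mail FOR, and the client networks it is willing to relay mail FROM.
LOCAL_DOMAINS = {"recipient.example", "mail.recipient.example"}
MY_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
               ipaddress.ip_network("192.0.2.0/24")]


def relay_decision(client_ip: str, authenticated: bool, rcpt_to: str) -> tuple[bool, str]:
    """Decide whether to accept the recipient offered by this SMTP client.

    Order of checks: mail for our own domains is always accepted; relaying to
    other domains is allowed only for trusted networks or authenticated users.
    Returns (accept, reason)."""
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower() if "@" in rcpt_to else ""
    if not rcpt_domain:
        return False, "501 bad recipient address"
    if rcpt_domain in LOCAL_DOMAINS:
        return True, "250 local delivery"              # inbound mail: always fine
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MY_NETWORKS):
        return True, "250 relay permitted for trusted network"
    if authenticated:
        return True, "250 relay permitted for authenticated user"
    # An open relay would return True here and carry mail for anyone;
    # a correctly configured server refuses third-party relaying.
    return False, "554 relay access denied"
```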
Motives
Getting the recipient to open the email. If you receive a message that appears to have come from a source you consider legitimate, you are more likely to open it. The more people who actually open and read a piece of spam, the more who will fall for it and buy the detritus that the spammer is peddling.
Looking legitimate to get in your inbox. A spam email with a spoofed header that has been sent through an open relay stands a better chance of reaching its victim than one that comes openly from an address or server known to be frequented or operated by spammers. Such an email is better equipped to pass the scrutiny of blacklists and filters undetected.
Harassment and blackmail. Rather than trying to sell you something worthless a spoofed email might be sent that appears to be from someone you know. The message might contain all kinds of abusive language, threats, or demands for money that the person whose address was spoofed would never say. Conversely, you might find yourself accused of sending such messages if some cretin decides to spoof your email address.
Disseminating viruses. Spoofed email is used to aid in the delivery of virus-laden attachments. Cloaked by a spoofed address, such attachments stand a better chance of being opened and activated by the targeted person. By the time the user recognizes the problem, the damage has been done.
Basic Detection
Check the information (name or address) contained in the “from” field of any suspicious email against the address from which it was actually sent. You can learn more about where the email came from by looking at the “received” fields in the header. Normally you won’t see these, but most email programs have a setting in their options section that reveals the entire header. If the sender’s information doesn’t even come close to that in the “from” field, it’s probably spam or worse[2].
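The check described above, as an added Python example that is not part of the original article: it parses a constructed sample message, compares the domain in the “from” field with the Return-Path and Reply-To domains and with the host named in the earliest “received” line, and reports every mismatch. All addresses, hosts and IPs in the sample are made up.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not a real capture): the visible From claims
# bank.example, but the envelope sender and the Received chain point elsewhere.
SPOOFED = """\
Return-Path: <bulk@mailer.example.net>
Received: from mx1.recipient.example (mx1.recipient.example [192.0.2.10])
  by inbox.recipient.example with ESMTP id abc123; Tue, 01 Jan 2008 10:00:00 +0000
Received: from relay.someisp.example (relay.someisp.example [198.51.100.7])
  by mx1.recipient.example with SMTP id xyz789; Tue, 01 Jan 2008 09:59:58 +0000
From: "Customer Service" <service@bank.example>
Reply-To: <collect@mailer.example.net>

Click the link to verify your account.
"""

def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header ('' if there is none)."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def received_hosts(msg) -> list[str]:
    """'from <host>' token of each Received header, in header order.
    Every server prepends its own line, so the LAST one is the first hop."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(hdr), re.IGNORECASE)
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def spoof_indicators(raw: str) -> list[str]:
    """Compare what the message claims (From) with where it actually came from."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    findings = []
    for field in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(field, ""))
        if dom and dom != from_dom:
            findings.append(f"{field} domain {dom} differs from From domain {from_dom}")
    hosts = received_hosts(msg)
    if hosts:
        origin = hosts[-1]
        if origin != from_dom and not origin.endswith("." + from_dom):
            findings.append(f"first hop {origin} is not a host under {from_dom}")
    return findings
```

Only the “received” lines added by servers you trust are reliable; a sender can insert fabricated ones beneath them, so read the chain from your own server downwards.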
Criminality
Even though the goal of a spoofer may be to steal your personal identification information, the fact that they are posing as a reputable source by displaying a name or address that is not their own is a theft in its own right. In other words, they are committing identity theft to facilitate further identity theft.
Although some state laws have been enacted that deal with spamming and spoofing these have been superseded by a federal law known as the CAN-SPAM Act[3]. One of its provisions states that any unsolicited email must possess accurate and unaltered information in its header so that the sender is immediately identifiable.
This seems plain and simple. However, because of the nature of email headers as well as the methods of message transmission, any competent crook can easily remain too elusive to prosecute. The real solution to spoofed emails will of necessity be the same as that for spam in general: improved technology rather than legislation.
Prevention
One way this can be accomplished is for the operators of mail servers to configure their systems in such a way as to make the relaying of unauthenticated emails harder. Utilizing an add-on to the normal SMTP process that occurs whenever an email is sent is one step in this direction. This add-on is known as SPF or Sender Policy Framework[4]. SPF functions by enabling the operators of a domain to specify which sources are allowed to traffic email through their domain.
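As an added example (not the article’s code and not any SPF library’s), here is a minimal SPF evaluator in Python for the ip4/ip6 mechanisms and the “all” catch-all; records come from a constructed table standing in for the DNS TXT lookup, and mechanisms that need DNS (a, mx, include) are reported as unknown. Note that SPF is checked against the domain in the SMTP envelope sender (MAIL FROM) or HELO name, not the displayed “from” header, so it stops forged envelopes rather than forged display names.

```python
import ipaddress

# Constructed SPF records keyed by domain (hypothetical); stands in for the
# DNS TXT lookup a real receiver performs for the envelope-sender domain.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:10::/48 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate one SPF record against the connecting IP.

    Handles ip4/ip6 mechanisms and the 'all' catch-all with their qualifiers;
    mechanisms that need DNS (a, mx, include, exists, ptr) yield 'unknown'."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"                    # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed record
            if ip in net:                  # False when IP versions differ
                return QUALIFIERS[qualifier]
        elif name in ("a", "mx", "include", "exists", "ptr"):
            return "unknown"               # would need DNS; out of scope here
        # 'redirect=' / 'exp=' modifiers carry no ':' and are ignored here
    return "neutral"                       # nothing matched and no 'all' term


def check_sender(envelope_domain: str, sender_ip: str) -> str:
    """SPF result for a connection claiming envelope_domain from sender_ip."""
    record = SPF_RECORDS.get(envelope_domain.lower())
    return "none" if record is None else evaluate_spf(record, sender_ip)
```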
In conclusion, spoofed email is a problem to be sure, but it is only a single facet of the overall problem of unsolicited email. In the end your best protection is a good spam filter and a pair of cynical and vigilant eyes.
References
[1] Phishing is the act of stealing such things as personal identification and credit card data by posing as a reputable source, such as an email from the victim’s employer, financial institution, favorite online store, etc.
[2] For more information on spoofing detection see: Fraud Guides
[3] http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.shtm