Email Spoofing
By: Kevin Copeland info@drakehs.com
Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it actually was sent from another. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information.
Spoofers don’t necessarily have to have access to your account. In fact, generally it has nothing at all to do with your account, and your account is quite safe.
Spoofers only need a legit email address
For further assurance, spoofing does not mean that your computer is infected by a worm, virus, spambot, zombie, etc. and is sending out messages from your address book.
It could be that "someone's" machine containing your email address in the address book is infected or hijacked and sending out messages with your email address randomly taken from the infected machine's address book.
Or your email address is on a website somewhere and the spoofer happened to use it. Either way it doesn't mean you have done anything.
How it's done
Spoofers or spammers set up an email client or program, such as Outlook, Thunderbird, or something they have created. They start with the display name. This is simply the name displayed on the "From:" line of the emails they send. Normally this would be your own name, but in reality it can be whatever you like. Therefore, if a false email address is used, this is what the email recipient will see. As a result, if the email address in the "To:" line isn't active, the false email address used will receive the bounce-back message; it is a legitimate email address, after all. It's not until later that the spoofer separately specifies the actual account name and password they need to log in to their mail server to send and receive email.
So here's the key: to send email appearing to be from someone else, all they need to do is create an email account in an email program using their own email account information, but specifying someone else's email address. Then they will typically use a spamming program to send mass emails to spread viruses, send links to other sites, or whatever.
Reaction
- 1. You may be alerted to spoofed email attempts by reports from your contacts or by receiving bounced/returned email error messages.
- 2. Forward a copy of a bounced email to your email administrator
- a. The header of the email message often contains a complete history of the "hops" the message has taken to reach its destination. Information in the headers (such as the "Received:" and "Message-ID" information), in conjunction with your mail delivery logs, should help you to determine how the email reached your system.
- b. Provide as much information as possible to help trace this type of activity. You can also increase the level of logging for your mailer delivery daemon.
- c. Realize that in some cases, you may not be able to identify the origin of the spoofed email.
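As an added illustration of the header check described in step 2a (this example is not part of the original article), the Python sketch below lists the "Received:" hops of a message oldest-first and compares the "From:" domain with the "Message-ID" domain and the first hop. The sample message, its host names and the helper names are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): From: claims example.org, but the
# first hop and the Message-ID point at a different host.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
\tby mail.recipient.example with ESMTP id A1; Mon, 01 Jan 2024 10:00:05 +0000
Received: from bulk-sender.example.net (unknown [198.51.100.77])
\tby mx.recipient.example with SMTP id B2; Mon, 01 Jan 2024 10:00:03 +0000
From: "Your Name" <you@example.org>
To: nobody@recipient.example
Message-ID: <20240101100001.12345@bulk-sender.example.net>
Subject: constructed test message

body
"""

HOP = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?by\s+(\S+)", re.S)

def same_org(host, domain):
    return bool(domain) and (host == domain or host.endswith("." + domain))

def trace_hops(raw):
    """Return hops oldest-first as (from_host, from_ip, by_host)."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its Received: line, so reverse to get send order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append(m.groups())
    return hops

def spoof_indicators(raw):
    """Compare the From: domain with the Message-ID domain and first hop."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    msgid_domain = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    hops = trace_hops(raw)
    first_host = hops[0][0].lower() if hops else ""
    return {
        "from_domain": from_domain,
        "msgid_domain": msgid_domain,
        "first_hop": first_host,
        "msgid_mismatch": bool(msgid_domain) and not same_org(msgid_domain, from_domain),
        "first_hop_mismatch": bool(first_host) and not same_org(first_host, from_domain),
    }
```

A mismatch is a lead for the administrator to check against the mail delivery logs, not proof of spoofing, since legitimate mail sent through a third-party service can show the same pattern. Only the "Received:" lines written by your own servers are trustworthy; earlier ones are supplied by the sender.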
What Can You Do
- 1. Run your anti-virus/anti-malware software
- 2. Change your password
- 3. Depending on your email provider, contact them with the problem. They may be able to provide additional security to your account.
Even using these steps may not solve the problem. Since a spoofer doesn't necessarily need access to an email account to spoof it, it is a difficult problem to solve.
For more information on protecting your PC, contact Drake Hardware & Software at 319-752-1155.


