Email spoofing is the creation of email messages with counterfeited sender addresses.
Because the core email protocol does not have a mechanism for authentication, spam and phishing emails typically use such spoofing to mislead the recipient about the origin of the message.
Technical details
When an SMTP email is sent, the initial connection provides two pieces of address information:
- MAIL FROM: - generally presented to the recipient as the Return-path: header, but not normally visible to the end user; by default no check is made that the sending system is authorized to send on behalf of that address.
- RCPT TO: - specifies which email address the email is delivered to; not normally visible to the end user, but may be present in the headers as part of the "Received:" header.
Together these are sometimes referred to as the "envelope" addressing, by analogy with a traditional paper envelope. Unless the receiving mail server signals that it has a problem with either of these items, the sending system sends the "DATA" command, and typically sends several header items, including:
- From: Joe Q Doe <joeqdoe@example.com> - the address visible to the recipient; but again, by default no check is made that the sending system is authorized to send on behalf of that address.
- Reply-to: Jane Roe <Jane.Roe@example.mil> - likewise unchecked
and sometimes:
- Sender: Jin Jo <jin.jo@example.jp> - also unchecked
The result is that the email recipient sees the email as having come from the address in the From: header; they can sometimes find the MAIL FROM address; and if they reply to the email it will go to the address presented in the From: or Reply-to: header. None of these addresses is reliable, so automated bounce messages may generate backscatter.
Use with spam and worms
Malware such as Klez and Sober, and many more modern examples, often search for email addresses on the computer they have infected, and use those addresses both as targets for email and to create credible forged From: fields in the emails they send, so that these emails are more likely to be opened. For example:
- Alice is sent an infected email, which she opens, running the worm code.
- The worm code searches Alice's email address book and finds the addresses of Bob and Charlie.
- From Alice's computer, the worm sends an infected email to Bob, but forged to appear as if it was sent by Charlie.
In this case, even if Bob's system detects the incoming email as containing malware, it sees the source as Charlie, even though it really came from Alice's computer. Meanwhile Alice may remain unaware that her computer has been infected.
Fooling media
It has happened that the media has printed false stories based on spoofed emails.
- In October 2013, an email which looked like it came from the Swedish company Fingerprint Cards was sent to a news agency, saying that Samsung had offered to buy the company. The news spread and the company's stock price rose by 50%. It was later discovered that the email was fake.
Legitimate use
Historically, "legitimately spoofed" email was common on the Internet. For example, a visiting user might use the local organization's SMTP server to send email from the user's foreign address. Since most servers were configured as "open relays", this was a common practice. As spam became an annoying problem, these sorts of "legitimate" uses fell out of favor.
When multiple software systems communicate with each other via email, spoofing may be required to facilitate such communication. In any scenario where an email address is set up to automatically forward incoming email to a system which only accepts email from the forwarder, spoofing is required to facilitate this behavior. This is common between ticketing systems which communicate with other ticketing systems.
Effects on mailservers
Traditionally, mail servers could accept a mail item and then later send a Non-Delivery Report (NDR) or "bounce" message if it could not be delivered or had been quarantined for any reason. These were sent to the "MAIL FROM:" address, a.k.a. the "Return Path". With the massive rise in forged addresses, best practice is now to not generate NDRs for detected spam, viruses, etc., but to reject the email during the SMTP transaction. When mail administrators fail to take this approach, their systems are guilty of sending "backscatter" emails to innocent parties - in itself a form of spam - or of being used to perform "Joe job" attacks.
Identify email source
Although email spoofing is effective in forging the email address, the IP address of the computer sending the mail can generally be identified from the "Received:" lines in the email header. In many cases this is likely to be an innocent third party infected by malware that is sending the email without the owner's knowledge.
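As an added example (not part of the original article), the following script shows the points made under Technical details and Identify email source: it parses a constructed message, compares the envelope sender (Return-Path) with the visible From: and Reply-to: headers, and pulls the originating IP address from the earliest Received: line. The message, hosts and addresses are all made up for the example.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from the article): the envelope sender
# (Return-Path) and the visible From: name different domains, and Reply-To:
# points to a third domain again.
RAW_MESSAGE = """\
Return-Path: <bulk-42@mailer.example.net>
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby inbound.example.com with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mx1.example.org with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: Joe Q Doe <joeqdoe@example.com>
Reply-To: Jane Roe <jane.roe@example.mil>
To: bob@example.com
Subject: Invoice attached

Please see the attached invoice.
"""

def domain_of(addr):
    """Return the lowercase domain part of an address header, or '' if none."""
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()

def analyse(raw):
    """Compare the envelope sender with the visible headers and locate the
    earliest hop in the Received: chain. Returns a dict a triage script can act on."""
    msg = email.message_from_string(raw, policy=policy.default)
    envelope = domain_of(msg["Return-Path"])
    header_from = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    # Each relay prepends its own Received: header, so the last one in the
    # list is the earliest hop, i.e. the closest thing to the true origin.
    received = msg.get_all("Received", [])
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    return {
        "envelope_domain": envelope,
        "from_domain": header_from,
        "reply_to_domain": reply_to,
        "envelope_mismatch": envelope != header_from,
        "reply_to_mismatch": bool(reply_to) and reply_to != header_from,
        "origin_ip": match.group(1) if match else None,
    }

if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

A mismatch is not proof of spoofing (mailing lists and forwarders produce the same pattern), but it is the first thing to check alongside the SPF/DKIM/DMARC results.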
Countermeasures
The SSL/TLS system used to encrypt server-to-server email traffic can also be used to enforce authentication, but in practice it is seldom used, and a range of other potential solutions have also failed to gain traction.
However, a number of effective systems are now widely used, including:
- SPF
- Sender ID
- DKIM
- DMARC
Although their use is increasing, estimates vary widely as to what percentage of emails have no form of domain authentication: from 8.6% to "almost half". To effectively stop forged email from being delivered, the sending domains, their mail servers, and the receiving systems all need to be configured correctly for these higher standards of authentication.
Because modern countermeasures prevent spammers from spoofing the envelope From address, many have moved on to spoofing the header From address, which is seen by the receiving user rather than being processed by the receiving MTA. A proprietary implementation beyond the scope of the SPF scheme is required to protect against certain header-spoofing implementations.
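To illustrate the alignment point in the paragraph above, here is an added example (not from the article): a small DMARC evaluator showing why a passing SPF check on the spammer's own envelope domain does not help once the header From: names a different domain. The organizational-domain helper is a deliberate simplification, and the record and domains are constructed.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s'
    into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Organizational domain. Assumption/simplification: the last two
    labels; real evaluators consult the Public Suffix List."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(from_domain, record, spf_pass, mail_from_domain,
                   dkim_pass, dkim_domain):
    """Return (result, disposition). A message passes DMARC when SPF or
    DKIM passed AND that identifier aligns with the header From: domain;
    otherwise the record's p= policy is the disposition."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")

# Constructed scenario: the envelope sender on the spammer's own domain passes
# SPF, but the visible From: claims example.com, whose DMARC record says reject.
RECORD = "v=DMARC1; p=reject; aspf=r; adkim=r"
SPOOFED = dmarc_evaluate("example.com", RECORD, True, "mailer.example.net", False, "")
LEGIT = dmarc_evaluate("example.com", RECORD, False, "", True, "example.com")

if __name__ == "__main__":
    print("spoofed header From:", SPOOFED)   # SPF passed but is not aligned
    print("DKIM-signed by owner:", LEGIT)
```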
See also
- Email authentication
- Sender Policy Framework (SPF)
- Computer viruses
- Computer worms
- Hoax
- Chain email
- Joe job
- Website spoofing
External links
- CERT Tech Tip - Spoofed/Forged Email
Source of the article : Wikipedia