Email Spoofing

The internet depends only on trust. When we click on a link, we expect to go to where it says it will take us. When we enter the password, we expect to be let into a private, safe place. When we contact someone, we expect they are who they say they are. When we make a financial transaction, we expect the money we send will get to the destination we want. All the attacks are based on some sort of spoofing, can take advantage of someone’s explicit or implicit trust. As e-mail remains one of the primary way for spammers to manipulate people and get their personal information. E-mail spoofing is the forgery of an email that appears to be originated from one source when it was actually sent from another source. Spammers use an e-mail which appear to be from an email address that may not exist. This way the email cannot be traced back to the originator. Pretending to be someone can have many advantages.

Countermeasures to protect from Email Spoofing.

Since the e-mail protocol SMTP is a text based, used to be extremely easy to spoof a sender address. There is no security/verification with SMTP itself. Most email providers are experts at intercepting spam before it hits the inbox. But wouldn’t it be much better if they were able to stop it from being sent in the first place? Well, there have been a few attempts to enforce rules that could accomplish this:

  • SPF (Sender Policy Framework): This checks whether a certain IP is authorized to send mail from a given domain or an email validation protocol designed to detect and block email spoofing. This method will tell receiving mail servers whether an IP is on the list for the sending domain. Unfortunately SPF lead to false positives and the results are not satisfactory. So this still leaves the work to the receiving server.
  • DKIM (Domain Key Identified Mail): DKIM is pretty complicated. This method uses a private and a public key fetched by a Mail Transfer Agent (MTA). These are compared and only if it is a match the mail will be sent on. But this only signs the specified parts of the message, the message can be forwarded and the signature will still match. This is called a replay attack. The problem with DKIM is that it’s more difficult to implement.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC ensures that legitimate email is properly authenticating against established DKIM and SPF standards and what actions to take and who to report to when dealing with mails that fail authentication, but unfortunately DMARC is not very widely used.

IARM Information Security