How do I identify and deal with email spoofs/spoofing?

Overview

Email spoofing is a growing problem and has unfortunately reached the point where you can't reliably trust the information associated with an email to tell you who actually sent the message.  Malicious individuals commonly use email spoofing to hide the origin of an email message when sending out spam, phishing, or malware-laden emails, in turn increasing the chances that you will respond.  Unfortunately, it is possible because the main protocol used in sending email (SMTP) does not include an authentication mechanism.  The risks associated with spoofed emails range from being a nuisance to endangerment of personal safety.  Some jurisdictions have enacted legislation against this form of email identity fraud, but many agree that this is a technical problem that calls for a technical solution.

Details: 

Spam, phishing, and virus-laden email can take all of the usefulness and entertainment out of communicating electronically. At least you can trust email that comes from the people you know; or can you?  In this article, we look at what email spoofing is, what it is used for, why it's possible, what the risks are, and what can be done about it.

If you would like someone to investigate a spoofed email

If you are an individual associated with Purdue and have received what you believe to be a spoofed email, or if you aren't associated with Purdue, but have received an email that appears to have come from a Purdue account, please use the "Report Message" button in Outlook to forward the email and headers to the Security team. Alternatively, you can forward the spoofed email to abuse@purdue.edu along with the email headers. The headers of the email message typically contain a history of the route the message has taken to reach its destination. The headers are vital in determining if the email actually came from a Purdue host or account.

For assistance retrieving full internet headers, see the article "How do I retrieve the full internet headers from an email message?".  Remember that although your email address appears to have been spoofed, this does not necessarily mean that the forger has gained access to your mailbox.

NOTE: Please realize that in some cases it may not be possible either to identify the origin of the spoofed email or to take action against the forger, as not every state or country has laws against spoofing.

Is There Anything I Can Do to Prevent Spoofing?

Unfortunately, there is nothing that an individual can do at this point in time to stop spoofing from happening.  However, there are things that can be done to help assure the recipients of your emails that you are actually the message sender.

In order to better assure recipients of your emails that you are the actual sender you can digitally/cryptographically (e.g. PGP, S/MIME) sign your outgoing emails.  Doing so provides a method for ensuring that messages are from whom they appear to be, as well as ensuring that the message has not been altered in transit.  Please keep in mind that this method of assurance is only valid as long as you are the only person who has access to your digital certificate(s) or cryptographic key(s). 

Example: If User A obtains User B's signing certificate and the private key that goes with it, User A can send out a digitally signed email posing as User B.  More information on digital certificates can be found at http://en.wikipedia.org/wiki/Digital_certificates.

If you are an IT professional employed by Purdue, consider the following for your environment:

  1. If you run your own mail server, configure your mail server to prevent an unauthenticated user from directly connecting to your SMTP port to send spoofed emails.
     
  2. If you run your own mail server, ensure that your mail server allows logging and that it is configured to provide sufficient logging to assist in tracking the origin of spoofed email.
     
  3. If you run your own mail server, consider a single point of entry for email to your site. You can implement this by configuring your firewall so that SMTP connections from outside your firewall must go through a central mail hub. This will help by providing you with centralized logging, which may assist in detecting the source of mail spoofing attempts against your site.
     
  4. Educate your users about the university's and your group's policies and procedures in order to prevent them from being tricked into disclosing sensitive information such as their username and passwords. Make sure you teach your users to report any such activities to the appropriate IT professionals as soon as possible.
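Items 1 and 2 above (refuse unauthenticated submission, and log enough to trace spoofed mail) only pay off if someone actually reviews the logs. The following is an added example, not code from the Purdue article or any Purdue tooling: it correlates Postfix-style "smtpd" and "qmgr" log lines by queue ID and flags two situations, a message claiming a local sender that was submitted without SMTP AUTH from outside the trusted network, and an authenticated user sending as somebody else (the case the note under "Why Is Spoofing Possible?" warns about). The log lines, host names, addresses and the trusted network range are all constructed for this example.

```python
"""Spot spoofing attempts in mail-server logs.

Added example, not part of the Purdue article or any Purdue tooling.
The log lines below are constructed in a Postfix-like format; the hosts,
addresses and queue IDs are invented, and the trusted network range and
local domain are assumptions.
"""
import ipaddress
import re

LOCAL_DOMAIN = "purdue.example"                         # assumption
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumption: on-site hosts

# smtpd logs the connecting client (and the SASL login, if any) under a queue
# ID; qmgr logs the envelope sender for the same queue ID on a separate line.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<host>\S+?)\[(?P<ip>[\d.]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?"
)
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>")

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
Jan 01 10:00:00 mx postfix/smtpd[1001]: A1B2C3: client=mail.purdue.example[192.0.2.25]
Jan 01 10:00:01 mx postfix/qmgr[1002]: A1B2C3: from=<alice@purdue.example>, size=812, nrcpt=1 (queue active)
Jan 01 10:05:10 mx postfix/smtpd[1003]: D4E5F6: client=unknown[203.0.113.45]
Jan 01 10:05:11 mx postfix/qmgr[1002]: D4E5F6: from=<helpdesk@purdue.example>, size=2048, nrcpt=40 (queue active)
Jan 01 10:07:30 mx postfix/smtpd[1004]: 778899: client=laptop.isp.example[198.51.100.7], sasl_method=PLAIN, sasl_username=bob
Jan 01 10:07:31 mx postfix/qmgr[1002]: 778899: from=<bob@purdue.example>, size=500, nrcpt=1 (queue active)
Jan 01 10:09:00 mx postfix/smtpd[1005]: AA11BB: client=laptop.isp.example[198.51.100.7], sasl_method=PLAIN, sasl_username=bob
Jan 01 10:09:01 mx postfix/qmgr[1002]: AA11BB: from=<president@purdue.example>, size=900, nrcpt=200 (queue active)
Jan 01 10:12:00 mx postfix/smtpd[1006]: CC22DD: client=mta.partner.example[203.0.113.80]
Jan 01 10:12:01 mx postfix/qmgr[1002]: CC22DD: from=<news@partner.example>, size=3000, nrcpt=1 (queue active)
"""


def parse_log(text):
    """Correlate smtpd and qmgr lines by queue ID into one record per message."""
    records = {}
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            records.setdefault(m["qid"], {}).update(
                host=m["host"], ip=m["ip"], user=m["user"])
            continue
        m = FROM_RE.search(line)
        if m:
            records.setdefault(m["qid"], {})["sender"] = m["sender"]
    return records


def is_trusted(ip):
    """True if the client address lies inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_spoofing(text):
    """Return (queue_id, reason) for messages claiming a local sender without a
    trustworthy origin.  Mail from other domains is left alone: this check is
    about our own domain being used as the sender."""
    findings = []
    for qid, rec in sorted(parse_log(text).items()):
        sender = rec.get("sender", "")
        if "ip" not in rec or not sender.lower().endswith("@" + LOCAL_DOMAIN):
            continue
        user = rec.get("user")
        if user is None and not is_trusted(rec["ip"]):
            findings.append((qid, f"local sender {sender} submitted without AUTH "
                                  f"from {rec['host']}[{rec['ip']}]"))
        elif user is not None and sender.lower() != f"{user}@{LOCAL_DOMAIN}".lower():
            findings.append((qid, f"authenticated user {user} sent as {sender}"))
    return findings


if __name__ == "__main__":
    for qid, reason in find_spoofing(SAMPLE_LOG):
        print(qid, reason)
```

On the sample above the check reports queue D4E5F6 (a local help-desk address submitted from an unknown outside host with no login) and AA11BB (user "bob" authenticated and then sent as "president"); the first rule corresponds to item 1, the second to the note under "Why Is Spoofing Possible?". The "authenticated user sends as someone else" rule needs a list of which addresses each account may legitimately use, so expect to add exceptions for shared mailboxes and role accounts before alerting on it.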

What Is Spoofing?

Email spoofing is an expression used to describe fraudulent email activity in which the sender's name, address, and possibly other parts of the email header are altered to appear as though the email originated from someone or somewhere other than the actual source.  It is essentially a form of identity fraud, as the actual sender pretends to be someone they are not in order to elicit a response from the recipient.  Typical desired responses range from merely opening a message to responding to the solicitation and sending money or revealing personal information.

Here's a simple analogy to help you understand.  If you receive a letter through the US Postal Service, you rely on the return address as an indicator of where it originated.  However, there is nothing stopping the sender from writing a different name and address, leaving you with no guarantee that the letter is actually from the person and address listed in the return address.

What is the use of Spoofing?

Email spoofing is a technique commonly used by malicious individuals when sending out spam, phishing, or malware-laden emails to hide the origin of an email message and, in turn, increase their chances that you will respond or react as they hoped you would.  By changing certain properties of the email, such as the 'From', 'Reply-To', and 'Return-Path' fields that are found in the message header, malicious users can make the email appear to be from someone other than the actual sender.
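The 'From', 'Reply-To' and 'Return-Path' fields named above are exactly what the Security team looks at when you forward a message with its full headers (see "If you would like someone to investigate a spoofed email"). The following is an added example, not code from the Purdue article or any Purdue tooling, showing how those fields and the 'Received' chain can be compared automatically: it flags a Reply-To or Return-Path whose domain differs from the From domain, and a From claiming the local domain when the earliest hop in the Received chain is not one of the organisation's own hosts. Both messages, all host names, addresses and IPs are constructed for the example, and the local domain and trusted host suffix are assumptions.

```python
"""Check the sender-related headers of a received message for consistency.

Added example, not part of the Purdue article.  Both messages below are
constructed for illustration (hosts, addresses and IPs are invented), and
the trusted-host suffix is an assumption about which mail servers the
organisation operates.
"""
import email
import re
from email import policy
from email.utils import parseaddr

LOCAL_DOMAIN = "purdue.example"          # assumption
TRUSTED_SUFFIX = "." + LOCAL_DOMAIN      # assumption: our own MTAs live here

# Constructed: From claims a local address, but Reply-To and Return-Path
# point elsewhere and the earliest hop is an unknown outside host.
SUSPICIOUS_MESSAGE = b"""\
Return-Path: <bounce-1234@mailer.example.net>
Received: from mx.purdue.example (mx.purdue.example [192.0.2.10])
\tby mailbox.purdue.example with ESMTP id abc123; Mon, 1 Jan 2024 10:00:02 -0500
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx.purdue.example with SMTP id xyz789; Mon, 1 Jan 2024 10:00:00 -0500
From: "IT Help Desk" <helpdesk@purdue.example>
Reply-To: helpdesk-support@mailer.example.net
To: someone@purdue.example
Subject: Your mailbox is full - verify your password

Reply with your username and password to keep your account active.
"""

# Constructed: the sender fields agree and the earliest hop is a local host.
CLEAN_MESSAGE = b"""\
Return-Path: <alice@purdue.example>
Received: from smtp.purdue.example (smtp.purdue.example [192.0.2.20])
\tby mailbox.purdue.example with ESMTP id def456; Mon, 1 Jan 2024 11:00:00 -0500
From: Alice <alice@purdue.example>
To: someone@purdue.example
Subject: Lunch?

Are you free at noon?
"""

# "from <claimed name> (<reverse DNS> [<ip>])" as written by most MTAs.
RECEIVED_FROM_RE = re.compile(r"\bfrom\s+(\S+)\s+\(([^)]*)\)", re.IGNORECASE)


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def received_hops(msg):
    """(claimed name, reverse DNS / IP) for each Received header, oldest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM_RE.search(" ".join(str(value).split()))
        if m:
            hops.append((m.group(1), m.group(2)))
    return list(reversed(hops))  # MTAs prepend, so the last header is the origin


def analyze(raw):
    """Return a list of findings; an empty list means the headers are consistent."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    for field in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[field])
        if dom and dom != from_dom:
            findings.append(f"{field} domain {dom} differs from From domain {from_dom}")
    hops = received_hops(msg)
    if from_dom == LOCAL_DOMAIN and hops:
        name, info = hops[0]
        if not name.lower().endswith(TRUSTED_SUFFIX):
            findings.append(f"From claims {LOCAL_DOMAIN} but the earliest hop was {name} ({info})")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, analyze(raw) or "no findings")
```

Two caveats apply when reading the output. Only the Received headers added by servers you operate are trustworthy; anything below them was supplied by the sending side and can be forged just like the From line, which is why the check looks at the hop your own server recorded rather than at what the message claims further down. And a Reply-To that differs from From is routine for mailing lists and ticketing systems, so treat the findings as triage signals for the person doing the investigation, not as a verdict.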

While most often used for malicious intent, spoofing can also be used legitimately.  An example of this might be a sender who would like to bring something to the attention of a supervisor or the authorities but prefers to remain anonymous due to fear of retaliation.  However, it should be noted that in some jurisdictions, spoofing a third party without their consent by altering or falsifying email headers is illegal.

Some of the common uses of email spoofing include but are not limited to:

  • The email is spam and the sender wants to make it harder to be discovered and shut down.
     
  • The email is spam and the sender doesn't want to be subject to anti-spam laws or regulations.
     
  • The email is spam and the sender wants to use an address that he/she knows will be likely to make it through the recipient's spam filters.
     
  • The email contains malware such as a virus, spyware, or trojan and the sender believes that the recipient will be more likely to open it if it appears to be from somebody they know.
     
  • The email requests information that the recipient may be willing to give to the individual the sender is pretending to be (e.g. the recipient's email administrator asking for their password).
     
  • The email is sent in an attempt to trick the recipient into making a damaging statement about a co-worker, supervisor, or opponent by posing as an individual that might elicit that type of response.
     
  • The email is sent in an attempt to cause trouble for an individual by posing as that person (e.g. a politician posing as their political rival sending out sexist or racist statements in email messages that will conveniently be leaked to the press).
     
  • The content of the email message itself is in violation of some other law (harassment, threats, extortion, blackmail, etc.).

Why Is Spoofing Possible?

Email spoofing is possible because the main protocol used in sending email, Simple Mail Transfer Protocol (SMTP), does not include an authentication mechanism.  However, an SMTP service extension for authentication does exist that allows an SMTP client to negotiate a security level with an email server.  Unfortunately, this extension is not always used.  Where it is not used (such a server is known as an open relay), anyone with the required knowledge can connect to the server and use it to send messages that appear to be from the address of the individual's choice.  This can be either a valid email address or a correctly formatted fictitious one.  The same goes for the return address.

NOTE: Even when a mail server uses the available SMTP service extension for authentication, it does not stop authenticated users (those with a valid username and password to use the mail server) from being able to send out spoofed emails.

What Are The Risks of Spoofed Emails?

The risks associated with spoofed emails range from being a nuisance to endangerment of personal safety.  While most spoofed emails, like spam, fall into the nuisance category, which requires minimal action on the recipient's part to remove, the more malicious varieties can cause serious problems.  These problems may range from identity theft to threats to personal safety.  For instance, a spoofed email may claim to be from someone or some group in a position of authority asking for sensitive data such as account credentials (username and password), credit card or bank account numbers, or other personal information (e.g. date of birth, social security number), any of which could be used for an assortment of criminal purposes.  Bank One, Citibank, PayPal, eBay, AOL, Yahoo!, the IRS, and the FDIC are a few among the many groups that have been spoofed in mass phishing campaigns.

However, having your own email address spoofed can be even worse.  For example, if an individual sending out spam uses your email address, you may find yourself flooded with angry complaints, or even threats of physical harm, from the recipients of the spam.  You may also receive bounced-back emails (known as bounce messages) from bad addresses used by the spammers.  It is also possible in this example to end up having your address added to a known-spammers list or a group's email blacklist, which would result in your messages being banned from delivery.  Self-sending spam, a type of spoofing in which the sender is forged to be the same as the recipient of an email, makes it seem as if you sent the email to yourself.

The Legality of Spoofing

At the time this article was written, roughly 31 states have adopted legislation regulating spam and prohibiting spoofing. Many state anti-spam laws, such as those of Indiana, Illinois, Colorado and Washington explicitly prohibit the use of a third party's domain name or mail servers without the permission of the third party.  Some states even go so far as to offer compensation to the wronged party.  Illinois' statute generously offers both the ISP and the wronged person the right to recover both attorney's fees and costs incurred in a successful lawsuit, or the lesser of $10 for each unsolicited illegal email transmitted, or $25,000 per day.

In addition, the federal CAN-SPAM Act of 2003 makes it illegal to send unsolicited email with deceptive subject lines or false/misleading headers.  However, the problem with such legislation is that spoofing conceals the identity of the sender and thus makes it very difficult to prosecute.  Nevertheless, it doesn't hurt to report deceptive email to the Federal Trade Commission (FTC).  The FTC has a special email address set up for receiving reports, uce@ftc.gov.

Many agree that while legislation may help to deter some spoofing, spoofing itself is a technical problem which requires a technical solution.  More information about spam and spoofing laws can be found at http://www.spamlaws.com.

NOTE: If you have any additional questions concerning legal issues, you are encouraged to work with your legal counsel.

Summary

Until a technical solution can be developed, a possible workaround consists of digitally signing your emails so that your recipients know that they are actually sent by you.  The important thing to remember is that if you receive an email that seems suspicious or too good to be true, don't necessarily take it at face value.  If possible, contact the individual or group that sent you the message using a means other than email such as phone, text message, IM, or face to face.  Then ask the sender to verify that the email is legitimate.  You never know, you might have just received a spoofed email.
