Overview
Email spoofing is a growing problem and has unfortunately reached the point where you can't reliably trust the information associated with an email to tell you who actually sent the message. Scammers commonly use email spoofing to hide the origin of an email message when sending out spam, phishing, or malware-laden emails, in turn increasing the chances that you will respond. Spoofing is possible because the main protocol used in sending email (SMTP) does not include an authentication mechanism. The risks associated with spoofed emails range from being a nuisance to endangerment of personal safety. Some jurisdictions have enacted legislation against this form of email identity fraud, but many agree that this is a technical problem that calls for a technical solution.
Details
Spam, phishing, and virus-laden email can take all of the usefulness and entertainment out of communicating electronically. At least you can trust email that comes from the people you know; or can you? In this article, we look at what email spoofing is, what it is used for, why it's possible, what the risks are, and what can be done about it.
If you would like someone to investigate a spoofed email
If you are an individual associated with Purdue and have received what you believe to be a spoofed email, or if you aren't associated with Purdue, but have received an email that appears to have come from a Purdue account, please use the "Report Message" button in Outlook to forward the email and headers to the Security team. Alternatively, you can forward the spoofed email to abuse@purdue.edu.
NOTE: Please be aware that in some cases it may not be possible to identify the origin of the spoofed email or to take action against the forger, as not every state or country has laws against spoofing.
Is There Anything I Can Do to Prevent Spoofing?
There are three email protocols that help secure and establish trust for incoming and outgoing email and prevent spoofing. Those three protocols (SPF, DKIM and DMARC) work together to help prevent spoofing and will be described below:
SPF (Sender Policy Framework) is often described as the return address checker for email. Owners of domains and email servers publish a list of approved servers and IP addresses that are allowed to send email on behalf of their domain. Email filters (such as MDO for Purdue University email) look up the list for the sending domain and check whether the incoming email comes from an approved sender. This protocol restricts who is allowed to send email for a domain. While SPF can still be abused and spoofed by attackers (i.e. by making an email appear to come from an approved source), it does help weed out many incoming spam, phishing, and spoofed messages.
DKIM (DomainKeys Identified Mail) is often understood as a digital stamp for email: it uses cryptographic keys to check that an email comes from its declared origin and was not modified on the way. Before email, rubber seals and gummed envelopes were used to seal snail mail correspondence from sender to recipient, and they also helped ensure that the mail had not been read or intercepted by another party before arrival. DKIM's purpose is similar. Each organization publishes a public key in a DNS TXT record and uses a private (secret) key to stamp its outgoing email. The receiving server checks that the stamp on the email matches the public record the organization publishes. DKIM helps ensure that an email was allowed to be sent from the sender domain and that the message was not modified in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) relies on both SPF and DKIM to help determine whether an email should be allowed to be sent or received. DMARC is configured with a policy that tells receiving servers to allow, label, quarantine, or reject an email depending on whether it passes the DKIM and SPF checks. For example, if an email fails either check, the organization that owns the domain gets a say in what happens to it. Strict DMARC policies reject the message or return it to the sender; more conservative policies deliver a suspicious email anyway; those in the middle deliver it to the user's quarantine folder. Misconfigured email servers, clients, and senders that are trying to send legitimate emails can often be flagged by a DMARC policy, so Purdue IT's current DMARC policy helps Purdue IT work with end users and external vendors to establish more trustworthy email between the parties. For specific questions about Purdue IT's DMARC policy, please route tickets to the IT_MESSAGING team. Purdue IT's general email policy is described in the Electronic Mail S-7 Policy.
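To make the interplay of the three protocols concrete, here is an added worked example (not code from the original article or from Purdue IT) that models what a DMARC-aware receiving server does: it evaluates the SPF record of the return-path domain against the connecting IP, takes already-verified DKIM signature results, checks identifier alignment against the From domain, and applies the published p= policy. The DNS records, the domain example.edu, and the IP addresses are constructed placeholders; only the ip4, include and all SPF mechanisms are modelled, and the organizational-domain logic is a simplification of the Public Suffix List rule.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical domain (example.edu is a
# placeholder, not Purdue's real configuration). All values are assumptions.
DNS_TXT = {
    "example.edu": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.edu": "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.edu",
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Evaluate the SPF record of the MAIL FROM (return-path) domain against
    the connecting IP. Only ip4, include and all are modelled here."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, exists and other mechanisms are not modelled
        if matched:
            return SPF_RESULT[qualifier]
    return "neutral"


def dmarc_record(domain):
    """Parse the _dmarc TXT record into a tag dictionary, or None if absent."""
    txt = DNS_TXT.get("_dmarc." + domain, "")
    if not txt.startswith("v=DMARC1"):
        return None
    tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels. Real DMARC uses
    the Public Suffix List so that names like example.ac.uk are handled."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, mail_from_domain, sender_ip, dkim_results):
    """Combine SPF and DKIM the way a DMARC-aware receiver does and return the
    verdicts plus the disposition the policy asks for. dkim_results is a list
    of (d= domain, result) pairs from signature verification, which is assumed
    to have been done already by a DKIM library."""
    policy = dmarc_record(from_domain)
    spf = spf_check(mail_from_domain, sender_ip)
    dkim = "none" if not dkim_results else ("pass" if any(r == "pass" for _, r in dkim_results) else "fail")
    result = {"spf": spf, "dkim": dkim}
    if policy is None:
        result.update(dmarc="none", disposition="deliver (no DMARC policy published)")
        return result
    spf_aligned = spf == "pass" and aligned(from_domain, mail_from_domain, policy["aspf"])
    dkim_aligned = any(r == "pass" and aligned(from_domain, d, policy["adkim"]) for d, r in dkim_results)
    if spf_aligned or dkim_aligned:  # DMARC passes if either aligned check passes
        result.update(dmarc="pass", disposition="deliver")
    else:
        dispositions = {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}
        result.update(dmarc="fail", disposition=dispositions.get(policy["p"], "deliver"))
    return result


if __name__ == "__main__":
    cases = {
        "legitimate campus server": ("example.edu", "example.edu", "192.0.2.25", [("example.edu", "pass")]),
        "approved vendor via include": ("example.edu", "example.edu", "198.51.100.10", []),
        "spoofed From from unknown server": ("example.edu", "example.edu", "203.0.113.7", []),
        "subdomain DKIM, relaxed alignment": ("example.edu", "news.example.edu", "203.0.113.7", [("news.example.edu", "pass")]),
    }
    for name, args in cases.items():
        print(f"{name}: {dmarc_evaluate(*args)}")
```

The third case is the situation the article describes: the From address claims example.edu, but the connecting server is not in the SPF list and there is no DKIM signature, so the p=quarantine policy sends the message to the quarantine folder. The fourth case shows why relaxed alignment matters for organizations that send from subdomains.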
As a disclaimer, these protocols are not perfect but do help email filters trust and properly filter emails. No email system is both perfect and totally secure, so please continue to use caution when checking email even if all three protocols are used. If IT Administrators are having difficulty setting up and configuring their mail servers to use these protocols, please submit a ticket to the IT_MESSAGING team.
What Is Spoofing?
Email spoofing is an expression used to describe fraudulent email activity in which the sender's name, address, and possibly other parts of the email header are altered to appear as though the email originated from someone or somewhere other than the actual source. It is essentially a form of identity fraud, as the actual sender pretends to be someone they are not in order to elicit a response from the recipient. Typical desired responses range from merely opening a message to responding to the solicitation and sending money or revealing personal information.
Here's a simple analogy to help you understand. If you receive a letter through the US Postal Service, you rely on the return address as an indicator of where it originated. However, there is nothing stopping the sender from writing a different name and address, leaving you with no guarantee that the letter is actually from the person and address listed in the return address.
What is the use of Spoofing?
Email spoofing is a technique commonly used by scammers when sending out spam, phishing, or malware-laden emails to hide the origin of an email message and, in turn, increase the chances that you will respond or react as they hoped you would. By changing certain properties of the email, such as the 'From', 'Reply-To', and 'Return-Path' fields found in the message header, malicious users can make the email appear to be from someone other than the actual sender.
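The three header fields just named are also what a recipient or a mail administrator can compare when deciding whether a message is suspicious. The following added example (not part of the original article) parses a constructed message with Python's standard email library and lists the inconsistencies a defender would look for: a display name that itself looks like an address from another domain, Reply-To or Return-Path domains that differ from the From domain, and failed SPF/DKIM/DMARC verdicts recorded by the receiving server. All addresses, domains, and the Authentication-Results line in the sample are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. The Authentication-Results header imitates what a
# receiving mail server adds on delivery; every address and domain is fictitious.
SAMPLE = """\
Return-Path: <bounce-4412@bulkmailer.example>
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=bulkmailer.example; dkim=none; dmarc=fail header.from=example.edu
From: "Help Desk" <helpdesk@example.edu>
Reply-To: support@mail-reset.example
To: student@example.edu
Subject: Action required: mailbox quota

Your mailbox is almost full. Reply to this message to keep your account active.
"""


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results header.
    This header is only trustworthy if the border mail server strips any copy
    that arrives from outside, since a sender could otherwise forge it as well."""
    value = msg.get("Authentication-Results", "")
    return {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}


def header_findings(raw):
    """Return a list of human-readable inconsistencies found in the headers."""
    msg = message_from_string(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()

    # 1. A display name that looks like an address but belongs to another domain
    if "@" in name and name.rpartition("@")[2].lower() != from_dom:
        findings.append(f"display name '{name}' shows a different address than the real sender {from_addr}")

    # 2. Reply-To / Return-Path pointing somewhere other than the From domain
    for header in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        dom = addr.rpartition("@")[2].lower()
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")

    # 3. The receiving server's own SPF/DKIM/DMARC verdicts
    for mech, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{mech} result is {verdict}")
    return findings


if __name__ == "__main__":
    for finding in header_findings(SAMPLE):
        print("-", finding)
```

A mismatch on its own is not proof of spoofing (mailing-list and vendor platforms legitimately use their own Return-Path domain, which is exactly why SPF is paired with DKIM and DMARC), but several of these signals together are a strong reason to verify the message through another channel before acting on it.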
While most often used with malicious intent, spoofing can also be used legitimately. An example might be a sender who would like to bring something to the attention of a supervisor or the authorities but prefers to remain anonymous due to fear of retaliation. However, it should be noted that in some jurisdictions, spoofing a third party without their consent by altering or falsifying email headers is illegal.
Some of the common uses of email spoofing include but are not limited to:
- The email is spam and the sender wants to make it harder to be discovered and shut down.
- The email is spam and the sender doesn't want to be subject to anti-spam laws or regulations.
- The email is spam and the sender wants to use an address that he/she knows will be likely to make it through the recipient's spam filters.
- The email contains malware such as a virus, spyware, or trojan and the sender believes that the recipient will be more likely to open it if it appears to be from somebody they know.
- The email requests information that the recipient may be willing to give to the individual the sender is pretending to be (e.g. the recipient's email administrator asking for their password).
- The email is sent in an attempt to trick the recipient into making a damaging statement about a co-worker, supervisor, or opponent by posing as an individual who might elicit that type of response.
- The email is sent in an attempt to cause trouble for an individual by posing as that person (e.g. a politician posing as their political rival sending out sexist or racist statements in email messages that will conveniently be leaked to the press).
- The contents of the email message itself are in violation of some other law (harassment, threats, extortion, blackmail, etc.).
Why Is Spoofing Possible?
Email spoofing is possible because the main protocol used in sending email, Simple Mail Transfer Protocol (SMTP), does not include an authentication mechanism. An SMTP service extension for authentication does exist that allows an SMTP client to negotiate a security level with an email server, but this extension is not always used. Where a server accepts mail without requiring it (known as an open relay server), anyone with the required knowledge can connect to the server and use it to send messages that appear to be from an address of their choice. This can be either a valid email address or a correctly formatted fictitious one. The same goes for the return address.
NOTE: Even when a mail server uses the available SMTP service extension for authentication, it does not stop authenticated users (those with a valid username and password to use the mail server) from being able to send out spoofed emails. Compromised accounts are scrambled by the Purdue IT Security team to prevent further unauthorized usage.
What Are The Risks of Spoofed Emails?
The risks associated with spoofed emails range from being a nuisance to endangerment of personal safety. While most spoofed emails, like spam, fall into the nuisance category and require minimal action on the recipient's part to remove, the more malicious varieties can cause serious problems, ranging from identity theft to threats to personal safety. For instance, a spoofed email may claim to be from someone or some group in a position of authority asking for sensitive data such as account credentials (username and password), credit card or bank account numbers, or other personal information (e.g. date of birth, social security number), any of which could be used for an assortment of criminal purposes.
However, having your own email address spoofed can be even worse. For example, if an individual sending out spam uses your email address, you may find yourself flooded with angry complaints, or even threats of physical harm, from the recipients of the spam. You may also receive bounce messages for the bad addresses used by the spammers. It is also possible in this scenario to have your address added to a known spammers list or a group's email blacklist, which would result in your messages being banned from delivery. Self-sending spam, a type of spoofing in which the sender is forged to be the same as the recipient, makes it seem as if you sent the email to yourself.
The Legality of Spoofing
The Federal CAN-SPAM Act of 2003 makes it illegal to send unsolicited email with deceptive subject lines or false/misleading headers. However, the problem with such legislation is that spoofing conceals the identity of the sender and thus makes it very difficult to prosecute. Nevertheless, it doesn't hurt to report deceptive email to the Federal Trade Commission (FTC) at https://reportfraud.ftc.gov/.
Many agree that while legislation may help to deter some spoofing, spoofing itself is a technical problem which requires a technical solution. More information about spam and spoofing laws can be found at http://www.spamlaws.com.
NOTE: If you have any additional questions concerning legal issues, you are encouraged to work with your legal counsel.
Summary
In summary, ensure that emails sent and received by you pass the SPF, DKIM and DMARC protocols as described above to prevent email spoofing. Purdue IT's email filter MDO (Microsoft Defender for Office) does check and enforce these policies, but please continue to use vigilance when checking work, school, business, and personal emails. No email filter is perfect, and scammers will always find ways to bypass technical controls. If you are unsure or uneasy about an email, always contact the sender through another method of communication, such as calling them via phone or Teams, visiting their website to verify, or using an established communication channel outside of email. Please submit suspicious or questionable emails to the Purdue IT Security team at abuse@purdue.edu or via the Report Message button.