An introduction to E-mail Spoofing

The expression “e-mail spoofing” usually refers to changing the apparent origin of an e-mail, a technique often used in spam and phishing attacks. By changing certain elements of the e-mail, such as the From, Return-Path and Reply-To fields in the message header, a malicious individual can make the e-mail appear to be from someone other than the actual sender. Such mails are often associated with a spoof website intended to mimic an actual, well-known website, but in fact run by someone with fraudulent intentions.

Whatever the sender’s motivation, the objective of spoofed mail is to hide the real identity of the sender. This is possible because the Simple Mail Transfer Protocol (SMTP) used to send almost all Internet mail does not require authentication (unlike some other, more secure protocols). Thus a sender can use either an entirely fictitious return address or a legitimate address that belongs to someone else.

The simplest form of e-mail spoofing involves setting the “display name” and “From” field of outgoing messages to show false information. Most e-mail programs permit you to change the content of these fields to anything you want.

For instance, when you set up a mail account in Outlook Express, you are asked to enter a display name, which can be anything you wish. This name is then displayed in the recipient’s mail program as the e-mail sender. In a similar way, you can type anything you like for your e-mail address. These fields are entirely separate from the account name you use to authenticate with your POP mail server.

[Figure: Setting display name and From field in Outlook]

This method of spoofing is easily detected if you know where to look - you can tell where the e-mail really originated by checking the e-mail headers in detail. Most programs don’t display e-mail headers by default, but you can ask them to show you. In Outlook the headers are hidden by default, but you may view the Properties of an e-mail to see them. In Eudora, although some of the headers are shown by default, you may open the message and click on the “Blah Blah Blah” button to see the real source of the e-mail.

[Figure: The “Blah Blah Blah” button in Eudora]

Like everyone with Internet mail, I receive several phishing e-mails a week. Whilst most have been self-evident frauds thanks to their terrible English and grammar, a few are very convincing. One example of how to use e-mail headers to differentiate the genuine e-mails from scams is shown below. You will see that the display name is “HSBC Bank plc” and the From field is “onlinebanking@alert.hsbc.co.uk”, which may be sufficient to fool the unwary.

[Figure: An e-mail as viewed in Eudora]

However, once you view the full headers, you will be able to see the true source of the e-mail. In the case of our HSBC phishing mail, the original path of the e-mail is revealed. The sender was “userid 33” and the server was “heidelberg.ispgate.biz” - clearly nothing to do with HSBC Bank!

[Figure: E-mail headers viewed in Eudora]

Furthermore, we can see that the sending server’s IP address was “88.198.13.35”. A query to the Internet Registries reveals that this is the correct address for “heidelberg.ispgate.biz” and that there is an e-mail contact to report abuse. This is the e-mail address you should use if you decide you wish to report that one of their users may have been sending phishing e-mails, although you should be aware that their user may be entirely innocent and may have had their account hijacked by the real miscreant.

[Figure: Internet Registry search result]

To ensure that you don’t fall victim to this type of attack, you should always check the headers of any e-mail asking you for private or sensitive information. If in doubt, you should contact the apparent originator of the e-mail directly by another method, such as telephone or fax, to verify the request.
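
The header check described above can be scripted. The following is an added example, not part of the original article: the sample message is constructed (only the display name, From address, host name, IP address and “userid 33” come from the article), and the receiving server name mx.example.net and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: mx.example.net, the Return-Path, the dates and the
# recipient are invented; the remaining values are those quoted in the article.
RAW = """\
Return-Path: <www-data@heidelberg.ispgate.biz>
Received: from heidelberg.ispgate.biz (heidelberg.ispgate.biz [88.198.13.35])
\tby mx.example.net with ESMTP; Mon, 1 Jan 2007 10:00:02 +0000
Received: (qmail 4242 invoked by userid 33); Mon, 1 Jan 2007 10:00:00 +0000
From: "HSBC Bank plc" <onlinebanking@alert.hsbc.co.uk>
To: someone@example.net

Please confirm your details.
"""

# Matches the common "from HELO (rdns [ip]) ... by host" layout; other MTAs differ.
RECEIVED = re.compile(r"from\s+(\S+)\s+\((\S+)?\s*\[([0-9A-Fa-f.:]+)\]\).*?\bby\s+(\S+)", re.S)

def in_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def analyse(raw, our_mx):
    """Extract the claimed sender and the hop recorded by our own server."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    report = {"display_name": name, "from": addr,
              "return_path": parseaddr(msg.get("Return-Path", ""))[1],
              "origin_host": None, "origin_ip": None}
    # Received lines are prepended, so the first one written by our own MX is
    # the only hop we can trust; anything below it was supplied by the sender.
    for value in msg.get_all("Received", []):
        m = RECEIVED.search(value)
        if m and in_domain(m.group(4), our_mx):
            report["origin_host"] = (m.group(2) or m.group(1)).lower()
            report["origin_ip"] = m.group(3)
            break
    return report

def flags(report, org_domain):
    """org_domain: domain the analyst expects the claimed sender to use."""
    checks = {"from": report["from"].rpartition("@")[2],
              "return-path": report["return_path"].rpartition("@")[2],
              "origin-host": report["origin_host"] or ""}
    return [k + "-mismatch" for k, v in checks.items() if v and not in_domain(v, org_domain)]
```

A mismatch is a reason to look closer rather than proof of fraud, since organisations do send legitimate mail through third-party servers.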

Of course, spoof e-mails may be used for many purposes other than spam and phishing. Imagine receiving a mail apparently from a colleague or fellow employee encouraging you to visit a particular site or open an attachment. The implied trust of a mail from a co-worker often overrides your normal suspicions and may result in your being infected with a Trojan or duped into revealing sensitive information.

One of the shortcomings of SMTP (Simple Mail Transfer Protocol) - the protocol used worldwide for sending e-mails - is the absence of any authentication. This means that criminals can often use an innocent party’s mail server to send spoof e-mails for phishing and spam. Most commercial mail servers now disallow open mail relaying - the practice of sending an e-mail from A to B via an innocent third party.

However, using the third party’s mail server to originate e-mails is still possible in some cases. This means a criminal may connect directly to a vulnerable server, masquerading as a legitimate mail server themselves, and send e-mails from that server to their targets. Since the e-mails typically contain links to bogus web sites, there is no need for the sender to care about the return path or that the third party’s server may receive all the failed delivery messages.

Finding a vulnerable mail server isn’t difficult, just time-consuming. By their nature, SMTP servers have to be listed by name on the Internet in order to receive mail from other organisations. Thus criminals simply have to trawl through their potential victims until they find one that permits some form of relaying. Of course, they will have software to do this automatically, as they do for everything else.

To protect yourself from being used as a mail relay, ensure that your mail server will reject connections from anything but a real SMTP server and that it will not accept mails from an internal address (your own domain addresses) on its Internet-facing connection.
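
The two envelope rules above (no relaying for outsiders, no internal sender addresses on the Internet-facing side) can be expressed as a policy check. This is an added example, not code from the article or from any particular mail server: the domain example.org, the 10.0.0.0/8 internal range and the function names are assumptions, and the check for “a real SMTP server” is not modelled.

```python
import ipaddress

LOCAL_DOMAINS = {"example.org"}                       # assumed: domains we host
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed: our own clients

def domain_of(address):
    """Domain part of an envelope address, normalised for comparison."""
    return address.rpartition("@")[2].lower().rstrip(".")

def is_internal(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)

def check_envelope(client_ip, mail_from, rcpt_to):
    """Return (accept, smtp_reply) for one MAIL FROM / RCPT TO pair."""
    internal = is_internal(client_ip)
    # Rule 1: a host on the Internet side may only deliver to domains we
    # host; anything else would make this server a relay for third parties.
    if not internal and domain_of(rcpt_to) not in LOCAL_DOMAINS:
        return False, "550 5.7.1 Relaying denied"
    # Rule 2: our own addresses must not arrive as the sender from outside.
    # The empty (null) sender used by bounce messages is still accepted.
    if not internal and mail_from and domain_of(mail_from) in LOCAL_DOMAINS:
        return False, "550 5.7.1 Local sender address not accepted from external host"
    return True, "250 2.1.5 Ok"
```

The second rule also rejects legitimate mail that outside services or forwarders send using your domain, so any such senders need an explicit exception.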

Peter Wood, Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK, will be speaking at FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more info, visit FIRST's website at http://www.first.org.