E-Mail spoofing

Someone got an E-mail from me that I did not send?

You are probably a little confused as to how that can happen. The technique is called E-mail spoofing.

E-mail spoofing is, put simply, a forged E-mail header: the “From” address is written so that the message appears to come from one address when in fact it originated from another. The sending mail software does not check that the sender is entitled to use that address, so anyone can type in yours.

This is an effective way to target people and companies, because you are more willing to open an E-mail when you think you know the sender. These E-mails usually carry spam or phishing content. In more severe cases they may carry malicious code (a virus, other malware or spyware) in an attached file.

Most of the time the goal is to:

People: Harvest personal and sensitive data.

Companies: Change the bank details of legitimate suppliers to fraudulent accounts, and possibly harvest sensitive proprietary, financial and/or company data.

E-mail spoofing is possible because the internet standard for electronic mail transmission – SMTP (Simple Mail Transfer Protocol) – does not provide for address authentication. A receiving server cannot tell from the protocol alone whether the address given in MAIL FROM, or the one shown in the From: header, belongs to the party that actually sent the message.

FEAR NOT!!

There are ways to combat E-mail spoofing, namely:

SMTP AUTH Extension –

Is an extension whereby an SMTP client must log in, using an authentication mechanism chosen among those supported by the SMTP server, before it is allowed to send. Submission servers (the ones your mail client talks to) are required to authenticate their clients. Note what this does and does not stop: it prevents strangers from relaying mail through your server under your users’ names, but an attacker running their own mail server can still put your address in the From: header. For that you need the domain-level checks below.

SPF (Sender Policy Framework) –

Is an E-mail validation protocol designed to detect and block E-mail spoofing. It gives receiving mail exchangers a way to verify that incoming mail claiming to be from a domain arrives from an IP address (Internet Protocol address) authorized by that domain’s administrators. The list of authorized sending hosts and IP addresses is published in the Domain Name System (DNS) for that domain as a specially formatted TXT record starting with “v=spf1”. Publishing and checking SPF records is simple and widely supported, but keep two limits in mind: SPF checks the domain of the SMTP envelope sender (MAIL FROM, what ends up in the Return-Path header), not the From: header the user sees, so an attacker who uses their own domain in the envelope passes SPF while still showing your address; and it breaks on legitimate mail that has been forwarded, because the forwarding host is not in your record.
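To make the mechanism concrete, here is an added example (not code from this page) of how a receiver walks an SPF record: a small Python evaluator over an in-memory DNS table. Every domain, address and record in it is made up so it runs offline; a real receiver resolves the same names over DNS. It also shows the envelope-versus-header point: the check is run on the MAIL FROM domain, so a spoofed From: is not what SPF looks at.

```python
"""Minimal SPF evaluator over a constructed, in-memory DNS table.

Added example for this article, not code from the original page. All domains,
addresses and records are made up and the resolver is a dict, so it runs
offline. Supported: ip4, ip6, a, mx, include, all, the redirect= modifier and
the +, -, ~, ? qualifiers. Not supported: exists, ptr, macros, a/mx with a
CIDR suffix, and the void-lookup / 10-lookup limits of RFC 7208.
"""
import ipaddress

# Constructed DNS data for a few hypothetical domains.
DNS = {
    "example.org": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.example -all"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["198.51.100.10"]},
    "_spf.mailhost.example": {"TXT": ["v=spf1 ip4:203.0.113.0/26 ~all"]},
    "partner.example": {"TXT": ["v=spf1 a ~all"], "A": ["198.51.100.99"]},
    "nospf.example": {"TXT": ["just-a-verification-token"]},
    # An attacker can publish a perfectly valid SPF record for their own domain.
    "attacker.example": {"TXT": ["v=spf1 ip4:203.0.113.200 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Single SPF TXT record for a domain; None if absent, 'permerror' if several."""
    records = [t for t in lookup(domain, "TXT")
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return None
    return records[0] if len(records) == 1 else "permerror"


def ip_in(ip, network):
    """True if ip lies inside network; an IPv4/IPv6 mismatch is simply False."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `ip`.

    `domain` is the domain of the SMTP envelope MAIL FROM (the Return-Path),
    not the From: header, which SPF never looks at.
    """
    if depth > 10:                      # include/redirect loop protection
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"
    redirect = None
    for term in record.split()[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if low.startswith("exp="):      # explanation modifier, irrelevant here
            continue
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                matched = ip_in(ip, arg)
            elif name == "a":
                matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
            elif name == "mx":
                matched = any(ip_in(ip, a)
                              for host in lookup(arg or domain, "MX")
                              for a in lookup(host, "A"))
            elif name == "include":
                # include matches only when the referenced record yields "pass";
                # its fail/softfail/neutral just means "no match on this term".
                matched = check_host(ip, arg, depth + 1) == "pass"
            else:
                return "permerror"      # unknown mechanism
        except ValueError:
            return "permerror"          # malformed address in the record
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "neutral"                    # fell off the end without a match


def check_message(ip, mail_from, header_from):
    """Show what SPF actually authenticates: the MAIL FROM domain only."""
    spf_domain = mail_from.rsplit("@", 1)[-1]
    return {"spf": check_host(ip, spf_domain),
            "spf_domain": spf_domain,
            "from_header_domain": header_from.rsplit("@", 1)[-1]}


if __name__ == "__main__":
    print(check_host("192.0.2.77", "example.org"))          # pass
    # Spoof: From: claims example.org, but the envelope uses the attacker's domain.
    print(check_message("203.0.113.200", "bounce@attacker.example", "ceo@example.org"))
```

The last call is the one to understand: SPF passes, because the attacker’s own record authorizes the attacker’s own server, while the From: header still says example.org. Only DMARC (below) ties the two together.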

DKIM (DomainKeys Identified Mail) –

Is an E-mail authentication method that allows the receiver to check that an E-mail claimed to have come from a specific domain was indeed authorized by the owner of that domain. It lets a domain associate its name with a message by affixing a digital signature to it, carried in a DKIM-Signature header. Verification is carried out using the signer’s public key, published in DNS under the selector named in the signature (selector._domainkey.domain). A valid signature guarantees that the signed parts of the E-mail (the listed headers and the body, which may include attachments) have not been modified since the signature was affixed. DKIM signatures are usually not visible to end users and are affixed or verified by the mail infrastructure rather than by the message’s authors and recipients. In that respect, DKIM differs from end-to-end digital signatures such as S/MIME or PGP.
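What “the body has not been modified” means in practice is the bh= tag of the DKIM-Signature header: a hash over the canonicalized body. The following is an added example (not code from this page) that canonicalizes a body the way RFC 6376 describes and checks bh= against it. It deliberately stops short of the b= signature, which needs the signer’s public key from DNS and an RSA or Ed25519 library; the message and header in it are constructed for the demo.

```python
"""DKIM body-hash (bh=) check with RFC 6376 'simple' and 'relaxed' body
canonicalization.

Added example for this article, not code from the page. It verifies only the
bh= tag; checking the b= signature additionally needs the signer's public key
from selector._domainkey.<domain> in DNS and an RSA or Ed25519 library, which
is left out so the script runs on the standard library. The message body and
the DKIM-Signature header below are constructed for the demo.
"""
import base64
import hashlib
import re


def canonicalize_body(body, method="simple"):
    """Return the canonicalized body as bytes, per RFC 6376 section 3.4."""
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        # Collapse runs of SP/TAB to one SP and drop trailing whitespace per line.
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":     # both methods ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if method == "simple" else b""   # empty-body special case
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body, method="simple", length=None):
    """Base64(SHA-256) of the canonicalized body, optionally truncated (l= tag)."""
    data = canonicalize_body(body, method)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def parse_tags(header_value):
    """Parse a DKIM tag-list ('k=v; k=v'); folding whitespace inside values is insignificant."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def verify_body_hash(dkim_signature, body):
    """True if the bh= tag in a DKIM-Signature header value matches the body."""
    tags = parse_tags(dkim_signature)
    if not tags.get("a", "").endswith("sha256"):
        return False                     # rsa-sha1 is obsolete; refuse it
    canon = tags.get("c", "simple/simple")
    body_method = canon.split("/")[1] if "/" in canon else "simple"
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, body_method, length) == tags.get("bh")


# Constructed message body and a matching DKIM-Signature header (b= is a placeholder).
BODY = "Hello,\r\n\r\nPlease find the invoice attached.\r\n\r\n-- \r\nAccounts\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;\r\n"
             " h=from:to:subject:date; bh=" + body_hash(BODY, "relaxed") + ";\r\n"
             " b=AAAA")                  # real value would be the RSA signature

# Same header with an l= tag, which hashes only the first N canonical bytes.
PARTIAL = SIGNATURE.replace(
    "bh=", "l=" + str(len(canonicalize_body(BODY, "relaxed"))) + "; bh=")


if __name__ == "__main__":
    print(verify_body_hash(SIGNATURE, BODY))                          # True
    print(verify_body_hash(SIGNATURE, BODY + "Pay to IBAN XX..."))    # False: tampered
    print(verify_body_hash(PARTIAL, BODY + "Pay to IBAN XX..."))      # True: l= lets appended text through
```

The third call is the caveat worth remembering: a signer that sets l= leaves anything appended after that length unsigned, so a verifier that trusts such a signature has not proven the whole body intact.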

DMARC (Domain-based Message Authentication, Reporting & Conformance) –

Is an E-mail authentication, policy and reporting protocol built on top of the two existing mechanisms, SPF and DKIM. It allows the administrative owner of a domain to publish (in a TXT record at _dmarc.domain) which mechanism, DKIM, SPF or both, is expected to authenticate mail from that domain, and how the receiver should deal with failures: p=none (just report), p=quarantine or p=reject. Additionally, it provides a reporting mechanism for the actions performed under that policy. DMARC thus coordinates the results of DKIM and SPF and adds the missing piece, alignment: an SPF or DKIM pass only counts if the domain it authenticated matches the domain in the From: header field, which is the address end users actually see. This is what defeats the trick of passing SPF with the attacker’s own envelope domain while showing your address in From:.
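The alignment decision is short enough to write out. Below is an added example (not code from this page) that parses a DMARC record and combines constructed SPF and DKIM results with the From: domain to reach a verdict. The organizational-domain lookup is simplified to the last two labels, an assumption a real implementation replaces with the Public Suffix List.

```python
"""DMARC policy parsing and identifier-alignment decision.

Added example for this article, not code from the page. The DMARC record, the
From: domains and the SPF/DKIM results fed in are constructed. The
organizational domain is approximated as the last two labels; a real
implementation uses the Public Suffix List (otherwise example.co.uk would
collapse to co.uk). The record passed in is assumed to be the one published
for the organizational domain, so sp= applies to any subdomain From:.
"""


def parse_dmarc(record):
    """Parse a _dmarc.<domain> TXT record into a tag dict; None if not a valid DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None                      # an invalid record is treated as no policy
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption, see docstring)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM results with alignment and return the DMARC verdict.

    spf_domain is the MAIL FROM domain SPF was evaluated on; dkim_domain is the
    d= tag of a DKIM signature that verified. Either one passing *and* aligning
    with the From: header domain is enough for DMARC to pass.
    """
    policy = parse_dmarc(record)
    if policy is None:
        return {"result": "none", "disposition": "none", "reason": "no valid DMARC record"}
    spf_aligned = (spf_result == "pass"
                   and aligned(spf_domain, from_domain, policy.get("aspf", "r")))
    dkim_aligned = (dkim_result == "pass"
                    and aligned(dkim_domain, from_domain, policy.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return {"result": "pass", "disposition": "none",
                "reason": "spf" if spf_aligned else "dkim"}
    # Failure: apply p=, or sp= when the From: domain is a subdomain of the policy domain.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    disposition = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return {"result": "fail", "disposition": disposition,
            "reason": "no aligned SPF or DKIM pass"}


# Constructed policy for the hypothetical example.org.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.org"


if __name__ == "__main__":
    # Spoof: From: example.org, but SPF and DKIM both pass only for attacker.example.
    print(evaluate(RECORD, "example.org", "pass", "attacker.example", "pass", "attacker.example"))
    # Legitimate: bounces go via bounce.example.org; aspf=r accepts the subdomain.
    print(evaluate(RECORD, "example.org", "pass", "bounce.example.org", "none", ""))
```

Note the difference adkim=s makes: a signature with d=mail.example.org no longer aligns with a From: of example.org, so organisations that sign from subdomains either use relaxed alignment or sign with the organizational domain.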

Like anything and everything in information security, nothing is guaranteed 100%: a message that gets past these checks, or a user who is talked into opening an attachment anyway, is still a risk, so it is still highly recommended that you use proper antivirus software.

Our team has tried these out and can recommend them:

Eset (Enterprise version for companies)

Eset (Mobile)

Avast (Free version for home and personal use)
