Email Spoofing: Are You At Risk?

I often receive messages from concerned parties stating that their email account has been hacked or compromised, or that there is a virus infecting their system. They come to this conclusion based on the messages bounced back from "mailbox not found" or "unknown address", AKA the 550 error – but these returned messages were never sent in the first place.

The sad truth is, one need not hack,corrupt or subvert an email account in order to use it. Just spoof it.

Yesterday, I received one such message from a friend, who of course worried he had a virus. I asked him to forward the returned message to me so that I could analyze the header information codes and perhaps trace the source. I traced it back to a legitimate-looking site and I notified the technical contact in charge of the hosting, which is about all I can do to resolve the end on that side. Afterwards I notified my friend that his account was not corrupted and I would demonstrate what happened.

I threw together a PHP script that took me literally less than 30 seconds, and with it I sent him a spoofed email both from and to his own address.. I could have sent him an email from any name and account. Any number of celebrities would have made an interesting analog, but I decided impersonating him would best fit the spirit of the spoofing demonstration.

I’ve said for years that email as a technology wasn’t well thought out, and in its current state is broken. According to RSA, over 260 million malicious emails are sent to consumers every day impersonating a trusted company in attempts to lure them into installing malware or handing over private account information. Gartner Inc. estimates the direct costs of repairing the damage from phishing{{1}} and spoofing{{2}} at $3.6 billion a year.

Imagine for a moment that I unscrupulously wanted to destroy someone’s reputation with the same PHP script I wrote earlier. All I would need is to know some of his contacts (or business contacts if I were feeling particularly nasty). From there, it would be too easy to send abusive spoofed messages to friends, family, or random people which could at the very least add him to publicly available spam blacklists, and at worst, lose him friends and clients.

There is a clear and present danger with it comes to electronic communications identity.

So how do you protect yourself from spoofing?

The most current technology standard in the battle against email spoofing and spam is something called SPF, or "sender policy framework". To see how this works, here’s a bit of background info. When sending an email, servers communicate similar to the way people do. They greet each other, identify themselves, and continue with the conversation (email transmission). But one can force a server to lie, or at least to distribute a lie. When someone sends an email, it goes from their outbox to their server, which then passes it along to the recipient server who passes it to the final destination. Unless security measures are in place, this is essentially all that happens and nothing prevents anyone from masquerading as anyone else. SPF allows servers to ask two questions: "are you really who you say you are?" and/or "are you authorized to speak on their behalf?". So when server X identifies itself as ALPHA (even though it is not), server Y will look up the real ALPHA and ask for its SPF record to see if the impostor’s IP address matches who it claims to be. Since it is not, it will reject the message.

What does it take to create an SPF record? About 30 seconds of work and access to your domain’s DNS server. When finished, it looks like this:

v=spf1 mx mx:servername -all

That’s it. One little txt record in your DNS settings.

The main failing of this measure is for it to work, it requires action both by the sender’s domain (or server host) and the receiver’s. If one wishes to protect their address from being spoofed, one must create an SPF record for their domain. To protect your domain from receiving spoofed messages, the email server must be configured to look for those SPF records. Any failing on either side makes both vulnerable.

Ultimately, the answer is obvious: SPF records MUST be a standard procedure for all domains and email servers (both hosted and internal). Without it your brand is extremely vulnerable.

[[1]]From Wikipedia: Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies.[[1]]

[[2]]From Wikipedia: E-mail spoofing is e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. Because core SMTP doesn’t provide any authentication, it is easy to impersonate and forge emails.[[2]]

Homepage feature image courtesy of empty_inbox.

Update: TechRepublic released a supporting article dated April 11, 2011. http://www.techrepublic.com/blog/security/identity-theft-businesses-are-at-risk/5324