
How Email Addresses Are Spoofed And How You Can Tell

Spoofed Email

Spam is big business, and I think it's safe to say that everyone has either been a victim of it or knows someone who has. Sometimes it is merely annoying, but it can also be the initial delivery vector for malware or phishing.

A critical part of such an attack is making a message appear to come from someone other than the real sender, ideally someone you know or trust (i.e., spoofing an email address). It is an incredibly easy trick to pull off, and today you're going to learn how to recognise one.

From Bill Gates

When an email program shows you who a message is from, it is displaying the From: header, and the client itself does no verification of that header: it simply relays whatever it was given. The sender writes the From: header, so a malicious third party can set both the display name and the address to any value they like, and your client has no way of knowing. Your mail provider may run checks such as SPF on the way in (you will see one recorded in the headers below), but those checks are applied to the envelope sender used during delivery, which does not have to match the From: header your client displays.

It's useful to think of the From: field as the return address on an envelope: a sender can write anything they want there, and the USPS does little to verify that the letter or package really came from the party shown on it.

Email Headers

A great deal of information can be obtained by reading a message's headers. How you get at them differs from client to client, but for our example we'll use Gmail.

Show original

To examine a message's headers, click the small arrow at the top right corner of the message and choose Show original. You'll see a large block of text that looks something like this:

Delivered-To: [MY EMAIL ADDRESS]
Received: by 10.182.3.66 with SMTP id a2csp104490oba;
Sat, 11 Aug 2012 15:32:15 -0700 (PDT)
Received: by 10.14.212.72 with SMTP id x48mr8232338eeo.40.1344724334578;
Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Return-Path: <e.vwidxus@yahoo.com>
Received: from 72-255-12-30.client.stsn.net (72-255-12-30.client.stsn.net. [72.255.12.30])
by mx.google.com with ESMTP id c41si1698069eem.38.2012.08.11.15.32.13;
Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Received-SPF: neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of e.vwidxus@yahoo.com) client-ip=72.255.12.30;
Authentication-Results: mx.google.com; spf=neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of e.vwidxus@yahoo.com) smtp.mail=e.vwidxus@yahoo.com
Received: by vwidxus.net id hnt67m0ce87b for <[MY EMAIL ADDRESS]>; Sun, 12 Aug 2012 10:01:06 -0500 (envelope-from )
Received: from vwidxus.net by web.vwidxus.net with local (Mailing Server 4.69)
id 34597139-886586-27/./PV3Xa/WiSKhnO+7kCTI+xNiKJsH/rC/
for root@vwidxus.net; Sun, 12 Aug 2012 10:01:06 -0500

From: "Canadian Pharmacy" <e.vwidxus@yahoo.com>

There are many headers, but the ones that matter most are the Received: lines. Every mail server that handles the message adds one at the top, so together they trace the message's route from its sender to you, and they read from the bottom up: the oldest headers (from the servers where the message claims to have originated) are at the bottom, and the newest (added by your own provider as it accepted the message) are at the top.

This is where to look for discrepancies. If your client tells you a message is from a Yahoo! address, you would expect your provider's server to have received it from a Yahoo! mail server. In the spoofed example above, the Received: line written by mx.google.com shows that the connection actually came from 72-255-12-30.client.stsn.net (72.255.12.30), which is not a Yahoo! server. The Received-SPF: line says the same thing more cautiously: a result of neutral means SPF neither confirmed nor denied that this IP may send mail for yahoo.com, so the Received: chain is what gives the message away.

Further discrepancies show up in the IP address of the sending server. If you receive a strange message from a Canadian bank, but the Received: line added by your own provider shows an IP address that resolves to Russia or Nigeria, it is safe to conclude that the address has most likely been spoofed. One caveat when reading the chain: only the Received: headers added by your own provider (here, the mx.google.com line and everything above it) are trustworthy. Anything below that line arrived as part of the message and was written by the sender, so it can be forged just as easily as the From: header. The two bottom Received: lines in the example are a case in point: they are stamped Sun, 12 Aug 2012 10:01:06 -0500, more than sixteen hours after Google's server recorded accepting the message on Sat, 11 Aug 2012 15:32:14 -0700, which no genuine trace header could be.
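The checks described above can be automated. The following is an added example in Python (it is not from the How-To Geek article and uses only the standard library): it parses the sample headers, treats the Received: line written by your provider's MX as the trust boundary, and flags a handoff host that does not belong to the From: domain, a non-pass SPF result, a From: domain that differs from the envelope sender, and any sender-supplied Received: line below the boundary whose timestamp is later than the moment your MX actually accepted the message. The placeholder recipient address, the placement of From: among the other headers, the `my_domain` parameter, and the five-minute clock tolerance are assumptions of the example.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the headers quoted in the article above, with a
# placeholder recipient and the From: line placed with the other headers,
# where a real message carries it. It is not a live message.
SAMPLE = """\
Delivered-To: victim@example.com
Received: by 10.182.3.66 with SMTP id a2csp104490oba;
        Sat, 11 Aug 2012 15:32:15 -0700 (PDT)
Received: by 10.14.212.72 with SMTP id x48mr8232338eeo.40.1344724334578;
        Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Return-Path: <e.vwidxus@yahoo.com>
Received: from 72-255-12-30.client.stsn.net (72-255-12-30.client.stsn.net. [72.255.12.30])
        by mx.google.com with ESMTP id c41si1698069eem.38.2012.08.11.15.32.13;
        Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Received-SPF: neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of e.vwidxus@yahoo.com) client-ip=72.255.12.30;
Authentication-Results: mx.google.com; spf=neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of e.vwidxus@yahoo.com) smtp.mail=e.vwidxus@yahoo.com
Received: by vwidxus.net id hnt67m0ce87b for <victim@example.com>; Sun, 12 Aug 2012 10:01:06 -0500 (envelope-from )
Received: from vwidxus.net by web.vwidxus.net with local (Mailing Server 4.69)
        id 34597139-886586-27/./PV3Xa/WiSKhnO+7kCTI+xNiKJsH/rC/
        for root@vwidxus.net; Sun, 12 Aug 2012 10:01:06 -0500
From: "Canadian Pharmacy" <e.vwidxus@yahoo.com>
Subject: constructed sample

(body omitted)
"""

# Trace-field grammar (RFC 5321): "from <host> (<comment>) by <host> ... ; <date>"
_FROM_BY = re.compile(r'\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)')
_BY_ONLY = re.compile(r'\bby\s+(\S+)')
_IPV4 = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def domain_of(addr):
    """Lower-cased domain part of a mailbox ('' when there is none)."""
    _, mailbox = parseaddr(addr)
    return mailbox.rpartition('@')[2].lower()


def parse_received(value):
    """Split one Received: value into from-host, IP, by-host and timestamp."""
    v = ' '.join(value.split())          # unfold continuation lines
    hop = {'raw': v, 'from': None, 'ip': None, 'by': None, 'date': None}
    m = _FROM_BY.search(v)
    if m:
        hop['from'], hop['by'] = m.group(1).lower(), m.group(3).lower()
        ip = _IPV4.search(m.group(2) or '')
        hop['ip'] = ip.group(1) if ip else None
    else:
        m = _BY_ONLY.search(v)
        hop['by'] = m.group(1).lower() if m else None
    if ';' in v:                          # the date follows the last ';'
        try:
            hop['date'] = parsedate_to_datetime(v.rsplit(';', 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def analyze(raw, my_domain, skew=timedelta(minutes=5)):
    """Return the spoofing indicators found in a raw message's headers.

    my_domain is the domain your own provider names its MX hosts under
    (assumption: the boundary hop is the first Received: line, top-down,
    with a 'from' clause whose 'by' host ends in that domain)."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all('Received', [])]
    from_dom = domain_of(msg.get('From', ''))
    env_dom = domain_of(msg.get('Return-Path', ''))
    findings = []

    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f'From: domain {from_dom} differs from envelope sender {env_dom}')

    boundary = next((i for i, h in enumerate(hops)
                     if h['from'] and h['by'] and h['by'].endswith(my_domain)), None)
    handoff = hops[boundary] if boundary is not None else None
    if handoff:
        host = handoff['from']
        if from_dom and host != from_dom and not host.endswith('.' + from_dom):
            findings.append(f"{handoff['by']} received the message from {host} "
                            f"[{handoff['ip']}], which is not a {from_dom} host")
        # Everything below the boundary was supplied by the sender: a trace
        # header claiming a time after our MX accepted the message is bogus.
        for h in hops[boundary + 1:]:
            if h['date'] and handoff['date'] and h['date'] > handoff['date'] + skew:
                late = h['date'] - handoff['date']
                findings.append(f"sender-supplied hop '{h['raw'][:45]}...' is stamped "
                                f"{late} after our MX accepted the message")

    spf = (msg.get('Received-SPF') or '').split()
    spf_result = spf[0].lower() if spf else 'none'
    if spf_result != 'pass':
        findings.append(f'SPF result for the envelope sender is "{spf_result}", not "pass"')

    return {'from_domain': from_dom, 'envelope_domain': env_dom,
            'handoff_host': handoff['from'] if handoff else None,
            'handoff_ip': handoff['ip'] if handoff else None,
            'spf': spf_result,
            'untrusted_hops': len(hops) - (boundary + 1 if boundary is not None else 0),
            'findings': findings}


if __name__ == '__main__':
    for line in analyze(SAMPLE, 'google.com')['findings']:
        print('-', line)
```

On the sample, the From: and envelope domains agree (both yahoo.com), so that check is silent; the four findings come from the stsn.net handoff host, the neutral SPF result, and the two vwidxus.net hops dated some sixteen and a half hours after mx.google.com accepted the message. Run it against a raw message saved from Show original, passing the domain your own provider's MX hosts use.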

Source: How-To Geek
