We’ve all become accustomed to receiving spam and know what to look for, & to spot it in our in boxes. However, sometimes you may see a message from yourself, which can be a little unnerving. Or you may see an email that looks like it came from a friend.
These signs don’t necessarily mean you and your friend have been hacked. It’s a sign that spammers have spoofed these email addresses. In fact, it’s a process that’s quite easy. In this article, we’ll take a look at how spammers spoof your email address and how to protect yourself.
Spoofing isn’t new—in fact, spammers have used this method for years. When spoofing first took off, all a spammer needed was to get a contact list from a PC infected with malware. These days, thieves are driven by data, which they use to carefully choose their targets and then send phishing emails that look like they came from trusted sources, their own account, or from friends. Being tricked in this manner can be disconcerting, especially if you’re a somewhat techy person.
Why are Emails Easy to Spoof?
Let’s take a quick walk down history lane. Back in the early 2000s, spam was a huge problem and mail servers had a very difficult time trying to tackle and stop the high levels of spam jamming the web. They tried to develop tools to stop spam in its tracks.
Back in 2003, Meng Weng Wong came up with a way that mail servers could verify an IP address was authorized to send an email message from a specific domain. This method is called Sender Permitted Form, which was later renamed to “Sender Policy Framework” in 2004.
When an email message was sent, the receiving mail server compared the IP address’s origin with the IP addressed listed in the SPF record for the specific email address’s host (for example: @someplace.com).
If the two IP addresses matched up, then the email was allowed to pass on to the recipient. However, if the IP addresses didn’t match, the email was flagged as spam and/or rejected. This method placed the deciding outcome on the receiving server.
SPF records eventually went on to become the method used to detect spam on domains across the web. This became the way to determine if an email sent from a domain is truly authorized to work from that domain.
Today, when we register a domain, the DNS records that go with the specific domain are also registered. Previously, these records are used to tell which computers to talk with depending on what they need to do, such as email, web, FTP, etc. If a person received an email from a trusted source, they could rest assured the email was truly from that source and not spam.
However, over time, it was found this was not a perfect way to catch spoofing and spam. The reason is that SPF records need to be administered. It actually takes someone to add new IP addresses, remove old ones and time for the record to spread across the Internet each time a change is made.
Most companies still use a “soft” version of SPF; rather than risking false positives by blocking “good” emails, they use a system of “soft” and “hard” fails. In addition, email hosts somewhat loosened restriction on how messages are dealt with if they fail this check. This has made emails easier to manage but makes phishing easy.
Then in 2012, DMARC was designed to work with SPF. DMARC (Domain-based Messages Authentication, Reporting, and Compliance), uses flags to instruct how email should be treated; while it uses 10 flags, two of these are the mots important, the “p” flag that tells receiving servers how to deal with possibly fake emails (either with rejection, quarantining, or passing). The “rua” flag tells receiving servers where to send a report on failed messages, which may be a specific email address at the domain, such as the admin’s security group. The DMARC record has solved most of the problems with SPF records by placing the burden of decision on how to respond away from the recipient server.
The main issue with DMARC is that not everyone uses this method to verify emails, yet. However, with this tool you can check any domain’s DMARC record. Try the tool with one of your favorite websites. If you don’t have any idea, try Wikipedia.com. Did you notice that it doesn’t have a DMARC record? This means that most email hosts that try to conform to the rules of DMARC will not have instructions on how to handle failed SPF emails and would most likely the messages through. This is what makes it easy for fake emails to get through to an inbox.
However, if a domain has a DMARC record, the SMTP server trying to spoof an email with this domain will be blocked. This stops spoofing and spam emails in their tracks.
On the other hand, if a domain does not have a DMARC record, then spammers can spoof emails, making messages look as if they’re sent from that domain. After reading this article, it’s probably a good idea to make sure each of your sites does have a DMARC record. If not, then it’s easy and fast to create them using the tool above.
How Spammers Spoof Email Addresses
It’s actually pretty easy to spoof email addresses; the tools you need to use are very easy to get. Then all that’s needed is an SMTP server and the mailing software. That’s it.
Most decent web hosting services provide their customers with an SMTP server. And spammers can use a tool such as PHP Mailer, which is easy to install and use. When everything’s set up, all the spammer has to do is compose a message, put in the “from” and “to” email addresses and then click send. Once the email reaches the recipient, they’ll get an email address that looks like it came from the address that was typed in.
If you view the email’s source code, you may find that the message failed the soft SPF check. Even so, it came through to the inbox. The source code, if you notice, also includes the originating IP address of the sender, which can be used to trace the message back to the sender.
When you receive a phishing or spoof email, the spammer wants you to click on the link, an image or open an attachment included in the email, rather than paying attention to the message’s source code.
As you can see, spoofing and spamming are very easy to do. So, what can you do?
Protect Yourself & Your Inbox
How do you protect yourself from phishing & spoofed email addresses? Here are some steps you can take to protect you and your inbox from fake messages:
1). Turn up spam filters & use a tool such as Priority Inbox: setting spam filters higher makes them stronger and may stop spoofing and phishing messages from getting through. Another tool that can help is Gmail’s Priority Inbox or Apple’s VIP, which allow the mail server to determine which email senders are most important to you. However, be sure to understand that if one of these important people is spoofed, then the message will still make it to your inbox.
2). Learn to read message headers & trace IP addresses: if you’re suspicious about a message that’s made it to your inbox, open the headers of the email up, along with the header of a previous email from the same person. If the IP addresses match, then it’s likely the email is genuine.
3). Do not click on links or download attachments: if an email looks like it’s fake, then do not click the links, images or download attachments. If the email looks like it came from your credit card company, utility company, etc. never click the links. Instead, to directly to the organization’s website and login to see if they’re trying to contact you. You can also call the company directly and ask if the email you received was sent from them or not. In addition, keep your device’s antimalware up to date.
4). File your site’s DMARC records: this is another way to protect your business from spammers and phishers who would try to use your domain to send fake email messages.
By following these rules, you’ll keep your inbox and company safe from phishing, spoofing and more. In addition, it’s a good idea to stay up to date on what spammers are doing and then watch for these types of messages in your inbox. It pays to stay alert at all times to every message that makes it to your box. You’re the first line of defense when it comes to the fight against spam and phishing attacks.
6th February 2020
31st January 2020
27th January 2020