E-mail spoofing

E-mail spoofing is a term used to describe fraudulent e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. E-mail spoofing is a technique commonly used for spam e-mail and phishing to hide the origin of an e-mail message. By changing certain properties of the e-mail, such as the "From", "Return-Path" and "Reply-To" fields (which can be found in the message header), ill-intentioned users can make the e-mail appear to be from someone other than the actual sender. It is often associated with website spoofing, which mimics an actual, well-known website but is run by another party, either with fraudulent intentions or as a means of criticism of the organization's activities. The result is that, although the e-mail appears to come from the address indicated in the "From" field (found in the e-mail headers), it actually comes from another e-mail address, probably the same one indicated in the "Reply-To" field; if the initial e-mail is replied to, the reply will be delivered to the "Reply-To" address, that is, to the spammer's e-mail.
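The header inconsistency described above can be checked mechanically on received mail. The following is an added example, not part of the original article: the function name, the sample messages and their addresses are constructed for illustration, and a mismatch is a signal for review rather than proof of spoofing.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

def _domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def header_mismatches(raw_message):
    """Compare the "From" domain with "Reply-To" and "Return-Path".

    Returns a list of findings. Mailing lists and bulk senders can
    legitimately use a different Return-Path, so treat findings as hints.
    """
    msg = message_from_string(raw_message)
    from_addrs = getaddresses(msg.get_all("From", []))
    # A message must carry exactly one usable author address to compare.
    if len(from_addrs) != 1 or not _domain(from_addrs[0][1]):
        return ["From: missing, malformed or multiple addresses"]
    from_dom = _domain(from_addrs[0][1])
    findings = []
    # Replies go to Reply-To, so a foreign domain here redirects the answer.
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        if _domain(addr) != from_dom:
            findings.append(f"Reply-To domain {_domain(addr)!r} != From domain {from_dom!r}")
    # An empty Return-Path ("<>") is a normal bounce sender and is skipped.
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if return_path and _domain(return_path) != from_dom:
        findings.append(f"Return-Path domain {_domain(return_path)!r} != From domain {from_dom!r}")
    return findings

# Constructed sample: displayed sender and reply target disagree.
SPOOFED = (
    "Return-Path: <bounce@mailer.invalid>\n"
    'From: "Example Bank" <support@bank.example>\n'
    "Reply-To: collector@elsewhere.invalid\n"
    "To: user1@efgh.example\n"
    "Subject: Account notice\n\nPlease reply with your details.\n"
)
# Constructed sample: all three fields agree.
CONSISTENT = (
    "Return-Path: <support@bank.example>\n"
    'From: "Example Bank" <support@bank.example>\n'
    "Reply-To: support@bank.example\n"
    "Subject: Statement ready\n\nYour statement is available.\n"
)

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("CONSISTENT", CONSISTENT)):
        print(name, header_mismatches(raw))
```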

Methods

As many spammers now use special software to create random sender addresses, even if the user finds the origin of the e-mail it is unlikely that the e-mail address will be active.

The technique is now used ubiquitously by mass-mailing worms as a means of concealing the origin of the propagation. On infection, worms such as ILOVEYOU, Klez and Sober will often try to perform searches for e-mail addresses within the address book of a mail client, and use those addresses in the "From" field of e-mails that they send, so that these e-mails appear to have been sent by the third party. For example:

: "User1" is sent an infected e-mail and then the e-mail is opened, triggering propagation
: The worm finds the addresses of "User2" and "User3" within the address book of "User1"
: From the computer of "User1", the worm sends an infected e-mail to "User2", but the e-mail appears to have been sent from "User3"

This can be particularly problematic in a corporate setting, where e-mail is sent to organisations with content filtering gateways in place. These gateways are often configured with default rules that send reply notices for messages that get blocked, so the example is often followed by:

: "User2" doesn't receive the message, but instead gets a message telling them that a virus sent to them has been blocked. "User3" receives a message telling them that a virus sent by them has been blocked. This creates confusion for both "User2" and "User3", while "User1" remains unaware of the actual infection.

Newer variants of these worms have built on this technique by randomising all or part of the e-mail address. A worm can employ various methods to achieve this, including:

*Random letter generation
*Built-in wordlists
*Amalgamating addresses found in address books, for example:
**"User1" triggers an e-mail address spoofing worm, and the worm finds the addresses "user2@efgh.com", "user3@ijkl.com" and "user4@mnop.com" within the user's Outlook address book
**The worm sends an infected message to "user2@efgh.com", but the e-mail appears to have been sent from "user3@mnop.com"

See also

* E-mail authentication
* Computer virus
* Computer worm
* Hoax
* Chain e-mail
* Joe job - deliberate spoofing in order to tarnish someone's reputation

External links

* [http://www.cert.org/tech_tips/email_spoofing.html CERT Tech Tip - Spoofed/Forged Emails]


Wikimedia Foundation. 2010.
