Email Spoofing – faking the Sender

By | January 25, 2017

The previous blog post explained how the scam of fake PayPal notifications played out from the point of view of the victim, the Seller of goods on an online marketplace.
The seller receives an email, which is faked as “sent” from a legitimate-looking address such as “service@paypal.com”.

This is the email header of a PayPal notification as displayed in my Outlook Mail:

Here is the same header displayed in SquirrelMail:

Outlook displays a fancy logo beside the FROM address, while the more basic SquirrelMail doesn’t mess around. Either of these emails could be spoof PayPal emails, it’s impossible to tell from what you see in the standard email display.

This post examines how scammers go about faking PayPal notifications. I’m going to go into the underlying technical details, for those who are interested. Unfortunately, I have no fear that I am “revealing” to wannabe scammers how to go about their business. To run the scam, you don’t need to know how to set up a system that sends spoofed emails. There are many websites out there that will give the lightweight scammers a simple interface to send a few emails a day to eBay or Amazon sellers. They enter a few details into a web page: the “fake sender”, the recipient, and the body of the message – and away they go.

Want to try it?

Search for “free online email spoofer” and you’ll get a ton of websites offering to do the nasty deed. Click on one of them and you’ll probably pick up a virus, and serve you right. Lie down with dogs, and all that.

Try enough of the sites, and you’ll find one that just insists that you watch a load of dodgy adverts in order to use their service.

So, behind these websites, there is a mechanism that allows email “sender” details to be spoofed. I mean, when you’re using a website called “www.dodgygeezer.ru”, that domain shouldn’t be allowed to send emails purportedly from TheDonald@whitehouse.gov, right? (Rhetorical question, folks, the answer is no, it should not). So how do they do it?

The larger-scale scammer has access to an email server, otherwise known as an SMTP server. They may have hacked an otherwise legitimate server, but it’s perfectly possible to pay twenty bucks a month to a web hosting provider for a virtual server on which they can install the SMTP mail software of their choice.

By the way, it takes not much more than a day to set up an SMTP server from scratch and configure it properly. Most of that time is waiting for the new details to be recognized across the world wide web. Installing and configuring the software itself takes under an hour.

Now, some mailing software insists on defaulting the Sender details to one or more accounts registered at a specific domain (e.g. service@dodgygeezer.ru). This is usually the domain associated with the web server provided by the hosting provider as part of the package. But some perfectly legitimate mailing software freely allows the entry of any “FROM” address – mickeymouse@disney.com is no problem at all.

Why is this legitimate?

Well, many businesses like to help their customers by segmenting their email output. Instead of every email coming from “service@goodbiz.com”, depending on the reason for the email, it may be modified to come from “returns@goodbiz.com” or “helpdesk@goodbiz.com” or “customersurvey@goodbiz.com”. These email accounts may not actually exist – when the recipients hit reply, the messages all return to the same generic recipient, allowing internal software to parse and route the message as appropriate (carefully losing the complaints).

So, the folk at goodbiz.com are faking email addresses from their own domain. They are not trying to dupe their customers, and the software they use facilitates their customer interaction model.

But surely it’s reasonable for the internet-using public to expect that goodbiz.com should not be allowed to send emails with the sender specified as @disney.com or @paypal.com. The mailing software may allow it, but isn’t it possible for these emails to be intercepted as illegitimate?

Intercepted by which slavering guard dog, you ask?

By the hosting provider. They carry all network traffic sent from the servers they lease to the public. They “see” all those mail headers, they see the “SEND” details and they know the domain from which the email is originating.

Wait, our friends at GoodBiz have an objection. They follow good principles of system safety, and run their mail software from a different server than their website. Not only that, but GoodBiz has a subsidiary company called SmallBiz which shares its parent’s mail server. And the SmallBiz help desk want to send emails from the main GoodBiz support account.

Okay, our fraud interception policy needs to be extended in two ways.

Firstly, we must allow website owners to nominate other servers that they lease to be part of a family of servers that are associated with their domain.

Secondly, we must allow website owners to nominate other domains that they own that are allowed to piggyback on the SEND details of a specific domain that is part of the family.

In other words, the domain owner must specify which Senders are Permitted to send From mail servers registered to their domain. We’ll call it SPF for short (Senders Permitted From).
This allows either the hosting provider or the receiver to look at the email header, and make a call to the domain asking if the SEND details are on the Permitted List.
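To make the Permitted List idea concrete, here is an added Python example (not code from the original post) that evaluates a simplified SPF policy for the GoodBiz/SmallBiz scenario above. The domain names and DNS records are constructed stand-ins; note that a real SPF check compares the envelope sender (the SMTP MAIL FROM domain) against the connecting server’s IP address, not the displayed From: header.

```python
import ipaddress

# Constructed stand-in for DNS (TXT and A records), so this runs offline.
# goodbiz.example lists its own mail servers; smallbiz.example piggybacks on
# them via "include:", the GoodBiz/SmallBiz arrangement described above.
DNS = {
    "goodbiz.example": {"TXT": "v=spf1 ip4:203.0.113.0/28 a:mail.goodbiz.example -all"},
    "smallbiz.example": {"TXT": "v=spf1 include:goodbiz.example -all"},
    "mail.goodbiz.example": {"A": "198.51.100.25"},
    "dodgygeezer.example": {},  # publishes no SPF policy at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, depth=0):
    """Evaluate sender_domain's SPF record against the connecting client_ip.
    Simplified RFC 7208: supports ip4, a, include and all."""
    if depth > 10:                   # RFC 7208 caps include: recursion
        return "permerror"
    record = DNS.get(sender_domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"                # the domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"              # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = DNS.get(arg or sender_domain, {}).get("A") == str(ip)
        elif name == "include":
            # include: only matches when the referenced policy yields "pass"
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"       # mechanism not supported by this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                 # nothing matched and no "all" term


def verdict(mail_from, client_ip):
    """Wrapper taking the envelope sender (SMTP MAIL FROM) address."""
    return check_spf(mail_from.rsplit("@", 1)[-1].lower(), client_ip)
```

A receiver that gets "fail" for mail claiming to be from goodbiz.example sent by an unlisted server can reject or quarantine it; "none" (no policy published) is why SPF alone cannot protect domains that never set it up.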

Wow, this is radical new thinking, brought to you here first on this blog!

Actually, no.

Let’s go back to the middle ages (in internet time).

Way back in 2003, Singaporean entrepreneur Wong Meng Weng devised this strategy, originally called Sender Permitted From. As others got involved, the name changed to Sender Policy Framework. Weng and others put great effort into evangelizing this framework to fight spam.

Crucially, Microsoft were working on something similar, and broadly accepted the approach. In 2005, they rolled out an implementation of SPF into their mailing software.

So why, in 2017, are eBay and Amazon sellers receiving spoof emails from paypal.com?

Next blog post coming soon.