Email Spoofing – why it’s still around and how to spot it

By | January 25, 2017

In the previous post, we discussed one mechanism for authenticating the sender of emails. As spoofing is still a wide-spread problem, why hasn’t SPF solved the problem? Let’s look again at Email Headers, a standard set of information that is transferred with every email.

 

In the usual display of most email clients, we see a subset of the header.

 

This time, we want to look at the full header – this is achieved in different ways, depending on your email client. In Outlook Mail, hunt around for “View Message Source”. In Squirrel Mail, the option is easier to find: “View Full Header.”

Good Sender

Let’s look at an email from Amazon, I’ve eliminated some of the lines for easier reading, and bolded the important lines for our purposes.

Received: from VE1EUR02HT210.eop-EUR02.prod.protection.outlook.com
smtp.mailfrom=bounces.amazon.com; hotmail.com;
dkim=pass (signature was verified)
Received-SPF: Pass (protection.outlook.com: domain of bounces.amazon.com designates 54.240.15.125 as permitted sender)
Date: Wed, 18 Jan 2017 20:04:13 +0000
From: “Amazon.com” <store-news@amazon.com>
To: redacted

Now you’ll see that email messages actually contain two sender addresses. The “MailFrom” address, and the “From” address. Only the second, the “From” address, is displayed by an email client. The first is there, but hidden from plain view.

Crucially, SPF only checks this hidden “MailFrom” address. Legitimate senders will often want to modify the displayed From address, as discussed in the previous blog post.

Notice in my example that the receiver did its due diligence on the SPF record. The sending server’s I.P. address is 54.240.15.125. The receiver grabbed the domain from the “mailfrom” and checked its list of authorized servers: “the domain of bounces.amazon.com designates 54.240.15.125 as permitted sender

Bad Sender?

Now I’m going to show you another mail header for an email I received to my Outlook mail address (I’ve changed some details for privacy).
The receiver gets the domain from the “MailFrom” address and goes looking for its SPF record listing the authorized senders.  In this case, the host (lbntechnology.com) hasn’t set up any SPF record (“lbntechnology.com does not designate permitted sender hosts”).

Received: from VE1EUR01HT052.eop-EUR01.prod.protection.outlook.com
smtp.mailfrom=lbntechnology.com; hotmail.com;
dkim=none (message not signed)
Received-SPF: None (protection.outlook.com: lbntechnology.com does not designate permitted sender hosts)
Date: Wed, 25 Jan 2017 21:59:14 +0000
From: Casey <casey@lbntechnology.com>
To: redacted

Remember, Microsoft were early adopters of SPF. Does Outlook reject this message? No, it flags in the header that it hasn’t got a “pass”, but merrily displays it to me. Only if I look at the message source do I see that the SPF verification could not take place. There was no spoofing attempt here, just an administrator of a domain that doesn’t bother setting up SPF records.

So, in this case, Outlook is allowing domains that don’t “sign up” to SPF to bypass rejection. Knowing this, spoofers will tend to look for domains that do not publish SPF records. It’s perfectly possible to increase the severity of spam filters to reject non-compliant domains – this is known as a Hard-Fail. The problem is that huge amounts of otherwise-legitimate emails would be bounced.

Fatal Flaw

This is the fundamental blocker for SPF or any other authentication protocol. Without global take-up of the protocol, mail providers are reluctant to reject emails that don’t bother with authentication at all.

The good news is that although we can be fooled by the displayed FROM address, we now know a way of checking the sender’s domain.

Guarding Against Spoofing

 

Using your email client, take the trouble of viewing the message source and looking for the “mailfrom” details.

It appears near the beginning of the output, before all the extensive gobbledygook that comes afterwards.

With a bit of experience, your eye will jump straight to the line.

 

Watch Out – Homoglyphs About!

One extra hurdle from savvy scammers is the use of “mailfrom” domains that resemble the real thing. So you’re diligently looking for paypal.com, and the actual text is “paypa1.com” i.e. the same except for one similar looking character.

In this case, the scammer has registered the paypa1 domain, and is merrily sending spoof emails from their mail server.
This is known as a homoglyph attack – where the text looks the same to the casual eye. One precautionary measure is to copy the text from the message source and paste it into a document with a larger font. Yes, you’re probably not going to do that with every email – but if you’re selling an item for $1,000 then the extra few seconds are worth the hassle.

 

Leave a Reply

Your email address will not be published. Required fields are marked *