In spoofing attacks, hackers send emails that appear to come from a familiar address. This can be done with zero code through free spoofing sites. With only slightly more work, the sender ‘From’ field can be faked with a few lines of PHP or even a single line at the Unix command line. Unfortunately, mail protocols are still extremely trusting compared to the rest of the web, so a spoofer can simply set any From address they like with free, easy-to-use software. The main defenses against spoofing are to double-check email headers and properly configure your DNS records — particularly SPF, DKIM and DMARC.
What are SPF records?
SPF stands for Sender Policy Framework and is essentially a list of approved mail server IP addresses published in a TXT record in the domain owner’s DNS.
How does SPF work?
It’s meant to combat mail sender forgery by comparing the IP address of the server sending the message against the trusted servers listed in the SPF record.
When an email is sent using SMTP, the initial sender’s system (the mail server of the person sending the email) provides two pieces of information. Weirdly, as is standard and default in the email protocol, no checks are done to verify that the sending system (the sender’s mail server) is authorized to send on behalf of the address listed in MAIL-FROM or RCPT-TO.
In response to this security threat, many mail providers check DNS records to verify that the sending server is authorized by the domain’s SPF record. Remember, it’s the Sender Policy Framework.
MAIL-FROM: Presented as “Return-Path:”. Usually not visible to end users and not checked by default to confirm that the sender and mail server match. Lame.
RCPT-TO: Also not visible to end users, but it may appear in the headers as part of a “Received:” header.
Once the receiving mail server decides it doesn’t have a problem with either of these items (mostly in terms of bouncing, not security), the sending mail system is then able to send the familiar header items that you see in the email interface:
The problem is that the protocol for sending mail (at a fundamental level — not particular to Gmail, Outlook, etc.) requires no check against DNS. Thus legitimate mail providers like Gmail run a DNS record check to see whether the SPF record authorizes the sender’s origin.
SPF TXT Records and Relevant Mechanisms
The following mechanisms define which IP addresses are allowed to send mail for the domain:
A receiving mail server compares the IP address of the sender against the IP addresses defined by the mechanisms. If the IP address matches one of the mechanisms in the SPF record, authentication passes.
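As an added example (not code from the article), here is a small SPF evaluator in Python that does the comparison just described: it walks the mechanisms of a record in order and returns the result of the first one that matches the sender IP. It handles the standard mechanisms (ip4, ip6, a, mx, include, all) and qualifiers (+, -, ~, ?). Real DNS lookups are replaced by a constructed table of placeholder domains and addresses so it runs offline; modifiers such as redirect= and CIDR suffixes on a/mx are deliberately left out. The include: mechanism is also how a domain authorizes a third-party provider to send on its behalf, which is the setup the forwarding scenario later on this page runs into.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (placeholder names and IPs).
DNS = {
    "example.com": {
        "TXT": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailprovider.example -all",
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.mailprovider.example": {"TXT": "v=spf1 ip4:192.0.2.0/25 ~all"},
}

# An SPF qualifier decides what a *matching* mechanism means.
RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _records(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def evaluate_record(record, ip, domain, depth=0):
    """Evaluate one SPF record for a sender IP.

    Returns pass / fail / softfail / neutral / permerror. `domain` is the
    MAIL-FROM (Return-Path) domain, used by bare `a` and `mx` terms.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms, which also stops include: loops
        return "permerror"
    if not record.startswith("v=spf1"):
        return "permerror"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # a bare address becomes a /32 or /128
            matched = sender.version == net.version and sender in net
        elif mech == "a":
            matched = any(sender == ipaddress.ip_address(a) for a in _records(arg or domain, "A"))
        elif mech == "mx":
            matched = any(sender == ipaddress.ip_address(a)
                          for mx in _records(arg or domain, "MX")
                          for a in _records(mx, "A"))
        elif mech == "include":
            # include: matches only when the referenced domain's record yields "pass"
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # redirect=, exp=, a/24-style CIDR etc. are not handled here
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and there was no "all" term


def check_spf(ip, domain, depth=0):
    """Look up the domain's SPF TXT record and evaluate it ('none' if it has no record)."""
    record = DNS.get(domain, {}).get("TXT")
    if record is None:
        return "none"
    return evaluate_record(record, ip, domain, depth)


if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.25", "192.0.2.10", "192.0.2.200", "2001:db8::1"):
        print(ip, "->", check_spf(ip, "example.com"))
```

Note that the check is keyed on the MAIL-FROM domain, not on the address a user sees in the From header; that distinction is exactly what lets a spoofer put a trusted name in the visible From while the envelope points somewhere else.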
SPF alone is not enough.
How do I Protect Myself from Email Spoofing?
Unfortunately, email is an area of the web that is still based largely on trust rather than authentication. SSL/TLS is rarely used despite its ability to encrypt server-to-server email traffic. Additional authentication methods include configuring and checking DKIM, DMARC and Sender ID, though none of these alone will ensure that your domain and email addresses are not spoofed.
The most effective way to protect against spoofing is to use these countermeasures and watch out for suspicious email content such as unusual grammar, indentation or sentence phrasing.
These errors are often the result of templated messages used in a spoofer’s script, so if you receive a message with some of these errors or oddities, be wary. Sometimes email providers will flag a message with something like “Cannot authenticate sender”, even in cases where it really was sent by that person.
Here’s one scenario of what might be happening:
Imagine the original sender of the email is using a different email client (think interface) than the email server that their messages “live” on. Huh? Yeah, let me clarify.
Say you have an email or webmail service through GoDaddy. That’s where all the data of your emails “live”. Imagine the GoDaddy email interface is not as user friendly as, say, Gmail (not hard to imagine, am I right?). Well, you can view and send emails via your GoDaddy mail server from Gmail using methods like POP and IMAP (which we discuss elsewhere). This lets you use the prettier interface of Gmail without needing to migrate all your emails, among other tasks. When you send an email with this setup but no changes to SPF, the email gets flagged by the receiving provider, because it checks the SPF record and sees no authorization for Gmail (mail.google.com). Adding an SPF record will usually resolve the issue.
There are nuances to what exactly is happening depending on how and what you set up. But just know that Gmail is essentially sending on behalf of the other mail server, and this is where configuring methods like SPF and DKIM becomes important.
Attention to Details
Analyzing the original header info will let you see more about the email, including the originating domain/IP that it was sent from.
In Gmail, click the breadcrumb icon (3 vertical dots) > Show Original. Here you can comb through the original headers for more information.
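As an added example (not code from the article), the Python script below pulls the same information out of a raw message that you would look for by eye in Show Original: the Return-Path (the MAIL-FROM from earlier), the visible From, the Received chain to find the originating server, and the Authentication-Results header that the receiving server stamps on with its SPF verdict. Both messages are constructed for illustration; every domain and IP in them is a documentation placeholder.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed spoofed message: visible From at one domain, Return-Path at another,
# and the receiving server recorded an SPF failure.
SPOOFED = """\
Return-Path: <bounce@mailer.attacker.example>
Received: from mx1.example.net (mx1.example.net [198.51.100.7])
 by inbox.example.org with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from relay.attacker.example (relay.attacker.example [203.0.113.9])
 by mx1.example.net with ESMTP; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: inbox.example.org; spf=fail smtp.mailfrom=mailer.attacker.example
From: "Accounts Team" <billing@bank.example>
To: victim@example.org
Subject: Your account needs attention

Please review the attached invoice.
"""

# Constructed legitimate message for comparison: aligned domains, SPF passed.
LEGIT = """\
Return-Path: <billing@bank.example>
Received: from mail.bank.example (mail.bank.example [192.0.2.25])
 by inbox.example.org with ESMTP; Mon, 1 Jan 2024 10:05:00 +0000
Authentication-Results: inbox.example.org; spf=pass smtp.mailfrom=bank.example
From: "Accounts Team" <billing@bank.example>
To: victim@example.org
Subject: January statement

Your statement is ready.
"""

# Bracketed IPv4 literal as written by the receiving server in a Received: header.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(address):
    """Domain part of an RFC 5322 address, lower-cased ('' if absent)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def analyze(raw):
    """Summarize the headers that matter for spoofing and list any red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg["From"] or ""))
    envelope_domain = domain_of(str(msg["Return-Path"] or ""))
    received = [str(h) for h in msg.get_all("Received") or []]
    # Each hop prepends its own Received: header, so the last one is the
    # earliest hop, i.e. the server that originally handed the message in.
    origin = IP_RE.search(received[-1]) if received else None
    spf = re.search(r"\bspf=(\w+)", str(msg["Authentication-Results"] or ""))
    spf_result = spf.group(1).lower() if spf else None

    findings = []
    if from_domain != envelope_domain:
        findings.append(f"visible From domain {from_domain!r} differs from "
                        f"Return-Path domain {envelope_domain!r}")
    if spf_result != "pass":
        findings.append(f"SPF result is {spf_result}")
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "origin_ip": origin.group(1) if origin else None,
        "hops": len(received),
        "spf": spf_result,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze(raw))
```

The From/Return-Path comparison is a simplified form of the alignment check DMARC performs; a mismatch is not proof of spoofing on its own (mailing lists and some forwarders produce it legitimately), but together with a non-pass SPF result it is the pattern worth a second look before acting on the message.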
It’s also important to watch out for domains or email addresses that closely resemble those of reputable companies or sites, e.g. www.wells.fargo.com is not www.wellsfargo.com.
- Email sender addresses are sometimes spoofed by changing one or two letters in either the local part (before the @ symbol) or the domain name.
- The URL of a webpage, like an email address, can be slightly altered to trick a visitor who isn’t looking closely.
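As an added example (not code from the article), here is a Python lookalike check for the two cases just listed. It reduces a sender domain or a URL’s host to a comparable core (drops the TLD, dots and hyphens, and maps the digits 0 and 1 to the letters o and l) and then flags it if that core contains, or is within a small edit distance of, a domain on a constructed allow-list of companies the recipient actually deals with. The allow-list and test inputs are placeholders; the registrable-domain logic is deliberately naive (no public suffix list).

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the recipient legitimately deals with.
TRUSTED = ["wellsfargo.com", "example-bank.com"]

# Digits that are commonly swapped in for similar-looking letters.
HOMOGLYPHS = str.maketrans("01", "ol")


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host. Naive: without a public suffix list,
    names under co.uk-style suffixes would be handled wrongly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def core(host):
    """Host minus its TLD, with dots and hyphens removed and 0/1 mapped to o/l,
    so wells.fargo.com, wellsfargo-secure.com and we11sfargo.com all reduce to
    something directly comparable with wellsfargo."""
    labels = host.lower().strip(".").split(".")
    body = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return body.replace("-", "").translate(HOMOGLYPHS)


def classify_host(host):
    """'trusted' if the registrable domain is allow-listed, 'lookalike' if it
    only resembles one, otherwise 'unknown'."""
    if registrable(host) in TRUSTED:
        return "trusted"
    c = core(host)
    for trusted in TRUSTED:
        tc = core(trusted)
        if tc in c or edit_distance(c, tc) <= 2:
            return "lookalike"
    return "unknown"


def classify_sender(address):
    """Classify the domain part of an email address."""
    return classify_host(address.rpartition("@")[2])


def classify_url(url):
    """Classify the host of a URL (the part a visitor is least likely to read closely)."""
    return classify_host(urlsplit(url).hostname or "")


if __name__ == "__main__":
    for sample in ("accounts@wellsfargo.com", "accounts@wells.fargo.com",
                   "http://we11sfargo.com/login", "https://wellsfargo.com.evil.example/"):
        print(sample, "->", classify_sender(sample) if "@" in sample else classify_url(sample))
```

The substring test is what catches the subdomain trick (a trusted name placed in front of an unrelated registrable domain), while the edit-distance test catches single-character swaps and drops; both produce false positives on genuinely unrelated names, so treat "lookalike" as a prompt to check the headers rather than a verdict.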
If you’d like to learn more about how to check email headers, you can read more here.
Lastly, don’t click on unfamiliar links or download unfamiliar or unexpected attachments. If you are unsure, and perhaps have reason to believe the unfamiliar mail is legitimate, reply to the sender to ask for confirmation. Replies to spoofed email
Spoofing is sometimes obvious, but as techniques become more advanced, it requires more scrutiny from email recipients. Best of luck, my friends.