Email spoofing is a technique for sending email that makes the recipient believe the message comes from a trusted person. It is used mostly in spam and as a way to deliver attacks. Although forging a sender address may sound complicated, it is actually quite simple.
In this article, we explain how email spoofing works, how to defend yourself, and how to prevent others from receiving messages that appear to come from your address but that you never actually sent.
To understand why it is possible to forge the sender of an email message, remember first that the protocols governing email were designed more than 30 years ago. Back then, spam and scams did not exist on the Internet, which was largely restricted to university researchers. SMTP, the protocol that defines how servers exchange email messages, provides no method to verify that the sender address declared in a message actually belongs to whoever is sending it.
In practice, when you send an email you can specify any address as the sender, including one that is not yours.
Picture this: you are sending a package via courier, or a letter at the post office. Under "Sender" you can write whatever you want; nobody asks you for identification. When you think about it, this makes sense: for delivery, the only thing that matters is the recipient's address.
Specifying a correct sender is only useful if you want to be notified when delivery fails. This is also why, during an email spoofing attack, the "fake" sender receives non-delivery notices for emails that he or she never sent (the so-called bounce messages, or mailer-daemon messages, also known as backscatter). In SMTP these bounces go to the envelope sender (the address given in the MAIL FROM command, shown to the recipient as Return-Path), which does not have to match the From header the recipient sees in their mail client.
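To make the point concrete, here is an added example (not code from the original article or from Qboxmail) that plays both sides of an SMTP exchange offline. A tiny receiving server on localhost accepts everything, as a server without any checks would, and records the envelope; the client then sends a message whose From header claims to be the company CEO while the envelope sender is the attacker's own address. All domains, addresses and the server name are constructed for the demo.

```python
import email
import email.utils
import smtplib
import socket
import threading
from email.message import EmailMessage


class RecordingSmtpServer:
    """Minimal one-connection SMTP listener that accepts everything and records
    the envelope (MAIL FROM / RCPT TO) and the message data. It stands in for a
    receiving mail server that performs no sender checks at all (constructed)."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # pick a free local port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.mail_from = None
        self.rcpt_to = []
        self.data = b""
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        reader = conn.makefile("rb")
        conn.sendall(b"220 mx.victim-company.example ESMTP\r\n")
        while True:
            line = reader.readline()
            if not line:
                break
            cmd = line.decode("latin-1").rstrip("\r\n")
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                conn.sendall(b"250 mx.victim-company.example\r\n")
            elif verb == "MAIL":  # MAIL FROM:<envelope sender>, where bounces go
                self.mail_from = cmd.partition(":")[2].strip().strip("<>")
                conn.sendall(b"250 OK\r\n")
            elif verb == "RCPT":  # RCPT TO:<recipient>
                self.rcpt_to.append(cmd.partition(":")[2].strip().strip("<>"))
                conn.sendall(b"250 OK\r\n")
            elif verb == "DATA":
                conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                lines = []
                while True:
                    line = reader.readline()
                    if line in (b".\r\n", b""):
                        break
                    lines.append(line)
                self.data = b"".join(lines)
                conn.sendall(b"250 OK queued\r\n")  # accepted, no questions asked
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"250 OK\r\n")
        conn.close()
        self.sock.close()


def send_spoofed(port):
    """Send a message whose From: header is forged while the SMTP envelope sender
    is the attacker's own address (all addresses are constructed demo values)."""
    msg = EmailMessage()
    msg["From"] = "CEO <ceo@victim-company.example>"  # what the victim sees
    msg["To"] = "accounting@victim-company.example"
    msg["Subject"] = "Urgent: wire transfer today"
    msg.set_content("Please pay the attached invoice before noon.")
    with smtplib.SMTP("127.0.0.1", port, local_hostname="attacker-box.example") as smtp:
        # The envelope sender is independent of the From: header; nothing checks either.
        smtp.send_message(msg, from_addr="attacker@free-mail.example",
                          to_addrs=["accounting@victim-company.example"])


def demo():
    """Return (envelope sender, From: header address) as the receiver recorded them."""
    server = RecordingSmtpServer()
    send_spoofed(server.port)
    server.thread.join(timeout=5)
    received = email.message_from_bytes(server.data)
    header_from = email.utils.parseaddr(received["From"])[1]
    return server.mail_from, header_from


if __name__ == "__main__":
    envelope, header = demo()
    print("Bounces will go to (envelope sender):", envelope)
    print("Recipient sees (From: header):       ", header)
```

Running it shows the two addresses side by side: the receiver happily queued a message "from the CEO", and any bounce would go to the attacker's envelope address rather than to the person named in From. A real receiving server that checks SPF would evaluate the envelope domain (free-mail.example here), which is exactly why the From header needs DMARC alignment on top of SPF.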
Spammers are always on the lookout for the email addresses of people connected to a potential victim, because the victim is much more likely to read a message whose displayed sender is someone they know. Usually this information (pairs of senders and recipients who know each other) is obtained by malware that previously infected a victim's PC and stole the address book (for example, all contacts in Outlook).
The scammers then take an address from the stolen address book and use it as the sender for emails to all the other contacts.
This explains why people we know, and people who do not know us at all, receive emails in our name.
If these messages also contain fragments of real conversations, they were most likely assembled from mailboxes stolen from a PC infected with a recent version of the Emotet malware, which replies inside existing email threads to look legitimate.
As mentioned, SMTP provides no mechanism to prevent someone from sending emails in our name. Over the years, however, three DNS-based standards have been developed to stop messages with a forged sender from reaching their destination: SPF, DKIM and DMARC.
The common idea is to publish information in the DNS of your domain that tells the receiving server whether a message really came from your sending servers or not.
To protect company mailboxes, the first precaution to take on your own domain's DNS is to publish an SPF record. An SPF record lists the IP addresses (or hostnames) of the SMTP servers that are authorized to send email for your domain. Your email provider supplies the record, and you enter it as a TXT record in the DNS of your domain.
An SPF record looks like this:
v=spf1 include:spf.qboxmail.com mx a -all
The "include:" part changes from provider to provider. What you need to pay attention to is the final part, "-all" (hard fail). Many providers suggest a record ending in "~all" (soft fail), which only asks receivers to treat non-matching senders as suspicious; on its own it rarely causes a forged message to be rejected, so it is not sufficient to protect you. Keep in mind also that SPF checks the envelope sender (MAIL FROM / Return-Path), not the From address the recipient sees; that gap is what DMARC closes.
Therefore, verify that your SPF record ends with -all and contains exactly the right addresses for your SMTP servers; your email service provider can tell you what to enter. Also keep the record within the limit of 10 DNS lookups that SPF allows (every include, a and mx term counts), otherwise receivers treat the record as a permanent error.
The second technical step is to make sure your outgoing emails are signed with DKIM. A DKIM signature by itself does not stop someone from sending email on your behalf, but it lets a recipient verify, using the public key published in your DNS, that a message really was sent through your provider's SMTP servers and that the signed headers and body were not altered in transit. Having a DKIM signature on all sent mail is also very useful in the analysis that follows a security incident, since it allows you to establish whether a message was actually sent by you and whether it was modified after sending.
To have your emails DKIM-signed, ask your provider. Nowadays most email providers include this service in their mail suite.
The third step is to declare a DMARC policy for your domain. DMARC tells the recipient of your messages what to do when neither SPF nor DKIM produces a passing result for a domain aligned with the one in the From header; for example, you can indicate that such messages should be rejected or quarantined. The DMARC specification also lets you receive aggregate reports, in XML format, showing who is sending mail that claims to come from your domain, which is how you find out that someone is spamming or scamming in your name. DMARC is the most recent of the three measures and not every email service provider enforces it yet, but it is always worth publishing a DMARC record in your domain's DNS. A common approach is to start with p=none to collect reports, then move to quarantine and finally to reject once all your legitimate sources pass.
A DMARC policy, published as a TXT record at _dmarc.yourdomain, looks like this:
v=DMARC1; p=quarantine; rua=mailto:dmarcrua@qboxmail.com; ruf=mailto:dmarcruf@qboxmail.com
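The three steps above fit together in a single check performed by the receiving server. The following added example (illustrative code, not part of the original article and not Qboxmail's implementation) evaluates SPF against a constructed DNS zone and then applies the DMARC policy with domain alignment. It covers the subset of SPF that the record shown above uses (ip4/ip6, a, mx, include, all and the four qualifiers), with no macros, redirect= or exp=; DKIM signature verification is not implemented, so the DKIM result is passed in as an input. The zone, the domains (strict.example, weak.example, attacker.example, spf.provider.example), the IP addresses and the function names are all assumptions made for the demo.

```python
import ipaddress

# Constructed DNS zone for the demo (documentation addresses, not real records).
# Keys are (name, record type); SPF and DMARC policies live in TXT records.
ZONE = {
    ("spf.provider.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("strict.example", "TXT"): ["v=spf1 include:spf.provider.example mx a -all"],
    ("strict.example", "A"): ["203.0.113.10"],
    ("strict.example", "MX"): ["mx1.strict.example"],
    ("mx1.strict.example", "A"): ["203.0.113.25"],
    ("_dmarc.strict.example", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@strict.example"],
    ("weak.example", "TXT"): ["v=spf1 include:spf.provider.example ~all"],  # soft fail, no DMARC
    ("attacker.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],         # attacker's own domain
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, zone=ZONE, depth=0):
    """Evaluate the SPF record of `domain` for a sending IP. Subset of RFC 7208:
    ip4/ip6, a, mx, include, all; no macros, redirect= or exp= (hypothetical helper)."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; treat deeper nesting as a permerror
        return "permerror"
    records = [r for r in zone.get((domain, "TXT"), []) if r.startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(addr == ipaddress.ip_address(a) for a in zone.get((arg or domain, "A"), []))
        elif mech == "mx":
            hosts = zone.get((arg or domain, "MX"), [])
            matched = any(addr == ipaddress.ip_address(a) for h in hosts for a in zone.get((h, "A"), []))
        elif mech == "include":
            matched = check_spf(ip, arg, zone, depth + 1) == "pass"
        else:
            return "permerror"  # unsupported mechanism or modifier
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a match


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (no public suffix list)."""
    return ".".join(domain.split(".")[-2:])


def dmarc_disposition(header_from_domain, envelope_domain, spf_result, dkim_domain, dkim_result, zone=ZONE):
    """Apply the DMARC policy of the From: domain. `spf_result` is check_spf() for the
    envelope (MAIL FROM) domain; `dkim_domain`/`dkim_result` describe a verified DKIM
    signature's d= tag, or None when the message carries no valid signature."""
    records = [r for r in zone.get(("_dmarc." + header_from_domain, "TXT"), []) if r.startswith("v=DMARC1")]
    if not records:
        return "none"  # no policy published: the receiver gets no instruction
    tags = dict(t.strip().split("=", 1) for t in records[0].split(";") if "=" in t)

    def aligned(domain, mode):  # 'r' relaxed (same organizational domain) or 's' strict
        if domain is None:
            return False
        if mode == "s":
            return domain == header_from_domain
        return org_domain(domain) == org_domain(header_from_domain)

    spf_ok = spf_result == "pass" and aligned(envelope_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


def scenarios():
    """Four deliveries to a DMARC-aware receiver (constructed). Each case is
    (connecting IP, envelope domain, From: domain); no DKIM signature is present.
    Returns {name: (SPF result, DMARC disposition)}."""
    cases = {
        "legit": ("198.51.100.7", "strict.example", "strict.example"),           # provider IP
        "spoof_strict": ("192.0.2.50", "strict.example", "strict.example"),       # forged envelope + From
        "spoof_weak": ("192.0.2.50", "weak.example", "weak.example"),             # ~all and no DMARC
        "spoof_aligned_bypass": ("192.0.2.50", "attacker.example", "strict.example"),  # own envelope, forged From
    }
    out = {}
    for name, (ip, envelope_domain, from_domain) in cases.items():
        spf = check_spf(ip, envelope_domain)
        out[name] = (spf, dmarc_disposition(from_domain, envelope_domain, spf, None, None))
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} SPF={result[0]:9s} DMARC={result[1]}")
```

Two of the cases are the ones a practitioner should keep in mind. With "~all" and no DMARC record (spoof_weak), the receiver only learns "softfail" and gets no instruction about what to do with the message. In spoof_aligned_bypass the attacker's own envelope domain passes SPF, so SPF alone would let the forged From header through; it is DMARC's alignment requirement between the From domain and the SPF or DKIM domain that turns that delivery into a quarantine.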
Although these measures do not make it impossible for others to send emails with your address as the sender, they are certainly a deterrent: between a domain without these protections and one with SPF, DKIM and DMARC active, scammers prefer the former, because their forged messages are far more likely to be delivered.
Finally, there are some tips that are always valid:
If you want more information or technical support to secure your emails and your company from possible risks, you can contact Qboxmail. We will be at your disposal to give you all the necessary support.