Email spoofing is a technique for sending email messages with a sender address other than the real one. It is commonly used in spam and in attacks that rely on the victim believing they are receiving email from a trusted person. Although you may think that forging the sender of an email message is complicated, in reality it is very simple.
In this article, we will explain how email spoofing works and how to defend yourself, so that others stop receiving messages that claim to come from your address but were never sent by you.
To understand why it is so easy to falsify the sender of an email message, it is first necessary to remember that the protocols that govern email were born more than 30 years ago. In those days spam and scams on the Internet did not exist; indeed, the Internet was a place restricted to university researchers. In fact, the SMTP protocol, the one that defines the exchange of email messages between servers, does not provide any method of verifying that the sender address declared by the sender actually belongs to them.
Basically, when I send an email I can specify any address as the sender, even one that is not mine.
To make a comparison, it is like sending a package via a courier or a letter through the post office. Under "Sender" you can write whatever you want; no one will ask you for a document to verify it. When you think about it, this makes sense, because to deliver a shipment the only thing that matters is the recipient's address.
Specifying a correct sender is only useful if you want to be notified when delivery fails. This is why, in an email spoofing attack, the "fake" sender receives non-delivery notices (so-called bounce or mailer-daemon messages) for emails they never sent.
So now we have seen how it is possible for someone to send emails on your behalf without authorization.
Those who send spam emails are always on the lookout for email addresses of possible victims, and a victim is much more likely to read the email if the sender is someone they know. Usually this information (sender and recipient who know each other) is recovered by viruses that previously infected the victims' PCs and stole the address book of the email program (for example, all the contacts in Outlook).
At this point the scammers take a random email address from the address book and use it as the sender to send emails to all the other contacts in it.
This explains why emails in our name are received both by people we know and by people who do not know us.
If these email messages also contain pieces of real conversations, it is likely that they were stolen from some PC infected with a recent version of the Emotet malware.
As mentioned, the SMTP protocol does not provide a mechanism to prevent someone from sending emails in our name, but over the years some mechanisms have been added to prevent messages with a false sender from reaching their destination:
The idea is to add some information to the DNS of your domain that indicates to the recipient server whether that email message was actually sent by the sender’s servers or not.
The first precaution to activate in your own domain's DNS, to protect company emails, is an SPF record. Basically, an SPF record lists the IP addresses of the SMTP servers that are authorized to send emails on your behalf. The SPF record is provided by your email provider and must be entered in the DNS of your domain.
An SPF record looks like this:
v=spf1 include:spf.qboxmail.com mx a -all
The "include:" part varies from provider to provider. What you must pay attention to is that the final part contains "-all". Many providers in fact suggest an SPF record that ends with "~all", but that is not sufficient to protect you: "~all" only declares a soft failure, which receiving servers typically treat as a weak signal rather than a reason to reject the message.
Therefore, it is important to verify that your SPF record ends with -all and contains exactly the correct IP information for your SMTP servers. Your email service provider will be able to tell you what to enter.
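To make the SPF evaluation concrete, here is an added example (not Qboxmail's code, nor part of the original article) that walks an SPF record the way a receiving server does and returns the result for a given sending IP. It resolves mechanisms against a constructed, offline DNS table (the domain names and addresses in FAKE_DNS are hypothetical), so it runs without network access; it handles only the mechanisms used in the article (include, mx, a, ip4, all). It also shows why the closing qualifier matters: the same unauthorized IP gets "fail" from a record ending in -all but only "softfail" from one ending in ~all.

```python
"""Minimal SPF evaluator (added example, not Qboxmail's code)."""
import ipaddress

# Constructed DNS data (hypothetical names and addresses, for illustration only).
FAKE_DNS = {
    "example.org": {
        "TXT": "v=spf1 include:spf.provider.example mx a -all",
        "A": ["203.0.113.10"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["203.0.113.20"]},
    "spf.provider.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
    # A domain whose record ends with the weaker "~all" qualifier.
    "weak.example": {"TXT": "v=spf1 a ~all", "A": ["203.0.113.30"]},
}

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query against the constructed table."""
    default = "" if rtype == "TXT" else []
    return FAKE_DNS.get(name, {}).get(rtype, default)


def ip_matches(ip, networks):
    """True if ip falls inside any of the given addresses or CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of domain for sender_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record),
    or 'permerror' if include: chains nest too deeply.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; guard the recursion
        return "permerror"
    record = lookup(domain, "TXT")
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms without an explicit qualifier mean "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip_matches(sender_ip, [arg])
        elif name == "a":
            matched = ip_matches(sender_ip, lookup(arg or domain, "A"))
        elif name == "mx":
            hosts = lookup(arg or domain, "MX")
            matched = any(ip_matches(sender_ip, lookup(h, "A")) for h in hosts)
        elif name == "include":
            # include: matches only when the referenced record yields "pass".
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record without a terminal "all" term


def all_mechanism_is_strict(record):
    """True only when the record ends with '-all', the setting the article recommends."""
    return record.split()[-1] == "-all"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.20", "192.0.2.99"):
        print(ip, "->", check_spf("example.org", ip))
    print("192.0.2.99 against weak.example ->", check_spf("weak.example", "192.0.2.99"))
```

For production use, rely on a full implementation (for example the pyspf library) that handles ip6, redirect=, macros and the DNS lookup limits; the point of this block is to show how the qualifier on the final "all" term decides what happens to mail from a server that is not on your list.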
The second technical step is to make sure your emails are signed with DKIM. The DKIM signature by itself does not prevent someone from sending emails on your behalf, but it allows the recipient to determine, thanks to the digital signature it contains, whether a message was actually sent by your provider's SMTP servers. Having a DKIM signature on all outgoing emails can be very useful in the analysis that follows a security incident, as it allows you to establish that a message was actually sent by you and has not been modified since you sent it.
To have a DKIM signature on your emails you need to request it from your provider; today almost all email providers include this service.
The third step you can take is to declare a DMARC policy for your domain. Basically, DMARC tells the recipient of your email messages what to do if the SPF record and the DKIM signature do not correspond to what you declared in the DNS of your domain; for example, you can ask that such messages be rejected or quarantined. The DMARC specification also lets you receive reports, in XML format, when someone is sending spam or scam emails on your behalf. Being a relatively recent security measure, DMARC is not yet very widespread among email service providers, but it is always a good idea to add a DMARC record to your domain's DNS.
A DMARC policy to put in DNS looks like this:
v=DMARC1; p=quarantine; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com
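The following added example (not Qboxmail's code, nor part of the original article) shows what a receiving server does with a record like the one above: it parses the tags and then applies DMARC's "identifier alignment", which is the "do SPF and DKIM correspond to what you declared" check described earlier. A message passes if either the SPF-checked domain or the DKIM d= domain aligns with the domain in the From: header; otherwise the p= disposition applies. The domains and authentication results in the usage block are constructed, and the alignment uses a simplified organizational-domain rule (last two labels) instead of the public suffix list. The pct= and sp= tags are parsed but not applied.

```python
"""DMARC record parser and alignment check (added example, not Qboxmail's code)."""

# The record shown in the article, used here as sample input.
PAGE_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:firstname.lastname@example.org; "
               "ruf=mailto:email@example.com")


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=quarantine; rua=mailto:...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (a real check uses the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return ('pass', 'none') when the message is DMARC-aligned, else ('fail', <p= disposition>).

    from_domain is the domain of the RFC 5322 From: header (what the user sees).
    spf_domain  is the domain SPF was checked against (the envelope MAIL FROM).
    dkim_domain is the d= value of a DKIM signature that verified.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"])  # p=none means monitor only; quarantine/reject act on the message


if __name__ == "__main__":
    # Constructed scenarios: a legitimate message and a spoofed one that passes SPF
    # for an unrelated envelope domain, which is exactly what alignment catches.
    print(dmarc_verdict(PAGE_RECORD, "example.org", "pass", "example.org", "none", ""))
    print(dmarc_verdict(PAGE_RECORD, "example.org", "pass", "bulk.example.net", "none", ""))
```

The second scenario is the important one: a spammer can publish a valid SPF record for their own domain and use it in the envelope, so SPF alone says "pass". DMARC rejects that because the SPF domain does not align with the From: domain the victim sees, and the policy from your DNS (here quarantine) decides the outcome.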
Although these measures do not prevent others from sending emails with your address as the sender, they are certainly a deterrent: between a domain without these security measures and one with SPF, DKIM and DMARC active, scammers prefer to use the one with no or fewer protections.
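The XML reports mentioned in the DMARC paragraph above (the rua= aggregate reports) are where you actually see who is sending mail in your name. This added example (not Qboxmail's code, nor part of the original article) parses a constructed aggregate report in the standard feedback/record/row layout and lists the source IPs whose messages failed both SPF and DKIM, which is what a spoofing campaign looks like in these reports. The report contents, IPs and counts are constructed for illustration.

```python
"""Summarize a DMARC aggregate (rua) report (added example, not Qboxmail's code)."""
import xml.etree.ElementTree as ET

# Constructed sample report: one legitimate source and one source failing both checks.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain>
    <p>quarantine</p>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>120</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.99</source_ip>
      <count>35</count>
      <policy_evaluated>
        <disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Extract the reported domain and one entry per source IP from an aggregate report.

    Reports arrive by email from third parties; for untrusted input prefer
    the defusedxml package over the standard parser.
    """
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"), "sources": []}
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "disposition": evaluated.findtext("disposition"),
        })
    return summary


def failing_sources(summary):
    """Sources that passed neither aligned SPF nor aligned DKIM: candidates for spoofing."""
    return [s for s in summary["sources"] if s["dkim"] != "pass" and s["spf"] != "pass"]


if __name__ == "__main__":
    report = summarize_report(SAMPLE_REPORT)
    for src in failing_sources(report):
        print(f"{report['domain']}: {src['count']} messages from {src['ip']} "
              f"failed DMARC, disposition={src['disposition']}")
```

A source that fails both checks but is actually yours (a new marketing tool, a ticketing system) means your SPF record or DKIM setup is incomplete; a source you do not recognise is someone using your domain, and the disposition column tells you what the receiver did with those messages under your policy.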
Finally, there are some tips that are always valid:
If you want more information or technical support to secure your emails and your company from possible risks, you can contact Qboxmail, we will be at your disposal to give you all the necessary support.