Memorise

Email spoofing

The goal of email spoofing is to trick the user into thinking an email is from a known and trusted source. Spoofing is done through the manipulation of email elements that are visible to the recipient, primarily the “Body From” field.

A spoofed email can be partial or full:

  • Partial Spoof: A partial spoof occurs when only the “Body From” is masked, with the Envelope Sender being set to something else. This spoof type can be managed with Domain-based Message Authentication, Reporting & Conformance (DMARC), which is an email authentication, policy, and reporting protocol.
  • Full Spoof: A full spoof occurs when both the “Body From” and Envelope Sender are spoofed. This spoof type can be managed with Sender Policy Framework (SPF). SPF is an email-validation system designed to detect email spoofing by providing a mechanism to allow mail exchangers to check that incoming mail comes from an authorized host.

However, there are certain technical circumstances where the use of either SPF or DMARC is not possible. This may be because the number of valid sending sources exceeds what an SPF record can express, because of some other technical constraint, or because of the state of your own DMARC infrastructure. In these cases you remain exposed to spoofing.

Table: Unknown, untrusted spoof examples

Bad Partial Spoof (unknown or malicious source):
X-Originating-IP: [123.89.123.12]
X-Env-Sender: badguy@malicious.com
From: <name_1@yourdomain.com>
To: <name_2@yourdomain.com>

Bad Full Spoof (unknown or malicious source):
X-Originating-IP: [89.123.89.123]
X-Env-Sender: email@yourdomain.com
From: <name_1@yourdomain.com>
To: <name_2@yourdomain.com>

In both spoof examples, the IP addresses are unknown sources that are not allowed to spoof you. The Body From is masked to look like your domain; the Envelope Sender may or may not be masked to match your domain.

Table: Known, trusted spoof examples

Good Partial Spoof (valid or approved source):
X-Originating-IP: [13.12.223.123]
X-Env-Sender: business@partner.com
From: <name_1@yourdomain.com>
To: <name_2@yourdomain.com>

Good Full Spoof (valid or approved source):
X-Originating-IP: [89.123.89.123]
X-Env-Sender: businesspartner@yourdomain.com
From: <name_1@yourdomain.com>
To: <name_2@yourdomain.com>

A spoofed email is not necessarily spam or malicious; it can be legitimate and important to you. Today's businesses rely heavily on legitimate spoofing to function. Common email marketing services such as MailChimp, Amazon SES, and Zoho Campaigns are typical mail service providers for sending newsletters on your behalf.

Table: Ghost spoof examples

Bad Ghost Spoof (unknown or malicious source):
X-Originating-IP: [123.80.123.80]
X-Env-Sender: badguy@malicious.com
From: "name_1@yourdomain.com" <badguy@malicious.com>
To: <name_2@yourdomain.com>

Good Ghost Spoof (valid or approved source):
X-Originating-IP: [23.70.123.83]
X-Env-Sender: business@partner.com
From: "name_1@yourdomain.com" <business@partner.com>
To: <name_2@yourdomain.com>

A third type of spoof, which we refer to as a ghost spoof, is not technically spoofing, but it does exploit an element of the Body From: the Display Name field.

A ghost spoof abuses an open text field that is not controlled or authenticated in any way. When a display name is present, many email clients show only that display name, which is especially convincing if it matches your internal naming scheme. Your users see the text inside the quotation marks, but not the actual Body From email address. Exactly what is shown varies between email clients.
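The following Python script is an added example, not code from the original post: it reads the header sets shown in the three tables above and classifies each message as a partial, full or ghost spoof, then decides whether the source is trusted. The protected domain (yourdomain.com) and the approved-source list, built here as (originating IP, envelope sender) pairs taken from the post's "good" examples, are assumptions for the example; a real mail gateway would hold that allow-list in its configuration and would also consult SPF and DMARC results. The From header is split with a small regular expression rather than the standard library's address parser, because the ghost-spoof display name contains an "@" and is exactly the kind of input that trips generic address parsing.

```python
import email
import re

# Assumptions constructed for this example (not from the original post).
YOUR_DOMAIN = "yourdomain.com"
# Approved senders: (X-Originating-IP, X-Env-Sender) pairs. The pairs below
# mirror the post's "good" examples; anything else is treated as unknown.
APPROVED_SOURCES = {
    ("13.12.223.123", "business@partner.com"),
    ("89.123.89.123", "businesspartner@yourdomain.com"),
    ("23.70.123.83", "business@partner.com"),
}

# "display name <addr>" form; anything before the angle brackets is the name.
_ANGLE = re.compile(r"^(?P<name>.*?)<(?P<addr>[^>]+)>\s*$", re.S)


def split_from(value):
    """Split a From header into (display name, address).

    Straight and curly quotes around the display name are stripped so a
    ghost-spoof name like "name_1@yourdomain.com" is compared as plain text.
    """
    m = _ANGLE.match(value.strip())
    if m:
        name = m.group("name").strip().strip('"\u201c\u201d')
        return name, m.group("addr").strip()
    return "", value.strip()


def domain_of(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def classify(raw):
    """Return (spoof kind, verdict) for a raw RFC 5322 message.

    kind    : "partial", "full", "ghost" or "none"
    verdict : "good" if the (IP, envelope sender) pair is approved, else "bad";
              None when the message does not impersonate YOUR_DOMAIN at all.
    """
    msg = email.message_from_string(raw)
    ip = (msg.get("X-Originating-IP") or "").strip().strip("[]")
    env_sender = (msg.get("X-Env-Sender") or "").strip().lower()
    display, body_from = split_from(msg.get("From", ""))

    body_is_ours = domain_of(body_from) == YOUR_DOMAIN
    env_is_ours = domain_of(env_sender) == YOUR_DOMAIN
    display_looks_ours = YOUR_DOMAIN in display.lower()

    if body_is_ours and env_is_ours:
        kind = "full"          # Body From and Envelope Sender both claim us
    elif body_is_ours:
        kind = "partial"       # only the Body From claims us
    elif display_looks_ours:
        kind = "ghost"         # only the free-text display name claims us
    else:
        return "none", None

    trusted = (ip, env_sender) in APPROVED_SOURCES
    return kind, ("good" if trusted else "bad")


def _msg(ip, env_sender, from_header):
    """Build a constructed header set in the layout used by the post's tables."""
    return (
        f"X-Originating-IP: [{ip}]\n"
        f"X-Env-Sender: {env_sender}\n"
        f"From: {from_header}\n"
        f"To: <name_2@yourdomain.com>\n"
        "\n"
        "(constructed body)\n"
    )


# The six header sets from the tables above, as constructed sample input.
BAD_PARTIAL = _msg("123.89.123.12", "badguy@malicious.com", "<name_1@yourdomain.com>")
BAD_FULL = _msg("89.123.89.123", "email@yourdomain.com", "<name_1@yourdomain.com>")
GOOD_PARTIAL = _msg("13.12.223.123", "business@partner.com", "<name_1@yourdomain.com>")
GOOD_FULL = _msg("89.123.89.123", "businesspartner@yourdomain.com", "<name_1@yourdomain.com>")
BAD_GHOST = _msg("123.80.123.80", "badguy@malicious.com",
                 '\u201cname_1@yourdomain.com\u201d <badguy@malicious.com>')
GOOD_GHOST = _msg("23.70.123.83", "business@partner.com",
                  '\u201cname_1@yourdomain.com\u201d <business@partner.com>')

if __name__ == "__main__":
    for label, sample in [("bad partial", BAD_PARTIAL), ("bad full", BAD_FULL),
                          ("good partial", GOOD_PARTIAL), ("good full", GOOD_FULL),
                          ("bad ghost", BAD_GHOST), ("good ghost", GOOD_GHOST)]:
        print(f"{label:13s} -> {classify(sample)}")
```

Note that the verdict depends only on the allow-list: an internal relay that legitimately sends with your own domain in both places would look like a "full" spoof until its IP and envelope sender are added to APPROVED_SOURCES, which is exactly the gap SPF normally closes for you.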

