Email spoofing
The goal of email spoofing is to trick the user into thinking an email is from a known and trusted source. Spoofing is done by manipulating the email elements that are visible to the recipient, primarily the “Body From” field (the From: header shown in the mail client), as opposed to the Envelope Sender used in the SMTP transaction.
A spoofed email can be partial or full:
- Partial Spoof: A partial spoof occurs when only the “Body From” is masked, with the Envelope Sender being set to something else. This spoof type can be managed with Domain-based Message Authentication, Reporting & Conformance (DMARC), which is an email authentication, policy, and reporting protocol.
- Full Spoof: A full spoof occurs when both the “Body From” and Envelope Sender are spoofed. This spoof type can be managed with Sender Policy Framework (SPF). SPF is an email-validation system designed to detect email spoofing by providing a mechanism to allow mail exchangers to check that incoming mail comes from an authorized host.
However, there are certain technical circumstances where the use of either SPF or DMARC is not possible. This may be because the number of valid sending sources exceeds what an SPF record can accommodate, because of another technical constraint, or because of limitations in your own DMARC infrastructure. Without them, you remain exposed to spoofing.
Table: Unknown, untrusted spoof examples

| Header | Bad Partial Spoof (unknown or malicious source) | Bad Full Spoof (unknown or malicious source) |
|---|---|---|
| X-Originating-IP | [123.89.123.12] | [89.123.89.123] |
| X-Env-Sender | badguy@malicious.com | email@yourdomain.com |
| From | <name_1@yourdomain.com> | <name_1@yourdomain.com> |
| To | <name_2@yourdomain.com> | <name_2@yourdomain.com> |
In both spoof examples the originating IP addresses are unknown sources that are not allowed to send as your domain. The Body From is masked to look like your domain; the Envelope Sender may or may not be masked to match your domain.
Table: Known, trusted spoof examples

| Header | Good Partial Spoof (valid or approved source) | Good Full Spoof (valid or approved source) |
|---|---|---|
| X-Originating-IP | [13.12.223.123] | [89.123.89.123] |
| X-Env-Sender | business@partner.com | businesspartner@yourdomain.com |
| From | <name_1@yourdomain.com> | <name_1@yourdomain.com> |
| To | <name_2@yourdomain.com> | <name_2@yourdomain.com> |
A spoofed email is not necessarily spam or malicious; it can be legitimate and important to you. Today’s businesses rely heavily on legitimate spoofing to function. Common email marketing services such as MailChimp, Amazon SES, and Zoho Campaigns routinely send newsletters on behalf of their customers’ domains.
Table: Ghost spoof examples

| Header | Bad Ghost Spoof (unknown or malicious source) | Good Ghost Spoof (valid or approved source) |
|---|---|---|
| X-Originating-IP | [123.80.123.80] | [23.70.123.83] |
| X-Env-Sender | badguy@malicious.com | business@partner.com |
| From | "name_1@yourdomain.com" <badguy@malicious.com> | "name_1@yourdomain.com" <business@partner.com> |
| To | <name_2@yourdomain.com> | <name_2@yourdomain.com> |
A third type of spoof, which we refer to as a ghost spoof, is not technically spoofing, but it does exploit an element of the Body From: the Display Name field.
A ghost spoof abuses the fact that the Display Name is a free-text field that is not validated in any way. Many email clients show only the display name when one is present and hide the underlying address, which is especially convincing when the display name follows your internal naming scheme. Your users would see the text inside the quotation marks, but not the actual Body From address. Exactly what is shown varies between email clients.
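The three spoof types above can be told apart mechanically from the headers shown in the tables. The following classifier is an added example, not code from the original page or any vendor: it assumes the protected domain is yourdomain.com and that the set of approved originating IPs (APPROVED_SOURCE_IPS) is a constructed allow-list you would populate from your own partner and mail-service inventory.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example: the protected domain and the
# originating IPs you have approved to send as it (partners, mail services).
YOUR_DOMAIN = "yourdomain.com"
APPROVED_SOURCE_IPS = {"13.12.223.123", "23.70.123.83"}


def _domain(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_spoof(raw_headers, your_domain=YOUR_DOMAIN,
                   approved_ips=APPROVED_SOURCE_IPS):
    """Return (kind, trust): kind is 'partial', 'full', 'ghost' or 'none';
    trust is 'good' if the originating IP is approved, 'bad' otherwise."""
    msg = message_from_string(raw_headers)
    display_name, body_from = parseaddr(msg.get("From", ""))
    env_sender = msg.get("X-Env-Sender", "").strip()
    orig_ip = msg.get("X-Originating-IP", "").strip("[] ")

    body_from_is_ours = _domain(body_from) == your_domain
    env_is_ours = _domain(env_sender) == your_domain

    if body_from_is_ours and env_is_ours:
        kind = "full"          # Body From and Envelope Sender both masked
    elif body_from_is_ours:
        kind = "partial"       # only the Body From is masked
    elif your_domain in display_name.lower():
        kind = "ghost"         # our domain appears only in the Display Name
    else:
        kind = "none"

    if kind == "none":
        return kind, "n/a"
    return kind, ("good" if orig_ip in approved_ips else "bad")


# Constructed sample, modelled on the "Bad Ghost Spoof" header set above.
SAMPLE_GHOST = (
    "X-Originating-IP: [123.80.123.80]\n"
    "X-Env-Sender: badguy@malicious.com\n"
    'From: "name_1@yourdomain.com" <badguy@malicious.com>\n'
    "To: <name_2@yourdomain.com>\n"
)

if __name__ == "__main__":
    print(classify_spoof(SAMPLE_GHOST))  # ('ghost', 'bad')
```

Because the IP check is what separates the "good" and "bad" columns, the allow-list is the piece that must be kept accurate; a partner that changes its sending infrastructure will silently move from good to bad.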