We often get Phishing emails with dubious sender addresses, sometimes even forging the email address of a well-known person. Sometimes we even get suspicious email sent from the address of someone we know closely. But how do attackers make this possible?
Email Spoofing is the technique of sending an illegitimate email from a forged sender address. In the spoofed email, the From field shows the forged address rather than the address the email was actually sent from. Attackers often use this technique for malicious purposes such as Phishing or spreading malware.
How is Email Spoofing done?
There are a number of ways Email Spoofing can be done. The simplest relies on the fact that SMTP itself does not verify the sender: a user can submit a message with a different sender address to an SMTP server, and SMTP servers and mail clients usually give the user this option.
But attackers mainly use malicious software to send spoofed emails. They first infect a computer with malware. The malware then searches the infected computer for email addresses. After collecting a number of them, it sends spoofed emails that forge the legitimate addresses found on the infected computer.
For example, an attacker may first infect Alice's computer and collect the email addresses of Bob and Charlie from it. The attacker can then use the malware to send an email to Charlie that forges Bob's address. If Charlie knows Bob, Charlie is more likely to open the email, thinking it has actually come from Bob.
Purpose of Email Spoofing
In earlier days, legitimate use of spoofed sender addresses was common. For example, one email address may automatically forward emails to another email address that accepts emails only from the forwarder, and users could legitimately spoof the sender address in such a case for convenience.
But attackers spoof email addresses mainly for Phishing or spreading malware. If the sender of the email appears authentic, the probability that the victim opens the email increases greatly. The victim may then click on a malware-laden attachment or a link to some attacker-controlled website, and the computer may get infected with malware.
Sometimes the user may even be tricked by a Phishing email from a forged sender address and become a victim of cybercrime.
Identifying the actual source of Emails
Even though an attacker can forge the From field of an email, the email header still records where the message really came from: each mail server that handles the message adds a “Received:” line containing the IP address of the host that handed the message to it. So, by reading the “Received:” lines from the top (the receiving server) downward, one can identify the actual source of the spoofed email. Only the lines added by servers you trust are reliable, since a sender can place bogus “Received:” lines of their own below them.
An effective countermeasure against Email Spoofing is to require authentication in the mail transfer software, with SSL/TLS protecting the session, so that a server relays mail only from authenticated users. SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are also effective methods of detecting and preventing Email Spoofing: SPF lets a domain publish which servers may send mail on its behalf, DKIM signs messages so that a forged or altered message can be detected, and DMARC tells receivers what to do with mail that fails those checks and reports the results back to the domain owner.
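As an added example (not part of the original article), the following Python script applies the checks described above to a constructed message: it walks the “Received:” lines down to the receiving organisation's trust boundary to find the IP that delivered the message, compares the envelope sender with the From field, and reads the SPF/DKIM/DMARC verdicts the receiving server recorded. All hostnames, addresses and IP addresses in it are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): From: claims bob@example.com, other headers disagree.
RAW_MESSAGE = """\
Return-Path: <mailer@attacker.example>
Received: from mx.charlie.example (mx.charlie.example [192.0.2.10])
    by mail.charlie.example with ESMTP id abc123; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.attacker.example (relay.attacker.example [203.0.113.5])
    by mx.charlie.example with ESMTP id def456; Mon, 01 Jan 2024 10:00:02 +0000
Received: from alice-pc.lan (unknown [198.51.100.77])
    by relay.attacker.example with SMTP; Mon, 01 Jan 2024 10:00:01 +0000
Authentication-Results: mx.charlie.example; spf=fail smtp.mailfrom=attacker.example;
    dkim=none; dmarc=fail header.from=example.com
From: "Bob" <bob@example.com>
To: charlie@charlie.example

Please open the attached invoice.
"""

# Shape of every Received: line: "from <host> (... [<ip>]) by <host> ..."
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)

def trace_origin(raw, trusted_suffix):
    """Walk Received: lines newest-first (each server prepends its own) and return the
    IP that handed the message to our last trusted server; lines below may be forged."""
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(hdr)
        if not m:
            continue
        src_host, src_ip, by_host = m.groups()
        if not by_host.endswith(trusted_suffix):
            return None       # past the trust boundary: nothing below is reliable
        if not src_host.endswith(trusted_suffix):
            return src_ip     # first external host that connected to our server
    return None

def sender_mismatch(raw):
    """Envelope sender domain (Return-Path) vs From: domain; a mismatch is the usual
    fingerprint of a forged From: address."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    header = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return {"envelope": envelope, "from": header, "mismatch": envelope != header}

def auth_results(raw):
    """spf/dkim/dmarc verdicts from the receiver's own Authentication-Results header."""
    ar = message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
```

For the sample message, trace_origin(RAW_MESSAGE, "charlie.example") stops at the relay that connected to the receiving MX and ignores the unverifiable hop below it.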