What is Mail Spoofing and how to avoid it using SPF

If we turn to sources like Wikipedia, we see that “Mail Spoofing” is defined as a “spoofing technique generally with malicious or investigative uses”.


“Spoofing attacks can be classified, depending on the technology used. Among them we have IP Spoofing (perhaps the best known), ARP spoofing, DNS spoofing, Web spoofing or email spoofing, although in general any network technology susceptible to identity theft can be included within spoofing”.

In plain words, mail spoofing is when someone sends you an email in which the From (sender) field is false, so the email can claim to have been sent by, for example, bankia.es or any entity or company they want to impersonate.

Spam distributors often use spoofing to get recipients to open their messages, and possibly even respond to their requests. Spoofing can be used legitimately, but it is otherwise illegal, and mail spoofing can be considered full-fledged identity theft.

Mail spoofing is possible because the Simple Mail Transfer Protocol (SMTP), the main protocol used for sending email, does not include an authentication mechanism.

An SMTP service extension (specified in IETF RFC 2554) allows an SMTP client to negotiate a security level with a mail server, but this precaution is not always taken. If proper precautions are not taken, anyone with the necessary knowledge can connect to the server and use it to send messages. To send a spoofed email, senders insert commands in the headers that alter the information in the message (spoofing).


With this it is possible to send a message that appears to be from anyone, from anywhere, saying whatever the sender wants to say. So someone can send spoofed emails that appear to be from you, with a message you didn’t write, from your @domain.com mail domain.

If you receive an email that appears to come from your email address but that you did not send, there are two possibilities:

  1. The message is fraudulent: it has been sent by falsifying your address, as if you were the sender.
  2. The actual sender has set your email address as the reply address, so that replies are sent to your account.

One way to find out the origin of an email is to read the headers of the received message. They provide information such as the date and time of sending, the sender (this will be the spoofed address), the User-Agent the mail supposedly came from (it can also be spoofed) and other data that system administrators can use in a subsequent analysis.

Header example:

Delivered-To: xxxxxxx@gmail.com
Received: by 10.103.197.9 with SMTP id z9cs22623mup;
    Sun, 7 Aug 2014 10:54:05 -0800 (PST)
Received: by 10.103.85.4 with SMTP id n4mr3722461mul.128.1265568845523;
    Sun, 07 Aug 2014 10:54:05 -0800 (PST)
Return-Path:
Received: from localhost (30.Red-79-158-250.staticIP.rima-tde.net )
    by mx.google.com with SMTP id u26si17461538mug.45.2010.02.07.10.54.05;
    Sun, 07 Aug 2014 10:54:05 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning xxxxxxxxx@hotmail.com does not designate 79.158.250.30 as permitted sender) client-ip=79.158.250.30 ;
From: Theliel
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.1.7) Gecko/20100111 Lightning/1.0b2pre Thunderbird/3.0.1
MIME-Version: 1.0
Subject: Test
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
…

In case it is useful to you: How to get a complete mail header?
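The header reading described above can be automated. The following is an added example, not part of the original article: it pulls the SPF verdict and connecting IP out of a raw message. The sample message is constructed (modelled on the header shown above, with placeholder addresses), and the function name `spf_summary` is hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the article's header; addresses are placeholders.
RAW = """\
Delivered-To: recipient@example.net
Received: from localhost (30.Red-79-158-250.staticIP.rima-tde.net)
 by mx.google.com with SMTP id u26si17461538mug.45;
 Sun, 07 Aug 2014 10:54:05 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning
 someone@hotmail.com does not designate 79.158.250.30 as permitted sender)
 client-ip=79.158.250.30;
From: Theliel <someone@hotmail.com>
Return-Path: <someone@hotmail.com>
Subject: Test

body
"""

RESULT_RE = re.compile(r"^\s*(\w+)")
CLIENT_IP_RE = re.compile(r"client-ip=([0-9a-fA-F.:]+)")

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Return-Path value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def spf_summary(raw):
    msg = message_from_string(raw)
    # Only the topmost Received-SPF header (added by your own receiving
    # server) is trustworthy; lower ones may have been written by the sender.
    spf = " ".join((msg.get("Received-SPF") or "").split())  # unfold the header
    result = RESULT_RE.match(spf)
    client_ip = CLIENT_IP_RE.search(spf)
    verdict = result.group(1).lower() if result else "none"
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    return {
        "spf": verdict,
        "client_ip": client_ip.group(1) if client_ip else None,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        # SPF is evaluated against the envelope sender (Return-Path), so a
        # visible From domain that differs from it also deserves a look.
        "suspicious": verdict != "pass" or from_domain != envelope_domain,
    }

if __name__ == "__main__":
    print(spf_summary(RAW))
```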

70% of emails sent are spam

Recent studies carried out by IT Security Company Lab showed that 70% of all emails sent worldwide are spam. To protect users from these types of malicious messages, most major email providers (Gmail, Hotmail, etc.) are very strict in managing email filters.

Source: Google/Gmail 2013

How to fight it?

By implementing SPF, which is a protection system applied to email servers to protect them against spoofing of sending addresses.

It identifies, by IP address and through DNS records, the SMTP mail servers authorized to send messages for a specific domain.

How does it work?

  1. The sender sends an email.
  2. The message arrives at the recipient’s incoming mail server, which calls its Sender ID Framework (SIDF).
  3. The SIDF consults the SPF record of the domain that the sender uses to send the mail and determines whether or not it passes.
  4. If this mail is not returned, it is passed to the reputation filters so that they classify it accordingly.
  5. The mail is delivered to the recipient.

Currently there are many companies that do not implement the SPF record on their mail servers or do not validate it and do not verify that the reverse IP address of the sender is really the legitimate mail server that it claims to be.

In web company you can enable SPF in order to avoid mail spoofing.

We can configure SPF from WePanel by simply activating “Email Authentication”. We access the WePanel of our website and, in the “Mail” section, click “Email Authentication”:


On the screen shown we can see a section for SPF, with a button to “Activate” in case it is disabled. We click on said button, and after activating it we see a screen where the activation of the SPF record is indicated, in addition to showing it to us:

After activation we click on the button “Backward” and we can see the advanced SPF options.

Note: Subdomains have individualized treatment and are not included in the domain’s SPF records.

In the following video made by Jordi Sala, you can see the management of the advanced SPF options and the use of “Email Authentication” in WePanel.

Having an SPF record implemented correctly and adapted to your needs prevents your identity from being supplanted, and mail servers will know that your mail is legitimate, which keeps it from being classified as spam.


Member of the technical support team.
Coordinator of contents in the Blog and in Youtube.
Technical support in CyberProtector. Teacher at University
