What is Email Spoofing?

Table of contents

  1. Why is email spoofing possible?
  2. What are the reasons for email spoofing?
  3. How to stop email spoofing
  4. How to use Sender Policy Framework (SPF)
  5. How to use Domain Key Identified Mail (DKIM)
  6. How to use Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
  7. How does email spoofing work?
  8. How UpGuard can improve your organization’s email security

1. Why is email spoofing possible?

2. What are the reasons for email spoofing?

  • To hide the email sender’s true identity: This can also be achieved by registering an anonymous email address, but it is generally used as part of another cyber attack or scam.
  • Avoid spam blacklists: Spammers will use spoofed email addresses to avoid spam filters. This risk is mitigated by the fact that you can blacklist specific IP addresses or ISPs.
  • Pretend to be a trusted person: Scammers use email spoofing to pretend to be a friend or colleague asking you to lend them money.
  • Pretend to be a trusted organization: Spoofed emails from financial institutions can lead to phishing pages designed to gain access to bank accounts and credit card numbers.
  • To tarnish the reputation of the sender: Email spoofing can be used to tarnish the reputation of an organization or person.
  • To commit identity theft: The attacker can request access to personally identifiable information (PII) by pretending to be using the victim’s email account.
  • To spread malware: By spoofing the email address, the recipient is more likely to open the email and any attachment, which could contain malware such as the WannaCry ransomware. This is why anti-malware software and network security are an important part of any cyber security strategy.
  • As part of a man-in-the-middle attack: Cyber criminals may use email spoofing as part of a sophisticated man-in-the-middle attack designed to capture sensitive information or trade secrets from your organization.
  • To gain access to your sensitive information from third-party vendors: Email security must be part of your vendor risk management and third-party risk management framework. If your vendors have access to customer data, it’s as important for them to prevent email spoofing as it is for you. Email spoofing is a third-party risk and fourth-party risk.

3. How to stop email spoofing

  • Sender Policy Framework (SPF): SPF checks whether a certain IP address is authorized to send email from a given domain name. SPF can lead to false positives and requires the receiving server to check an SPF record and validate the sender. Implementing SPF requires publishing new DNS records.
  • Domain Key Identified Mail (DKIM): DKIM uses a pair of cryptographic keys to sign outgoing messages and validate incoming messages. However, DKIM only signs specific pieces of a message, so a message can be forwarded without breaking the validity of the signature. Abuse of this property is known as a replay attack. Like SPF, DKIM requires publishing new DNS records.
  • Domain-Based Message Authentication, Reporting, and Conformance (DMARC): DMARC gives the sender the option to let the receiver know it is protected by SPF or DKIM and what to do when mail fails authentication. As with SPF and DKIM, DMARC relies on DNS records.
  • Sender ID: Sender ID is an anti-spoofing proposal from the MARID IETF working group that tried to join SPF and Caller ID. It is heavily based on SPF with a few improvements, namely verifying the message headers that indicate the claimed sender, rather than just the MAIL FROM: address.
  • SSL/TLS: The SSL/TLS system can be used to encrypt server-to-server email traffic and enforce authentication, but in practice it is seldom used.

4. How to use Sender Policy Framework (SPF)

5. How to use Domain Key Identified Mail (DKIM)

6. How to use Domain-Based Message Authentication, Reporting, and Conformance (DMARC)

  1. None: No special treatment for failed emails
  2. Quarantine: Treat as suspicious, e.g. send to spam
  3. Reject: Reject emails at the server before they get to the email client.
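How a receiver could apply the three policies above, as an added example that is not from the original article: it parses a DMARC record and returns the disposition for a message given its SPF and DKIM results. The record and domains are constructed, only strict (exact-match) alignment is implemented, and tags such as `pct` are ignored.

```python
# The three policy values listed above
POLICIES = {
    "none",        # no special treatment for failed emails
    "quarantine",  # treat as suspicious, e.g. send to spam
    "reject",      # reject at the server
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in POLICIES:
        raise ValueError("not a usable DMARC record")
    return tags


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return "pass", or the published policy when authentication fails.

    A result only counts when the domain it authenticated equals the
    domain in the visible From: header (strict alignment, an assumption
    made here to avoid needing a public-suffix list).
    """
    tags = parse_dmarc(record)
    from_domain = from_domain.lower()
    spf_aligned = spf_result == "pass" and spf_domain.lower() == from_domain
    dkim_aligned = dkim_result == "pass" and dkim_domain.lower() == from_domain
    if spf_aligned or dkim_aligned:
        return "pass"
    return tags["p"].lower()


# Constructed record for a hypothetical domain
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # SPF passes, but for a different envelope domain than the From: header
    print(dmarc_disposition(SAMPLE_DMARC, "example.com",
                            "pass", "mailer.example.org", "none", ""))
```

The sample call shows why alignment matters: SPF alone passes for the envelope domain, yet the message is still rejected because nothing authenticated the domain shown in the From: header.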

7. How does email spoofing work?

  1. MAIL FROM: Presented to the recipient as the Return-path: header but not normally visible to the end user. By default, no checks are performed to verify the authenticity of the address.
  2. RCPT TO: Specifies which email address the email is delivered to and is not normally visible to the end user but may be present in the headers as part of the Received: header.
  • FROM: Jane Doe <janedoe@example.com>: email programs show this to the recipient, but by default no checks are done that the sending system is authorized to send from the address.
  • REPLY-TO: Jane Doe <janedoe@example.net>: also has no default checks.
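A triage check built on the fields listed above, as an added example that is not part of the original article: it parses a message and reports where the Return-Path: and Reply-To: domains differ from the visible From: domain. The sample message is constructed, reusing the article's Jane Doe addresses plus a hypothetical Return-Path value.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower() if "@" in address else ""


def spoofing_indicators(raw_message):
    """List header inconsistencies worth a closer look (not a verdict)."""
    msg = message_from_string(raw_message)
    findings = []
    if len(msg.get_all("From", [])) > 1:
        findings.append("multiple-from-headers")
    from_domain = domain_of(msg["From"])
    if not from_domain:
        findings.append("missing-or-unparseable-from")
    # Return-Path carries the SMTP MAIL FROM address; "<>" (bounces) is skipped
    return_path_domain = domain_of(msg["Return-Path"])
    if return_path_domain and return_path_domain != from_domain:
        findings.append("return-path-domain-mismatch:" + return_path_domain)
    reply_to_domain = domain_of(msg["Reply-To"])
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append("reply-to-domain-mismatch:" + reply_to_domain)
    return findings


# Constructed sample message; the Return-Path value is hypothetical
SAMPLE_MESSAGE = (
    "Return-Path: <bounce@mailer.example.org>\n"
    "From: Jane Doe <janedoe@example.com>\n"
    "Reply-To: Jane Doe <janedoe@example.net>\n"
    "To: John Roe <johnroe@example.com>\n"
    "Subject: Invoice\n"
    "\n"
    "Please see the attached invoice.\n"
)

if __name__ == "__main__":
    for finding in spoofing_indicators(SAMPLE_MESSAGE):
        print(finding)
```

Mailing lists and bulk-mail providers legitimately use different domains in these fields, so the findings are inputs to review alongside SPF, DKIM and DMARC results rather than proof of spoofing.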

8. How UpGuard can improve your organization’s email security

UpGuard

https://www.upguard.com — UpGuard combines third-party security ratings, vendor questionnaires, and threat intelligence in a single cyber risk solution.