What is email spoofing?

E-mail spoofing is a term used to describe (usually fraudulent) e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. E-mail spoofing is a technique commonly used for spam e-mail and phishing to hide the origin of an e-mail message. By changing certain properties of the e-mail, such as the From, Return-Path and Reply-To fields (which can be found in the message header), ill-intentioned users can make the e-mail appear to be from someone other than the actual sender. The result is that, although the e-mail appears to come from the address indicated in the From field (found in the e-mail headers) it actually comes from another source.

Spoofing does not mean that your computer is infected by "worm, virus, spambot, zombies, etc." and sending out messages from your address book. It could be that "someone or your friend" machine (containing your email address in their address book) is infected or hijacked and sending out messages with your email as well as others, randomly taken from the infected machine address book.

Occasionally (especially if the spam requires a reply from the recipient, such as the '419' scams), the source of the spam e-mail is indicated in the Reply-To field (or at least a way of identifying the spammer); if this is the case and the initial e-mail is replied to, the delivery will be sent to the address specified in the Reply-To field, which could be the spammer's address. However, most spam emails (especially malicious ones with a trojan/virus payload, or those advertising a web site) forge this address too, and replying to it will annoy an innocent third party.

Spoofing Methods

Because many spammers now use special software to create random sender addresses, even if the user finds the origin of the e-mail it is unlikely that the e-mail address will be active.

The technique is now used ubiquitously by mass-mailing worms as a means of concealing the origin of the propagation. On infection, worms such as ILOVEYOU, Klez and Sober will often try to perform searches for e-mail addresses within the address book of a mail client, and use those addresses in the From field of e-mails that they send, so that these e-mails appear to have been sent by the third party. For example:

User1 is sent an infected e-mail and then the e-mail is opened, triggering propagation

The worm finds the addresses of User2 and User3 within the address book of User1

From the computer of User1, the worm sends an infected e-mail to User2, but the e-mail appears to have been sent from User3

This can be particularly problematic in a corporate setting, where e-mail is sent to organisations with content filtering gateways in place. These gateways are often configured with default rules that send reply notices for messages that get blocked, so the example is often followed by:

User2 doesn't receive the message, but instead gets a message telling him that a virus sent to them has been blocked. User3 receives a message telling him that a virus sent by them has been blocked. This creates confusion for both User2 and User3, while User1 remains unaware of the actual infection.

Newer variants of these worms have built on this technique by randomising all or part of the e-mail address. A worm can employ various methods to achieve this, including: Random letter generation

• Built-in wordlists
• Amalgamating addresses found in address books, for example:

o User1 triggers an e-mail address spoofing worm, and the worm finds the addresses This email address is being protected from spambots. You need JavaScript enabled to view it. , This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it. within the users e-mail address book

o The worm sends an infected message to This email address is being protected from spambots. You need JavaScript enabled to view it. , but the e-mail appears to have been sent from This email address is being protected from spambots. You need JavaScript enabled to view it.

Solution

Unfortunately there is not much we can do about e-mail spoofing as it’s achieved by changing the reply to e-mail address in a mail client. This makes it seem like the e-mail is coming from an address that it’s really now.

According to the FBI, spoofing is generally not illegal because no hacking is required, unless it involves a direct threat of violence or death and by using such tactic, know as email spoofing--they exploit the simplicity of Internet SMTP (simple mail transport protocol RFC 821). Email can be spoofed by tweaking the settings on standard email client like; Eudora, Outlook Express, etc.