
Email Address Spoofing: How Scammers Do It & How to Spot It

September 28, 2016

Email Address Forgery: A Critical Awareness

It is important to understand that email addresses are susceptible to forgery. The display name associated with an email may not accurately reflect the sender's true origin.

Your email client might indicate a message originates from a specific address, however, this information can be misleading. Malicious actors frequently manipulate this aspect of email communication.

How Email Forgery Works

The underlying protocols governing email do not inherently validate the legitimacy of sender addresses. This fundamental flaw is actively exploited by scammers, phishers, and others with harmful intent.

This systemic vulnerability allows malicious individuals to present a false identity, deceiving recipients into believing correspondence is authentic when it is not.

Verifying Email Origins

While email systems don't automatically verify addresses, it is possible to investigate potentially fraudulent emails. Examining the email headers can reveal discrepancies and indicate whether an address has been forged.

Analyzing these headers provides a technical means of uncovering the true source of the message, potentially exposing a deceptive practice.

  • Scammers leverage this weakness to appear as trusted entities.
  • Phishers use forged addresses to trick users into divulging sensitive information.
  • Understanding this vulnerability is crucial for online safety.

Remaining vigilant and scrutinizing email origins is a vital step in protecting yourself from online fraud and malicious activity.

How Email Functions

The “From” field in your email program indicates the sender of a message. However, it’s important to understand that this information isn’t actually verified. Your email client lacks the ability to confirm the true origin of an email.

Every email contains a “From” header, and this header is susceptible to forgery. For instance, malicious actors can easily send emails that falsely appear to originate from addresses like bill@microsoft.com.


Emails with falsified sender addresses frequently mimic communications from banks or other trusted organizations. These deceptive emails often request confidential data, such as credit card details or social security numbers, potentially directing recipients to fraudulent websites disguised as legitimate ones through embedded links.

Understanding Email Address Spoofing

Consider the “From” field in an email as analogous to the return address on physical mail. While most people accurately provide their return address, anyone can write any address in that space. The postal service does not validate the accuracy of the return address.

The original design of SMTP (Simple Mail Transfer Protocol) in the 1980s, intended for academic and governmental use, did not prioritize sender verification. Security concerns were different at that time.

This lack of built-in verification has persisted, creating a vulnerability that malicious actors exploit. Consequently, it’s crucial to be cautious about the information you share in response to unsolicited emails.

  • Be skeptical of requests for personal information.
  • Verify legitimacy by contacting the organization directly through known channels.
  • Avoid clicking on links in suspicious emails.

Modern email security measures, such as SPF, DKIM, and DMARC, are being implemented to combat email spoofing, but they are not universally adopted and are not foolproof.

Understanding Email Headers for Investigation

Examining an email’s headers reveals detailed information about its journey. This data, accessible as the email’s “source” or simply “headers,” differs in location depending on the email client being used.

It's crucial to exercise caution with unsolicited emails; if any doubt exists regarding an email’s legitimacy, it should be considered a potential scam.

Accessing Headers in Gmail

Within Gmail, the complete header information can be viewed by clicking the downward-facing arrow located in the upper-right corner of the email. Selecting “Show original” will then display the email’s raw content.


The following illustrates the header content of a spam email employing a falsified email address. We will detail how to interpret this information effectively.

Delivered-To: [MY EMAIL ADDRESS]
Received: by 10.182.3.66 with SMTP id a2csp104490oba;
        Sat, 11 Aug 2012 15:32:15 -0700 (PDT)
Received: by 10.14.212.72 with SMTP id x48mr8232338eeo.40.1344724334578;
        Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Return-Path: <e.vwidxus@yahoo.com>
Received: from 72-255-12-30.client.stsn.net (72-255-12-30.client.stsn.net. [72.255.12.30])
        by mx.google.com with ESMTP id c41si1698069eem.38.2012.08.11.15.32.13;
        Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Received-SPF: neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of e.vwidxus@yahoo.com) client-ip=72.255.12.30;
Authentication-Results: mx.google.com; spf=neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of e.vwidxus@yahoo.com) smtp.mail=e.vwidxus@yahoo.com
Received: by vwidxus.net id hnt67m0ce87b for <[MY EMAIL ADDRESS]>; Sun, 12 Aug 2012 10:01:06 -0500 (envelope-from <e.vwidxus@yahoo.com>)
Received: from vwidxus.net by web.vwidxus.net with local (Mailing Server 4.69)
        id 34597139-886586-27/./PV3Xa/WiSKhnO+7kCTI+xNiKJsH/rC/
        for root@vwidxus.net; Sun, 12 Aug 2012 10:01:06 -0500
From: "Canadian Pharmacy" <e.vwidxus@yahoo.com>

Decoding the Email Header Information

While numerous headers exist, the most pertinent ones typically appear at the beginning of the raw text. To decipher these headers, begin analysis from the bottom – they document the email’s path from its origin to your inbox.

Each server handling the email appends additional headers to the top; consequently, the oldest headers, originating from the email’s initial servers, are positioned at the bottom.

The “From” header indicates the purported sender’s address, but this information is easily manipulated. However, observing that the email was initially received by “vwidxus.net” before reaching Google’s servers is noteworthy. This discrepancy suggests a potential forgery, as one would anticipate the earliest “Received:” header to originate from a Yahoo! server.

Analyzing IP Addresses

The IP addresses included in the headers can also provide valuable clues. Receiving a suspicious email seemingly from an American bank, yet originating from an IP address located in Nigeria or Russia, strongly indicates a forged email address.

In this specific instance, the spammers have access to the email address “e.vwidxus@yahoo.com” for receiving replies. Despite this, they are still falsifying the “From:” field. This is likely because sending large volumes of spam directly through Yahoo!’s servers would quickly lead to detection and account suspension.
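As an added example (not code from the original article), the following Python automates the two checks described above: it reads the “Received:” chain oldest-first, takes the host that first handed the message into the mail system, compares that with the “From:” domain, records the SPF verdict, and collects the bracketed IP addresses that the IP-address check would look up. The sample headers are the ones quoted above, embedded as a constructed string; the function names are my own.

```python
import email
import email.utils
import re
# Constructed sample: the spam headers quoted in this article (recipient placeholder kept).
RAW = """Received: by 10.182.3.66 with SMTP id a2csp104490oba;
        Sat, 11 Aug 2012 15:32:15 -0700 (PDT)
Received: by 10.14.212.72 with SMTP id x48mr8232338eeo.40.1344724334578;
        Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Return-Path: <e.vwidxus@yahoo.com>
Received: from 72-255-12-30.client.stsn.net (72-255-12-30.client.stsn.net. [72.255.12.30])
        by mx.google.com with ESMTP id c41si1698069eem.38.2012.08.11.15.32.13;
        Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Received-SPF: neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of e.vwidxus@yahoo.com) client-ip=72.255.12.30;
Received: by vwidxus.net id hnt67m0ce87b for <[MY EMAIL ADDRESS]>; Sun, 12 Aug 2012 10:01:06 -0500 (envelope-from <e.vwidxus@yahoo.com>)
Received: from vwidxus.net by web.vwidxus.net with local (Mailing Server 4.69)
        id 34597139-886586-27/./PV3Xa/WiSKhnO+7kCTI+xNiKJsH/rC/
        for root@vwidxus.net; Sun, 12 Aug 2012 10:01:06 -0500
From: "Canadian Pharmacy" <e.vwidxus@yahoo.com>
"""

FROM_CLAUSE = re.compile(r"^from\s+(\S+)", re.I)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Received: hops oldest-first; each relay prepends its own header, so reverse them."""
    msg = email.message_from_string(raw)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def from_domain(raw):
    """Domain of the (unverified) From: address that the mail client displays."""
    _, addr = email.utils.parseaddr(email.message_from_string(raw)["From"])
    return addr.rpartition("@")[2].lower()

def origin_host(hops):
    """Host in the earliest 'from' clause, i.e. where the message entered the mail system."""
    for hop in hops:
        m = FROM_CLAUSE.match(hop)
        if m:
            return m.group(1).rstrip(".").lower()
    return None

def assess(raw):
    """Flag a From: domain that the earliest Received: hop does not belong to."""
    hops = received_chain(raw)
    dom, origin = from_domain(raw), origin_host(hops)
    spf = email.message_from_string(raw).get("Received-SPF", "")
    ips = [ip for hop in hops for ip in BRACKET_IP.findall(hop)]  # candidates for a geolocation check
    mismatch = origin is not None and origin != dom and not origin.endswith("." + dom)
    return {"from_domain": dom, "origin_host": origin, "ips": ips,
            "spf": spf.split()[0].lower() if spf else None, "suspicious": mismatch}
```

A match between the earliest hop and the From: domain does not prove authenticity on its own; it only removes the specific discrepancy this article walks through.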
