While email spoofing lets hackers and spammers conceal their identities (and dupe hundreds, if not thousands, of recipients at a time), it was used legitimately in the early days of the Internet. One common case was connecting to an organization’s “open relay” SMTP server so that messages could be sent from a guest user’s email address. The influx of spam, however, caused this practice to fade, leaving only a handful of legitimate uses for email spoofing: ticketing systems and scenarios involving the automatic forwarding of email messages often still require it.
Email spoofing is a simple and reliable technique for hackers, given the lack of authentication in the email protocols and the existence of modern malware (such as Klez and Sober) that harvests email addresses from infected machines. Considering the volume of email an individual receives each day, at personal and professional addresses alike, it becomes easy to exploit the fault tolerance of the system: the likelihood that every received message is inspected is drastically reduced. The consequences of email spoofing include the disclosure of information to malware and data theft, where sensitive information is used to the victim’s detriment.
Because most email clients display only the To, From, Subject and “timestamp” fields, the address and routing information in a spoofed message’s header is usually hidden from view, to keep the screen uncluttered and avoid confusing the user. In fact, the sender address is rarely checked at any stage of the transmission process, and it does not even have to be a valid email address. Preventive options include requiring or restricting sender addresses to certain domains or, if the receiving node is an internal mail server, requiring source email addresses to carry the organization’s domain.
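The two policies just described, parsing the raw headers and checking the From domain, as an added example that is not part of the original article. The three messages are constructed samples; the organisation domain `corp.example`, the relay address set and the two policy functions are assumptions for illustration. Only the topmost Received line is written by the receiving server itself, so that is the one the inbound rule consults; older Received lines are just text supplied by the sender.

```python
"""Parse raw message headers and apply simple sender-domain policies.

Added example, not from the original article. The messages below are
constructed samples; the organisation domain, relay addresses and the
two policy functions are assumptions made for illustration.
"""
import re
from email import message_from_string
from email import policy as email_policy
from email.utils import parseaddr

# Constructed sample 1: From claims an internal address, the receiving MX's own
# Received line shows an outside host, and an older Received line (supplied by
# the sender, so untrustworthy) claims an internal relay.
RAW_SPOOFED = """\
Received: from mail-out.example.net (mail-out.example.net [203.0.113.7])
\tby mx.corp.example (Postfix) with ESMTP id 4F2C1A3; Mon, 01 Jan 2024 09:00:00 +0000
Received: from relay1.corp.example (relay1.corp.example [10.0.0.5])
\tby mail-out.example.net with ESMTP; Mon, 01 Jan 2024 08:59:59 +0000
From: "IT Helpdesk" <helpdesk@corp.example>
To: alice@corp.example
Subject: Password reset required
Date: Mon, 01 Jan 2024 08:59:58 +0000

Please follow the link to reset your password.
"""

# Constructed sample 2: a genuine internal message, workstation -> relay1 -> MX.
RAW_INTERNAL = """\
Received: from relay1.corp.example (relay1.corp.example [10.0.0.5])
\tby mx.corp.example (Postfix) with ESMTP id 9A1B2C3; Mon, 01 Jan 2024 09:05:00 +0000
Received: from ws42.corp.example (ws42.corp.example [10.0.1.42])
\tby relay1.corp.example with ESMTP; Mon, 01 Jan 2024 09:04:59 +0000
From: Bob <bob@corp.example>
To: alice@corp.example
Subject: Lunch
Date: Mon, 01 Jan 2024 09:04:58 +0000

Noon?
"""

# Constructed sample 3: the From field is not even a valid address.
RAW_INVALID_FROM = """\
Received: from unknown (HELO payroll) [198.51.100.9]
\tby mx.corp.example with SMTP; Mon, 01 Jan 2024 09:10:00 +0000
From: "Payroll" <payroll-notice>
To: alice@corp.example
Subject: Your payslip
Date: Mon, 01 Jan 2024 09:09:58 +0000

See attachment.
"""

_BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw):
    return message_from_string(raw, policy=email_policy.default)


def displayed_fields(raw):
    """The fields a typical client shows: From, To, Subject and the timestamp."""
    msg = parse(raw)
    return {name: msg.get(name) for name in ("From", "To", "Subject", "Date")}


def from_domain(raw):
    """Domain of the From header, lower-cased; '' if the address has no '@'."""
    _display_name, addr = parseaddr(parse(raw).get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def received_chain(raw):
    """Bracketed IPv4 addresses from all Received lines, oldest hop first.
    Each relay prepends its own line, so header order is reversed here."""
    ips = []
    for hdr in parse(raw).get_all("Received", []):
        match = _BRACKETED_IPV4.search(str(hdr))
        if match:
            ips.append(match.group(1))
    return list(reversed(ips))


def connecting_ip(raw):
    """IP from the topmost Received line: the one the receiving server wrote
    from the actual TCP connection, hence the only one it can trust."""
    chain = received_chain(raw)
    return chain[-1] if chain else None


def outbound_policy(raw, org_domain):
    """Internal submission server rule: From must carry the organisation's
    own domain. Returns True when the message is accepted."""
    return from_domain(raw) == org_domain.lower()


def inbound_policy(raw, org_domain, internal_relays):
    """Inbound MX rule: a From address in our own domain is accepted only
    when the connecting host is one of our relays (assumed address set)."""
    if from_domain(raw) != org_domain.lower():
        return True  # external sender; this rule has nothing to enforce
    return connecting_ip(raw) in internal_relays


if __name__ == "__main__":
    relays = {"10.0.0.5"}
    for label, raw in (("spoofed", RAW_SPOOFED), ("internal", RAW_INTERNAL),
                       ("invalid-from", RAW_INVALID_FROM)):
        print(label, displayed_fields(raw)["From"], received_chain(raw),
              "inbound:", inbound_policy(raw, "corp.example", relays),
              "outbound:", outbound_policy(raw, "corp.example"))
```

Note that the outbound rule alone accepts the spoofed sample, because its From address does carry the organisation’s domain; only the inbound rule, which compares the claimed domain against the real connecting host, rejects it.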
Other measures, such as digital signatures and mail server authentication, have emerged as real countermeasures to the epidemic of email spoofing. These include DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), which act as authenticator and validator respectively, as well as the Sender Policy Framework (SPF) and Sender ID. Even the SSL/TLS cryptographic protocols can be used to encrypt email traffic, though this approach is rarely used.
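How SPF and DMARC fit together in practice, as an added example that is not part of the original article: a small SPF evaluator over a constructed in-memory DNS table, followed by the DMARC alignment step that decides whether an SPF (or DKIM) pass actually vouches for the domain in the From header. The domains, records and IP addresses are constructed; only the ip4, ip6, include and all mechanisms of RFC 7208 are implemented, and DKIM signature verification itself is out of scope (the `dkim_domain` argument stands in for “a signature by that domain verified”).

```python
"""Toy SPF evaluation and DMARC alignment over a constructed DNS table.

Added example, not from the original article. DNS_TXT stands in for real
DNS lookups; only ip4/ip6/include/all are handled, and DKIM verification
is out of scope (dkim_domain means "a signature by that domain verified").
"""
import ipaddress

# Constructed DNS TXT records (assumption: corp.example is our domain and
# mailer.example is a third-party bulk mailer we have authorised).
DNS_TXT = {
    "corp.example": "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.corp.example": "v=DMARC1; p=reject; aspf=s; adkim=r",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return DNS_TXT.get(name.lower())


def check_spf(ip, mail_from_domain, depth=0):
    """SPF result for a connection from `ip` whose MAIL FROM is in `mail_from_domain`."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_txt(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "include":         # a recursive evaluation that counts only a pass
            if check_spf(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:                           # a, mx, exists, ...: not implemented here
            return "permerror"
    return "neutral"                    # no 'all' term: the RFC default


def parse_dmarc(domain):
    """Tags of the _dmarc TXT record as a dict, or None if the domain has none."""
    record = lookup_txt("_dmarc." + domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def organizational_domain(domain):
    """Crude stand-in for the Public Suffix List: keep the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, authenticated, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts the same organizational domain."""
    if mode == "s":
        return header_from.lower() == authenticated.lower()
    return organizational_domain(header_from) == organizational_domain(authenticated)


def evaluate_dmarc(ip, mail_from_domain, header_from_domain, dkim_domain=None):
    """Return (disposition, detail) for the domain shown in the From header."""
    policy = parse_dmarc(header_from_domain)
    if policy is None:
        return "none", "no DMARC record"
    spf = check_spf(ip, mail_from_domain)
    spf_ok = spf == "pass" and aligned(header_from_domain, mail_from_domain,
                                       policy.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(header_from_domain, dkim_domain,
                                                  policy.get("adkim", "r"))
    detail = f"spf={spf} spf_aligned={spf_ok} dkim_aligned={dkim_ok}"
    if spf_ok or dkim_ok:
        return "pass", detail
    return policy.get("p", "none"), detail


if __name__ == "__main__":
    print(evaluate_dmarc("203.0.113.7", "corp.example", "corp.example"))
    print(evaluate_dmarc("192.0.2.1", "corp.example", "corp.example"))
    # SPF passes for the mailer's own domain, but with aspf=s it is not aligned
    # with the From domain, so the message still hits p=reject unless DKIM aligns.
    print(evaluate_dmarc("198.51.100.10", "mailer.example", "corp.example"))
    print(evaluate_dmarc("198.51.100.10", "mailer.example", "corp.example",
                         dkim_domain="corp.example"))
```

The third call is the case worth remembering: SPF alone only authenticates the envelope sender, which a recipient never sees, so a message can pass SPF and still fail DMARC when the visible From domain is not aligned with it.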
Because the IP address of the sending machine cannot be forged, a common mistake when trying to curb email spoofing is to equate that IP address, found in the “Received” lines of the email header, with the actual perpetrator. Malware is typically involved in the spoofing process, which means the IP address most likely belongs to an unsuspecting third party whose machine has been compromised. The other countermeasures mentioned above, coupled with timely risk alerts and improved user awareness, can be used to combat email spoofing effectively.