The Secrets behind Spoofing and Spamming
Written by Jeff Orloff on March 28, 2011
If you have never received word from your ISP that mail coming from your domain has the pattern of spam you are lucky. Those of you who have had the unpleasant experience of having your domain blacklisted because of spam can understand the frustration of having to deal with cleaning up this problem and rebuilding your company’s reputation with the various Internet Service Providers.
Blacklists are a great thing because they know who many of the spammers are so when an ISP wants to block the purveyors of worthless emails they simply rely on these lists to block any messages sent from these domains. In theory, this should solve the problem. In reality, blacklists cause many legitimate businesses to find their emails lost in limbo because for some reason their company’s domain made it to the blacklist.
Most legitimate businesses never think that they have to worry about having their addresses blacklisted because quite simply, they don’t send spam. Unfortunately, you don’t have to actively be engaged in a spam campaign for your email server to be a participant in someone else’s spamming activities.
Through an attack known as email spoofing, spam can be made to appear as if it originated from an email address in your company. The more technical term for this type of attack is Sender Address Forgery. However, regardless of what you choose to call it, having your email addresses associated with spam not only disrupts your business as DNS blacklists prevent legitimate emails from passing through, but it also can harm your company’s good name.
Spoofing in Action
Stopping spammers from spoofing was difficult when open relays were common: the default SMTP configuration allowed anyone to send email through the server, so a message would leave carrying the relay’s IP address rather than that of the server that originated it. Since most relays have now been closed, this technique no longer works as well. Spoofing has not slowed down, however; it has simply evolved and adapted.
Spoofing an email address works one of two ways, either the header of the email is altered to make spam look legitimate or the email account itself is compromised by the spammer to send junk email messages from an otherwise safe email account.
Stopping the Spammers
If your email account, or someone in your company’s, has been hijacked by spammers there are two things you need to do immediately:
- Run a malware scan on your computer.
- Change your password to a strong password.
Run the malware scan first because odds are your email credentials were stolen by spyware such as a keystroke logger. Changing the password prior to this will simply give the attacker your new password. Make sure that the computer, or network, is clean and then go ahead with the changes.
A good way to keep an eye out for this type of spoofing is to check your sent mail on a regular basis to see if messages are being sent in alphabetical order to the people on your contact list. Of course, you will probably be alerted to your email account being compromised by someone who was on the receiving end of this spam so you may also have to follow this process up with apologies to the people on your email list who received spam from your email address.
The second method of email address spoofing can be attributed to a fault in SMTP, just like the open relay issue of days past.
Because core SMTP provides no authentication, message headers can be altered so that an email appears to come from a trusted source. Even with later improvements to SMTP security, spammers are still able to make a message look as if it were sent by someone else.
Stopping this type of spoofing seems more complex than the first method mentioned here, but it really isn’t all that difficult. To prevent it, your company should publish Sender Policy Framework (SPF) data for its domain. Simply put, this information specifies which mail servers are authorized to send email for your domain. Any destination server with SPF checking enabled, for example through a product like GFI’s MailEssentials, can then identify a message from an unauthorized server as a spoofed address and subject it to further checks to see whether it is in fact spam. This only works, however, if the domain has published SPF information for the receiving server to check against.
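To make the two halves of that explanation concrete (a forged envelope sender that SMTP itself never verifies, and the receiving server comparing the connecting IP against the published SPF record), here is an added example, not code from the article or from GFI. It implements a small SPF evaluator in Python over a constructed, in-memory DNS table (the domains, record text and IP ranges are made up); only the ip4, ip6, include and all mechanisms are modelled, and the result is mapped to the disposition a receiving server might apply.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. These domains, records and
# IP ranges are sample data for the example, not real infrastructure.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifier prefix -> result when the mechanism matches
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS):
    """Return the SPF record for a domain, or None if it publishes none."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def envelope_domain(mail_from):
    """Domain part of the SMTP MAIL FROM address, which the sender chooses freely."""
    return mail_from.rsplit("@", 1)[-1].lower()


def check_spf(sender_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (include chain too deep). Mechanisms are tested left to
    right; the first match decides, as in a real SPF evaluation.
    """
    if depth > 10:  # guard against include loops, in the spirit of the lookup limit
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            # include matches only if the referenced domain's record yields pass
            if check_spf(sender_ip, term[len("include:"):], dns, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
        # a, mx, exists and redirect= are not modelled in this example
    return "neutral"


def disposition(result):
    """How a receiving server in this example treats each SPF result."""
    if result == "pass":
        return "accept"
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "further spam checks"   # matches the article's 'further checks'
    return "no SPF decision"           # none / neutral / permerror


def evaluate_message(sender_ip, mail_from, dns=FAKE_DNS):
    """Full check: extract the claimed domain, evaluate SPF, decide disposition."""
    result = check_spf(sender_ip, envelope_domain(mail_from), dns)
    return result, disposition(result)


if __name__ == "__main__":
    # A forged MAIL FROM claiming example.com from an unlisted address is rejected.
    for ip in ("192.0.2.25", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(ip, evaluate_message(ip, "ceo@example.com"))
```

The point the walk-through makes is that the check never trusts the address in the message; it trusts only the IP the connection actually came from, which is why the policy is useless for a domain that has not published a record (the last branch returns "none" and no decision is taken).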
Applying the theory of low hanging fruit, spammers will realize that your company’s email addresses do not yield the returns necessary to make their efforts possible and likely move on to an easier, more profitable, target.
Hey, I was wondering if these tips are applicable to web-based mail apps as compared to say, Outlook. I tend to wonder if my email credentials are valid, but I don’t know if I am at risk (or have different risks) for using sites like Gmail for business reasons.
Configuring your perimeter firewall so that only the mail servers are allowed to send SMTP mail out is a very good way of making sure any hijacked computer doesn’t ruin your company’s reputation when on the corporate network. You then can focus attentions on ensuring your mail server is as secure as possible. Very few companies I’ve consulted for actually proactively block outbound traffic at their perimeter, usually allowing their systems to be blacklisted because of a single hijacked computer.
Addendum, most hijacked computers send out SMTP directly. Only a small percentage will send through the corporate mail server which can be prevented by disabling internal relaying.
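As an added example illustrating the commenter's point (this is not the commenter's code or any vendor's), the Python below runs over a few constructed firewall log lines and flags internal hosts that are opening outbound TCP/25 connections even though they are not on the allowlist of mail servers. The log format, host addresses and threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed log lines in a simplified iptables-style format (made-up IPs).
SAMPLE_LOG = """\
Mar 28 09:01:12 fw kernel: OUT ACCEPT SRC=10.0.0.25 DST=203.0.113.9 PROTO=TCP DPT=25
Mar 28 09:01:15 fw kernel: OUT ACCEPT SRC=10.0.0.77 DST=198.51.100.3 PROTO=TCP DPT=25
Mar 28 09:01:16 fw kernel: OUT ACCEPT SRC=10.0.0.77 DST=198.51.100.4 PROTO=TCP DPT=25
Mar 28 09:01:16 fw kernel: OUT ACCEPT SRC=10.0.0.90 DST=203.0.113.50 PROTO=TCP DPT=443
Mar 28 09:01:17 fw kernel: OUT ACCEPT SRC=10.0.0.77 DST=198.51.100.5 PROTO=TCP DPT=25
Mar 28 09:01:18 fw kernel: OUT ACCEPT SRC=10.0.0.25 DST=203.0.113.10 PROTO=TCP DPT=25
Mar 28 09:01:19 fw kernel: OUT ACCEPT SRC=10.0.0.77 DST=198.51.100.3 PROTO=TCP DPT=25
Mar 28 09:01:20 fw kernel: OUT ACCEPT SRC=10.0.0.77 DST=198.51.100.6 PROTO=TCP DPT=25
Mar 28 09:01:21 fw kernel: OUT ACCEPT SRC=10.0.0.90 DST=203.0.113.51 PROTO=TCP DPT=25
"""

# Assumed allowlist: the only hosts permitted to speak SMTP to the Internet.
MAIL_SERVERS = {"10.0.0.25"}

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def outbound_smtp_by_host(log_text, mail_servers):
    """Map each non-allowlisted internal host to the set of distinct
    external hosts it contacted on TCP port 25."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        if m["proto"] != "TCP" or m["dpt"] != "25":
            continue
        if m["src"] in mail_servers:
            continue  # the mail server is expected to do this
        seen[m["src"]].add(m["dst"])
    return dict(seen)


def suspected_direct_senders(log_text, mail_servers, threshold=3):
    """Hosts contacting at least `threshold` distinct SMTP destinations.
    One stray connection is noise; many distinct targets is the pattern
    of a hijacked machine sending directly, as the comment describes."""
    counts = outbound_smtp_by_host(log_text, mail_servers)
    return sorted(h for h, dsts in counts.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    for host in suspected_direct_senders(SAMPLE_LOG, MAIL_SERVERS):
        print(f"{host}: unexpected direct SMTP, candidate for isolation and malware scan")
```

With a perimeter rule that only permits the allowlisted servers to reach port 25, these lines would appear as drops instead of accepts; the same parser applies either way, and a host hitting the deny rule repeatedly is worth the malware scan the article describes.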
@John Sinclair – Absolutely use these tips for web based mail clients as well. Gmail, Yahoo, etc. accounts are hijacked all the time because user credentials are obtained through malware infections.
@RSP – Excellent points!