E-Mail Impersonators: Identifying “spoofed” E-mail

After Mrs Tan voted on Election Day, she returned home to find an e-mail from none other than the Prime Minister of Singapore (prime_minister@gov.sg). He thanked her for her vote and promised to address her concerns of education and rising cost of living. She was a little disturbed, but as it turned out the sanctity of her secret ballot hadn’t been compromised. Someone (her husband) had merely sent her a spoofed e-mail.

E-mail is considered “spoofed” when the e-mail address in the “From” field is not that of the actual sender. Believing what you read in spoofed e-mail can cause huge embarrassment. So if you receive an e-mail from Mr Lee Hsien Loong or a man purporting to be an executive of a European carmaker offering you a free car, it might not be on the level. The bad news is that it’s not very hard to spoof e-mail. The good news is that it can usually be detected – if you know what to look for.

To detect spoofed e-mail you need to understand how e-mail messages are sent on the Internet.

  • First, your e-mail program (e.g. Outlook, Eudora, Hotmail) sends the message to an SMTP (Simple Mail Transfer Protocol) server, a computer that knows how to relay your message.
  • Then, the message is relayed from SMTP server to SMTP server across the Internet.
  • When the message reaches its penultimate stop, it is stored in the recipient’s mailbox on a POP3 (Post Office Protocol 3) server, a type of e-mail server that holds messages temporarily until the recipient’s e-mail program picks them up.
  • Finally the message is fetched by an e-mail program (e.g. Outlook, Eudora, Hotmail), so the recipient can read it.

Like a well-paid courier, SMTP just passes along what it was given. If Mr Tan tells Outlook that his e-mail address is prime_minister@gov.sg, neither Outlook nor the SMTP server provided by the Internet service provider (ISP) has any way to verify that this is true. If the Outlook settings are changed to say that the e-mail address is clown@circus.org, Outlook happily sends that e-mail to Mrs Tan. Some ISPs configure their e-mail servers to be more restrictive about the e-mail they’ll accept, attempting to verify the veracity of the sender’s address, but a determined spoofer usually knows how to insert e-mail further along the transmission chain.

However, every e-mail message contains details of its transmission history in a hidden component known as a “header”. By viewing the header and doing a little detective work you can usually spot the telltale signs of spoofed e-mail.

Investigating suspicious e-mail messages is a relatively technical process. You start by checking the headers. Use your e-mail program to view the header information of the message. E-mail headers look like gobbledygook; you just have to learn to read them.

Looking at the header, the first thing to check is the “From” field, which will look like one of these:

From: Lee Hsien Loong (prime_minister@gov.sg)
From: prime_minister@gov.sg (Lee Hsien Loong)
From: Lee Hsien Loong

Look for a discontinuity between the friendly name and the e-mail name. If the friendly name is “Lee Hsien Loong” but the e-mail address is spammer@spoof.com, or if the e-mail name is missing entirely, the e-mail message may be spoofed. But a sophisticated spoofer won’t make this simple mistake.

Next, look at the “Received” fields. Each time the message gets relayed through an SMTP server, a new “Received” field is added, and you read them bottom-to-top. The bottom one might look like this:

Received: from PMOffice ([111.333.555.777]) by PMOfficeMail (MailProgram v9.7) with SMTP id 1-2-3-4-5 PMOfficeMail PMOfficeMail@PMOffice for ; Fri, 8 Aug 2008 08:08:08 +0800

Supposedly, this details the original sending of the message from the sender’s e-mail program to their ISP’s (or company’s) SMTP server. However, it can be forged. If the message purports to be from “gov.sg” but you see names like “spoof.com”, you should be suspicious. Also look up the sender’s IP address, i.e. ‘111.333.555.777’ in the “Received” line. At a Windows command prompt, type:

Nslookup 111.333.555.777

This will likely tell you the name of their SMTP server. Another tool to use is:

Tracert 111.333.555.777

This lists the network route from your computer to the IP address indicated. Look for suspicious server names or clues to geographical locations. Again, you’re looking for discontinuities. And again, don’t be surprised if the IP address leads nowhere: a spoofer can take steps to make it useless.

You can continue with this sort of detective work up through the different “Received” fields. If you are lucky you can track down the e-mail address and ISP of the true sender and get the spoofer kicked off their ISP. Most ISPs have a dedicated e-mail address for abuses or complaints.
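The two checks described above (the “From” field, then the “Received” chain read bottom-to-top) as an added example; this is not code from the original article. It assumes the standard `Name <address>` form of the From field, a claimed sender domain supplied by the reader, and constructed headers whose hosts, IP and ids are made up:

```python
# Added example, not code from the original article: check the "From" field against
# the domain the message claims, then walk the "Received" chain bottom-to-top.
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample (hosts, IP and ids are made up): the bottom Received line
# claims an origin inside the sender's mail system, but the next relay saw the
# message arrive from an unrelated host, so the bottom line was forged.
SAMPLE_HEADERS = """\
Received: from mail.spoof.com ([192.0.2.10]) by mx.example.net
 with SMTP id 9-8-7-6; Fri, 8 Aug 2008 08:09:08 +0800
Received: from PMOffice ([192.0.2.10]) by PMOfficeMail (MailProgram v9.7)
 with SMTP id 1-2-3-4-5; Fri, 8 Aug 2008 08:08:08 +0800
From: Lee Hsien Loong <prime_minister@gov.sg>
"""
# "from <host> ([<ip>]) ... by <host>"; DOTALL because headers may be folded.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\(\[?(?P<ip>[\d.]+)\]?\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL)

def same_host(a, b):
    """True if two relay names agree; a bare name may be a FQDN's first label."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.startswith(b + ".") or b.startswith(a + ".")

def parse_received(raw_headers):
    """Relay hops in transmission order: the bottom Received line comes first."""
    received = message_from_string(raw_headers).get_all("Received", [])
    matches = (RECEIVED_RE.search(v) for v in reversed(received))
    return [{"from": m["helo"], "ip": m["ip"], "by": m["by"]} for m in matches if m]

def analyse(raw_headers, expected_domain):
    """Return a list of findings; an empty list means nothing looked wrong."""
    expected, findings = expected_domain.lower(), []
    raw_from = message_from_string(raw_headers).get("From", "")
    addr = parseaddr(raw_from)[1]
    if "@" not in addr:
        findings.append(f"From: no e-mail address in {raw_from!r}")
    elif addr.rpartition("@")[2].lower() != expected:
        findings.append(f"From: address {addr!r} is not in {expected!r}")
    hops = parse_received(raw_headers)
    origin = hops[0]["from"] if hops else ""
    if "." in origin and not origin.lower().endswith(expected):
        findings.append(f"origin relay {origin!r} is outside {expected!r}")
    for prev, cur in zip(hops, hops[1:]):
        if not same_host(prev["by"], cur["from"]):
            findings.append(f"chain break: {prev['by']!r} handed the message on, "
                            f"but the next relay received it from {cur['from']!r}")
    return findings
```

Running `analyse(SAMPLE_HEADERS, "gov.sg")` reports one chain break: the bottom line says PMOfficeMail took the message, yet the next relay received it from mail.spoof.com.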

Sometimes the simplest way to unmask spoofed e-mail is by responding to it. If the spoofed address doesn’t exist, your reply may bounce back as undeliverable. But if the spoofed address does exist, such as prime_minister@gov.sg, don’t be surprised if your message generates an automated reply along the lines of “thanks for writing.” Remember not to use your own e-mail account to do this. Use a temporary e-mail account created with one of the free e-mail service providers.

Why didn’t the designers of e-mail prevent spoofing from the beginning? The Simple Mail Transfer Protocol was designed in the early 1980s. Back then the Internet was the purview of academia and government agencies, and as such there was no cause to consider security. The protocol provided no formal verification of the sender; it was assumed that everyone would do the right thing. Developers also wanted to keep things simple, and identity authentication complicates matters. Besides, standards for authenticating identity on the Internet didn’t exist back then and for the most part still don’t. Finally, spoofing e-mail has legitimate uses. For instance, you have an account, yourname@isp.net, but you want all replies to go to yourname@myserver.com. You can spoof yourself so that all the mail sent from the isp.net account looks like it came from your myserver.com account. If anyone replies to your e-mail, the reply would be sent to yourname@myserver.com. This is also helpful if you temporarily use a Web-based e-mail account but want the replies to go to your regular e-mail address.

Given today’s e-mail infrastructure, there’s not much that can be done to prevent spoofing. Companies and organizations can tighten up their mail servers, but this just makes it a little more difficult for spoofers, not impossible. If you are in a situation where the authenticity of the sender must be established and it is someone you are already in communication with, you can agree to use PGP or other encryption programs when exchanging e-mail messages. Encryption protects messages from tampering and positively identifies the sender. A promising sign is the emergence of programs that attempt to authenticate, filter or tag e-mails, but these have yet to be widely embraced by ISPs (although the US and other governments – with good reason – are pursuing them avidly).

Until then, be wary if you get the unexpected mail from the Prime Minister of Singapore offering to drop by your neighborhood and personally ‘feel your pain’.