Head blueLogoText.gif NCF HelpWiki
Help | StartPage

Difference between revisions of "Email spoofing"

From Support
Jump to: navigation, search
m (bolded)
(Tracing IP addresses: seems broken)
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
'''Email spoofing''' is the faking of [[email]] addresses to disguise who is sending the email to you. This is often used by people sending [https://en.wikipedia.org/wiki/Email_spam spam] and [https://en.wikipedia.org/wiki/Malware malware] in an attempt to fool you into reading their advertisements or into opening the attachments and infecting your computer, especially [https://en.wikipedia.org/wiki/Ransomware ransomware].
+
'''Email spoofing''' is the faking of [[email]] addresses to disguise who is sending the email to you. This is often used by people sending [https://en.wikipedia.org/wiki/Email_spam spam] and [https://en.wikipedia.org/wiki/Malware malware] in an attempt to fool you into reading their advertisements or into opening the attachments and infecting your computer, especially with [https://en.wikipedia.org/wiki/Ransomware ransomware].
  
 
==Background==
 
==Background==
Line 7: Line 7:
  
 
==So where is it really coming from?==
 
==So where is it really coming from?==
Emails on their own are safe to open, although there attachments may not be.  
+
Emails on their own are safe to open, although their attachments may not be.  
  
 
If you want to find out where the email is really coming from you need to check the email headers ("show original"), as shown here in [[Zimbra]], NCF's webmail interface:
 
If you want to find out where the email is really coming from you need to check the email headers ("show original"), as shown here in [[Zimbra]], NCF's webmail interface:
Line 42: Line 42:
 
     id Hz0g1r0094yo4K101z1GXd; Thu, 17 Sep 2015 01:01:54 +0200
 
     id Hz0g1r0094yo4K101z1GXd; Thu, 17 Sep 2015 01:01:54 +0200
  
The "received" sections show the [https://en.wikipedia.org/wiki/IP_address IP address] which the mail has travelled through and ultimately originates from. The IP addresses in the header are shown '''in bold''' to make them stand out. Because the bottom one is the originator, it can now be traced to see where it comes from.
+
The "received" sections show the [https://en.wikipedia.org/wiki/IP_address IP addresses] which the mail has travelled through and ultimately originates from. The IP addresses in the header are shown '''in bold''' to make them stand out. Because the bottom one is the originator, it can now be traced to see where it comes from.
  
 
==Tracing IP addresses==
 
==Tracing IP addresses==
Line 52: Line 52:
 
* [http://lacnic.net/cgi-bin/lacnic/whois LACNIC] (Latin American and Caribbean)
 
* [http://lacnic.net/cgi-bin/lacnic/whois LACNIC] (Latin American and Caribbean)
 
* [http://www.afrinic.net/ AfriNIC] (Africa)
 
* [http://www.afrinic.net/ AfriNIC] (Africa)
* [http://www.ipligence.com/geolocation/?lang=en&search# IPLigence]
 
 
* [http://www.ip-adress.com/ IP-adress.com] (sic)
 
* [http://www.ip-adress.com/ IP-adress.com] (sic)
 
* [http://www.find-ip-address.org/ Find-IP-address.org]
 
* [http://www.find-ip-address.org/ Find-IP-address.org]

Latest revision as of 17:52, 18 January 2018

Email spoofing is the faking of email addresses to disguise who is sending the email to you. This is often used by people sending spam and malware in an attempt to fool you into reading their advertisements or into opening the attachments and infecting your computer, especially with ransomware.

Background

Because the core protocols for email do not prevent it, it is easy for someone to send you an email using a fake address for the sender. This can be done to fool you into opening the attachments or to try to fool spam filters into letting the email through to you.

A common trick is to use the recipient's email address as the sender's as well, in other words the email will appear to come from you. This is used to fool spam filters as most people don't filter out their own address, but it is a easy-to-recognize indication that you are dealing with a spoofed address.

So where is it really coming from?

Emails on their own are safe to open, although their attachments may not be.

If you want to find out where the email is really coming from you need to check the email headers ("show original"), as shown here in Zimbra, NCF's webmail interface:

Zimbra8 advanced show original.png

Here is an example of a set of email headers from a spoofed email:

Return-Path: youraddress@ncf.ca
Received: from localhost (LHLO mail.ncf.ca) (127.0.0.1) by melkor.ncf.ca
with LMTP; Wed, 16 Sep 2015 19:08:57 -0400 (EDT)
Received: from mail.ncf.ca (localhost [127.0.0.1])
    by mail.ncf.ca (Postfix) with ESMTP id A8607A0547
    for <fn352@ncf.ca>; Wed, 16 Sep 2015 19:08:55 -0400 (EDT)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on melkor.ncf.ca
X-Spam-Level: 
X-Spam-Status: No, score=-0.0 required=6.0 tests=BAYES_00,FSL_BULK_SIG,
    HTML_IMAGE_ONLY_32,HTML_MESSAGE,PYZOR_CHECK,RCVD_IN_DNSWL_NONE,
    RCVD_IN_MSPIKE_H2,T_REMOTE_IMAGE autolearn=no autolearn_force=no version=3.4.0
X-Spam-Virus: No
Received: from mx1.ncf.ca (pallando.ncf.ca [134.117.136.70])
    by mail.ncf.ca (Postfix) with ESMTP id 942A5A051C
    for <fn352@ncf.ca>; Wed, 16 Sep 2015 19:08:55 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.9.1 mail.ncf.ca 942A5A051C
Received: from mx1.ncf.ca (localhost [127.0.0.1])
    by mx1.ncf.ca (Postfix) with ESMTP id 73766BEE75
    for <fn352@ncf.ca>; Wed, 16 Sep 2015 19:08:55 -0400 (EDT)
X-Greylist: delayed 420 seconds by postgrey-1.34 at pallando; Wed, 16 Sep 2015 19:08:55 EDT
Received: from smtpg-pc.aruba.it (smtp217-pc.aruba.it [62.149.157.217])
    by mx1.ncf.ca (Postfix) with ESMTP id 0D616BEE7C
    for <fn352@ncf.ca>; Wed, 16 Sep 2015 19:08:54 -0400 (EDT)
Received: from WORLDST-UQ3K9Q0 ([181.26.209.230])
    by smtpcm2-pc.aruba.it with bizsmtp
    id Hz0g1r0094yo4K101z1GXd; Thu, 17 Sep 2015 01:01:54 +0200

The "received" sections show the IP addresses which the mail has travelled through and ultimately originates from. The IP addresses in the header are shown in bold to make them stand out. Because the bottom one is the originator, it can now be traced to see where it comes from.

Tracing IP addresses

Tracing IP addresses is fairly easy using tools like whois on Linux. They can also be traced through the websites of the IP registration authorities:

If an address is not found in one registry, it will probably be in another one.

In the case of the header example above the IP address 181.26.209.230 traces to Telefonica de Argentina in Buenos Aires, Argentina, so you can be sure it did not originate with NCF and that the return address is spoofed.

What next?

Delete it, it is spam, but at least you are now sure that it is.

External links