FAQ: Spoof email

Article:TECH82284  |  Created: 2004-01-27  |  Updated: 2013-10-26  |  Article URL http://www.symantec.com/docs/TECH82284
Article Type
Technical Solution


Issue



This page answers frequently asked questions (FAQ) about spoofed email.

Also see the following Wikipedia article about email spoofing: E-mail spoofing.


Solution



The following sections are in a Question (Q:) and Answer (A:) style.

Q: What is spoofed email?
A: Spoofed or forged email uses a false or invalid email header to describe from whom it came.

Q: How does email spoofing work?
A: Email spoofing uses standard email (SMTP) functions. Spoofed email uses the fact that FROM and MAIL FROM email headers are largely arbitrary text.

    Since email programs can use any text in the "MAIL FROM" part of an SMTP email, it is very easy to forge the "from" address on a given email.


Q: Can you show me how email spoofing works?
A: The following steps depict email spoofing.

    In this example, these two machines represent the source and destination of spoofed mail.
    1. A mail spoofer connects (either directly or indirectly) to the victim mail server and begins to deliver mail normally. Once accepted by the Victim Mail Server, the mail spoofer provides a false (or possibly blank ) MAIL FROM command to the mail server. In the example, MAIL FROM: indicates a fake address and domain.

    2. The Victim Mail Server accepts the false MAIL FROM command and continues to accept delivery. At this point the mail spoofer provides a destination address (or addresses) and proceeds to the DATA portion of the email transaction. In the example, the mail spoofer sends email with a fake address and domain, which is accepted by the Victim Mail Server. The acceptance is due to the previous acceptance of the mail spoofer.


      In the DATA portion of the email transaction, the spoofer provides false FROM: information (which will be displayed in the email client of our victim).
    3. The spoofer may at this point continue with mail delivery as normal, delivering any number of negative payloads to the victim(s).

Q: Who uses email spoofing?
A: Mail spoofing, when performed for malicious reasons, is used mostly by spammers as a method of delivering malicious payloads (viruses, worms, etc.) to unsuspecting victims. The following is a graphical example of this process.


Q: What can be done to prevent email spoofing?
A: Mail spoofing operates upon the basic functions of SMTP as defined by RFCs 821, 822, 2821, and 2822. These RFCs define how mail and mail servers should behave. In order to prevent the reception of spoofed email, the mail server administrators will have to engage the manufacturers of their mail servers in order to find out how to prevent reception of spoofed email.



Legacy ID



2004052710202154


Article URL http://www.symantec.com/docs/TECH82284


Terms of use for this information are found in Legal Notices