skip to primary navigationskip to content
 

Email forgery

How spammers and virus writers try to trick people

(note: this was copied directly from the old wiki and was last properly updated in July 2006)

1. How email is sent

 

Email is sent between computers using a protocol called SMTP. This stands for Simple Mail Transfer Protocol. It is a set of standard commands and responses which provide a mechanism to transmit, receive and redirect email.

SMTP is an old protocol, it was first defined in November 1981 by a man called Jonathan Postel. There have been minor improvements to the system, but the need for compatibility has prevented any drastic changes.

A minimal SMTP session is shown below. Bold indicates text sent by the sending software, italic indicates text sent by the receiving software.

220 mail.example.com ESMTP MailServer Xyz Mon, 01 Mar 2004 11:51:27 +0000
HELO i.am.example.com
250 mail.example.com Hello user at host.example.com [10.0.0.1]
MAIL FROM: user@example.com
250 <user@example.com> is syntactically correct
RCPT TO: user@example.com
250 <user@example.com> is syntactically correct
DATA
354 Enter message, ending with "." on a line by itself
From: user@example.com
To: user@example.com
Subject: Example message

Hi.

bye.
.

250 OK id=1Axm4F-0007Am-00
Quit
221 mail.example.com closing connection

This ends up in a mail box in something like the following format, items added by the email server are shown in bold

From user@example.com Mon Mar 01 11:59:24 2004
Envelope-to: user@example.com
Received: from i.am.example.com
([10.0.0.1] helo=i.am.example.com ident=user)
by mail.example.com with smtp (MailServer Xyz)
id 1Axm4F-0007Am-00
for <user@example.com>; Mon, 01 Mar 2004 11:51:41 +0000
Message-Id: <E1Axm4F-0007Am-00@mail.example.com>

From: user@example.com
To: user@example.com
Subject: Example message
Date: Mon, 01 Mar 2004 11:51:41 +0000

Hi.

bye.

This mail message can now be accessed, either directly with programs like Pine, or indirectly via POP3 or IMAP which most graphical email programs use.

2. How viruses & spammers fake addresses

The problem is that the email server believes almost everything it's told. So, in the above example one could connect from almost anywhere and pretend to be user@example.com, and the mail server would happily record this in the email.

When one of these malicious programs infects a computer it attempts to gather a list of email addresses to use. Some do this by querying the system address book, some just open every file on the hard disk that they can, looking for something that looks like an email address.

Once this is done, they tend to pick addresses at random, and attempt to send themselves to one address, whilst appearing to come from another. As the email server believes everything it's told it will happily accept and pass on faked emails, so it can appear that you've sent items that you didn't send.

3. How to trace emails

So, if you can't trust the "From" field in an email, how do you know where it came from? There is some help in the fields that the email server adds when it receives a mail. Specificially:

 Received: from localhost
([10.0.0.1] helo=i.am.example.com ident=user)
by mail.example.com with smtp (MailServer Xyz)
id 1Axm4F-0007Am-00
for <user@example.com>; Mon, 01 Mar 2004 11:51:41 +0000

Every time an email passes through an email server the server should add a "Received" field. It should also be added before any other received fields already existing within the mail. This means that the first server that gets the mail will be the last one shown.

One problem is that it is feasable for the virus to add one or more fake "Received" fields to its message, so you should not trust these completely. I am not aware of any which actually do this, but it is quite possible that there are some.

4. What can be done

SPF: Sender Policy Framework

SPF is an extention to DNS (the system which maps names to numerical internet addresses) which lists who is allowed to send mail that claims to originate from a domain. In some cases this would reduce spam, viruses and other email forgery. However, it restricts the second part of the address (anything after the @), not the first field. This means that any infected computer within example.com would be able to pretend to be any user@example.com, but not any user at example.org

S/MIME: Secure Multimedia Internet Mail Extentions

S/MIME is based on SSL, a kind of encryption which is used on many internet services, including secure webpages. It uses what is known as "asymettric" encryption to allow both encrypting and signing messages without having to reveal a secret (known as a "private key"). Documents can be verified by using a "public key" which can be freely distributed. The keys or certificates have to be obtained from a central authority which is globally recognised. The authority will take steps to confirm the identity of the person requesting a key. All this costs money, so a fee is charged. Support for these certificates is built into many email programs, here is a more complete overview.

GPG: Gnu Privacy Guard

GPG is an implimentation of PGP, an alternative "assymetric" encryption system. The primary difference from S/MIME is that there is no need for a central authority to issue keys. This means that it is free to get a key certificate, but proving that a key corresponds to a person has not been done for you. The software is not as easy to use, because it was designed for computer literate users by computer literate users. GPG is not usually built into common Windows and Mac email programs, but it's a lot more popular in UNIX/Linux email programs. Mac Mail GPG plugin