Email spoofing

Receiving a message from your friend joe.average@webmail.com is often evidence enough that it was Joe Average with an account at webmail.com who sent you the email. Unfortunately this may be untrue as sender's credentials can easily be faked on the Internet.


Exercise: send yourself a spoofed email from http://emkei.cz/

email spoofing


Sending a fake email is possible since the SMTP protocol (the technical standards that route email on the Internet) require a valid TO: address but do not really care about where the email is FROM. The sender's name and address can be easily faked. As explained in the video, the only way to find out who had really sent you the emaill address is to inspect the message's headers (in Gmail this is called 'Show Original' and is accessible under the 'More' drop-down menu to the top right-hand corner of the message).


Delivered-To: dmitri@vitaliev.info
Received: by 10.220.151.69 with SMTP id b5csp114879vcw;
Sun, 28 Oct 2012 20:05:50 -0700 (PDT)
Received: by 10.14.216.193 with SMTP id g41mr47392166eep.37.1351479949985;
Sun, 28 Oct 2012 20:05:49 -0700 (PDT)
Return-Path: <joe.average@webmail.com>
Received: from emkei.cz ([2a01:5e0:36:5001::20])
by mx.google.com with ESMTP id z46si13229132eeo.136.2012.10.28.20.05.49;
Sun, 28 Oct 2012 20:05:49 -0700 (PDT)
Received-SPF: neutral (google.com: 2a01:5e0:36:5001::20 is neither permitted nor denied by best guess record for domain of joe.average@webmail.com) client-ip=2a01:5e0:36:5001::20;
Authentication-Results: mx.google.com; spf=neutral (google.com: 2a01:5e0:36:5001::20 is neither permitted nor denied by best guess record for domain of joe.average@webmail.com) smtp.mail=joe.average@webmail.com
Received: by emkei.cz (Postfix, from userid 33)
id 8423ED5A2D; Mon, 29 Oct 2012 04:05:48 +0100 (CET)
To: dmitri@vitaliev.info
Subject: long time no see
From: "Joe Average" <joe.average@webmail.com>
X-Priority: 3 (Normal)
Importance: Normal
Errors-To: joe.average@webmail.com
Reply-To: joe.average@webmail.com
Content-Type: text/plain; charset=utf-8
Message-Id: <20121029030548.8423ED5A2D@emkei.cz>
Date: Mon, 29 Oct 2012 04:05:48 +0100 (CET)

Reading the message from the bottom up, look for telling signs of the real server where the message was sent from. You will see right away that this particular email is being sent from the @emkei.cz domain and not webmail.com

There are more sophisticated ways to spoof an email message, whereby the fake domain will not be disclosed. However, the headers will always contain the IP address of the server used to send the message from.

You will need to use the online IP validation and tracing tools mentioned above to verify who owns those addresses and whether the email sender is likely to be using one of those addresses. For example, if you friend is located in the Czech Republic and the sender's IP address is registered in Australia – it could be a hoax, or your friend could be on vacation.