
Spoof emails - how do they work?

Fluke
Lemon Slice
Posts: 628
Joined: November 4th, 2016, 8:51 pm
Has thanked: 62 times
Been thanked: 138 times

Spoof emails - how do they work?

#522004

Postby Fluke » August 12th, 2022, 10:49 pm

A friend has just forwarded an email he received, apparently from me but from an unknown source. It was the usual short message in an American accent, something about photos, inviting the recipient to click on the link. We all receive them; mostly they go to junk, but we don't always know that it goes the other way, that you're the apparent sender of such spam/spoof emails.

Does anyone know how this actually works? Have my contacts been hacked, or is it the recipient's contacts, or, if neither, how has the spammer put me and the contact together? I'm just curious to know how it works. Is there anything that can be done to stop your name being linked to such emails?

Thanks.

Mike4
Lemon Half
Posts: 7199
Joined: November 24th, 2016, 3:29 am
Has thanked: 1665 times
Been thanked: 3834 times

Re: Spoof emails - how do they work?

#522012

Postby Mike4 » August 13th, 2022, 12:01 am

Fluke wrote:A friend has just forwarded an email he received, apparently from me but from an unknown source. It was the usual short message in an American accent, something about photos, inviting the recipient to click on the link. We all receive them; mostly they go to junk, but we don't always know that it goes the other way, that you're the apparent sender of such spam/spoof emails.

Does anyone know how this actually works? Have my contacts been hacked, or is it the recipient's contacts, or, if neither, how has the spammer put me and the contact together? I'm just curious to know how it works. Is there anything that can be done to stop your name being linked to such emails?

Thanks.



I've had the occasional very angry email from one random or another demanding I stop sending them spam. Probably half a dozen such emails over the last 20 years.

I suspect spammers put <mail>@<any old domain they happen to notice> in the 'from' field, and once in a while they happen to notice my domain. Or <random string>@gmail.com where the random string happens to be <my address>@gmail.com.

But yours looks to me as though your contacts list must have been hacked. Or a real mail from you to this person was intercepted and the to and from addresses grabbed as it winged its way to them. Email is not generally encrypted, AIUI.

servodude
Lemon Half
Posts: 8401
Joined: November 8th, 2016, 5:56 am
Has thanked: 4486 times
Been thanked: 3608 times

Re: Spoof emails - how do they work?

#522013

Postby servodude » August 13th, 2022, 12:04 am

Mike4 wrote:
Fluke wrote:A friend has just forwarded an email he received, apparently from me but from an unknown source. It was the usual short message in an American accent, something about photos, inviting the recipient to click on the link. We all receive them; mostly they go to junk, but we don't always know that it goes the other way, that you're the apparent sender of such spam/spoof emails.

Does anyone know how this actually works? Have my contacts been hacked, or is it the recipient's contacts, or, if neither, how has the spammer put me and the contact together? I'm just curious to know how it works. Is there anything that can be done to stop your name being linked to such emails?

Thanks.



I've had the occasional very angry email from one random or another demanding I stop sending them spam. Probably half a dozen such emails over the last 20 years.

I suspect spammers put <mail>@<any old domain they happen to notice> in the 'from' field, and once in a while they happen to notice my domain. Or <random string>@gmail.com where the random string happens to be <my address>@gmail.com.

But yours looks to me as though your contacts list must have been hacked. Or a real mail from you to this person was intercepted and the to and from addresses grabbed as it winged its way to them. Email is not generally encrypted, AIUI.


Or equally likely THEIR contacts/inbox.

Mike4
Lemon Half
Posts: 7199
Joined: November 24th, 2016, 3:29 am
Has thanked: 1665 times
Been thanked: 3834 times

Re: Spoof emails - how do they work?

#522020

Postby Mike4 » August 13th, 2022, 1:43 am

servodude wrote:
Mike4 wrote:
Fluke wrote:A friend has just forwarded an email he received, apparently from me but from an unknown source. It was the usual short message in an American accent, something about photos, inviting the recipient to click on the link. We all receive them; mostly they go to junk, but we don't always know that it goes the other way, that you're the apparent sender of such spam/spoof emails.

Does anyone know how this actually works? Have my contacts been hacked, or is it the recipient's contacts, or, if neither, how has the spammer put me and the contact together? I'm just curious to know how it works. Is there anything that can be done to stop your name being linked to such emails?

Thanks.



I've had the occasional very angry email from one random or another demanding I stop sending them spam. Probably half a dozen such emails over the last 20 years.

I suspect spammers put <mail>@<any old domain they happen to notice> in the 'from' field, and once in a while they happen to notice my domain. Or <random string>@gmail.com where the random string happens to be <my address>@gmail.com.

But yours looks to me as though your contacts list must have been hacked. Or a real mail from you to this person was intercepted and the to and from addresses grabbed as it winged its way to them. Email is not generally encrypted, AIUI.


Or equally likely THEIR contacts/inbox.



Good point. Could be either way around.

Urbandreamer
Lemon Quarter
Posts: 3189
Joined: December 7th, 2016, 9:09 pm
Has thanked: 357 times
Been thanked: 1049 times

Re: Spoof emails - how do they work?

#522037

Postby Urbandreamer » August 13th, 2022, 7:32 am

Fluke wrote:Is there anything that can be done to stop your name being linked to such emails?


Sadly there is nothing that can be done to prevent that, any more than there is a way to stop anyone sending a paper letter claiming to be you. Though both are of course illegal.

There are a number of reasons why we have never had a significant problem with large amounts of letters claiming to be from people other than who sent them, but one sticks out: it costs to send a letter!

Adding a cost to sending email was actually suggested as a method to reduce spam.
It was called Hashcash: https://en.wikipedia.org/wiki/Hashcash
The trouble was that email was an established thing at the time, with widely used protocols. The idea didn't take off with email.

I'm aware that some don't follow links, so: Hashcash used "proof of work" by the sender. The recipient's software could cheaply check that the sender had paid that cost.
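As an added illustration of the proof-of-work Urbandreamer describes (example code written for this page, not from the post or the Hashcash project): the sender brute-forces a Hashcash v1 stamp, and the recipient checks it with a single SHA-1 plus a few comparisons. The recipient address, bit counts and date are constructed values; a real deployment would also reject stale dates.

```python
import base64
import hashlib
import os
from datetime import datetime, timezone
from typing import Optional, Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest: the 'work' a stamp shows."""
    zeros = 0
    for byte in digest:
        if byte == 0:
            zeros += 8
        else:
            zeros += 8 - byte.bit_length()  # position of the first set bit
            break
    return zeros


def mint_stamp(resource: str, bits: int = 20, date: Optional[str] = None) -> str:
    """Sender side: try counters until SHA-1(stamp) has `bits` leading zero bits.

    Stamp layout is the Hashcash v1 format ver:bits:date:resource:ext:rand:counter.
    Expected cost is 2**bits hashes; verification below costs one hash.
    """
    date = date or datetime.now(timezone.utc).strftime("%y%m%d")
    rand = base64.b64encode(os.urandom(12)).decode()
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, resource: str, min_bits: int = 20,
                 seen: Optional[set] = None) -> Tuple[bool, str]:
    """Recipient side: cheap check that the sender paid enough work for *our* address."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False, "malformed stamp"
    try:
        claimed = int(fields[1])
    except ValueError:
        return False, "bad bits field"
    if fields[3] != resource:
        return False, "stamp minted for a different resource"
    if claimed < min_bits:
        return False, f"claims {claimed} bits, policy requires {min_bits}"
    actual = leading_zero_bits(hashlib.sha1(stamp.encode()).digest())
    if actual < claimed:
        return False, f"hash shows only {actual} leading zero bits"
    # A stamp is a one-time token: a replayed stamp gets no credit.
    if seen is not None:
        if stamp in seen:
            return False, "stamp already spent"
        seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    s = mint_stamp("fluke@example.org", bits=16)  # constructed recipient address
    print(s, verify_stamp(s, "fluke@example.org", min_bits=16))
```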

UncleEbenezer
The full Lemon
Posts: 10809
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1471 times
Been thanked: 3002 times

Re: Spoof emails - how do they work?

#522055

Postby UncleEbenezer » August 13th, 2022, 9:52 am

They've figured out that mail "from" someone you know is less likely to be junked than general spam: hence the value of impersonating a contact. That could be from any number of sources: someone's address book is one, but also if they've got their hands on, for example, messages or conversations that connect you.

Arguably a nastier version is when it's untargeted: the old-fashioned "joe job" was a big spam run "from" your address. This could generate a million bounces, rejection notices, "p*** off spammer" notices from mail systems to your address, which is (for administrators rather than end-users) why you should never accept a message then bounce it.

James
Lemon Slice
Posts: 295
Joined: November 4th, 2016, 3:12 pm
Has thanked: 69 times
Been thanked: 111 times

Re: Spoof emails - how do they work?

#522081

Postby James » August 13th, 2022, 11:55 am

It's relatively easy to make an email come from another address and send it through a poorly set up mailserver.
Some years back, Yahoo Mail got hacked, giving a database of real email addresses and all their contacts.
Easy then for spammers to send an email from joe.bloggs@yahoo.com to someone they already know. The unwary receiver is more likely to click on a compromised link in an email from a friend.

Breelander
Lemon Quarter
Posts: 4179
Joined: November 4th, 2016, 9:42 pm
Has thanked: 1001 times
Been thanked: 1855 times

Re: Spoof emails - how do they work?

#522101

Postby Breelander » August 13th, 2022, 1:41 pm

James wrote:...Easy then for spammers to send an email from joe.bloggs@yahoo.com to someone they already know. The unwary receiver is more likely to click on a compromised link in an email from a friend.

Actually the one thing spammers cannot spoof is the email address it's sent from. But they can easily hide that by spoofing the full displayed name of the sender.

I've lost count of the spam mail I've had from 'names' I know, only to look closely at the mail header to see clearly that it wasn't really from them.

eg: Displayed name: 'From: Joseph Bloggs (joe.bloggs@yahoo.com)'
actual sender found in the mail header: joe.bloggs-1234@spam-mail.xx

mc2fool
Lemon Half
Posts: 7891
Joined: November 4th, 2016, 11:24 am
Has thanked: 7 times
Been thanked: 3050 times

Re: Spoof emails - how do they work?

#522107

Postby mc2fool » August 13th, 2022, 2:18 pm

Breelander wrote:
James wrote:...Easy then for spammers to send an email from joe.bloggs@yahoo.com to someone they already know. The unwary receiver is more likely to click on a compromised link in an email from a friend.

Actually the one thing spammers cannot spoof is the email address it's sent from.

Oh yes they can. You can specify any address you like in the SMTP MAIL FROM command.

Of course, the outgoing mail server may stop you, but if the spammers own it or, as James said, they are routing through a poorly set up mail server, then it'll happily go on its way with a totally fake email address that it's sent from.

Then, of course, there are means at the receiving email server to catch that, but they are not totally foolproof ... although there's a very good chance that anything appearing to come from a major provider will get caught (SPF, DKIM and all that...).

UncleEbenezer
The full Lemon
Posts: 10809
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1471 times
Been thanked: 3002 times

Re: Spoof emails - how do they work?

#522146

Postby UncleEbenezer » August 13th, 2022, 5:03 pm

mc2fool wrote:
Breelander wrote:
James wrote:...Easy then for spammers to send an email from joe.bloggs@yahoo.com to someone they already know. The unwary receiver is more likely to click on a compromised link in an email from a friend.

Actually the one thing spammers cannot spoof is the email address it's sent from.

Oh yes they can. You can specify any address you like in the SMTP MAIL FROM command.

Indeed. The one thing that cannot be spoofed is "Received" headers. And that only once it reaches a server you can trust.
Then, of course, there are means at the receiving email server to catch that, but they are not totally foolproof ... although there's a very good chance that anything appearing to come from a major provider will get caught (SPF, DKIM and all that...).


Bear in mind that with big providers (gmail, etc), the spammer only has to subscribe to the same provider to generate genuine headers from them. They may have defences against old-fashioned mass spam, but that still leaves its more modern, more targeted variants.

The contents of a message can of course be encrypted and/or cryptographically signed. And indeed should be, where integrity and security are critical.

mc2fool
Lemon Half
Posts: 7891
Joined: November 4th, 2016, 11:24 am
Has thanked: 7 times
Been thanked: 3050 times

Re: Spoof emails - how do they work?

#522151

Postby mc2fool » August 13th, 2022, 5:45 pm

UncleEbenezer wrote:
mc2fool wrote:
Breelander wrote:
James wrote:...Easy then for spammers to send an email from joe.bloggs@yahoo.com to someone they already know. The unwary receiver is more likely to click on a compromised link in an email from a friend.

Actually the one thing spammers cannot spoof is the email address it's sent from.

Oh yes they can. You can specify any address you like in the SMTP MAIL FROM command.

Indeed. The one thing that cannot be spoofed is "Received" headers. And that only once it reaches a server you can trust.
Then, of course, there are means at the receiving email server to catch that, but they are not totally foolproof ... although there's a very good chance that anything appearing to come from a major provider will get caught (SPF, DKIM and all that...).

Bear in mind that with big providers (gmail, etc), the spammer only has to subscribe to the same provider to generate genuine headers from them. They may have defences against old-fashioned mass spam, but that still leaves its more modern, more targeted variants.

Yes, but in that case they can't spoof the actual email address it's sent from, nor (I believe, at least with some) the visible "From" address either.

formoverfunction
Lemon Slice
Posts: 344
Joined: June 12th, 2018, 9:27 pm
Has thanked: 89 times
Been thanked: 127 times

Re: Spoof emails - how do they work?

#522239

Postby formoverfunction » August 14th, 2022, 7:45 am

Why not simply move your email, and hopefully friends, to an encrypted mail provider like Proton, where the chances of having your address spoofed fall considerably? https://en.wikipedia.org/wiki/ProtonMail
I believe Proton allows you to "white list" and only receive mail in your inbox from addresses on that list. So you'll get encrypted mail between you and your friends and no more random spam. If you go full in and pay, it's also possible to have VPN, encrypted calendar and 500 GB of storage with them and 15 alias email addresses, alongside ProtonBridge that encrypts/decrypts mail on your local client.

servodude
Lemon Half
Posts: 8401
Joined: November 8th, 2016, 5:56 am
Has thanked: 4486 times
Been thanked: 3608 times

Re: Spoof emails - how do they work?

#522259

Postby servodude » August 14th, 2022, 9:21 am

mc2fool wrote:
UncleEbenezer wrote:
mc2fool wrote:
Breelander wrote:
James wrote:...Easy then for spammers to send an email from joe.bloggs@yahoo.com to someone they already know. The unwary receiver is more likely to click on a compromised link in an email from a friend.

Actually the one thing spammers cannot spoof is the email address it's sent from.

Oh yes they can. You can specify any address you like in the SMTP MAIL FROM command.

Indeed. The one thing that cannot be spoofed is "Received" headers. And that only once it reaches a server you can trust.
Then, of course, there are means at the receiving email server to catch that, but they are not totally foolproof ... although there's a very good chance that anything appearing to come from a major provider will get caught (SPF, DKIM and all that...).

Bear in mind that with big providers (gmail, etc), the spammer only has to subscribe to the same provider to generate genuine headers from them. They may have defences against old-fashioned mass spam, but that still leaves its more modern, more targeted variants.

Yes, but in that case they can't spoof the actual email address it's sent from, nor (I believe, at least with some) the visible "From" address either.


Given the hijinks we all used to get up to using telnet to port 25 I wouldn't inherently trust anything that came through email.
I'd look at it the same way I do to the stuff that gets pushed through my letterbox (albeit probably binning it more slowly :( )

Infrasonic
Lemon Quarter
Posts: 4487
Joined: November 4th, 2016, 2:25 pm
Has thanked: 648 times
Been thanked: 1264 times

Re: Spoof emails - how do they work?

#522266

Postby Infrasonic » August 14th, 2022, 9:24 am

Using encrypted email doesn't stop your addresses being harvested via a compromised email server/relay as the message source headers are still plain text in order for them to be readable by all nodes on the journey.


You can also make your inbox exclusive to contacts and use registered two way aliases (your real address remaining anonymous on replies) with webmail services like Outlook.com (aka Hotmail). That's how I have mine set up. (I've also got 2 Protonmail accounts...).

The downside is you'll have to trawl through the spam folder more often looking for genuine emails you want, as any email from a new address will automatically route to spam, even if from an allow-listed contact - an issue with large corporations who use a myriad of send addresses.

Using on the fly aliases like the kind provided by Gmail won't work as replies use the real account address in the message source headers, so the compromised server issue remains.

UncleEbenezer
The full Lemon
Posts: 10809
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1471 times
Been thanked: 3002 times

Re: Spoof emails - how do they work?

#522270

Postby UncleEbenezer » August 14th, 2022, 9:29 am

servodude wrote:Given the hijinks we all used to get up to using telnet to port 25

Of the boss's workstation, of course :twisted: Or other target. Though that too would show up in the logs, so suited to pranks rather than anything serious that would merit full investigation. Unless perhaps you were the sysop, or knew the sysop to be too lazy and incompetent to read the log and trace it back to you.

servodude
Lemon Half
Posts: 8401
Joined: November 8th, 2016, 5:56 am
Has thanked: 4486 times
Been thanked: 3608 times

Re: Spoof emails - how do they work?

#522272

Postby servodude » August 14th, 2022, 9:31 am

UncleEbenezer wrote:
servodude wrote:Given the hijinks we all used to get up to using telnet to port 25

Of the boss's workstation, of course :twisted: Or other target. Though that too would show up in the logs, so suited to pranks rather than anything serious that would merit full investigation. Unless perhaps you were the sysop, or knew the sysop to be too lazy and incompetent to read the log and trace it back to you.

In those days sysops fell to us students what had pushed for access to Janet ;)

didds
Lemon Half
Posts: 5300
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3294 times
Been thanked: 1032 times

Re: Spoof emails - how do they work?

#523447

Postby didds » August 18th, 2022, 12:00 pm

Mike4 wrote:
I suspect spammers put <mail>@<any old domain they happen to notice> in the 'from' field, and once in a while they happen to notice my domain. Or <random string>@gmail.com where the random string happens to be <my address>@gmail.com.


Fundamentally yes. Whether the <address> is from guesswork (monkeys at typewriters sledgehammer approach) or addresses gleaned from a sold/hacked list.

The next part is them then using an insecure SMTP (email) server that has poor security restrictions on the domains it will relay (send from and to).
Even the "finding" of an insecure SMTP server could be done on a sledgehammer approach by just trying basic telnet on port 25 to <random IP> until a connection is found.

Once those two are ascertained it's trivial to send as many emails as they then want:

telnet IP 25
ehlo <sending domain>
mail from: <your address>
rcpt to: <recipient's address>
data
subject: <waffle>
<more waffle>
.

Job done.

didds

Infrasonic
Lemon Quarter
Posts: 4487
Joined: November 4th, 2016, 2:25 pm
Has thanked: 648 times
Been thanked: 1264 times

Re: Spoof emails - how do they work?

#523469

Postby Infrasonic » August 18th, 2022, 1:07 pm

didds wrote:
Mike4 wrote:
I suspect spammers put <mail>@<any old domain they happen to notice> in the 'from' field, and once in a while they happen to notice my domain. Or <random string>@gmail.com where the random string happens to be <my address>@gmail.com.


Fundamentally yes. Whether the <address> is from guesswork (monkeys at typewriters sledgehammer approach) or addresses gleaned from a sold/hacked list.

The next part is them then using an insecure SMTP (email) server that has poor security restrictions on the domains it will relay (send from and to).
Even the "finding" of an insecure SMTP server could be done on a sledgehammer approach by just trying basic telnet on port 25 to <random IP> until a connection is found.

Once those two are ascertained it's trivial to send as many emails as they then want:

telnet IP 25
ehlo <sending domain>
mail from: <your address>
rcpt to: <recipient's address>
data
subject: <waffle>
<more waffle>
.

Job done.

didds


The response to this issue was for 'dodgy' SMTP IP addresses to start appearing on public grey/blocklists so that email providers could auto spam folder or block email from those IP addresses.

The problem is if you have your own web or domain mail on a shared server that is issuing spam then you'll get tarred with the same brush and could end up with delivery issues. The big providers (Gmail et al) will run their own internal 'black boxed' lists to slow down the arms race with the spammers.

Microsoft had a purge a few years ago and quite a few email domain hosts had black-holing issues (they weren't even getting NDRs).
Cue an outcry, and MS backed off at its receive end and just started sending anything questionable to the spam folder for the end recipient to filter themselves - effectively a soft fail/quarantine response.

These days spammers are using the big webmail companies to send from to take advantage of the authenticated environment (SPF/DKIM). If they score low on the spam filters with clever wording and formatting they can make it to your inbox if you don't run it exclusive to contacts only. As addresses get taken down they just rotate the same emails to new sent from addresses.

Not all big companies use strict DMARC policies (which would help prevent spoofing of their domain mail) - using other proprietary solutions.
https://dmarc.org/overview/
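An added example, not code from any post in this thread, showing the receiver-side checks the discussion above describes: Breelander's lookalike address smuggled into the display name, the Return-Path (the SMTP MAIL FROM that mc2fool notes can be anything), the Received chain UncleEbenezer mentions, and the SPF/DKIM/DMARC verdicts Infrasonic refers to. Both messages are constructed samples; the hostnames, addresses and the 198.51.100.7 address are placeholders, and the verdict logic is a deliberately conservative heuristic, not any provider's real filter.

```python
import email
import re
from email.utils import parseaddr

# Address-like tokens, used to spot lookalikes hidden in the display name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Verdicts the receiving server records in Authentication-Results (RFC 8601).
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

def analyse_headers(raw_message: str) -> dict:
    """Checks a receiver can make on the headers before trusting the visible sender."""
    msg = email.message_from_string(raw_message)
    from_header = msg.get("From", "")
    display_name, real_sender = parseaddr(from_header)
    # Any address in From other than the real sender was put in the display name
    # to impersonate somebody else.
    lookalikes = sorted({a for a in ADDR_RE.findall(from_header)
                         if a.lower() != real_sender.lower()})
    # Return-Path is the envelope MAIL FROM the sender chose; a mismatch with From
    # is a hint only, since mailing lists and forwarders do this legitimately.
    _, envelope_sender = parseaddr(msg.get("Return-Path", ""))
    # Received headers are prepended hop by hop: only the topmost, written by the
    # receiver's own trusted servers, can be relied on.
    received = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    return {"display_name": display_name, "real_sender": real_sender,
            "lookalikes": lookalikes, "envelope_sender": envelope_sender,
            "received": received, "auth": auth}

def is_suspicious(report: dict) -> bool:
    """Conservative verdict: mail that passes SPF/DKIM can still carry a lookalike name."""
    auth = report["auth"]
    if report["lookalikes"] or auth.get("dmarc") == "fail":
        return True
    # Neither SPF nor DKIM passed (or there is no Authentication-Results at all).
    return auth.get("spf") != "pass" and auth.get("dkim") != "pass"

# Constructed sample: authenticated spam from a throwaway domain, dressed up with a
# display name carrying a friend's address (Breelander's pattern).
SPOOFED = """\
Return-Path: <bounce@spam-mail.xx>
Received: from mx.spam-mail.xx (mx.spam-mail.xx [198.51.100.7])
 by inbound.example.net with ESMTP; Sat, 13 Aug 2022 13:40:01 +0100
Received: from [10.0.0.5] by mx.spam-mail.xx; Sat, 13 Aug 2022 13:39:58 +0100
Authentication-Results: inbound.example.net; spf=pass smtp.mailfrom=spam-mail.xx;
 dkim=pass header.d=spam-mail.xx; dmarc=pass header.from=spam-mail.xx
From: "Joseph Bloggs (joe.bloggs@yahoo.com)" <joe.bloggs-1234@spam-mail.xx>
To: friend@example.net
Subject: photos

click the link
"""

# Constructed sample: a genuine message from the friend's own provider.
GENUINE = """\
Return-Path: <joe.bloggs@yahoo.com>
Authentication-Results: inbound.example.net; spf=pass smtp.mailfrom=yahoo.com;
 dkim=pass header.d=yahoo.com; dmarc=pass header.from=yahoo.com
From: "Joseph Bloggs" <joe.bloggs@yahoo.com>
To: friend@example.net
Subject: photos

here they are
"""

if __name__ == "__main__":
    print(is_suspicious(analyse_headers(SPOOFED)), is_suspicious(analyse_headers(GENUINE)))
```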

didds
Lemon Half
Posts: 5300
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3294 times
Been thanked: 1032 times

Re: Spoof emails - how do they work?

#523489

Postby didds » August 18th, 2022, 2:46 pm

Infrasonic wrote:
The response to this issue was for 'dodgy' SMTP IP addresses to start appearing on public grey/blocklists so that email providers could auto spam folder or block email from those IP addresses.


Indeed Infrasonic - absolutely.

But until the blacklists have caught up etc as you describe, the potential is always there of course.

