124

I read that you can write anything into the From: field of an e-mail.

If that is true, then why are phishing e-mails trying to trick me with look-a-like addresses like service@amaz0n.com instead of just using the actual service@amazon.com itself?

Jonas Stein
JFB
  • 48
    You could tell everyone that you are the Pope, and there is nothing that prevents you from doing that. But those who know who the Pope is would recognise that you are lying. Email has this verification process. – schroeder Mar 05 '19 at 16:48
  • 4
    @schroeder, I don't think email requires any verification. AFAIK, it's up to the email provider, and I've seen huge differences between them. Some might display additional info (a "from" field and also a "sender" field), some might put the message in the junk folder, some might outright reject it... and others might accept it. I know for sure, because I tested it yesterday, that a reputable provider in my country accepts spoofed addresses because an SPF (soft)fail alone is not enough to trigger their SpamAssassin, so spoofed emails can look totally authentic. – reed Mar 06 '19 at 11:54
  • 2
    @reed, SPF policies alone do not typically DROP email altogether. And for good reason. It would be a nightmare if your email provider started dropping email that might be legitimate, even if it's very unlikely. The policies of SPF are usually just to decide if the mail should go straight to spam or contain a potential spam/phishing warning. Only with DKIM/DMARC can you really get enough of a picture to say 'yeah, this email is bollocks, let's drop it'. – hiburn8 Mar 06 '19 at 17:51
  • The soft-fail is the equivalent of saying 'Our email /should/ come from X, Y and Z, so if it doesn't then maybe it's not us... but it might be'. – hiburn8 Mar 06 '19 at 17:53
  • 5
    One possible use of a fake address email nowadays would be in case the victim is trying to actually answer the email. The attacker could receive the response and create a discussion with an unaware victim and perform social engineering. If the "reply to" address were not under control, then the attacker would not (at least not easily) intercept anything. – Pacopaco Mar 07 '19 at 09:10
  • 1
    @Pacopaco that's where the reply-to field comes into play – Antzi Mar 08 '19 at 06:59
  • @Antzi Email with a reply-to that doesn't come from a mailing list is rare these days. Email clients can warn the user "do you really want to reply to X", which is an unusual message that is likely to bring unwanted attention. – curiousguy Mar 09 '19 at 03:38
  • @curiousguy don't get me started on reply-to - I have an old hotmail address that I use for anything that may end up in my receiving spam. It seems to have been picked up recently by apple account scammers (sending emails that my (non-existent) account is compromised). **Outlook.live** puts the content of the reply-to (in this case support@apple.com) where the from address usually goes, so to an average joe, it looks more legit because of how the client displays it. Who the **** came up with that design? – Baldrickk Apr 01 '19 at 11:09

5 Answers

187

While one could create a mail with @amazon.com as SMTP envelope and/or From field of the mail header, the mail would likely be blocked since this domain is protected with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). This means that a spoofed mail would be detected as such and get rejected by many email servers. In contrast, using another domain which is not protected this way, or which is protected but controlled by the attacker, is more successful.

To explain in short what these technologies do:

  • SPF
    Checks if the sender IP address is allowed for the given SMTP envelope sender (SMTP.MAILFROM). `dig txt amazon.com` shows that an SPF policy exists.
  • DKIM
    The mail server signs the mail. The public key to verify the mail is retrieved using DNS. Amazon uses DKIM, as can be seen from the DKIM-Signature fields in the mail header.
  • DMARC
    Aligns the From field in the mail header (RFC822.From) with the domain of the DKIM signature for DKIM or the domain of the SMTP envelope for SPF. If an aligned and successful SPF/DKIM exists, the DMARC policy matches. `dig txt _dmarc.amazon.com` shows that Amazon has a DMARC record with a policy of quarantine.

Neither SPF nor DKIM on their own help against spoofing of the From field in the mail header. Only the combination of at least one of these with DMARC protects against such header spoofing.

gerrit
Steffen Ullrich
  • 1
    Not quite true on the last line... an SPF record can, by itself, protect against spoofing. Hard-fail SPF records (those ending in '-all') are typically expected to result in violating emails being moved directly to spam, and soft-fail emails quite often result in a warning for the user (as with Gmail, o365). These choices do need some better level of standardisation, but that's what is happening in the wild; for example I have seen email clients which do completely drop email when hard-fail violations occur. – hiburn8 Mar 06 '19 at 17:45
  • 11
    @hiburn8: This is about spoofing the `From` field in the mail header. SPF does not even look at the `From` field of the mail (RFC822.FROM) but cares only about the SMTP envelope (SMTP.MAILFROM). An attacker can use an SMTP envelope with a proper domain which has either no SPF or has a valid SPF since the domain is controlled by the attacker - thus making SPF not fail. Only the combination with DMARC will protect against spoofing the `From` field of the mail header since it requires an alignment of the domain in either SMTP envelope for SPF or the domain in the DKIM-Signature field. – Steffen Ullrich Mar 06 '19 at 18:00
  • 1
    Ah yes, sorry I misread your answer. I thought you were saying SPF alone provides no spoofing mitigations whatsoever. +1 – hiburn8 Mar 07 '19 at 12:50
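The alignment rule Steffen Ullrich describes is easiest to see as the receiver's decision procedure. The block below is an added example, not code from the answer: it applies DMARC alignment to an SPF result (SMTP envelope domain) and a DKIM result (the signature's `d=` domain) against the RFC822 From domain. The DMARC record, domains and results are constructed, and the organizational domain is approximated as the last two labels (real receivers use the Public Suffix List); it also covers the unprotected-domain case where no DMARC record exists.

```python
# Added example, not from the answer: how a receiver combines SPF/DKIM results
# with DMARC alignment. Domains, record and results are constructed; the
# organizational domain is approximated as the last two labels (no Public Suffix List).

def parse_dmarc(record):
    """Parse a DMARC TXT record ('v=DMARC1; p=quarantine; ...') into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Crude organizational domain: the last two labels of the name."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(from_domain, dmarc_record, spf_result, mailfrom_domain,
                   dkim_result=None, dkim_domain=None):
    """Return (dmarc_result, policy_to_apply). from_domain is the RFC822 From
    header domain, mailfrom_domain the SMTP envelope domain SPF checked, and
    dkim_domain the d= tag of a verified DKIM-Signature (None if unsigned)."""
    if dmarc_record is None:
        return "none", "none"  # unprotected domain: nothing to enforce
    tags = parse_dmarc(dmarc_record)
    spf_aligned = (spf_result == "pass" and
                   aligned(from_domain, mailfrom_domain, tags.get("aspf", "r")))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None and
                    aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags.get("p", "none")

AMAZON_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid"  # constructed

def spoofed_message():
    """Attacker's own envelope domain passes SPF but does not align with From."""
    return evaluate_dmarc("amazon.com", AMAZON_DMARC, "pass", "attacker.example")

def legitimate_message():
    """Envelope from a bounce subdomain plus a DKIM d=amazon.com signature."""
    return evaluate_dmarc("amazon.com", AMAZON_DMARC, "pass",
                          "bounces.amazon.com", "pass", "amazon.com")
```

The spoofed case returns `("fail", "quarantine")` even though SPF passed, which is exactly why a passing SPF on an attacker-controlled envelope domain buys nothing once the From domain publishes DMARC.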
23

To complement Steffen Ullrich's answer, note that:

  • Historically, it was indeed possible to spoof anything you wanted, no one checked, everybody trusted everybody.
  • However, with the rise of spam, phishing and other scams, SPF, DKIM and DMARC were introduced. Those allow a server to check if the sender does have the right to send mail with a sender in a given domain.
  • To work, those require both the sender and the receiver to implement those methods.
  • Most large e-mail providers will definitely implement at least one of the 3 methods on their side (as a receiver), and many organisations at risk of having people trying to impersonate them will implement at least one of the 3 methods on their side as well (as a sender).
  • However, there are still both e-mail systems that check none of them and domains without the appropriate setup.

So if you find a domain without SPF, DKIM or DMARC, you could send e-mail on behalf of that domain and not be rejected outright. Many e-mail providers will "trust" such e-mails less than others, and they have a larger chance of being handled as spam.

Likewise, you could send e-mail even "from" a domain protected with SPF, DKIM or DMARC to an e-mail system that doesn't check it.

But most definitely, if you want to send as Apple or Amazon to mailboxes managed by Google or Microsoft, that won't work. And that's the reason they use other domain names for this.

Alexei
jcaron
  • Note that only DMARC prevents spoofing of the From: address, as SPF and DKIM don't do this - DKIM can let the sender, optionally, prove they own that domain, but cannot help the recipient check the domain in the From: field if a DKIM signature is not present. – thomasrutter Mar 08 '19 at 03:40
17
  • The phisher may be hoping to get any replies to send to that address.
  • They are trying to avoid the various frameworks that exist to prevent spoofed "from" fields from being perceived as authentic by a human user.

Using this tool I was able to check that amazon.com does have SPF configured. Of course it's on your email client to check DNS for SPF, but most people's clients do do that.

ShapeOfMatter
3

It might be worth noting the difference between theory and practice. SMTP (Simple Mail Transfer Protocol), which is the basis of e-mail, doesn't really prevent spoofing. I think that's where this quote comes from.

However, while SMTP is part of e-mail as it is now, it's not the only thing in the pipeline. While I am sure there are some completely vanilla implementations of this in the wild, the vast majority of people will be using one of the few "big" stacks, which come with a lot of extras to stop this kind of behaviour.

As the goal of spamming is to reach as many (and, sadly, the most gullible) people as possible, the cost of having the majority of cases filtered out in order to get the credibility of a real address is not good. This is particularly true if the scam involves effort on the part of the scammer to proceed, as the sort of person skeptical enough to notice that "service@amaz0n.com" looks wrong is likely a target you want to weed out early.

ANone
  • I think the point about only wanting easy marks is a good one. There is a tendency to do this deliberately in the contents of the message too. It's been covered here before: https://security.stackexchange.com/questions/96121/why-do-phishing-emails-have-spelling-and-grammar-mistakes – drjpizzle Mar 06 '19 at 17:19
-2

James Veitch sheds some light on it in this TED Talk.

He starts his talk by telling about some phishing scam e-mail he received, the one about a South African lieutenant asking for help with diamonds. The whole story is ridiculous and, for most of us, completely unbelievable. But

"[...] if you think about it, this is actually rather clever. Because by making the scams ridiculous, ideally for the scammer, the only people who are going to reply are the most gullible people."

If you are naive or distracted enough to misread "amaz0n" as "amazon", then maybe you are worth a try... If you notice the different domain, you are paying attention, and it is probably a waste of the scammer's time to try to trick you.

  • 2
    I don't believe it's fair to say "If you are naive or distracted enough to misread "amaz0n" as "amazon", then maybe you are worth a try." Not everyone grew up with technology, and this sounds a lot like "If you are too dumb to realize it, you deserve being hooked." The REAL answer to why they use similar, but not identical domain names is because they are technically unable to spoof the real name Amazon.com. If they could use "amazon.com" I'm certain they would. – SomeGuy Mar 08 '19 at 17:11
  • 3
    You have an error in logic. It is not "because you are vulnerable, we will try this" but rather, "we try everybody and people's vulnerabilities will be exposed". – schroeder Mar 08 '19 at 17:47