
Similar question with an amazing answer: How can PayPal spoof emails so easily to say it comes from someone else?


I hope that the title of this question is actually a lie... but, to my knowledge, I can actually very easily send an email using someone else's email address without their permission.

Let me explain:

  • I was looking for a quick, easy and reliable way of sending math equations over email and came across this site: Send an email containing math symbols and equations! (Beta)

  • It looked good enough so I decided to send an email to myself to test it.

  • To my surprise, the website only asked for the "Recipient's email" and for "my email". And that was it! It sent the email and I did not have to authenticate anything.

  • So, this website can send emails with my email address without me ever authorizing it.

  • Sure... at the bottom of the email it says "This mail comes to you from the math mail system of Interactive Mathematics", but I'm assuming this is optional!

The website providing this service didn't do anything wrong and at the end of each email they have the quote:

This mail comes to you from the math mail system of Interactive Mathematics

Sender's IP address: xxx.xxx.xxx.xxx

but I'm assuming they don't have to do this. And that anyone can send an email using someone else's email address.


The point of this question is:

  • to understand how this is possible
  • how is this not a security issue?
  • how can I tell if an email is in fact being sent by someone and not some other entity?

  • Yes, it is typically possible (some domains declare that they want to send emails from a certain host, but not all receivers honor this policy). It is a security issue, especially used for phishing and targeted social media attacks. The most reliable way to detect this is signatures (PGP or S/MIME). Some corporate mail servers at least mark mails which are received from outside, so you can see that they are not from the IT Department or your boss. Snail mail or fax typically has the same problem. – eckes May 03 '17 at 00:20
  • Well yeah, you can put anything in the header. However, the header will still give away that the server that sent the email is not the one in the domain of the 'from' field. Gmail typically marks these as spam. (I had a lot of fun in high school forging email headers using the PHP mail() function) – Dmiters May 03 '17 at 00:29

2 Answers

3

Email is an insecure protocol. It was designed to be open before the internet was commercialised.

Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are two mechanisms that help secure email. SPF specifies the IP addresses that are authorised to send mail on behalf of the domain. DKIM proves the email was sent by the owner using signatures.

The receiving email server has to check SPF and DKIM, and based on that can take actions such as discarding, bouncing, or marking emails as spam.

Tim
  • 245
  • 1
  • 7
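To make the SPF part of this answer concrete, here is a small SPF evaluator (added example, not code from the answer above or from any real SPF library). It implements the core of RFC 7208 for the `ip4`, `ip6`, `include` and `all` mechanisms with their `+ - ~ ?` qualifiers, and reads records from a constructed in-memory table instead of DNS so it runs offline; all domain names and IP addresses in it are made up (documentation ranges). A real checker also resolves `a`, `mx`, `exists`, `ptr`, `redirect=` and macros, which this one reports as `permerror`.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed, in-memory DNS table.

Added example, not from the original post. Supports the ip4, ip6, include
and all mechanisms with the four qualifiers; a, mx, exists, ptr and
modifiers such as redirect= are not implemented and yield 'permerror'.
"""
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups (hypothetical domains).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "neutral.example": "v=spf1 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS):
    """Return the SPF record published for *domain*, or None if there is none."""
    return dns.get(domain.lower())


def check_spf(sender_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate whether *sender_ip* may send mail claiming *domain*.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"                   # domain publishes no policy: nothing to enforce
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        qualifier = "+"                 # mechanisms default to '+' (pass) when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(sender_ip, arg, dns, depth + 1)
            if inner == "pass":         # include matches only when the inner record passes
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral from the included record: keep evaluating
        else:
            return "permerror"          # mechanism not implemented in this example
    return "neutral"                    # nothing matched and no 'all' term present


def main():
    cases = [
        ("192.0.2.77", "example.com"),        # listed directly -> pass
        ("198.51.100.10", "example.com"),     # listed via include -> pass
        ("203.0.113.5", "example.com"),       # unlisted, record ends in -all -> fail
        ("10.0.0.1", "softfail.example"),     # unlisted, record ends in ~all -> softfail
        ("10.0.0.1", "nospf.example"),        # no record -> none
    ]
    for ip, dom in cases:
        print(f"{ip:>16}  {dom:<26} {check_spf(ip, dom)}")


if __name__ == "__main__":
    main()
```

The `none` and `softfail` outcomes are the reason the behaviour in the question is common: a domain that publishes no SPF record, or ends its record with `~all`, gives the receiving server no grounds to reject a third-party sender, and SPF by itself only covers the envelope sender, not the `From:` header the user sees.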
0

There are multiple websites using which you can send email using anyone's email. And yes, this is a problem. People use these methods to get sensitive information from users who don't have much information. The best way to avoid this is to confirm with the sender whether he sent this email or not.

And you can do a little analysis to confirm that the email came from such websites by analyzing the email header. The email header contains information about the website which sent the email. But in day-to-day life people never check the email headers. But it's a good practice to check the email headers or to contact the sender if the email needs your sensitive information.

Blaze
  • 41
  • 3
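The header analysis this answer recommends can be scripted. The following is an added example (not code from the answer or from any mail product) that reads the `From:` domain, the envelope sender in `Return-Path:`, and the `Authentication-Results:` header the receiving server stamped (RFC 8601 syntax, simplified), then checks whether SPF or DKIM passed for a domain that exactly matches the `From:` domain, which is the strict identifier-alignment test DMARC uses. Both messages below are constructed; `example.*` and `192.0.2.44` are documentation names and addresses, and `mathmail.example` stands in for any third-party sending service.

```python
"""Check a received message's headers for From-domain alignment.

Added example, not from the original answers. It automates the manual
header check: read the From domain, the Return-Path domain and the
Authentication-Results stamped by the receiving server, then report
whether SPF or DKIM passed for a domain aligned with From.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: From claims alice@example.com, but the envelope sender,
# the sending host and both authenticated identities belong to mathmail.example.
SPOOFED_LOOKING = """\
Return-Path: <bounce@mathmail.example>
Received: from mx.mathmail.example (mx.mathmail.example [192.0.2.44])
        by inbound.example.net with ESMTP id 123abc
Authentication-Results: inbound.example.net;
        spf=pass smtp.mailfrom=mathmail.example;
        dkim=pass header.d=mathmail.example
From: Alice <alice@example.com>
To: bob@example.net
Subject: math equation

x^2 + y^2 = z^2
"""

# Constructed message where the authenticated domain matches From.
ALIGNED = """\
Return-Path: <alice@example.com>
Authentication-Results: inbound.example.net;
        spf=pass smtp.mailfrom=example.com;
        dkim=pass header.d=example.com
From: Alice <alice@example.com>
To: bob@example.net
Subject: hello

hi
"""


def domain_of(address):
    """Return the lowercase domain of an e-mail address, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Extract (method, result, authenticated domain) triples from an
    Authentication-Results header; only spf and dkim are considered."""
    results = []
    for part in value.split(";")[1:]:   # part 0 is the authserv-id (receiving host)
        part = " ".join(part.split())   # unfold continuation lines
        m = re.match(
            r"(spf|dkim)=(\w+)(?:.*?(?:smtp\.mailfrom|header\.d)=([\w.-]+))?", part
        )
        if m:
            results.append((m.group(1), m.group(2), (m.group(3) or "").lower()))
    return results


def analyse(raw):
    """Return the identities found in the headers and whether any passing
    SPF/DKIM result is for the same domain as the visible From address."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    return_path_dom = domain_of(msg.get("Return-Path"))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    aligned = any(res == "pass" and dom == from_dom for _, res, dom in auth)
    return {
        "from_domain": from_dom,
        "return_path_domain": return_path_dom,
        "auth_results": auth,
        "aligned": aligned,
    }


if __name__ == "__main__":
    for label, raw in (("third-party sender", SPOOFED_LOOKING), ("aligned", ALIGNED)):
        print(label, analyse(raw))
```

Note that the first message passes both SPF and DKIM: the sending service is perfectly entitled to send its own mail. What gives it away is that the passing identities belong to `mathmail.example` while the user-visible `From:` says `example.com`, so the alignment check fails and a mailbox provider applying the `example.com` DMARC policy could quarantine or reject it.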