3

I hope this question is not the same as this one: E-mail can be made to appear like it came from a big organization?

I'm not asking how to protect brands and large organizations (Google, Yahoo, etc.), but how can normal users protect themselves.

As far as I know there are worms that can get an email's address books, and there are programming libraries that enable users to craft packets.

By using both (stealing the address and crafting an email packet and sending it to the right server), a malicious hacker should be able to send the victim an email that will look like it came from one of his friends (asking for money, for example).

So besides the typical way (calling the person the hacker claimed to be), is there a technical way to detect such fake messages?

B00TK1D
HSN

3 Answers

5

Your description is not quite accurate, but the outcome is the same: email messages that look authentic enough to fool recipients can be sent. Note that a common way for this to occur is for the attacker to actually gain access to the sender's email service - so the fake email would be identical to a real email in every aspect, except for the person composing it.

I'm pretty confident there is no reliable way to detect such messages. You can certainly apply a battery of measurements to account for email frequency, use of language, and other variables, but I don't know of anything good enough to put into widespread use. Also, if anyone had created such a system, they would have released it already and enjoyed their hundreds of millions of dollars in earnings.

The most reliable option is for the recipient to question the sender via a different channel if a suspicious or unusual message is received.

Example 1: I get an email from my friend jane@email.com asking for money. Suspicious, I text her, and she replies that the email is authentic.

Example 2: I get an email from service@fedex.com requesting credit card details to deliver a package that incurred extra costs. I look up the phone number for my local FedEx office and ask them, and they reply that there are no packages for delivery to my address.

scuzzy-delta
4

For example, if you receive a message from yourfriend@gmail.com, there are ways in which an attacker can spoof that address so that in your inbox the message looks like it has come from yourfriend@gmail.com. Now, there are at least 2 possibilities here.

1. The attacker has used a malicious service to make an email look like it has come from yourfriend@gmail.com.

2. The attacker has gained access to your friend's account and has emailed you.

In the first case, you can find out whether the mail has actually come from a Google server or not by getting the SMTP header ("Show original" in Gmail) and then using something like http://whatismyipaddress.com/trace-email. You can paste the email header over there and then find out if the email has actually originated from a Google server or from a malicious server that allows spoofing the address. Actually, you can use this service for all suspicious-looking addresses or suspicious emails coming from addresses that look authentic.

aRun
2

I've explained this in my answer here.

Basically, you look at the headers (there should be some option "view original" in your email provider. For GMail it's "show original message" below the reply arrow). Specifically, the Received: headers of the type Received: from abc.com (IP address) by def.com (IP). These headers are written by the by server, when they get your email from the from server.

Let's assume you use GMail [1]. The bottommost Received: headers are of the form from something.google.com (IP) by somethingelse.google.com (IP). These will be correct. If you want to be certain, do a reverse DNS lookup on the IPs and ensure that they match the given domain.

Alright. Now, at one point, while going up the header list, you will find a header of the form from abc.com (IP) by something.google.com. You can trust this header as well. Now, check if the from of this header matches the by of the one above it (verify the reverse DNS entries as well). Also, check if you really trust the server in the from of this header. If the server is something like nigerianprince.x123.cscabgvj.ng (basically the second-level domain name isn't trusted), it's probably untrustworthy and the rest of the headers above it may have been spoofed by it. If not, then move up one header and repeat till you reach the last one. If you manage to reach the last one without trust issues, the email comes from where it claims to.

[1] Note that for most major email providers, GMail can tell if the email is spoofed, and will show a "From billgates@microsoft.com via apple.com" or something when the email doesn't come from where it claims to. Note that this has legitimate uses in mailing lists, so don't automatically distrust all emails with a via in them. (Distrust them if you distrust the "via" domain.)

Manishearth
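A worked version of the Received: header walk in the answer above and of the "did it really come from a Google server" check in aRun's answer, as an added example that is not from either answer. It follows the chain from the receiving server's own hop back toward the claimed origin; the messages, the documentation IPs and the `rdns` map (standing in for a real reverse DNS lookup) are constructed, and the second-level-domain extraction is a simplification that ignores the public suffix list.

```python
import email
import re

# "from <host> (<rdns-name> [<ip>]) by <host>", as written by each receiving server.
HOP_RE = re.compile(r"from\s+(\S+)\s+\([^)]*?\[?(\d+\.\d+\.\d+\.\d+)\]?\)\s+by\s+(\S+)", re.S)

def parse_hops(raw):
    """Return (from_host, from_ip, by_host) per Received: header, newest (your own server) first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1).lower().rstrip(".;"), m.group(2), m.group(3).lower().rstrip(".;")))
    return hops

def sld(host):
    """Second-level domain, e.g. mx.google.com -> google.com (simplified: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def trace(raw, rdns, trusted):
    """Walk from the receiving server's hop back toward the origin. rdns: constructed IP->hostname
    map standing in for reverse DNS; trusted: second-level domains whose Received: lines you believe.
    Returns (origin_host, findings); origin_host is the first relay outside trusted infrastructure."""
    hops, findings = parse_hops(raw), []
    for i, (frm, ip, by) in enumerate(hops):
        if sld(by) not in trusted:  # this line was written by a server we do not trust
            findings.append(f"hop {i}: written by untrusted server {by}")
            return frm, findings
        if rdns.get(ip) != frm:
            findings.append(f"hop {i}: reverse DNS for {ip} is {rdns.get(ip)!r}, not {frm}")
        if i + 1 < len(hops) and hops[i + 1][2] != frm:
            findings.append(f"hop {i}: 'from {frm}' does not match the older hop's 'by {hops[i + 1][2]}'")
        if sld(frm) not in trusted:  # mail entered trusted infrastructure here; older lines are unverifiable
            findings.append(f"hop {i}: entered from {frm}; headers below it may be forged")
            return frm, findings
    return (hops[-1][0] if hops else None), findings

# Constructed samples; the spoofed one claims a Gmail sender but entered Google from an outside relay.
RDNS = {"203.0.113.10": "mail-x.google.com", "203.0.113.11": "mail-y.google.com",
        "198.51.100.7": "nigerianprince.x123.cscabgvj.ng"}
SPOOFED = """\
Received: from mail-x.google.com (mail-x.google.com. [203.0.113.10]) by mx.google.com with SMTP
Received: from nigerianprince.x123.cscabgvj.ng (nigerianprince.x123.cscabgvj.ng [198.51.100.7]) by mail-x.google.com
Received: from localhost (localhost [127.0.0.1]) by nigerianprince.x123.cscabgvj.ng
From: yourfriend@gmail.com
"""
GENUINE = """\
Received: from mail-y.google.com (mail-y.google.com [203.0.113.11]) by mx.google.com with SMTP
Received: from mail-x.google.com (mail-x.google.com [203.0.113.10]) by mail-y.google.com
From: yourfriend@gmail.com
"""
```

Calling `trace(SPOOFED, RDNS, {"google.com"})` names the outside relay as the origin and reports it, while the genuine chain stays inside google.com with no findings.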