What is Email Spoofing
Email spoofing is the creation of email messages with a forged sender address.
The original transmission protocols used for email have no built-in authentication: this deficiency lets spam and phishing emails use spoofing to mislead the recipient. More recent countermeasures have made spoofing from Internet sources more difficult but have not eliminated it, and few internal networks have defenses against a spoofed email sent from a colleague's compromised computer on the same network. Individuals and businesses deceived by spoofed emails may suffer significant financial losses; businesses risk compound losses, since spoofed email is one of the primary delivery routes for ransomware.
When a Simple Mail Transfer Protocol (SMTP) email is sent, the initial connection provides two pieces of address information:
- MAIL FROM: – generally presented to the recipient as the Return-path: header but not normally visible to the end-user, and by default, no checks are done that the sending system is authorized to send on behalf of that address.
- RCPT TO: – specifies which email address the email is delivered to, is not normally visible to the end-user but may be present in the headers as part of the “Received:” header.
Together these are sometimes referred to as the “envelope” addressing – an analogy to a traditional paper envelope. Unless the receiving mail server signals that it has problems with either of these items, the sending system sends the “DATA” command, and typically sends several header items, including:
- From: Joe Q Doe <joeqdoe@example.com> – the address visible to the recipient; but again, by default, no checks are done that the sending system is authorized to send on behalf of that address.
- Reply-To: Jane Roe <Jane.Roe@example.mil> – similarly not checked; and sometimes:
- Sender: Jin Jo <jin.jo@example.jp> – also not checked.
The result is that the recipient sees the email as having come from the address in the From: header. They may sometimes be able to find the MAIL FROM address in the Return-Path: header, and a reply goes to the Reply-To: address if one is present, otherwise to the From: address. None of these addresses is reliable, and because delivery failure reports are sent to the MAIL FROM address, a forged MAIL FROM turns automated bounce messages into backscatter aimed at an innocent third party.
Although email spoofing is effective in forging the sender address, the IP address of the computer that sent the mail can generally be identified from the Received: lines in the email header, bearing in mind that only the Received: lines added by mail servers you trust are reliable; any lines the sender inserted before handing over the message can be forged too. In malicious cases, however, this is likely to be the computer of an innocent third party infected by malware that is sending the email without the owner's knowledge.
Malicious use of spoofing
Phishing and business email compromise (see below) scams generally involve an element of email spoofing.
Email spoofing has caused public incidents with serious business and financial consequences. In October 2013, a news agency received an email spoofed to look as though it came from the Swedish company Fingerprint Cards, stating that Samsung had offered to buy the company. The news spread and the company's share price surged by 50%.
Malware such as Klez and Sober, along with many more modern examples, often searches for email addresses on the computer it has infected and uses them both as targets and to create credible forged From: fields in the emails it sends, so that those emails are more likely to be opened. For example:
- Alice is sent an infected email which she opens, running the worm code.
- The worm code searches Alice’s email address book and finds the addresses of Bob and Charlie.
- From Alice's computer, the worm sends an infected email to Bob, forged to appear as if it came from Charlie.
In this case, even if Bob's system detects the incoming mail as containing malware, it reports the source as Charlie, even though the mail really came from Alice's computer. Meanwhile, Alice may remain unaware that her computer has been infected, and Charlie knows nothing about it at all unless he receives a bounce or error message from Bob's system.
How does email spoofing differ from spam and email phishing?
The difference is one of intent and technique. Spam is unsolicited bulk email, and a spammer does not need to forge the sender address to send it, whereas a spoofed message is defined by its forged headers. Both phishing and spoofing aim to make the recipient believe the message came from a legitimate sender, but the phisher's goal is to obtain the victim's personal and financial information, and a spoofed sender is just one of the tools used to get there.
How can Libraesva help?
Anti-Spoofing Protection
Libraesva ESG implements the standard authentication protocols SPF, DKIM and DMARC, which can actively stop domain spoofing. An additional proprietary feature prevents spoofing of any configured domain when the message originates from outside the organization.
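To make concrete what SPF, DKIM and DMARC contribute, here is an added example of the DMARC alignment decision from RFC 7489, written for this article and not taken from Libraesva's product. It assumes the receiving server has already produced SPF and DKIM verdicts; the DMARC record and domains are constructed, and the organizational-domain helper is a deliberate simplification (real evaluators consult the Public Suffix List).

```python
# Constructed DMARC record for example.com. A real record is published as the
# TXT record at _dmarc.example.com; sp= and pct= are ignored in this example.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Simplification for this example: the last two labels.

    Production code must use the Public Suffix List, otherwise every
    customer of a shared suffix such as co.uk would align with each other.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from_domain, mode):
    """DMARC identifier alignment.

    's' (strict) requires the authenticated domain to equal the From: domain;
    'r' (relaxed) accepts any domain with the same organizational domain.
    """
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(header_from_domain)


def dmarc_evaluate(header_from_domain, spf, dkim_signatures, record):
    """Return (dmarc_result, disposition) for one message.

    spf:             (result, domain) for the SMTP MAIL FROM domain
    dkim_signatures: list of (result, d= domain), one per DKIM-Signature
    record:          the DMARC TXT record published for header_from_domain

    DMARC passes if SPF passed *and* its domain is aligned, or if any DKIM
    signature passed *and* its d= domain is aligned. Otherwise the domain
    owner's p= policy (none, quarantine or reject) is the disposition.
    """
    tags = parse_dmarc(record)
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")

    spf_result, spf_domain = spf
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from_domain, aspf)
    dkim_ok = any(result == "pass" and aligned(d, header_from_domain, adkim)
                  for result, d in dkim_signatures)

    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")


if __name__ == "__main__":
    # The spoofed message from earlier: SPF passes for the attacker's own
    # bounce domain and DKIM is signed by an unrelated domain, so neither
    # identifier aligns with From: example.com and p=reject applies.
    print(dmarc_evaluate("example.com", ("pass", "mailer.example.net"),
                         [("pass", "example.jp")], DMARC_RECORD))
    # A legitimate message relayed by a third party: SPF fails, but the DKIM
    # signature from a subdomain aligns under relaxed mode, so DMARC passes.
    print(dmarc_evaluate("example.com", ("fail", "mailer.example.net"),
                         [("pass", "mail.example.com")], DMARC_RECORD))
```

Note how the passing identifier must be aligned, not merely valid: an attacker can always publish SPF and sign with DKIM for a domain they control, and it is the alignment with the visible From: domain that DMARC adds.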
Whaling Protection Engine
Libraesva designed a dedicated engine to intercept whaling attacks, in which a message impersonates a senior executive. The required configuration is minimal: the names and legitimate email addresses of the company executives, and you are covered.
Adaptive Trust Engine
Libraesva's Adaptive Trust Engine (ATE) can place an inline warning at the top of the message body when a message comes from an external source and the sender has never written to you before.
Phishing & Malware Protection
Libraesva's proprietary sandbox engines analyse links and attached documents, keeping you safe from phishing and malware.