Security Blogs


Email Spoofing


In the context of information security, and especially network security, a spoofing attack is an attack in which a person or program successfully masquerades as another by falsifying data, to gain an illegitimate advantage.

Email Spoofing:

Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a popular tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate or familiar source.

For example, a spoofed email may pretend to be from a well-known shopping website, asking the recipient to provide sensitive data such as a password or credit card number. Alternatively, a spoofed email may include a link that installs malware on the recipient’s device if clicked.

How does Email Spoofing work?

Anatomy of an email spoofing attack

Email Spoofing is achieved due to misconfigurations of the SMTP (Simple Mail Transfer Protocol) server. The SMTP server allows for the Sender Policy Framework (SPF) and the Domain-based Message Authentication, Reporting, and Conformance (DMARC) to be set up properly and securely. Some variables of the SPF and DMARC are as follows:

Sender Policy Framework (SPF) variables:
Variable Name Description
+ Pass A pass result means the client is authorized to inject mail with the given identity.
? Neutral A neutral result indicates that although a policy for the identity was discovered, there is no definite assertion (positive or negative) about the client.
~ Soft fail A soft fail result ought to be treated as somewhere between “fail” and “neutral/none”.
Hard fail A hard fail, or simply fail result is an explicit statement that the client is not authorized to use the domain in the given identity.
Domain-based Message Authentication, Reporting and Conformance (DMARC) variables:

DMARC requires domain owners to set a policy (p) tag in their DMARC record. This policy tells recipients how they should react to an email that appears to come from that domain based on the message from header, but does not pass DMARC alignment.

Policy Description
None The Domain Owner requests no specific action be taken regarding delivery of messages.
Quarantine The Domain Owner wishes to have email that fails the DMARC mechanism check be treated by Mail Receivers as suspicious. Depending on the capabilities of the Mail Receiver, this can mean place into spam folder, scrutinize with additional intensity, and/or flag as suspicious.
Reject The Domain Owner wishes for Mail Receivers to reject email that fails the DMARC mechanism check. Rejection SHOULD occur during the SMTP transaction.

Protection against Email Spoofing:

  • Use end-point security to protect against viruses and malwares.
  • Do not click on links in the email, or share any personal information through email.
  • Turn spam filters on.
  • Open, read and check email headers for signs of spoofing.
  • Conduct Reverse IP lookups to verify the actual sender.
  • Properly set up DMARC and SPF records.

Leave a Reply

Your email address will not be published. Required fields are marked *