Mar 23, 2011

Virus: Email Spoofing

Email Spoofing

E-mail spoofing is the forgery of an e-mail header so that the message 
appears to have originated from someone or somewhere other than the 
actual source. Distributors of spam often use spoofing in an attempt to 
get recipients to open, and possibly even respond to, their solicitations. 
Spoofing can be used legitimately. Classic examples of senders who 
might prefer to disguise the source of the e-mail include a sender
reporting mistreatment by a spouse to a welfare agency or a 
"whistle-blower" who fears retaliation. However, spoofing anyone other 
than yourself is illegal in some jurisdictions.

 E-mail spoofing is possible because Simple Mail Transfer Protocol (SMTP), the main protocol used in sending
e-mail, does not include an authentication mechanism. Although an SMTP service extension (specified in IETF 
RFC 2554) allows an SMTP client to negotiate a security level with a mail server, this precaution is not often 
taken. If the precaution is not taken, anyone with the requisite knowledge can connect to the server and use 
it to send messages. To send spoofed e-mail, senders insert commands in headers that will alter message 
information. It is possible to send a message that appears to be from anyone, anywhere, saying whatever the
sender wants it to say. Thus, someone could send spoofed e-mail that appears to be from you with a message
that you didn't write.


Because many spammers now use special software to create random sender addresses, even if the user finds
the origin of the e-mail it is unlikely that the e-mail address will be active.

The technique is now used ubiquitously by bulk e-mail software as a means of concealing the origin of the 
propagation. On infection, worms such as ILOVEYOU, Klez and Sober will often try to perform searches for 
e-mail addresses within the address book of a mail client, and use those addresses in the From field of 
e-mails that they send, so that these e-mails appear to have been sent by the third party. Newer variants 
of these worms have built on this technique by randomising all or part of the e-mail address. A worm can 
employ various methods to achieve this, including:
  • Random letter generation
  • Built-in wordlists
  • Amalgamating addresses found in address books

Squirrel Mail Spoofing: 
Spammers are also using other methods to spoof and send spam via web based emails. First the spammers 
deploy brute force robots where they attempt to guess a common password.  The spammer’s robot takes 
advantage of common situations like known passwords and will send random query of all possible users and 
passwords for months and even years.

          Using robots the spammer can send hundreds of queries per minute. Once the password of users online 
is guessed the spammer will login via webmail which is usually installed on many servers. SquirrelMail is 
commonly used. They then change the ‘Personal Information’ to spoof their spam. Here the spammer changes 
everything so the reply address is listed but the actual server address is valid. For example if the domain is the spammer will leave this in the emailaddress field because most servers will deny or fail via 
authentication anything that does not have the server domain. However the spammer changes the reply address, 
which often enables them to get replies. The spammers are also time efficient in that they do not want to copy 
and paste the body of the message. So they insert the spam in the SIGNATURE contents.

The spammer can now send email like a regular user. They compose a new email. They insert recipients 
in the BCC field and their spam contents are automatically inserted. This is how email is being spoofed and
spam mails are sent.


Post a Comment

Twitter Delicious Facebook Digg Stumbleupon Favorites More