What is email spoofing:
The “FROM” header of an email is flawed by design: it is very easy to acquire a mail server and send out emails with a spoofed FROM address. This poses a significant threat to an organization, because if a person is able to impersonate the organization, the attacker can send phishing emails to users asking them to reset their password and then steal their credentials. Email spoofing can lead to the following:
- Through social engineering such as phishing emails, users’ credentials can be stolen.
- Attackers can route legitimate users towards malicious sites.
- Attackers can spread malware or ransomware in the form of attachments.
If a legitimate user does not know how to inspect an email’s headers, for example to see whether the email has passed checks such as SPF, DMARC and DKIM, he may fall into the phishing campaign. If the sender address has been spoofed, there is no way for an organization to stop the email from being delivered. There are a couple of ways users can identify a spoofed email:
- By checking the sender’s email address: sometimes attackers manipulate the domain, which can easily be spotted, for example using googlesupporthelp.com as the sending domain instead of support.google.com.
- By hovering the mouse over the attachment, we can see the domain it points to and easily identify whether it looks legitimate or not.
- By checking the body of the email for any links that lead to phishing sites.
A spoofed email can lead to financial loss for users, because in most phishing attempts the users’ username and password are stolen, and in the case of bank credentials these can be used to carry out financial transactions.
For email spoofing, the main aim of the attacker is to compromise an SMTP (Simple Mail Transfer Protocol) server so that the attacker can actually send the spoofed email from that server. Since the email server is legitimate, the email will look legitimate to users.
It is not always the case that SMTP servers get compromised. In some cases hackers can also use an individual’s email address. If an attacker uses an individual’s email address for spoofing, that user will probably get non-delivery (bounce) notifications in his mailbox. After identifying this, the legitimate user has to scan his system and check for viruses, because there is a possibility of infection.
How Sender Policy Framework/SPF helps in eliminating email spoofing:
SPF plays a very important role in eliminating email spoofing. But before that we have to know what SPF is.
What is SPF:
SPF, or Sender Policy Framework, is an authentication protocol. SPF focuses on the FROM header and, to be specific, on the “domain” found in it. In the email headers this address is visible under many names, such as “Return-Path”, “Mail-From”, “Bounce address” and “Envelope from”. The SPF record contains the domain names of the services which the organization permits to send email on its behalf. For example, my domain is ‘securitybyng.ninja’; if I permit Google to send email on my behalf, then my SPF record must contain google.com. If the domain in the “from” header is not present in the SPF record, SPF falls back and the SPF check will fail.
How it helps in eliminating email spoofing:
- First it verifies whether the sender’s IP address exists in the MX record.
- If the domain or IP is not present in the MX record, it checks the domain in the SPF record.
- If the domain is present in the SPF record, the email is coming from a legitimate source.
- If the IP address or domain is not present in the SPF record, SPF fails.
Put simply:
- If the mail-originating IP address or domain is listed in the SPF record, the SPF check passes.
- If the mail-originating IP address or domain name is not listed in the SPF record, SPF fails.
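To make the pass/fail logic above concrete, here is an added Python example (not code from the original post) that evaluates a simplified SPF record for a sending IP, walking the mx, ip4, include and all mechanisms in order. The DNS tables are constructed stand-ins for live lookups: securitybyng.ninja is the author's domain from the text, while the record contents, the mail host and the IP ranges are example values.

```python
import ipaddress
import re

# Constructed DNS zone data standing in for live lookups (example values, not the post's).
DNS_TXT = {
    "securitybyng.ninja": "v=spf1 mx ip4:203.0.113.0/24 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
}
DNS_MX = {"securitybyng.ninja": ["mail.securitybyng.ninja"]}
DNS_A = {"mail.securitybyng.ninja": "192.0.2.25"}

QUALIFIERS = {"": "pass", "+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's SPF TXT record, or None when it publishes none."""
    txt = DNS_TXT.get(domain, "")
    return txt if txt.startswith("v=spf1") else None


def mx_addresses(domain):
    """Addresses of the domain's MX hosts, resolved through the constructed tables."""
    return {DNS_A[h] for h in DNS_MX.get(domain, []) if h in DNS_A}


def check_spf(ip, domain, depth=0):
    """Evaluate whether `ip` may send mail for `domain` (mx, ip4, include, all only)."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; also guards include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        m = re.fullmatch(r"([+\-~?]?)(ip4|include|mx|all)(?::(.*))?", term)
        if not m:
            return "permerror"  # unknown or malformed mechanism
        qualifier, mech, arg = m.groups()
        matched = (
            mech == "all"
            or (mech == "ip4" and arg and addr in ipaddress.ip_network(arg, strict=False))
            or (mech == "mx" and str(addr) in mx_addresses(arg or domain))
            or (mech == "include" and check_spf(ip, arg, depth + 1) == "pass")
        )
        if matched:
            return QUALIFIERS[qualifier]  # the first matching mechanism decides
    return "neutral"  # nothing matched and no explicit "all" term
```

A "-all" record turns any unlisted sender into a hard fail, while "~all" only yields softfail, which is why the include of _spf.google.com above can never make a foreign IP pass on its own.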
How DomainKeys Identified Mail/DKIM helps in eliminating email spoofing:
DKIM provides a way to verify that the organization delivering the email has the right to do so. When sending an email with DKIM, the server signs the email with the private key of the organization. The public key is published in a TXT record of the domain and can be used to verify the email’s signature.
- If verification is successful, DKIM passes.
- If verification fails, DKIM fails.
So it enables the receiving email server to verify the authenticity of the email.
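As an added example (not code from the original post), here is a Python sketch of the receiver's side of DKIM: it parses the DKIM-Signature tags, recomputes the body hash (bh=) with the canonicalization the signature names, and derives the DNS TXT name (selector._domainkey.domain) where the public key is published. The message text, the selector sel1 and the b= value are constructed placeholders; checking the b= signature itself requires an RSA library and is left out.

```python
import base64
import hashlib
import re


def parse_tags(header_value):
    """Split a DKIM-Signature value ('v=1; a=rsa-sha256; d=...') into a tag dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is ignored
    return tags

def canonicalize_body(body, mode="relaxed"):
    """DKIM body canonicalization (RFC 6376 sections 3.4.3/3.4.4), returned as bytes."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":  # trim trailing whitespace, collapse runs of WSP to one space
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":  # trailing empty lines never count
        lines.pop()
    if not lines:  # empty body: relaxed hashes nothing, simple hashes a lone CRLF
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(body, mode="relaxed"):
    """The bh= tag value: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()

def check_body_hash(dkim_header, body):
    """Recompute bh= as a receiver would; return (hash_matches, dns_name_of_public_key).
    The b= signature over the headers must still be verified with the key at that name."""
    tags = parse_tags(dkim_header)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    dns_name = f"{tags['s']}._domainkey.{tags['d']}"
    return body_hash(body, body_mode) == tags.get("bh"), dns_name


# Constructed sample (not a real capture). The signing server computes bh= over the
# body exactly as below; b= is a placeholder, not a real RSA signature.
BODY = "Hello team,\r\n\r\nPlease review the   attached report.\r\n\r\n\r\n"
DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=securitybyng.ninja; s=sel1;\r\n"
    " h=from:to:subject; bh=" + body_hash(BODY, "relaxed") + ";\r\n"
    " b=PLACEHOLDER_SIGNATURE"
)
```

Any change to the body after signing, even one word, produces a different bh= and the receiver reports a DKIM fail before it ever touches the public key.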
How Domain-based Message Authentication, Reporting & Conformance/DMARC helps in eliminating email spoofing:
DMARC also plays a significant role in eliminating email spoofing.
What is DMARC:
Here the receiving email server checks whether the SPF or DKIM checks have passed, and then checks the domain present in the “Return-Path” or “From” header. The whitelisted domains are listed in the “d” parameter of the DMARC record as shown below.
- If both the SPF and DKIM checks have failed = DMARC fail
If DMARC has failed, there are three situations for how the mail will be delivered to the user, depending on the published policy:
- Report-only mode (p=none): The email will be accepted by the server and sent straight to the user’s inbox. Email delivery servers may apply other filtering criteria to the email, such as checking the IP address of the originating server and, if that IP is blacklisted, marking the mail as spam.
- Quarantine mode (p=quarantine): The email will be quarantined and delivered to the Spam folder of the user’s mailbox.
- Reject mode (p=reject): The destination server rejects the email and it will not be delivered to the user.
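The following added Python example (not from the original post) works through the DMARC decision described above: it takes the SPF and DKIM results together with the domains they authenticated, checks that one of them aligns with the From header domain, and maps the published p= policy onto the three outcomes. The DMARC records for securitybyng.ninja and example.org and the two-label organizational-domain shortcut are constructed assumptions.

```python
# Constructed DMARC records (example values, not the author's actual published records).
DMARC_RECORDS = {
    "_dmarc.securitybyng.ninja": "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@securitybyng.ninja",
    "_dmarc.example.org": "v=DMARC1; p=reject",
}


def parse_dmarc(domain):
    """Return the domain's DMARC policy as a tag dict, or None if none is published."""
    txt = DMARC_RECORDS.get(f"_dmarc.{domain}")
    if not txt or not txt.startswith("v=DMARC1"):
        return None
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)


def org_domain(domain):
    """Crude organizational domain (last two labels). Real receivers consult the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Alignment test: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action) where action is 'deliver', 'spam' or 'reject'.

    spf_domain is the envelope (Return-Path) domain SPF evaluated; dkim_domain is the
    d= tag of a DKIM signature that verified. DMARC passes if either authenticated
    identifier aligns with the From header domain; otherwise p= decides the action."""
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "none", "deliver"  # no DMARC record published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "spam", "reject": "reject"}[policy.get("p", "none")]
    return "fail", action
```

The second assertion in the test below is the spoofing case from the text: SPF passes for the attacker's own sending domain, but because that domain does not align with the forged From header, DMARC still fails and the quarantine policy sends the mail to Spam.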
So how can we protect our domain from email spoofing?
- Organizations have to provide training to employees on a regular basis so that employees can detect phishing emails.
- Organizations should use their filtering mechanisms to block spoofed emails with malicious attachments.
- Emails that originate from third-party sources should carry a disclaimer when delivered to the organization’s mailboxes.
- Organizations can implement “identity-based protections” that help identify spam and malware and, after identification, automatically remove those attachments from mails.
Organizations can also use the standard email authentication protocols that help eliminate email spoofing. For that, organizations can publish SPF, DKIM and DMARC records.