Email Spoofing

Overview

Description

Email spoofing is the forging of email headers, in particular the From address, so that the receiver sees the message as coming from a sender other than the one who actually sent it.

In the example above, the mail appears to come from the Dean of IIT Goa (dean@iitgoa.ac.in), but it does not. It is a spoofed mail.

A few online services exist for sending such spoofed mail, or one can do it with a PHP or Python mail function and a modified From header.
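As an added example (not code from the original page), the following Python builds a message with a forged From: header and shows the two sender identities a receiving server actually checks: SPF is evaluated against the SMTP envelope sender (MAIL FROM), while DMARC looks at the domain of the visible From: header and requires it to align with the domain that passed SPF (or DKIM). All addresses and the relay host are hypothetical; the send function is included for completeness and is not called.

```python
"""Forge a From: header and expose the identities a receiver authenticates.

Added example, not the page's code. Addresses, recipient and relay host are
hypothetical placeholders; nothing is sent unless send_via_relay() is called.
"""
import smtplib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def build_spoofed_message(header_from: str, to: str, subject: str, body: str) -> bytes:
    """Return RFC 5322 bytes whose From: header is whatever the caller supplies.

    From: is just a header written by the sending software; SMTP itself never
    verifies it, which is all that "spoofing" amounts to.
    """
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes()


def identities_checked(raw: bytes, envelope_from: str) -> dict:
    """Return the two sender domains a receiver compares.

    SPF is checked against the envelope sender (SMTP MAIL FROM). DMARC then
    requires the From: header domain to align with the domain that passed SPF
    (or DKIM). A spoofer controls both values, so they need not match.
    """
    parsed = BytesParser(policy=policy.default).parsebytes(raw)
    header_domain = parsed["From"].addresses[0].domain
    envelope_domain = envelope_from.rsplit("@", 1)[1]
    return {
        "header_from_domain": header_domain,
        "envelope_from_domain": envelope_domain,
        "aligned": header_domain.lower() == envelope_domain.lower(),
    }


def send_via_relay(raw: bytes, envelope_from: str, to: str, relay_host: str, port: int = 25) -> None:
    """Hand the message to a relay that accepts an arbitrary MAIL FROM.

    relay_host is a hypothetical placeholder; this needs network access and is
    not invoked by the example run below.
    """
    with smtplib.SMTP(relay_host, port) as smtp:
        smtp.sendmail(envelope_from, [to], raw)


if __name__ == "__main__":
    raw = build_spoofed_message(
        "Dean <dean@iitgoa.ac.in>",      # forged visible sender
        "student@example.invalid",       # constructed recipient
        "Urgent: fee payment",
        "Please pay at the link below.",
    )
    # Envelope sender is the attacker's domain; the visible From: is not.
    print(identities_checked(raw, "bounce@attacker.invalid"))
```

The `aligned` field is what DMARC turns into a verdict: if the header From: domain does not match the domain that passed SPF, the message fails DMARC even when the envelope domain's SPF record passes.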

Mail servers decide whether a given mail is spam based on several factors: the content of the mail, the sender's address, and a few others.

The main check is whether the mail really came from the domain it claims to come from, i.e. whether the server that delivered it is authorised to send mail for the domain in the sender address.

To validate this, two DNS records are used: SPF (Sender Policy Framework), which lists the hosts allowed to send mail for a domain, and DMARC (Domain-based Message Authentication, Reporting, and Conformance), which tells the receiver what to do when SPF (or DKIM) fails or does not align with the From address.

(I won't go into depth on how they work.)

Example

Let's consider a scenario with three domains to test.

Website         SPF Record     DMARC Record
iitgoa.ac.in    Not present    Not present
iitb.ac.in      Present        Not present
iith.ac.in      Present        Present

IIT B SPF v=spf1 a:smtp6.iitb.ac.in a:smtp7.iitb.ac.in a:smtp8.iitb.ac.in a:smtp9.iitb.ac.in a:smtp10.iitb.ac.in a:smtpd6.iitb.ac.in a:smtpd7.iitb.ac.in a:smtpd8.iitb.ac.in a:smtpd9.iitb.ac.in a:smtpd10.iitb.ac.in ~all

IIT H SPF v=spf1 ip4:199.79.62.144 ip4:209.85.220.41 ip4:209.85.220.65 ip4:74.125.83.44 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com include:_spf.google.com ~all

IIT H DMARC v=DMARC1; p=quarantine; pct=100; rua=mailto:webmaster@iith.ac.in

Now send a spoofed mail from each of these domains and see how Gmail reacts (check the full email header for the SPF and DMARC results).

Website         Response                         SPF Status    DMARC Status
iitgoa.ac.in    In Inbox without warning         -             -
iitb.ac.in      In Inbox with warning            SOFTFAIL      -
iith.ac.in      In Spam with critical warning    SOFTFAIL      FAIL

The SOFTFAIL comes from the ~all qualifier at the end of both SPF records; with -all the result would be a hard FAIL. Only iith.ac.in publishes a DMARC policy (p=quarantine), so only there does the failed check actually move the mail to Spam; iitb.ac.in gets a warning but the mail still lands in the Inbox.

Impact

  • An attacker can run a phishing campaign from a forged address such as support@yourorganization.com.
  • An attacker can use forged addresses to carry out social engineering attacks.

Prevention

  • Add an SPF record (starting with "v=spf1") to the DNS zone file that lists every host allowed to send mail for the domain, and end it with -all rather than ~all once that list is complete, so that unauthorised senders get a hard fail instead of a softfail.
  • Add a DMARC record to the DNS zone file with p=quarantine or p=reject; p=none only generates reports and does not stop spoofed mail from being delivered.

Tools

For a fuller explanation of SPF, DKIM and DMARC, see: https://www.smartertools.com/blog/2019/04/09-understanding-spf-dkim-dmarc