Author Topic: Verifying if an email has been spoofed  (Read 17992 times)

nosh

Verifying if an email has been spoofed
« on: April 14, 2008, 06:42 AM »
A friend of a friend has been getting stalked for a while. Recently she and a friend both received the same email from each other's addresses that neither of them has sent. She's going to call me up and I'll give her the usual drill about changing her pw from a new PC, hard to guess pw q&a, anti-keyloggers, etc but I suspect that their accounts may not have been hacked at all and the mails may just be spoofed to creep her out. They both still have access to their accounts and from the malicious track-record of the person stalking her, it seems highly unlikely he/she would allow this esp. after disclosing that the accounts have been "compromised". I myself have seen a few spam mails slip through the cracks to my inbox because they appear to be sent from the same address receiving them. Is there any way to tell an authentic mail from a spoofed one? Both parties use gmail.

mediaguycouk

Re: Verifying if an email has been spoofed
« Reply #1 on: April 14, 2008, 07:02 AM »
I don't think you can spoof a gmail address from gmail (it comes out as [email protected] on behalf of [email protected]) so you should be able to look at the headers for this (if it is real).

If it comes from another server then it is likely fake.

Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.240])   by mailgate2.iss.soton.ac.uk (8.13.8/8.13.4) with ESMTP id [snip]
Learning C# - Graham Robinson
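
The header check described in the reply above, as an added example that is not part of the original thread: it reads only the topmost Received header (the one stamped by the recipient's own server) and tests whether the host that handed the message over resolved to the expected domain. The function names, the spoofed sample and the From addresses are constructed for illustration; the genuine sample reuses the Received line quoted in the post.

```python
import re
from email import message_from_string, policy

# "from <HELO name> (<reverse-DNS name> [<IP>]) by <receiving server>"
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

MY_SERVER = "mailgate2.iss.soton.ac.uk"  # recipient's server in the quoted header

# Received line as quoted in the post (folded); the other headers are constructed.
GENUINE = """\
Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.240])
 by mailgate2.iss.soton.ac.uk (8.13.8/8.13.4) with ESMTP id [snip]
From: sender@gmail.com
Subject: hello

body
"""

# Constructed sample: the lower Received header arrived with the message and
# claims a Google hop, but the recipient's server recorded a different peer.
SPOOFED = """\
Received: from mail.google.com (host7.example.net [203.0.113.7])
 by mailgate2.iss.soton.ac.uk (8.13.8/8.13.4) with ESMTP id CONSTRUCTED
Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.240])
 by mx.google.com with ESMTP id CONSTRUCTED
From: sender@gmail.com
Subject: hello

body
"""

def handoff_hop(raw, my_server):
    """Return (helo, rdns, ip) from the topmost Received header, or None if it
    was not stamped by my_server. Lower headers came with the mail: ignored."""
    received = message_from_string(raw, policy=policy.default).get_all("Received", [])
    m = HOP.search(str(received[0])) if received else None
    if m is None or m.group(4).lower() != my_server.lower():
        return None
    return m.group(1), m.group(2).lower(), m.group(3)

def handed_over_by(raw, my_server, sender_domain):
    """True if the peer name recorded by my_server falls under sender_domain.
    The HELO name is chosen by the sending side, so it is not consulted."""
    hop = handoff_hop(raw, my_server)
    if hop is None:
        return False
    return hop[1] == sender_domain or hop[1].endswith("." + sender_domain)
```

The result is only as reliable as the reverse-DNS lookup the receiving server performed, so treat a mismatch as a strong hint of spoofing and a match as one supporting signal.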

nosh

Re: Verifying if an email has been spoofed
« Reply #2 on: April 14, 2008, 07:33 AM »
Ok. I had a suspicion that every part of the header might be possible to spoof. Thanks for clarifying.

mediaguycouk

Re: Verifying if an email has been spoofed
« Reply #3 on: April 14, 2008, 09:36 AM »
It is, but by that point it would be your ISP or someone on your own computer spoofing it.
Learning C# - Graham Robinson

housetier

Re: Verifying if an email has been spoofed
« Reply #4 on: April 24, 2008, 04:39 AM »
If you make a habit of digitally signing your emails, spoofs are easier to detect.

tomos

Re: Verifying if an email has been spoofed
« Reply #5 on: April 24, 2008, 08:29 AM »
If you make a habit of digitally signing your emails, spoofs are easier to detect.
-housetier (April 24, 2008, 04:39 AM)

any recommendations for how & where or a site that might be helpful in that direction?
had a look found a few summaries that were helpful for general understanding
e.g.
The process for creating, obtaining, and using keys is fairly straightforward:

   1. Generate a key using software such as PGP, which stands for Pretty Good Privacy, or GnuPG, which stands for GNU Privacy Guard.

   2. Increase the authenticity of your key by having your key signed by co-workers or other associates who also have keys. In the process of signing your key, they will confirm that the fingerprint on the key you sent them belongs to you. By doing this, they verify your identity and indicate trust in your key.

   3. Upload your signed key to a public key ring so that if someone gets a message with your signature, they can verify the digital signature.

   4. Digitally sign your outgoing email messages. Most email clients have a feature to easily add your digital signature to your message.
-http://www.us-cert.gov/cas/tips/ST04-018.html

but something with a bit more detail would be helpful (public key ring :-\)

I'm wondering:-

1) is it associated with a particular email address
2) could it cause any problems in terms of people accessing emails (from me .. if I were to use it :))
Tom

Ehtyar

Re: Verifying if an email has been spoofed
« Reply #6 on: May 01, 2008, 05:07 PM »
I was searching the forum for topics about signing/verification of email and I came across this post, unanswered. I have recently set up my primary email addresses with GPG, so here's my advice. By a mile, using Thunderbird with its Enigmail extension is the simplest and least painstaking way of implementing email signing. I cannot offer advice outside these two applications, though I should be able to answer any basic questions you have. Perhaps the quickest way to get started with Thunderbird and Enigmail would be to follow their Quick Start Guide. I didn't use it, but it seems to be very clear-cut and complete.

Hope this helps, Ehtyar.

J-Mac

Re: Verifying if an email has been spoofed
« Reply #7 on: May 03, 2008, 01:30 AM »
Be careful, though, using Thunderbird with a program named Freenigma. I had downloaded and installed Freenigma as a Firefox extension but it somehow corrupted my Thunderbird installation, and even a clean uninstall and reinstall of T-Bird didn't help.  It was finally solved when I reinstalled Windows XP.

Several of my email messages were "overwritten" as invitations to sign up for Freenigma. I wrote them about it and they insisted that was not possible, and that it was just that Thunderbird is notorious for such corruption. But I haven't heard of any other rampant corruptions of T-Bird. It was a real pain while it was slowly ruining my messages.

Jim

Renegade

Re: Verifying if an email has been spoofed
« Reply #8 on: May 03, 2008, 09:02 PM »
I abandoned Thunderbird because of email corruption. I'm inclined to believe the devs that you spoke with. TB really isn't "prime time" yet as the issues it has are critical still. Email corruption happens quite easily in TB. One of the bugs is with malformed headers that causes this kind of thing.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

tomos

Re: Verifying if an email has been spoofed
« Reply #9 on: May 07, 2008, 01:00 PM »
I was searching the forum for topics about signing/verification of email and I came across this post, unanswered. I have recently set up my primary email addresses with GPG, so here's my advice. By a mile, using Thunderbird with its Enigmail extension is the simplest and least painstaking way of implementing email signing. I cannot offer advice outside these two applications, though I should be able to answer any basic questions you have. Perhaps the quickest way to get started with Thunderbird and Enigmail would be to follow their Quick Start Guide. I didn't use it, but it seems to be very clear-cut and complete.

Hope this helps, Ehtyar.
-Ehtyar (May 01, 2008, 05:07 PM)

thanks Ehtyar - will check that out
Tom

Ehtyar

Re: Verifying if an email has been spoofed
« Reply #10 on: May 07, 2008, 05:25 PM »
thanks Ehtyar - will check that out
-tomos (May 07, 2008, 01:00 PM)

You're most welcome :)
I'd also like to say I've been using Thunderbird for at least two-three years now, have never compacted my database (I was an ignorant boob) until Googling this database corruption business, and despite my inbox containing almost 10,000 emails have never had a database corruption issue.

Ehtyar.

J-Mac

Re: Verifying if an email has been spoofed
« Reply #11 on: May 07, 2008, 10:26 PM »
thanks Ehtyar - will check that out
-tomos (May 07, 2008, 01:00 PM)

You're most welcome :)
I'd also like to say I've been using Thunderbird for at least two-three years now, have never compacted my database (I was an ignorant boob) until Googling this database corruption business, and despite my inbox containing almost 10,000 emails have never had a database corruption issue.

Ehtyar.
-Ehtyar (May 07, 2008, 05:25 PM)

Then watch out!!  You're overdue!!   :o   :)

J-Mac

Re: Verifying if an email has been spoofed
« Reply #12 on: May 07, 2008, 10:32 PM »
Actually, I had T-Bird installed early on in its beta and it was a little too raw then.  However as soon as it went to V. 2.x I tried it again and pretty much loved it.  It is now - as far as I can tell - the ONLY desktop email client that supports IMAP mail.

However that corruption involving Freenigma just drove me pretty antsy.  Since then I have reinstalled XP Pro on that box and I do have a fresh copy of T-Bird on it. But I have not gone through importing my 14,000 - 15,000 messages and their 200+ folders.  I hate doing that every time something happens and the only answer is either create a new profile, or uninstall/reinstall!!  For the most part I have been using Fastmail and Gmail online.

Jim

Carol Haynes

Re: Verifying if an email has been spoofed
« Reply #13 on: May 08, 2008, 04:01 AM »
Use MailStore Home for archiving and keeping your live store in Thunderbird small. MailStore is lightning fast to search and allows you to either keep stuff in the email client or delete it when you archive. If you keep stuff in the client it isn't duplicated in the archive when you sync again.

All versions of MS Outlook support IMAP (as does Outlook Express installed on every Windows machine) so Thunderbird is hardly the only desktop client that supports IMAP!

Actually MailStore Home also supports IMAP directly - so you can keep an archive of IMAP mail with a single click or even use it as an IMAP client!
« Last Edit: May 08, 2008, 04:09 AM by Carol Haynes »

J-Mac

Re: Verifying if an email has been spoofed
« Reply #14 on: May 08, 2008, 06:18 PM »
All versions of MS Outlook support IMAP (as does Outlook Express installed on every Windows machine) so Thunderbird is hardly the only desktop client that supports IMAP!

Actually MailStore Home also supports IMAP directly - so you can keep an archive of IMAP mail with a single click or even use it as an IMAP client!
-Carol Haynes (May 08, 2008, 04:01 AM)

Carol - are you using IMAP with Outlook or Outlook Express?  I doubt it.  It claims to support IMAP but in actuality it barely touches it.  Microsoft refuses to fully support IMAP because the MS Exchange format competes directly with the IMAP format.

The support it does provide is pitiful and does not work a good bit of the time.

Jim

Carol Haynes

Re: Verifying if an email has been spoofed
« Reply #15 on: May 08, 2008, 06:51 PM »
I personally don't use it much - I do have 5 GoogleMail accounts that I occasionally check with IMAP in Outlook and it seems to work fine for me? What am I missing?

Curt

Re: Verifying if an email has been spoofed
« Reply #16 on: May 09, 2008, 04:39 AM »
I have no understanding of the technical side of this problem, but it seems to me that all this spoofy thingy is possible because we don't care to use Digital Signature (DS)? I tried to use it for private mailing when it was installed on my first computer (that is, the first with Internet access), but almost no-one had their email client set up to handle it. In Denmark we have another version of DS than the ones we all are offered via Microsoft, and we use it for addressing the authorities (we can do all of our taxes via the Internet only), and may use it privately. But no-one cares to use it for normal emailing because there is always someone who cannot open your mail because they have not installed this DS or they don't understand how to use it. And that may cause allow the actual problem.

Or am I completely mistaken?

mediaguycouk

Re: Verifying if an email has been spoofed
« Reply #17 on: May 09, 2008, 06:34 AM »
I think the bigger problem is that the servers don't trust each other (or fail to distrust bad servers). Once servers know which other servers are legitimate then trusting the home user should be easy.

For example, if yahoo trusted hotmail and ignored any email from hotmail.com that wasn't from the hotmail server you could presume it was spoofed and spam. Hotmail would then do some protection to ensure that you are who you say you are. Comcast could do the same, but ensure that the user was on their network or authenticated somehow.

Making the end user responsible won't work imho, because the recipient has no way of knowing that the email they are being sent should be signed.
Learning C# - Graham Robinson

Curt

Re: Verifying if an email has been spoofed
« Reply #18 on: May 09, 2008, 12:26 PM »
... the recipient has no way of knowing that the email they are being sent should be signed.
-mediaguycouk (May 09, 2008, 06:34 AM)

- very good point.


This will be something Bad Big Brother may want to force upon all.