topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Monday October 14, 2024, 5:57 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Verifying if an email has been spoofed  (Read 18701 times)

nosh

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,441
    • View Profile
    • Donate to Member
Verifying if an email has been spoofed
« on: April 14, 2008, 06:42 AM »
A friend of a friend has been getting stalked for a while. Recently she and a friend both received the same email from each others addresses that neither of them has sent. She's going to call me up and I'll give her the usual drill about changing her pw from a new PC, hard to guess pw q&a, anti-keyloggers, etc but I suspect that their accounts may not have been hacked at all and the mails may just be spoofed to creep her out. They both still have access to their accounts and from the malicious track-record of the person stalking her, it seems highly unlikely he/she would allow this esp. after disclosing that the accounts have been "compromised". I myself have seen a few spam mails slip through the cracks to my inbox because they appear to be sent from the same address receiving them. Is there any way to tell an authentic mail from a spoofed one? Both parties use gmail.

mediaguycouk

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 247
    • View Profile
    • Mediaguy
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #1 on: April 14, 2008, 07:02 AM »
I don't think you can spoof a gmail address from gmail (it comes out as [email protected] on behalf of [email protected]) so you should be able to look at the headers for this (if it is real).

If it comes from another server then it is likely fake.

Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.240])   by mailgate2.iss.soton.ac.uk (8.13.8/8.13.4) with ESMTP id [snip]
Learning C# - Graham Robinson

nosh

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,441
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #2 on: April 14, 2008, 07:33 AM »
Ok. I had a suspicion that every part of the header might be possible to spoof. Thanks for clarifying.

mediaguycouk

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 247
    • View Profile
    • Mediaguy
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #3 on: April 14, 2008, 09:36 AM »
It is, but by that point it would be your ISP or someone on your own computer spoofing it.
Learning C# - Graham Robinson

housetier

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 1,321
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #4 on: April 24, 2008, 04:39 AM »
If you make a habit of digitally signing your emails, spoofs are easier to detect.

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,963
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #5 on: April 24, 2008, 08:29 AM »
If you make a habit of digitally signing your emails, spoofs are easier to detect.

any recommendations for how & where or a site that might be helpful in that direction?
had a look found a few summaries that were helpful for general understanding
e.g.
The process for creating, obtaining, and using keys is fairly straightforward:

   1. Generate a key using software such as PGP, which stands for Pretty Good Privacy, or GnuPG, which stands for GNU Privacy Guard.

   2. Increase the authenticity of your key by having your key signed by co-workers or other associates who also have keys. In the process of signing your key, they will confirm that the fingerprint on the key you sent them belongs to you. By doing this, they verify your identity and indicate trust in your key.

   3. Upload your signed key to a public key ring so that if someone gets a message with your signature, they can verify the digital signature.

   4. Digitally sign your outgoing email messages. Most email clients have a feature to easily add your digital signature to your message.
-http://www.us-cert.gov/cas/tips/ST04-018.html

but something with a bit more detail would be helpful (public key ring :-\)

I'm wondering:-

1) is it associated with a particular email address
2) could it cause any problems in terms of people accessing emails (from me .. if i were to use it :))
Tom

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #6 on: May 01, 2008, 05:07 PM »
I was searching the forum for topics about signing/verification of email and I came across this post, unanswered. I have recently set up my primary email addresses with GPG, so here's my advice. By a mile, using Thunderbird with its Enigmail extension is the simplest and least painstaking way of implementing email signing. I cannot offer advice outside these two applications, though i should be able to answer any basic questions you have. Perhaps the quickest way to get started with Thunderbird and Enigmail would be to follow their Quick Start Guide. I didn't use it, but it seems to be very clear-cut and complete.

Hope this helps, Ehtyar.

J-Mac

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 2,918
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #7 on: May 03, 2008, 01:30 AM »
Be careful, though, using Thunderbird with a program named Freenigma. I had downloaded and installed Freenigma as a Firefox extension but it somehow corrupted my Thunderbird installation, and even a clean uninstall and reinstall of T-Bird didn't help.  It was finally solved when I reinstalled Windows XP.

Several of my email messages were "overwritten" as invitations to sign up for Freenigma. I wrote them about it and they insisted that was not possible, and that it was just that Thunderbird is notorious for such corruption. But I haven't heard of any other rampant corruptions of T-Bird. It was a real pain while it was slowly ruining my messages.

Jim

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #8 on: May 03, 2008, 09:02 PM »
I abandoned Thunderbird because of email corruption. I'm inclined to believe the devs that you spoke with. TB really isn't "prime time" yet as the issues it has are critical still. Email corruption happens quite easily in TB. One of the bugs is with malformed headers that causes this kind of thing.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,963
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #9 on: May 07, 2008, 01:00 PM »
I was searching the forum for topics about signing/verification of email and I came across this post, unanswered. I have recently set up my primary email addresses with GPG, so here's my advice. By a mile, using Thunderbird with its Enigmail extension is the simplest and least painstaking way of implementing email signing. I cannot offer advice outside these two applications, though i should be able to answer any basic questions you have. Perhaps the quickest way to get started with Thunderbird and Enigmail would be to follow their Quick Start Guide. I didn't use it, but it seems to be very clear-cut and complete.

Hope this helps, Ehtyar.

thanks Ehtyar - will check that out
Tom

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #10 on: May 07, 2008, 05:25 PM »
thanks Ehtyar - will check that out
You're most welcome :)
I'd also like to say I've been using Thunderbird for at least two-three years now, have never compacted my database (I was an ignorant boob) until Googling this database corruption business, and despite my inbox containing almost 10,000 emails have never had a database corruption issue.

Ehtyar.

J-Mac

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 2,918
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #11 on: May 07, 2008, 10:26 PM »
thanks Ehtyar - will check that out
You're most welcome :)
I'd also like to say I've been using Thunderbird for at least two-three years now, have never compacted my database (I was an ignorant boob) until Googling this database corruption business, and despite my inbox containing almost 10,000 emails have never had a database corruption issue.

Ehtyar.

Then watch out!!  You're overdue!!   :o   :)

J-Mac

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 2,918
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #12 on: May 07, 2008, 10:32 PM »
Actually, I had T-Bird installed early on in its beta and it was a little too raw then.  However as soon as it went to V. 2.x I tried it again and pretty much loved it.  It is now - as far as I can tell - the ONLY desktop email client that supports IMAP mail.

However that corruption involving Freenigma just drove me pretty antsy.  Since then I have reinstalled XP Pro on that box and I di have a fresh copy of T-Bird on it. But I have not gone through importing my 14,000 - 15,000 messages and their 200+ folders.  I hate doing that every time something happens and the only answer is either create a new profile, or uninstall/reinstall!!  For the most part I have been using Fastmail and Gmail online.

Jim

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,068
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #13 on: May 08, 2008, 04:01 AM »
Use MailStore Home for archiving and keeping you live store in Thunderbird small. MailStore is lightening fast to search and allows you to either keep stuff in the email client or delete it when you archive. If you keep stuff in the client it isn't duplicated in the archive when you sync again.

All versions of MS Outlook support IMAP (as does Outlook Express installed on every Windows machine) so Thunderbird is hardly the only desktop client that supports IMAP!

Actually MailStore Home also supports IMAP directly - so you can keep an archive of IMAP mail with a single click or even use it as an IMAP client!
« Last Edit: May 08, 2008, 04:09 AM by Carol Haynes »

J-Mac

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 2,918
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #14 on: May 08, 2008, 06:18 PM »
All versions of MS Outlook support IMAP (as does Outlook Express installed on every Windows machine) so Thunderbird is hardly the only desktop client that supports IMAP!

Actually MailStore Home also supports IMAP directly - so you can keep an archive of IMAP mail with a single click or even use it as an IMAP client!
-Carol Haynes (May 08, 2008, 04:01 AM)

Carol - are you using IMAP with Outlook or Outlook Express?  I doubt it.  It claims to support IMAP but in actuality it barely touches it.  Microsoft refuses to fully support IMAP because the MS Exchange format competes directly with the IMAP format.

The support it does provide is pitiful and does not work a good bit of the time.

Jim

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,068
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #15 on: May 08, 2008, 06:51 PM »
I personally don't use it much - I do have 5 GoogleMail accounts that I occasionally check with IMAP in Outlook and it seems to work fine for me? What am I missing?

Curt

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 7,566
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #16 on: May 09, 2008, 04:39 AM »
I have no understanding of the technical side of this problem, but it seems to me that all this spoofy thingy is possible because we don't care to use Digital Signature (DS)? I tried to use it for private mailing when it was installed on my first computer (that is, the first with Internet access), but almost no-one had their email client set up to handle it. In Denmark we have another version of DS than the ones we all are offered via Microsoft, and we use it for addressing the authorities (we can do all of our taxes via the Internet only), and may use it privately. But no-one cares to use it for normal emailing because there are always someone who cannot open you mail because they have not installed this DS or they don't understand how to use it. And that may cause allow the actual problem.

Or am I completely mistaken?

mediaguycouk

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 247
    • View Profile
    • Mediaguy
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #17 on: May 09, 2008, 06:34 AM »
I think the bigger problem is that the servers don't trust each other (or fail to distrust bad servers). Once servers know which other servers are legitimate then trusting the home user should be easy.

For example, if yahoo trusted hotmail and ignored any email from hotmail.com that wasn't from the hotmail server you could presume it was spoofed and spam. Hotmail would then do some protection to ensure that you are who you say you are. Comcast could do the same, but ensure that the user was on their network or authenticated somehow.

Making the end user responsible won't work imho, because the recipient has no way of knowing that the email they are being sent should be signed.
Learning C# - Graham Robinson

Curt

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 7,566
    • View Profile
    • Donate to Member
Re: Verifying if an email has been spoofed
« Reply #18 on: May 09, 2008, 12:26 PM »
... the recipient has no way of knowing that the email they are being sent should be signed.
-mediaguycouk (May 09, 2008, 06:34 AM)

- very good point.


This will be something Bad Big Brother may want to force upon all.