email forgery issues/questions

Post by rb » Tue, 16 Jul 2002 03:46:27
I'm an individual PC user with about average knowledge of computer
techniques and tools.

I'm trying to find out if there is any practical way for the little guys to
be able to defend once they've come under an email forging attack?

I know there is a moderate amount of discussion going on concerning how to
prevent this vis-a-vis commercial networks, systems administrators, and
network technical people, but I see no fixes for PC users who come under
attack.  It should be noted, however, that the systems guys probably mostly
have their own PCs at home, and/or family who does... and those PCs too
may be coming under attack soon.

Using Spamcop or related type services to parse headers may well only get us
a fake spammer ISP or server who hosts spammers.  So, we track the guy down,
but then can't do anything to prevent him/her continuing the forging
activity, short of bringing a lawsuit against him/her IF we can even get a
valid, genuine identity and location.

Right now, the only defense for the little guy that I see is simply to
change ISPs and get a new email address, which, of course, can be a bit of a
pain, in many cases.

To know how to fix something, we must first thoroughly understand the
problem.  So, I'd appreciate answers to the following questions which bring
technical issues down to my user level, and may benefit others in coming up
with a fix:

Q:  how do the guys forging my email address get it to begin with?
A:  My guess is through packet sniffers.  Is this the case, though?

Q:  are there ways that they can hide behind spammer friendly servers, or
even spoof their servers into thinking it's actually someone else sending
out spam mail?
A:  Seems like it.

Q:  seems like my email address alone isn't enough to trick my ISP mail
server into accepting mail with my email addy on it that comes in from
outside the ISP net.
If this is so, what data bits does a successful email address forger need?
A:  ???

Q:  If the question above is basically yes, then how does the forger get
these data bits?
A:  is it via packet sniffing, again?

Q:  Is there anything I'm doing that I shouldn't be doing, or that I'm not
doing that I should be doing which singles out my email address for a
forger/spammer to grab onto?
A:  ??????

Comments/thoughts/ideas welcomed.

email forgery issues/questions

Post by Todd Knar » Tue, 16 Jul 2002 03:56:40
Quote:> I'm trying to find out if there is any practical way for the little guys to
> be able to defend once they've come under an email forging attack?

Yes: use PGP or S/MIME and sign every single e-mail message you send with
a key that can be verified.

Note that in forgery it's not your PC that's under attack. The forger
needs no access to your PC, your SMTP server or your ISP. All he needs
is access to some SMTP server somewhere that doesn't enforce origin
address rules on mail bound for domains the server doesn't handle.

Quote:> Q:  how do the guys forging my email address get it to begin with?
> A:  My guess is through packet sniffers.  Is this the case, though?

It's wrong. They forge them by taking any list of e-mail addresses they
have, selecting one and putting it as the "From" field in the outgoing
e-mail, then adding matching Received and other headers to match.

Quote:> Q:  seems like my email address alone isn't enough to trick my ISP mail
> server into accepting mail with my email addy on it that comes in from
> outside the ISP net.
> If this is so, what data bits does a successful email address forger need?
> A:  ???

The usual match criterion is the source IP address of the connection. If
it's from within the ISP's network, it's considered an outgoing e-mail.
If it's from outside the ISP's network, it's considered an incoming e-mail.
Unauthenticated relaying should be disabled if the e-mail is incoming.

That won't stop the spammer from sending _you_ e-mail, but it'll prevent
him from relaying e-mail appearing to come from you through your ISP's
SMTP servers.

--
Safety hint, dude ... never, ever get up to go to the john at night unless
you can actually feel your body.
                                -- Sonya Marie Gildencrantz
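The relay rule Todd describes (the source IP of the connection decides whether a message is incoming or outgoing, and incoming mail is never relayed unauthenticated), as an added Python example that is not code from the thread. The ISP name, its domain and its customer address block are assumptions, and SMTP AUTH for a roaming sender is added here as an assumed option rather than something the post describes. The point to notice is what the rule never looks at: the MAIL FROM address.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from the thread. The ISP, its domain and its
# address block are assumptions; 203.0.113.0/24 and 198.51.100.0/24 are
# RFC 5737 documentation ranges used here as "our customers" and "outside".
LOCAL_DOMAINS = {"example-isp.net"}
CUSTOMER_NETS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Session:
    client_ip: str               # source address of the TCP connection
    mail_from: str               # SMTP MAIL FROM (envelope sender)
    rcpt_to: str                 # SMTP RCPT TO (envelope recipient)
    authenticated: bool = False  # SMTP AUTH succeeded on this session (assumed feature)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_customer(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return any(a in net for net in CUSTOMER_NETS)


def relay_decision(s: Session) -> str:
    """Classify one RCPT TO the way the post describes: local recipient -> accept,
    customer (or authenticated) sender to a remote recipient -> relay, else reject.
    MAIL FROM is never consulted, so a forged sender address is invisible here."""
    if domain_of(s.rcpt_to) in LOCAL_DOMAINS:
        return "accept"
    if s.authenticated or is_customer(s.client_ip):
        return "relay"
    return "reject"


def scenarios() -> dict:
    forged = "rb@example-isp.net"   # a customer's address, used by a spammer
    return {
        # spammer outside the ISP tries to bounce spam off the hub with rb's address
        "outsider_relay": relay_decision(
            Session("198.51.100.7", forged, "someone@elsewhere.example")),
        # the same spammer sends spam *to* an ISP customer with rb's address: accepted
        "outsider_inbound": relay_decision(
            Session("198.51.100.7", forged, "victim@example-isp.net")),
        # rb's own PC sending outbound: relayed
        "customer_outbound": relay_decision(
            Session("203.0.113.9", forged, "friend@elsewhere.example")),
        # employee at home on another ISP, using SMTP AUTH: relayed
        "authenticated_roaming": relay_decision(
            Session("198.51.100.42", "staff@example-isp.net",
                    "someone@elsewhere.example", authenticated=True)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22s} -> {verdict}")
```

Only the first scenario is stopped by anti-relay protection; the forged address in the second one sails straight in, which is exactly the "won't stop the spammer from sending _you_ e-mail" caveat above.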

email forgery issues/questions

Post by davi.. » Tue, 16 Jul 2002 22:15:48
>To know how to fix something, we must first thoroughly understand the
>problem.  So, I'd appreciate answers to the following questions which bring
>technical issues down to my user level, and may benefit others in coming up
>with a fix:

>Q:  how do the guys forging my email address get it to begin with?
>A:  My guess is through packet sniffers.  Is this the case, though?

No.
The most common source is probably trawling through Usenet posts for the
email addresses of the posters. However there are also lots of other places
to gather email addresses. A good article describing some of the ways spammers
obtain addresses is http://www.private.org.il/harvest.html

Quote:>Q:  are there ways that they can hide behind spammer friendly servers, or
>even spoof their servers into thinking it's actually someone else sending
>out spam mail?
>A:  Seems like it.

There are some spam-friendly sites; see http://www.spamhaus.org
However, often the spammer will obtain a free trial account at one of the
ISPs. A number of ISPs just give out free trial CDs.
They will also send their mail out through intermediate open-relay systems.
It's fairly common for a spammer to have their account closed down because of
complaints in the morning and be up and running at another ISP (or maybe even
the same ISP with a different account) in the afternoon.

Spammers habitually forge addresses, add in additional forged Received
header lines etc. in order to confuse the recipient as to where the mail has come
from. Forging the from address has the additional benefit that they do not get
the non-delivery reports bounced back to them if the address list they have is
out of date.

SMTP is exactly what it says - SIMPLE MAIL TRANSFER PROTOCOL.
It has no facilities builtin to check that your from address is valid.
Most PC mailers make forging really easy since they let you set the from

then no further check is done. Hence you can easily send mail which appears

Mailers on multiuser systems in contrast are often configured so that although
you can change the from address the mail software automatically adds in a
sender address which corresponds to the account being used on the multiuser
system. However the spammer can always bypass this and write his own piece of
code (or even type in the commands manually) which will connect to a mail
server and send out the mail. The protocol and all the commands necessary are
well described in RFCs.

Getting an ISP to force its customers to use from addresses within its own
domain causes other problems. Organisations set up measures so that their
mail servers are not open relays. However, this means that their employees who
are using some other ISP from home cannot use their organisation's mail server to
send out mail to the rest of the world, since as far as the mail server is
concerned they are sending from outside to outside, i.e. relaying.
The simplest solution to this is to tell the employee to configure their home
system to send mail out through their ISP's mailhub. However, the employee
generally wants replies to go back to their work mail account. Hence they
require the ability to set their from address to their work account but still
to send out through their ISP's mailhub.

Quote:>Q:  seems like my email address alone isn't enough to trick my ISP mail
>server into accepting mail with my email addy on it that comes in from
>outside the ISP net.
>If this is so, what data bits does a successful email address forger need?
>A:  ???

He just needs your email address. He just sends his mail messages out to
everybody with your email address as the from address. Any bounces or
complaints are then sent to you. The original messages (rather than the bounces
or complaints) usually won't have passed anywhere near your ISPs systems.

If he tries to send mail using your ISP (irrespective of what from address
he has specified), then if he does it from an internet address which doesn't
correspond to your ISP and is sending to non-local users, he should hit
the anti-relaying protection your ISP has configured on their mailhub.
However, that protection has nothing whatsoever to do with whether he has
forged your mail address or not.

Spammers love systems which haven't had this protection implemented - open
relays.

Quote:>Q:  If the question above is basically yes, then how does the forger get
>these data bits?
>A:  is it via packet sniffing, again?

I doubt if any mail forger resorts to packet sniffing.

Quote:>Q:  Is there anything I'm doing that I shouldn't be doing, or that I'm not
>doing that I should be doing which singles out my email address for a
>foger/spammer to grab onto?
>A:  ??????

See article mentioned above.

David Webb
VMS and Unix team leader
CCSS
Middlesex University

Quote:> Comments/thoughts/ideas welcomed.
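David's point that the spammer forges the From line and adds extra Received lines to muddy the trail, and rb's remark that parsing headers (Spamcop-style) only gets you so far, as an added Python example that is not code from the thread. The message, host names and addresses are constructed (RFC 5737 documentation ranges); the only Received line that can be trusted is the one written by a server the recipient controls, and everything below it is sender-supplied text that can say anything.

```python
import re
from email import message_from_bytes, policy
from typing import Optional

# Constructed sample (not a real message). The first Received line was added by
# the recipient's own MX, mx.recipient.example; the two below it, and the From
# line, were supplied by whoever connected from 198.51.100.7. All hosts and
# addresses are assumptions in RFC 5737 documentation ranges.
RAW = b"""Received: from mail.example-isp.net (unknown [198.51.100.7])
\tby mx.recipient.example (Postfix) with SMTP id 4F2A1
\tfor <victim@recipient.example>; Mon, 15 Jul 2002 18:02:11 -0400
Received: from smtp.example-isp.net ([203.0.113.25])
\tby mail.example-isp.net with ESMTP id ABC123; Mon, 15 Jul 2002 18:01:00 -0400
Received: from rbpc.example-isp.net ([203.0.113.9])
\tby smtp.example-isp.net with SMTP; Mon, 15 Jul 2002 18:00:30 -0400
From: rb <rb@example-isp.net>
To: victim@recipient.example
Subject: make money fast
Message-ID: <20020715180030.ABC123@example-isp.net>

Buy now.
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?P<rest>.*?)\bby\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw: bytes) -> list:
    """Return Received hops newest-first as dicts with keys helo, ip, by.
    Nothing here is verified; it is only what the headers claim."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())   # unfold and normalise whitespace
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip = IP_RE.search(m.group("helo") + m.group("rest"))
        hops.append({"helo": m.group("helo"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by").lower()})
    return hops


def true_origin(raw: bytes, trusted_by: set) -> Optional[str]:
    """The connecting IP recorded by the topmost Received line written by a host
    we trust. Lines below it were handed to us by the sender and can say anything."""
    for hop in received_hops(raw):
        if hop["by"] in trusted_by:
            return hop["ip"]
    return None


def analyse(raw: bytes, trusted_by: set) -> dict:
    """Split the Received chain into the one fact we know (who connected to our
    server) and the sender-supplied hops that merely look like a trail to the ISP."""
    msg = message_from_bytes(raw, policy=policy.default)
    trusted_seen = False
    unverifiable = []
    for hop in received_hops(raw):
        if trusted_seen:
            unverifiable.append(hop)       # below the first trusted line
        elif hop["by"] in trusted_by:
            trusted_seen = True
    return {
        "from_addr": msg["From"].addresses[0].addr_spec,
        "true_origin": true_origin(raw, trusted_by),
        "unverifiable_hops": unverifiable,
    }


if __name__ == "__main__":
    report = analyse(RAW, {"mx.recipient.example"})
    print("From header claims  :", report["from_addr"])
    print("Real connection from:", report["true_origin"])
    for hop in report["unverifiable_hops"]:
        print("unverifiable hop    :", hop)
```

The forged lines name the ISP's own hosts and a customer address, so a naive reading blames rb's ISP; the trusted line shows the connection actually came from 198.51.100.7, which is where a complaint would have to go. Which `by` hosts count as trusted is a decision the recipient has to make from knowledge of their own mail path, not something the message can tell them.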

1. E-Mail Forgery in Netscape

: Has anyone dealt with the possibility of e-mail forgery in Netscape? If
: you change your e-mail name and address to someone else's, the system
: will accept it and send the message. We are very concerned about this and
: would like feedback from anyone regarding solutions, opinions, tips or
: whatever.

If you're worried about that, then your attitude should be that ALL
email that wasn't authenticated using strong cryptographic methods is a
potential forgery.  As far as I know, the only way to be relatively
confident that email isn't forged is to know that the sender and
recipient are on single-user machines with local digital
signature/encryption capability, and that the authentication mechanism
is relatively resistant to eavesdropping, spoofing, hijacking, etc.  Any
email that doesn't include a digital signature that the recipient can
authenticate, and any email from a multi-user or network server
machine, could be a forgery.
