E-Mail Impersonators
How to identify "spoofed" e-mail.
By Bill Barnes
After my wife cast her ballot on the morning of Election Day, 1996,
she arrived at work to find an email from none other than the President
of the United States (president@whitehouse.gov). He thanked her for her
vote and promised to address her hot-button issues of education and
women's rights. She was a little disturbed, but as it turned out the
sanctity of her secret ballot hadn't been compromised. Someone (her
husband) had merely sent her a spoofed email.
Email is considered "spoofed" when the email address in the
"From" field is not that of the sender. As Slate learned so
publicly last week, believing what you read in spoofed email can cause
huge embarrassment, so if you receive an email from George W. Bush or a
man purporting to be an executive of a European carmaker, trust us: It
might not be on the level. The bad news is that it's not very hard to
spoof email, but the good news is that it can usually be detected. To
detect spoofed email (and boy, do Slate's editors wish I'd written this
piece last month!) you need to understand how email is sent on the
Internet.
First, your email program (e.g., Outlook, Eudora, Hotmail) sends mail
to an SMTP (Simple Mail Transfer Protocol) server, a computer that
understands how to relay your email from SMTP server to SMTP server
across the Internet, until it arrives at its penultimate destination,
the recipient's mailbox. The mailbox stores this email until finally
it's fetched by an email program so its recipient can read it.
Like a well-paid courier, SMTP just passes along what it was given. I
tell Outlook my e-mail address, but neither it nor the SMTP server
provided by my Internet service provider has any way to verify that it's
true. Just this minute, I changed my Outlook settings to say that my
name is Mork, e-mail address mork@ork.planet, and Outlook happily sent
more mail to my wife, who is tiring of my little shenanigans. ISPs
smarter than mine configure their mail servers to be more restrictive
about the e-mail they'll accept, attempting to verify the veracity of
the sender's address, but a determined spoofer usually knows how to insert
e-mail further along the transmission chain.
Every e-mail contains a hidden component known as a
"header" that details its transmission history. By viewing the
header and doing a little detective work you can usually spot the
telltale signs of spoofed e-mail. Investigating suspicious e-mail is a
relatively technical process. To do so, check the headers:
- In Outlook, select View/Options.
- In Outlook Express, select Properties/Details.
- In Pine, type H.
- In Eudora, click on the "Blah Blah Blah"
button (I love that).
- In Hotmail go to Options/Mail Display Settings/Message
Headers and select "Full."
- In Netscape, select View/Headers/All.
- In Yahoo! Mail select "Full Headers."
- See the help file of e-mail programs not mentioned
here and look up "headers."
At first glance headers look like gobbledygook, but in time … no,
they will always look like gobbledygook. You just have to tough it out.
The first thing to check is the "From" field, which will
look like one of these:
From: George W. Bush (president@whitehouse.gov)
From: president@whitehouse.gov (George W. Bush)
From: George W. Bush
Look for a discontinuity between the friendly name and the e-mail
name. If the friendly name is "George W. Bush" but the e-mail
address is fred@spammers.com, or if the e-mail name is missing entirely,
the e-mail may be spoofed. But a sophisticated spoofer won't make this
simple mistake.
Next, look at the "Received" fields. Each time the mail
gets relayed through an SMTP server, a new "Received" field is
added, and you read them bottom-to-top. The bottom one might look like
this:
Received: from Whitehouse([555.666.777.888]) by WhitehouseMail (MailProgram v9.7) with SMTP id 1-2-3-4-5WhitehouseMail@Whitehouse for <Michael Jackson>; Mon, 11 Mar 2002 05:05:05 +0000
This is supposed to detail the original sending of the mail from the
sender's mail program to their ISP's (or company's) SMTP server,
although it can be forged. If the mail purports to be from
whitehouse.gov but you see names like "spammer.com" you have
reason to be suspicious. It also pays to look up the sender's IP
address, the four numbers separated by dots in the "Received"
line. For argument's sake, let's say that the sender's IP address is
555.666.777.888. At the Windows command prompt (Start, Programs,
Accessories, Command Prompt) type:
Nslookup 555.666.777.888
This will likely tell you the name of their SMTP server. Another tool
you can use is …
Tracert 555.666.777.888
… which shows the network route from your computer to the IP
address indicated. Look for suspicious server names or clues to
geographical locations (e.g., SFO for San Francisco). Again, you're
looking for discontinuities. (Don't be surprised if the
spoofer does some Internet magic to make the IP address useless to you,
though.)
You can continue with this sort of detective work up through the
different "Received" fields. If you are lucky you can track
down the e-mail address and ISP of the true sender and at least get them
kicked off their ISP. If, for example, the e-mail comes from the ISP
provider Nastybrowndog.com, send e-mail with your complaint to
abuse@nastybrowndog.com or postmaster@nastybrowndog.com.
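As an added example (not part of Barnes's article), a small Python script that does the header reading described above: it takes the address in the "From" field, parses the "Received" lines bottom-to-top so the origin hop comes first, and flags the discontinuities the article tells you to look for. The headers, hostnames and IP addresses are constructed placeholders; it does no DNS lookups, so the nslookup and tracert step stays manual.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article): "From" claims whitehouse.gov, but
# the bottom Received line, the origin hop, shows the mail entering the chain
# from a host under spammer.test. IPs are documentation ranges, .test hosts are
# placeholders.
RAW_HEADERS = """\
Received: from mx.example-isp.test ([192.0.2.10]) by mail.example-corp.test
 with SMTP id abc123 for <reader@example-corp.test>; Mon, 11 Mar 2002 05:07:00 +0000
Received: from workstation.spammer.test ([198.51.100.23]) by mx.example-isp.test
 with SMTP id xyz789; Mon, 11 Mar 2002 05:05:05 +0000
From: George W. Bush <president@whitehouse.gov>

"""

# "from <host> ([<ip>]) by <host>", as most SMTP relays write it.
HOP_RE = re.compile(
    r"from\s+(\S+)\s*\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(\S+)", re.I)

def received_hops(raw):
    """Return (from_host, from_ip, by_host) per Received line, origin first.
    Each relay prepends its own line, so the bottom one is the submission."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groups())
    return list(reversed(hops))

def spoof_indicators(raw):
    """List the discontinuities a reader would otherwise look for by hand."""
    msg = message_from_string(raw)
    _name, addr = parseaddr(msg.get("From", ""))
    findings = []
    if "@" not in addr:
        return ["From field has a friendly name but no e-mail address"]
    from_domain = addr.rsplit("@", 1)[1].lower()
    hops = received_hops(raw)
    if hops and not hops[0][0].lower().endswith(from_domain):
        findings.append(f"origin hop {hops[0][0]} [{hops[0][1]}] is not under {from_domain}")
    # A relay's "by" host should reappear as the next hop's "from" host.
    for (_, _, by_host), (next_from, _, _) in zip(hops, hops[1:]):
        if by_host.lower() != next_from.lower():
            findings.append(f"chain break between {by_host} and {next_from}")
    return findings
```

Legitimate mail that is relayed through a third-party server (a Web-mail account, an ISP relay) will also trip the origin-domain check, so treat the output as leads for the manual lookup, not a verdict.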
Sometimes the simplest way to unmask spoofed email is by responding
to it - in Slate's case of the phantom auto executive, the email address
in question wasn't even real! If the spoofed address doesn't exist, it
may bounce back undeliverable. But if the spoofed email address does
exist, such as president@whitehouse.gov, don't be surprised if your
reply generates an automated return message along the lines of "Thanks
for writing".
You may ask why the designers of e-mail didn't prevent spoofing from
the beginning. One answer is that many software developers have Utopian
streaks from watching too much Star Trek. They assume that everyone will
do the right thing. They also like keeping things simple, and identity
authentication would really complicate matters. Besides, standards for
authenticating identity on the Internet didn't exist back then and for
the most part still don't. Finally, and most important, spoofing e-mail
is incredibly useful! Because of spoofing:
- I can send e-mail from my ISP that contains my "custom" return address—bill@barnacle.org—instead of the one provided by my ISP.
- I can read my home e-mail on the road using a Web-based e-mail account but prefer to respond "from" bill@barnacle.org.
- My administrative assistant can send mail "from" me confirming a meeting. OK, I don't have an administrative assistant. But when I do, I'll be glad he can spoof me.
Given today's e-mail infrastructure, there's not much that can be
done to prevent spoofing. Companies and organizations can tighten up
their mail servers as detailed here. If you are in a situation where the
authenticity of the sender must be established and it is someone you are
already in communication with, you can agree to use PGP or other
encryption programs when exchanging e-mail. Encryption protects messages
from tampering and positively identifies the sender. A promising sign is
the emergence of programs that attempt to filter or tag spoofed e-mails,
but these have yet to be widely embraced by ISPs (although the
government—with good reason—is pursuing them avidly).
Until then, be wary if you get mail from the president offering to
drop by your neighborhood and personally feel your pain. It might just
be me.
Bill Barnes, Slate's founding program manager, draws and co-writes
the daily comic strip Overdue.