Email Identity Theft
If you're in business, your email address is going to be forged. Perhaps for phishing, but more likely by spammers. What can you do? (An updated version of one of our most popular articles.)
Quite often we receive a number of bounce messages indicating that
a spammer has been forging one of our email addresses in
the "From:" field of outgoing email. Worse still, a client of ours
had his website shutdown by his hosting provider because somebody forged email
which appeared to be coming from one of his accounts.
Spammers use forged email addresses because they do not want to
receive complaints (or complaints to their ISP). They just want your money.
Unfortunately email forgery is simple and commonplace.
Email viruses and worms also forge email addresses. Generally an
address is chosen from the infected machine's address book and used as the "From" address
for outgoing email. Doing so has two advantages: (1) it makes it more difficult to determine
the real source of the virus (it's someone who has both your email and that of the forged
sender in their address book); (2) by posing as a trusted contact it is more likely that
the email recipient will open an attachment and thus propagate the virus. Addresses have also
been chosen using search engines, and by examining the DNS whois database.
As a company that wants to be visible, there's not much you can do to prevent this.
You can't conceal your email addresses and reveal them only to trustworthy
individuals: your clients and suppliers need to be able to contact you. However, you
can take some precautions and react sensibly when it happens.
Before The Event
- Use domain registrar and DNS service suppliers which are unrelated to
your web hosting company. Web hosting companies have been known to shoot
first and ask questions later. If your web hosting company locks you out
of your account and is unresponsive, you need to be able to change web
hosting companies fast. If they also control your DNS service, you can't
change where your domain name points to. Think like a spammer or
international criminal. Use unrelated companies, possibly crossing
jurisdictional boundaries, so that no one company can confound your
- Consider keeping a second hot backup copy of your website running on a second server
with a second hosting provider. If the first web hosting company fails,
you can switch your DNS records to point to the second company quickly.
You can also switch to the second server if the first fails for any other
Even if you can afford to do this, keep backups and be prepared to
switch web hosting providers at a moment's notice.
- Limit the lifetimes (TTL or Time To Live settings) of your DNS records. While cached
copies of your DNS records exist, visitors will be directed to the wrong site. The TTL setting
limits the amount of time the DNS information should be cached. When
a client had his account disabled for unfounded allegations of sending spam, his hosting
provider locked him out of his account and showed advertising for one of his competitors! You
don't want this to happen.
- Use a hosting provider which gives you a non-shared IP address. If another
organization with the same IP address is blocked for any reason (association with spam,
views unfavorable to a foreign government, etc.), that blocking may affect you too.
(A non-shared IP address is also required if you need to run the https protocol.)
- If you have sufficient control of your company's DNS records, then you should
create SPF (Sender Policy Framework)
records for your domain. These specify which host computers are allowed
to send mail on your behalf, allowing more sophisticated mail handling
programs to detect and eliminate most forged email.
- Obfuscate any email addresses which must appear on web pages. It's not a perfect
solution, but it does eliminate some of the less competent email harvesting
programs out there. The Email Address Obfuscator may be of some (limited) help here.
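To show what an SPF record actually does for a receiving mail server, here is an added example (not code from the article) of a minimal SPF evaluator in Python. It runs against a constructed DNS snapshot rather than live DNS, so the domain names and IP addresses are made up; it covers the ip4/ip6, a, mx, include and all mechanisms.

```python
import ipaddress

# Constructed DNS snapshot standing in for live lookups so the example runs offline.
# Hypothetical domain example.com authorises its own mail server, its MX host and a
# third-party bulk mailer (via include:), and rejects every other source with -all.
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.10 mx include:_spf.bulkmailer.example -all"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["203.0.113.25"],
    ("_spf.bulkmailer.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name, rtype), [])


def spf_record(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    return next((t for t in lookup(domain, "TXT") if t.startswith("v=spf1")), None)


def check_spf(domain, sender_ip, depth=0):
    """Classify sender_ip for mail claiming to come from domain: pass, fail, softfail,
    neutral, or none (no record). The exists/ptr mechanisms and the redirect=/exp=
    modifiers are ignored for brevity; unknown terms simply never match."""
    ip = ipaddress.ip_address(sender_ip)
    record = spf_record(domain)
    if record is None or depth > 10:   # RFC 7208 limits nested lookups; cap the recursion
        return "none"
    for term in record.split()[1:]:    # skip the v=spf1 version tag
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech in ("ip4", "ip6"):     # an IPv6 sender never matches an ip4 network
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":        # include: matches only if the other record passes
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                   # record exhausted without a match
```

A forged message from an unlisted address (say 192.0.2.5) ends at the -all term and is classified fail, which is what lets a receiving server reject it before anyone sees a bounce.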
After The Event
So the worst has happened. What should you do? You should:
- Notify your web hosting provider or ISP: you don't want your website
disconnected because of complaints from people who didn't realize
that the From address was forged. Make sure any email sent to your
web hosting provider is very clear and concise: some overworked abuse
desks have been known to confuse such explanations with abuse reports
and disable the web site as a result.
- Put a note on the front page of your site so that any annoyed
spam recipient going to your website will understand
what has happened and that you weren't responsible.
- Collect evidence (printed and electronic copies of
complete emails, including all headers) in case it
becomes necessary to either pursue the spammer through the
courts or to convince a skeptical inquirer that you
didn't send the email.
An Example Case
Sometimes it's interesting to follow the trail:
One of the spam email messages being forged with our address
referred the recipient to a website which claimed to be
MortgagePlus Financial, a mortgage broker.
Visitors to this site were asked to fill in an application
form revealing personal details... but you have to wonder
somewhat about a company whose domain name was the memorable
it appeared to be a US mortgage broker, it used a uk domain,
was hosted in Hong Kong, and its DNS records
reported ownership by Fanraz Industries of Budapest, Hungary.
And nowhere was there a single phone number, email
address, or postal address on the entire website.
If you tried the very similar domain
c1011.hudjheuhfnnvgxvbchnfhfujryyfgbch.co.uk the company was
now QuickMortgages, another company keen on receiving
your financial information...
If you were foolish enough to fill in the form with your credit information,
what might it have been used for?
Some further detective work at
SPEWS (Spam Prevention Early Warning System)
suggested that the trail to the actual spammer was even more convoluted, involving
an address translating proxy in Hong Kong re-routing packets to a US site. See
for more information.
And Finally, if you receive spam...
The simplest thing to do is just delete it. Replying is
pointless as either (a) the From address is forged, or (b)
the From address will be used to harvest a list of
working email addresses which the spammer can use
to optimize his or her operations.
Try to avoid loading such email in an HTML capable email
client which automatically loads images. Spammers often
encode your email address in the URL used to retrieve images.
By examining their server logs, they can determine if you
received the email, and whether you read it.
For the same reason, don't click on any links in the email.
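The tracking trick described above can be checked for mechanically. The following is an added example (not from the article): a Python routine that scans an HTML message body for image URLs embedding the recipient's address, whether in the clear, URL-encoded, base64-encoded or hex-encoded. The message body and hostnames are constructed for the example.

```python
import base64
import re
from urllib.parse import unquote

# Constructed HTML body of a suspicious message. The recipient's address is hidden in
# three of the image URLs: URL-encoded, base64-encoded and hex-encoded. The first
# image is an ordinary logo with no tracking. Hostnames are made up.
SAMPLE_HTML = """
<html><body><p>Special mortgage rates!</p>
<img src="https://cdn.example.net/logo.png" alt="logo">
<img src="http://track.example.net/open.gif?u=alice%40example.com" width="1" height="1">
<img src='http://track.example.net/i/YWxpY2VAZXhhbXBsZS5jb20=/px.gif'>
<img src="http://track.example.net/p?id=616c696365406578616d706c652e636f6d">
</body></html>
"""


def encodings_of(address):
    """Forms in which an address is commonly smuggled into a tracking URL."""
    raw = address.encode()
    return {
        "plain": address.lower(),
        "base64": base64.b64encode(raw).decode().rstrip("="),  # tolerate stripped padding
        "hex": raw.hex(),
    }


def image_sources(html):
    """Extract the src attribute of every <img> tag (single or double quoted)."""
    return re.findall(r"<img[^>]+src=[\"']([^\"']+)", html, flags=re.I)


def find_tracking_images(html, recipient):
    """Return (url, encoding) for each image whose URL embeds the recipient's address."""
    needles = encodings_of(recipient)
    hits = []
    for src in image_sources(html):
        decoded = unquote(src)  # turns %40 back into @ and similar
        for enc, needle in needles.items():
            # base64 is case-sensitive; plain text and hex are compared lower-cased
            haystack = src if enc == "base64" else decoded.lower()
            if needle in haystack:
                hits.append((src, enc))
                break
    return hits
```

A mail filter that finds such hits can strip or block the images, and the result also explains to a sceptical user why "just opening" a message confirms their address to the sender.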
If you want to do some detective work,
have your IT people look at SamSpade.org, which has
a collection of online tools for deciphering URLs and tracing
website ownership. But be careful! It's all too easy to point the
finger at the wrong person. Spammers try to cover their tracks,
and more than one of the email headers will typically be forged. Indeed,
one of our clients recently encountered problems because a spammer included
a link to their domain (as well as to other random web sites) in their
email which confused an automated spam reporting system.
Never buy anything from a spammer. You don't
really think your credit information is safe with somebody
who forges emails for a living, do you?
Michael Z. Bell
Note. Where trademarks are mentioned, they belong to their respective owners.
© Albion Research Ltd. 2014