Email Identity Theft

If you're in business, your email address is going to be forged. Perhaps for phishing, but more likely by spammers. What can you do? (An updated version of one of our most popular articles)

Quite often we receive a batch of bounce messages indicating that a spammer has been forging one of our email addresses in the "From:" field of outgoing email. Worse still, a client of ours had his website shut down by his hosting provider because somebody forged email which appeared to be coming from one of his accounts. Spammers use forged email addresses because they do not want to receive complaints (or have complaints sent to their ISP). They just want your money. Unfortunately email forgery is simple and commonplace.

Email viruses and worms also forge email addresses. Generally an address is chosen from the infected machine's address book and used as the "From" address for outgoing email. Doing so has two advantages: (1) it makes it more difficult to determine the real source of the virus (it's someone who has both your email address and that of the forged sender in their address book); (2) by posing as a trusted contact it makes it more likely that the email recipient will open an attachment and thus propagate the virus. Addresses have also been chosen using search engines, and by examining the whois database of domain registrations.

As a company that wants to be visible, there's not much you can do to prevent this. You can't conceal your email addresses and reveal them only to trustworthy individuals: your clients and suppliers need to be able to contact you. However, you can take some precautions and react sensibly when it happens.

Before The Event

  1. Use domain registrar and DNS service suppliers which are unrelated to your web hosting company. Web hosting companies have been known to shoot first and ask questions later. If your web hosting company locks you out of your account and is unresponsive, you need to be able to change web hosting companies fast. If they also control your DNS service, you can't change where your domain name points to. Think like a spammer or international criminal. Use unrelated companies, possibly crossing jurisdictional boundaries, so that no one company can confound your operations.
  2. Consider keeping a second hot backup copy of your website running on a second server with a second hosting provider. If the first web hosting company fails, you can switch your DNS records to point to the second company quickly. You can also switch to the second server if the first fails for any other reason.
  3. Even if you can't afford to do this, keep backups and be prepared to switch web hosting providers at a moment's notice.
  4. Limit the lifetimes (TTL or Time To Live settings) of your DNS records. While cached copies of your DNS records exist, visitors will be directed to the wrong site. The TTL setting limits the amount of time the DNS information should be cached. When a client had his account disabled for unfounded allegations of sending spam, his hosting provider locked him out of his account and showed advertising for one of his competitors! You don't want this to happen.
  5. Use a hosting provider which gives you a non-shared IP address. If another organization with the same IP address is blocked for any reason (association with spam, views unfavorable to a foreign government, etc.), that blocking may affect you too. (A non-shared IP address is also required if you need to run the https protocol.)
  6. If you have sufficient control of your company's DNS records, then you should create SPF (Sender Policy Framework) records for your domain. These specify which host computers are allowed to send mail on your behalf, allowing more sophisticated mail handling programs to detect and eliminate most forged email.
  7. Obfuscate any email addresses which must appear on web pages. It's not a perfect solution, but it does eliminate some of the less competent email harvesting programs out there. The Email Address Obfuscator may be of some (limited) help here.
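To make the SPF precaution in point 6 concrete, here is an added example (not code from the original article) of how a receiving mail server evaluates an SPF record against the IP address that connected to it. The domains, addresses and TXT records are constructed for the example (RFC 5737 documentation addresses and example.com / example.net names), and DNS is replaced by an in-memory table so the code runs offline; it handles the ip4, ip6, include and all mechanisms and skips the ones (a, mx, ptr, exists) that need live DNS.

```python
import ipaddress

# Constructed in-memory "DNS": TXT records for the domains used in this example.
# These are documentation names and addresses, not real records.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.7 ~all",
}

# SPF qualifiers: the prefix on a mechanism decides the result when it matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain from the constructed table, or None."""
    record = TXT_RECORDS.get(domain)
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(sender_domain, client_ip, depth=0):
    """Evaluate the sender domain's SPF record for the connecting client IP.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    The domain checked is the envelope sender (MAIL FROM) domain, which is
    what SPF covers; the header From: line is a separate matter.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms (include etc.) at 10
        return "permerror"
    record = lookup_spf(sender_domain)
    if record is None:
        return "none"  # no policy published: forgery cannot be detected this way
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            # Address-family mismatch simply evaluates to "not in network".
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only if the referenced domain's policy says "pass".
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a / mx / ptr / exists need live DNS; skipped offline
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.10"),
                       ("example.com", "198.51.100.7"),
                       ("example.com", "203.0.113.5")]:
        print(domain, ip, check_spf(domain, ip))
```

The "-all" at the end of the example.com record is what turns the policy from advisory into useful: a message from any host not listed gets "fail", and a receiving server that honours SPF can reject it before it ever bounces back to you. A record ending in "~all" (softfail) or "?all" only marks such mail, which is why the included example.net record alone would not stop forgery.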

After The Event

So the worst has happened. What should you do? You should:

  1. Notify your web hosting provider or ISP: you don't want your website disconnected because of complaints from people who didn't realize that the From address was forged. Make sure any email sent to your web hosting provider is very clear and concise: some overworked abuse desks have been known to confuse such explanations with abuse reports and disable the web site as a result.
  2. Put a note on the front page of your site so that any annoyed spam recipient going to your website will understand what has happened and that you weren't responsible.
  3. Collect evidence (printed and electronic copies of complete emails, including all headers) in case it becomes necessary to either pursue the spammer through the courts or to convince a skeptical inquirer that you didn't send the email.

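When collecting evidence (point 3), the headers that matter most are the Received: lines, and only some of them can be believed. The following is an added example, not code from the original article, that parses a constructed forged message and lists its Received chain newest-first. The hostnames, IP addresses and message are made up for the example (documentation addresses only); the one assumption it encodes is that the only hop you can trust is the one written by your own mail server (here called mx.example.com), because every line below it arrived as part of the message and may have been written by the spammer.

```python
import email
import re

# Constructed sample: a message whose header From: claims to be our own
# sales@ address. The lower Received: line was supplied by the sender and is
# not verifiable; the top one was added by our own server when it received it.
RAW = b"""Received: from relay.example.org (relay.example.org [203.0.113.9])
\tby mx.example.com with ESMTP id abc123
\tfor <victim@example.net>; Tue, 31 Jan 2006 10:15:00 +0000
Received: from mail.example.com (mail.example.com [192.0.2.5])
\tby relay.example.org with SMTP; Tue, 31 Jan 2006 10:14:00 +0000
From: sales@example.com
To: victim@example.net
Subject: Low rate mortgage
Message-ID: <x1@example.com>

Apply now.
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <server>": the HELO name is
# self-reported by the connecting client; the bracketed part is what the
# receiving server itself observed.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.S)


def received_chain(raw):
    """Return the Received: hops as dicts, newest (closest to us) first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append({"claimed": m.group(1),
                         "observed": m.group(2),
                         "by": m.group(3)})
    return hops


def trusted_origin(hops, our_mx):
    """Return the reverse-DNS/IP our own server observed for the connecting host.

    Only the hop recorded by our_mx is reliable; anything beneath it in the
    chain was inside the message when it arrived and may be forged.
    """
    for hop in hops:
        if hop["by"] == our_mx:
            return hop["observed"]
    return None


if __name__ == "__main__":
    chain = received_chain(RAW)
    for hop in chain:
        print(f"by {hop['by']}: from {hop['claimed']} ({hop['observed']})")
    print("connecting host per our server:", trusted_origin(chain, "mx.example.com"))
```

In the constructed message the lower hop claims the mail passed through mail.example.com, which is exactly what a forger would write to make the sales@example.com From: line look plausible; the only fact you can stand on in front of a skeptical inquirer is the 203.0.113.9 connection your own server logged.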
An Example Case

Sometimes it's interesting to follow the trail:

One of the spam email messages being forged with our address referred the recipient to a website which claimed to be MortgagePlus Financial, a mortgage broker.

Visitors to this site were asked to fill in an application form revealing personal details... but you have to wonder somewhat about a company whose domain name was the memorable c1010.hudjheuhfnnvgxvbchnfhfujryyfgbch.co.uk. Although it appeared to be a US mortgage broker, it used a uk domain, was hosted in Hong Kong, and its DNS records reported ownership by Fanraz Industries of Budapest, Hungary. And nowhere was there a single phone number, email address, or postal address on the entire website.

If you tried the very similar domain c1011.hudjheuhfnnvgxvbchnfhfujryyfgbch.co.uk the company was now QuickMortgages, another company keen on receiving your financial information...

If you were foolish enough to fill in the form with your credit information, what might it have been used for?

Some further detective work at SPEWS (Spam Prevention Early Warning System) suggested that the trail to the actual spammer was even more convoluted, involving an address translating proxy in Hong Kong re-routing packets to a US site. See Case S2040 for more information.

And Finally, if you receive spam...

  1. The simplest thing to do is just delete it. Replying is pointless as either (a) the From address is forged, or (b) the From address will be used to harvest a list of working email addresses which the spammer can use to optimize his or her operations.
  2. Try to avoid loading such email in an HTML capable email client which automatically loads images. Spammers often encode your email address in the URL used to retrieve images. By examining their server logs, they can determine if you received the email, and whether you read it.
  3. For the same reason, don't click on any links in the email.
  4. If you want to do some detective work, have your IT people look at SamSpade.org, which has a collection of online tools for deciphering URLs and tracing website ownership. But be careful! It's all too easy to point the finger at the wrong person. Spammers try to cover their tracks, and more than one of the email headers will typically be forged. Indeed, one of our clients recently encountered problems because a spammer included a link to their domain (as well as to other random web sites) in their email which confused an automated spam reporting system.
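Point 2 above describes image URLs that carry the recipient's address so that fetching the image confirms the address is live. As an added example (not code from the original article), here is a check a mail filter could run before rendering an HTML message: it collects remote image URLs and flags any whose URL contains the recipient address in plain, URL-encoded, base64, hex or hashed form. The HTML and the tracking host track.example.invalid are constructed for the example; the set of encodings is an assumption about common practice, not an exhaustive list.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import unquote


class ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.urls.append(value)


def encodings_of(address):
    """Forms in which a recipient address is commonly embedded in a tracking URL
    (assumption for this example: plain, base64, hex, md5, sha1)."""
    raw = address.lower().encode()
    return {
        address.lower(),
        base64.b64encode(raw).decode().rstrip("="),
        base64.urlsafe_b64encode(raw).decode().rstrip("="),
        raw.hex(),
        hashlib.md5(raw).hexdigest(),
        hashlib.sha1(raw).hexdigest(),
    }


def tracking_images(html, recipient):
    """Return remote image URLs that appear to identify the recipient."""
    collector = ImgCollector()
    collector.feed(html)
    needles = {n.lower() for n in encodings_of(recipient)}
    flagged = []
    for url in collector.urls:
        if not re.match(r"https?://", url, re.I):
            continue  # cid: and data: images do not contact a remote server
        probe = unquote(url).lower()  # undo %40 etc. before matching
        if any(needle in probe for needle in needles):
            flagged.append(url)
    return flagged


# Constructed sample body: one honest logo, one cid: attachment, and two
# beacons carrying the recipient's address (base64 and URL-encoded).
TOKEN = base64.b64encode(b"victim@example.net").decode()
SAMPLE_HTML = (
    '<html><body><img src="http://www.example.com/logo.png">'
    '<img src="cid:part1@example.com">'
    f'<img src="http://track.example.invalid/open.gif?u={TOKEN}" width="1" height="1">'
    '<img src="http://track.example.invalid/p.gif?e=victim%40example.net">'
    "</body></html>"
)


if __name__ == "__main__":
    for url in tracking_images(SAMPLE_HTML, "victim@example.net"):
        print("tracking image:", url)
```

A client that refuses to load remote images by default makes this check unnecessary for the reader, but running it server-side lets an abuse desk or filter score such messages without anyone opening them; the same logic applies to links in the body, since the encoded address is usually carried in those too.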

And Finally...

Never buy anything from a spammer. You don't really think your credit information is safe with somebody who forges emails for a living, do you?

3 February 2006
