Webhead

E-Mail Impersonators

How to identify “spoofed” e-mail.

Editor’s note: To read the complete explanation of how Slate was duped by an e-mail spoofer, see this “Press Box” column.

After my wife cast her ballot on the morning of Election Day 1996, she arrived at work to find an e-mail from none other than the president of the United States (president@whitehouse.gov). He thanked her for her vote and promised to address her hot-button issues of education and women’s rights. She was a little disturbed, but as it turned out the sanctity of her secret ballot hadn’t been compromised. Someone (her husband) had merely sent her a spoofed e-mail.

E-mail is considered “spoofed” when the e-mail address in the “From” field is not that of the sender. As Slate learned so publicly last week, believing what you read in spoofed e-mail can cause huge embarrassment, so if you receive an e-mail from George W. Bush or a man purporting to be an executive of a European carmaker, trust us: It might not be on the level. The bad news is that it’s not very hard to spoof e-mail, but the good news is that it can usually be detected. To detect spoofed e-mail (and boy, do Slate’s editors wish I’d written this piece last month!) you need to understand how e-mail is sent on the Internet.

  1. Your e-mail program (e.g., Outlook, Eudora, Hotmail) sends the message to an SMTP (Simple Mail Transfer Protocol) server, a computer that understands how to relay your e-mail.
  2. The message is passed from SMTP server to SMTP server across the Internet.
  3. It arrives at its penultimate destination, the recipient’s mailbox, which stores the e-mail.
  4. Finally it is fetched by an e-mail program, so its recipient can read it.

Like a well-paid courier, SMTP just passes along what it was given. I tell Outlook my e-mail address, but neither it nor the SMTP server provided by my Internet service provider has any way to verify that it’s true. Just this minute, I changed my Outlook settings to say that my name is Mork, e-mail address mork@ork.planet, and Outlook happily sent more mail to my wife, who is tiring of my little shenanigans. ISPs smarter than mine configure their mail servers to be more restrictive about the e-mail they’ll accept, attempting to verify the veracity of the sender’s address, but a determined spoofer usually knows how to insert e-mail further along the transmission chain.

Every e-mail contains a hidden component known as a “header” that details its transmission history. By viewing the header and doing a little detective work you can usually spot the telltale signs of spoofed e-mail. Investigating suspicious e-mail is a relatively technical process. To do so, check the headers:

  • In Outlook, select View/Options.
  • In Outlook Express, select Properties/Details.
  • In Pine, type H.
  • In Eudora, click on the “Blah Blah Blah” button (I love that).
  • In Hotmail go to Options/Mail Display Settings/Message Headers and select “Full.”
  • In Netscape, select View/Headers/All.
  • In Yahoo! Mail select “Full Headers.”
  • See the help file of e-mail programs not mentioned here and look up “headers.”

At first glance headers look like gobbledygook, but in time … no, they will always look like gobbledygook. You just have to tough it out.

The first thing to check is the From field, which will look like one of these:

From: George W. Bush (president@whitehouse.gov)
From: president@whitehouse.gov (George W. Bush)
From: George W. Bush

Look for a discontinuity between the friendly name and the e-mail name. If the friendly name is “George W. Bush” but the e-mail address is fred@spammers.com, or if the e-mail name is missing entirely, the e-mail may be spoofed. But a sophisticated spoofer won’t make this simple mistake.

Next, look at the Received fields. Each time the mail gets relayed through an SMTP server, a new Received field is added, and you read them bottom-to-top. The bottom one might look like this:

Received: from Whitehouse ([555.666.777.888]) by WhitehouseMail
    (MailProgram v9.7) with SMTP id 1-2-3-4-5WhitehouseMail@Whitehouse
    for ; Mon, 11 Mar 2002 05:05:05 +0000

This is supposed to detail the original sending of the mail from the sender’s mail program to their ISP’s (or company’s) SMTP server, although it can be forged. If the mail purports to be from whitehouse.gov but you see names like “spammer.com,” you have reason to be suspicious. It also pays to look up the sender’s IP address, the four numbers separated by dots in the Received line. For argument’s sake, let’s say that the sender’s IP address is 555.666.777.888. At the Windows command prompt (Start, Programs, Accessories, Command Prompt) type:

Nslookup 555.666.777.888

This will likely tell you the name of their SMTP server. Another tool you can use is …

Tracert 555.666.777.888

… which shows the network route from your computer to the IP address indicated. Look for suspicious server names or clues to geographical locations (e.g., SFO for San Francisco). Again, you’re looking for discontinuities. (Don’t be surprised if the spoofer does some Internet magic to make the IP address useless to you, though.)

You can continue with this sort of detective work up through the different Received fields. If you are lucky you can track down the e-mail address and ISP of the true sender and at least get them kicked off their ISP. If, for example, the e-mail comes from the ISP Nastybrowndog.com, send e-mail with your complaint to abuse@nastybrowndog.com or postmaster@nastybrowndog.com.
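As an added illustration (not part of the original column), here is a small Python check that applies the From and Received rules above to a header block: it reads the Received lines bottom-to-top, pulls out the originating IP, and reports the discontinuities a human would look for. The message, hostnames and IP addresses are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): From claims whitehouse.gov, but the bottom Received line shows otherwise.
SAMPLE = """\
Received: from relay.openmail.example ([192.0.2.10]) by mx.example.net
 with SMTP id A1 for <wife@example.net>; Mon, 11 Mar 2002 05:05:07 +0000
Received: from whitehouse.gov (dialup-77.spammers.example [198.51.100.77])
 by relay.openmail.example with SMTP id B2; Mon, 11 Mar 2002 05:05:05 +0000
From: George W. Bush <president@whitehouse.gov>
To: wife@example.net
Subject: Thanks for your vote

Thanks for voting!
"""

# Matches "from HELO (reverse-dns [ip]) by SERVER" and "from HOST ([ip]) by SERVER".
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\((?:(\S+)\s+)?\[([\d.]+)\]\))?.*?\bby\s+(\S+)")


def parse_received(msg):
    """Hops oldest-first, i.e. bottom Received line first: (helo, rdns, ip, by)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        if m:
            hops.append(m.groups())
    return hops


def spoof_indicators(raw):
    """Return the From parts, the originating IP and the discontinuities found."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    hops, flags = parse_received(msg), []
    if "@" not in addr:
        flags.append("From field has a friendly name but no e-mail address")
    for helo, rdns, _ip, _by in hops:  # announced name vs. what the IP resolves to
        if rdns and not rdns.lower().endswith(helo.lower().split(".", 1)[-1]):
            flags.append(f"server announced itself as {helo} but resolves to {rdns}")
    if hops and domain:  # the first hop should come from the sender's own domain
        origin = (hops[0][1] or hops[0][0]).lower()
        if not origin.endswith(domain):
            flags.append(f"mail entered the relay chain from {origin}, not {domain}")
    for (_, _, _, by), (nxt, nxt_rdns, _, _) in zip(hops, hops[1:]):  # chain continuity
        if by.lower() not in (nxt.lower(), (nxt_rdns or "").lower()):
            flags.append(f"{by} accepted the mail but the next hop names {nxt}")
    return {"name": name, "address": addr,
            "origin_ip": hops[0][2] if hops else None, "flags": flags}
```

The returned origin IP is the one to feed to nslookup or tracert by hand; a spoofer who forges extra Received lines can still defeat the chain check, which is why the column treats headers as clues rather than proof.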

Sometimes the simplest way to unmask spoofed e-mail is by responding to it—in Slate’s case of the phantom auto executive, the e-mail address in question wasn’t even real! If the spoofed address doesn’t exist, it may bounce back undeliverable. But if the spoof e-mail address does exist, such as president@whitehouse.gov, don’t be surprised if your message generates an automated returned message along the lines of “thanks for writing.”

You may ask why the designers of e-mail didn’t prevent spoofing from the beginning. One answer is that many software developers have Utopian streaks from watching too much Star Trek. They assume that everyone will do the right thing. They also like keeping things simple, and identity authentication would really complicate matters. Besides, standards for authenticating identity on the Internet didn’t exist back then and for the most part still don’t. Finally, and most important, spoofing e-mail is incredibly useful! Because of spoofing:

  • I can send e-mail from my ISP that contains my “custom” return address—bill@barnacle.org—instead of the one provided by my ISP.
  • I can read my home e-mail on the road using a Web-based e-mail account but prefer to respond “from” bill@barnacle.org.
  • My administrative assistant can send mail “from” me confirming a meeting. OK, I don’t have an administrative assistant. But when I do, I’ll be glad he can spoof me.

Given today’s e-mail infrastructure, there’s not much that can be done to prevent spoofing. Companies and organizations can tighten up their mail servers as detailed here. If you are in a situation where the authenticity of the sender must be established and it is someone you are already in communication with, you can agree to use PGP or other encryption programs when exchanging e-mail. Encryption protects messages from tampering and positively identifies the sender. A promising sign is the emergence of programs that attempt to filter or tag spoofed e-mails, but these have yet to be widely embraced by ISPs (although the government—with good reason—is pursuing them avidly).

Until then, be wary if you get mail from the president offering to drop by your neighborhood and personally feel your pain. It might just be me.