No one likes to see spam in their Inbox, especially when it appears to come from themselves! Users often get confused and even worry that their identity has been stolen. The usual cause is that their own email address has been whitelisted in the spam filter, typically so that their own outgoing mail is not scanned. The same whitelist entry also lets any inbound message that merely claims to be from that address bypass scanning. Users do not realize (or understand) that spammers can spoof their email address and send spam that appears to be from themselves.
There are two parts of an email message that carry address information: the envelope and the header. The envelope is the MAIL FROM and RCPT TO exchange between mail servers; it is what servers use to route the message and return bounces, and the envelope sender can be forged as easily as anything else, but the envelope is never shown when you view the email in your mail client. The mail client only shows the header (the From, To and Subject lines sent after the DATA command). This is where the spammer can get creative and enter any From or To address they like, so this is where and how the recipient's own email address ends up as the From address. It is a simple way to get past spam filters when people whitelist their own email addresses, because the whitelist is matched against the very field the spammer controls.
Sample session:
In the transcript below, the lines the server answers with a three-digit code are the SMTP conversation. The mail from: and rcpt to: lines are the envelope; the subject:, from: and to: lines that follow the data command are the header, and those can be set to whatever the sender wishes. In this particular session the envelope sender and the header From agree; a spammer would keep a mail from: of their own choosing (so bounces go to them) and put the recipient's own address in the from: line.
Example:
220 a.com ESMTP Receiver Version 5.0.905.0 Ready
Helo domain.com
250 OK
mail from: <test@test.com>
250 test@test.com OK
rcpt to: <user2@a.com>
data
354 Ready for data
subject: test email
from: test@test.com
to: user2@a.com

This is the body:
.
250 Message received OK [id=B0000114609@domain.com]
quit
221 a.com closing
Here are a few recommendations for administrators to help reduce spoofed spam:
Educate your users: send them a short explanation of how a spammer can forge the From line and why a whitelist entry for their own address lets such spam pass.
Publish an SPF record for your domain, listing the servers allowed to send mail with your domain in the envelope sender. SPF is only useful if the receiving server (for self-spoofed spam, your own inbound server) actually performs the check and acts on the result, and SPF validates the envelope MAIL FROM, not the From header the user sees. More information about how to set this up is available at www.openspf.org
Check your server's whitelist: remove every entry that matches your own (local) domain names or email addresses, since a spoofed message matches them just as well as a legitimate one.
Set up DKIM, which adds a cryptographic signature (covering the body and selected headers) to outgoing mail so that a receiving server can verify the message really was sent by a server authorized for your domain. As with SPF, it only helps if the receiving server verifies the signature, and DKIM by itself does not tell a receiver to reject unsigned mail that claims your domain. More information is available at http://www.dkim.org/
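To make the SPF recommendation concrete, here is an added example (not code from the original post, openspf.org or dkim.org) of a minimal SPF evaluator run against a constructed, in-memory set of TXT records. It handles only the ip4 and all mechanisms, and the domains, IP addresses and records are assumptions. It demonstrates the two points above: SPF is evaluated against the envelope MAIL FROM domain, so a spammer who uses their own domain in the envelope passes SPF while still forging the header From, and the record does nothing unless the receiving server runs the check and acts on it.

```python
"""Added example: minimal SPF evaluation against constructed DNS data.
Only the ip4 and all mechanisms with + - ~ ? qualifiers are handled; a
real evaluator also needs a, mx, include, redirect and live DNS lookups.
Domains, addresses and records below are assumptions for this example."""

import ipaddress

LOCAL_DOMAINS = {"a.com"}  # assumption: the receiving server's own domains

# Constructed TXT records; a real check would query DNS for these.
FAKE_DNS_TXT = {
    "a.com": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/28 -all",
    "spammer.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # nospf.example deliberately has no record
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_from, dns=FAKE_DNS_TXT):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for the
    connecting IP and the MAIL FROM address. Note what is NOT an input:
    the header From that the user sees."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            matched = True
        elif term.lower().startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # unsupported mechanism: skipped in this toy evaluator
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def inbound_decision(client_ip, envelope_from, header_from,
                     local_domains=LOCAL_DOMAINS):
    """Policy sketch for the receiving server: SPF fail is rejected; a
    softfail, or a header From in our own domain whose envelope sender is
    elsewhere, is quarantined even when SPF passes, because SPF never
    looked at the header From."""
    spf = check_spf(client_ip, envelope_from)
    env_domain = envelope_from.rsplit("@", 1)[-1].lower()
    hdr_domain = header_from.rsplit("@", 1)[-1].lower()
    if spf == "fail":
        action = "reject"
    elif spf == "softfail" or (hdr_domain in local_domains
                               and env_domain not in local_domains):
        action = "quarantine"
    else:
        action = "accept"
    return {"spf": spf, "action": action}


if __name__ == "__main__":
    # Spammer forges both envelope and header as the victim: SPF catches it.
    print(inbound_decision("203.0.113.5", "user2@a.com", "user2@a.com"))
    # Spammer uses their own envelope domain: SPF passes, header check needed.
    print(inbound_decision("203.0.113.5", "bounce@spammer.example", "user2@a.com"))
    # Legitimate mail from the server listed in a.com's record.
    print(inbound_decision("192.0.2.10", "user1@a.com", "user1@a.com"))
```

The second scenario is the one the whitelist problem turns on: the envelope sender is the spammer's own domain with a valid SPF record, so SPF passes, and only a rule that looks at the header From in relation to the envelope (or a whitelist that no longer contains your own domain) stops it.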