E-Mail Spoofing: Not For Faint of Heart
It was October 2, 2008 – the night of the one English debate scheduled here in Canada between our political leaders in our federal election campaign. It was, not coincidentally, also the night of the Vice-Presidential debate in the US which pitted the solid and stern Joe Biden against the folksy patronizing “charm” of Sarah Palin. The US debate held much more promise for drama than our five earnest and exceedingly polite political leaders.
Three of my fellow political junkies joined me at my place and offered to make home-made pizza to sustain us through a few hours of channel-hopping between these debates. It was an offer I couldn’t refuse!
We were glued to the set, providing our own commentary as things unfolded. At approximately the mid-point in the debates, about 10:00 p.m. EDT, my Blackberry started vibrating. And vibrating. And vibrating. I glanced at it and was horrified to see that hundreds – eventually thousands – of “bounce-back” error messages were being delivered to my e-mail in-box. You know the kind of message you get when you send an e-mail and have mistyped the address? You get a “Mailer-Daemon: Error” or “Unknown Recipient” or “Undeliverable” or some such. A bounce back.
What does it mean when hundreds or thousands of these bounce-backs appear in your e-mail in-box? It means that your e-mail address has just been spoofed. A spammer, or the bot doing the sending for them, has either harvested your address from somewhere (your website, a mailing-list archive, somebody’s online address book) or has simply generated an address that happens to match yours. They put your address in the envelope sender of their spam (the “Return-Path” or “MAIL FROM” address, which is where mail servers send their error reports) and usually in the visible “From:” line as well, and then they hit “send”. Every server that cannot deliver the spam returns it to the address it was told it came from. YOU get the bounce-backs (the trade calls this “backscatter”); the spammer doesn’t.
Your e-mail address, and possibly your whole domain, may also get tagged by spam filters as a likely spam source: not a good outcome if you rely on e-mail and have technologically savvy clients with whom you would like to communicate reliably.
There is also the matter of the thousands upon thousands of e-mails that come pouring into your in-box, effectively obliterating your ability to identify and respond to your REAL e-mails. At one point, in the middle of this spoofing storm, I was watching the e-mails pour into my web mail in-box and attempted to highlight masses of them and delete. I could not highlight and delete fast enough to keep up. I managed to delete over 1,000 messages from my mail server before bed, but by the time I shut my machine down, there were over 1,200 messages … and counting. When I got up in the morning, my in-box intake had slowed and there were a mere 6,177 messages. The flow had slowed to a trickle. Somewhere in there, I found out later, were two notes from students of mine and three personal messages of some importance.
I have three things to say about e-mail spoofing:
- An Ounce Of Prevention Is Worth … About Eight Ounces Of Cure: The standard admonishment for keeping your e-mail out of the hands of malevolent spammers is to suggest keeping your “real” e-mail address offline. Don’t use your most important e-mail address to sign up for distribution lists, or to enter online contests, or to interact with discussion boards, blogs, forums or wikis. Get a separate web-based e-mail address for these purposes (e.g. Hotmail, Gmail, Yahoo or similar) and keep your corporate or “real” personal address for “real” correspondence.
- Folder Filters. Here is one way you can “cope” with the coming onslaught of totally useless bounce-backs that may be headed your way. Note the subject line of most of these undeliverable message alerts. They contain unique words like:
- Undeliverable
- Daemon
- Unknown recipient
- Delivery failure (or Delivery Status Notification)
… and so on. Set up your e-mail software with filters that recognize these words in the subject line (and a sender such as MAILER-DAEMON or postmaster) and direct every message labelled as such into a separate folder. This can be set up either within your desktop e-mail program (e.g. Outlook) or at your mail server. I would recommend that you set this up at the server level to keep this virtual riff-raff as far away from your own equipment as possible. Be aware that genuine bounces for mail you really did send will land in the same folder, so look in it when something you sent goes unanswered. I would also recommend you do this NOW and not wait until your in-box is groaning from the weight of incoming bounce-backs.
- Publish a Sender Policy Framework (SPF) Record. What!? Another three-letter acronym? Yes – sorry. This one also takes a bit of fiddling to set up, but the end results are quite worth the effort. OpenSPF.org (see below) explains the technical details, giving a blow-by-blow on how to set this up for a domain you own, whether its mail is handled by your own corporate server or by a hosted service such as Gmail. (If you only use a plain gmail.com address, Google already publishes the record for that domain; SPF is something the owner of a domain sets up, not something an individual mailbox can switch on.)
I do endorse keeping your main address offline as a strategy, but I also know there are times when you might want to use your corporate domain name online for marketing purposes. I also know that spammers are getting very clever about acquiring e-mail addresses from web-based address books, Facebook, and other sources. To be honest, if you have been out in the virtual world with your main e-mail address at any point in the last 10 years, that e-mail address is likely on a list somewhere. If you haven’t been spoofed yet, you are living on borrowed time. Brace yourself.
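Subject-line rules are the quick fix described in the second item above, but a filter can tell a real bounce from backscatter by what is inside the message: a standards-compliant bounce is a multipart/report with report-type=delivery-status and usually carries a copy of the original message, whose Message-ID you can compare with a log of what you actually sent. The script below is an added example, not code from the original post; the sample messages, the lizworks.com addresses and the outbox log of Message-IDs are constructed for illustration, and the subject keywords are the ones listed above plus a few common variants.

```python
"""Sort incoming bounces into real bounces and backscatter.

Added example, not from the original post. The Message-ID log and the
sample messages below are constructed; lizworks.com is the post's own
example domain.
"""
import email
import re
from email import policy

# Constructed stand-in for a log of Message-IDs of mail you actually sent
# (a real deployment would record these from the outgoing mail queue).
SENT_MESSAGE_IDS = {"<20081002221500.1234@lizworks.com>"}

# Subject keywords from the post plus common variants, for old servers that
# send plain-text bounces without a delivery-status report.
BOUNCE_SUBJECT = re.compile(
    r"undeliver|delivery (status|failure)|returned mail|mail delivery|"
    r"unknown recipient|mailer-daemon|failure notice",
    re.IGNORECASE,
)


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def is_bounce(msg):
    """RFC 3464 bounces are multipart/report; report-type=delivery-status.
    Fall back to the subject-line keywords for non-standard bounces."""
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    return bool(BOUNCE_SUBJECT.search(msg.get("Subject", "")))


def original_message_id(msg):
    """Message-ID of the message the bounce claims to return, taken from an
    attached copy (message/rfc822) or attached headers (text/rfc822-headers);
    None if the bounce carries neither."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            mid = part.get_payload(0).get("Message-ID")
            return str(mid).strip() if mid else None
        if ctype == "text/rfc822-headers":
            m = re.search(r"^Message-ID:\s*(<[^>]+>)", part.get_content(), re.I | re.M)
            return m.group(1) if m else None
    return None


def classify(raw):
    """Return 'inbox', 'real-bounce' (one of yours did not get through) or
    'backscatter' (a bounce for mail you never sent: file it away)."""
    msg = parse(raw)
    if not is_bounce(msg):
        return "inbox"
    return "real-bounce" if original_message_id(msg) in SENT_MESSAGE_IDS else "backscatter"


# Constructed sample: a genuine bounce of a note you sent to a student.
REAL_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: liz@lizworks.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="rb"

--rb
Content-Type: text/plain

<student@example.net>: user unknown
--rb
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; student@example.net
Action: failed
Status: 5.1.1
--rb
Content-Type: message/rfc822

From: liz@lizworks.com
To: student@example.net
Message-ID: <20081002221500.1234@lizworks.com>
Subject: Assignment 3

See attached.
--rb--
"""

# Constructed sample: identical bounce format, but the returned message is the
# spammer's, not yours; only the Message-ID and subject differ.
BACKSCATTER = (REAL_BOUNCE
               .replace("<20081002221500.1234@lizworks.com>", "<9f3a1b@bot.invalid>")
               .replace("Subject: Assignment 3", "Subject: Cheap meds"))

# Constructed sample: an old-style plain-text bounce with no attached original.
PLAIN_BACKSCATTER = """\
From: postmaster@oldmx.example.org
To: liz@lizworks.com
Subject: Unknown recipient
Content-Type: text/plain

Your message to bob@example.org could not be delivered.
"""

# Constructed sample: ordinary mail that must stay in the in-box.
NORMAL = """\
From: student@example.net
To: liz@lizworks.com
Subject: Question about the debate
Content-Type: text/plain

Could we meet tomorrow?
"""

if __name__ == "__main__":
    for name, raw in [("REAL_BOUNCE", REAL_BOUNCE), ("BACKSCATTER", BACKSCATTER),
                      ("PLAIN_BACKSCATTER", PLAIN_BACKSCATTER), ("NORMAL", NORMAL)]:
        print(name, "->", classify(raw))
```

Hook this into a server-side delivery filter (procmail can pipe each message through a script, for instance), route “backscatter” to the bounce folder and leave “real-bounce” in the in-box. The Message-ID comparison is what the subject-only rule cannot do: it keeps the bounce for a note you really sent where you will see it.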
What is a Sender Policy Framework? It is a short text record that the owner of a domain name publishes alongside the other information about that domain in the Domain Name System (DNS). Think of Domain Name Servers as giant digital phone books that continuously replicate and update at key points all across the Internet. If you own a domain name, say something like lizworks.com, DNS tells every browser which machine holds your website and tells every mail server which machine accepts mail for your domain, and here is where the fun begins. Through an SPF record you can list the computers (by IP address, or by a host name that DNS resolves to an address) that are authorized to send e-mail FROM your domain. Let’s say you send mail through cogeco.ca at home, through your corporate mail server at work, and occasionally through Gmail when you are traveling. You can publish an SPF record that says to any mail server that looks it up, “Look, if the e-mail claiming to be from my domain came from one of these three places, it is legit. If it did NOT get sent from one of these three places, it did NOT come from me!” A receiving server checks the record against the domain of the message’s envelope sender (the address the bounces go to), so a spammer forging your address from an unlisted machine gets a “fail”, and the server can refuse the message outright instead of accepting it and bouncing it back at you. For specific details on how to implement this, please visit OpenSPF.org.
This is not a perfect solution. SPF only covers the envelope sender, not the visible From: line; mail forwarded through an intermediate server arrives from an unlisted address and fails the check; and the bounce storm only shrinks where receiving servers actually check SPF before accepting mail. Companies with thousands of employees and many outbound mail paths would also find a simple policy like this restrictive. However, the more of us who adopt this sort of policy, the harder we make it for the spammers to take advantage of our valuable virtual assets.
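To see what the receiving side actually does with such a record, here is a minimal version of the SPF check_host() evaluation (RFC 7208) run against the three-sender scenario above: home ISP, corporate mail server and Gmail. This is an added example, not code from the post or from OpenSPF. The domain lizworks.com, its host names, the addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the DNS answers are constructed; spf.cogeco.ca is a hypothetical include name, the _spf.google.com record shown is a stand-in rather than Google’s actual published record, and loop.example is a deliberately broken record that refers to itself.

```python
"""Minimal SPF check_host() as a receiving mail server runs it.

Added example, not from the original post or OpenSPF. All DNS data below
is constructed (spf.cogeco.ca is hypothetical; _spf.google.com is a
stand-in for the real record). Handles ip4, ip6, a, mx, include and all;
ptr, exists, CIDR suffixes and modifiers are left out.
"""
import ipaddress

# Constructed DNS zone data standing in for real lookups: (name, type) -> answers.
DNS = {
    ("lizworks.com", "TXT"): [
        "v=spf1 mx a:webhost.lizworks.com include:_spf.google.com include:spf.cogeco.ca -all"
    ],
    ("lizworks.com", "MX"): ["mail.lizworks.com"],          # corporate mail server
    ("mail.lizworks.com", "A"): ["192.0.2.25"],
    ("webhost.lizworks.com", "A"): ["203.0.113.10"],        # web server that sends contact-form mail
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:209.85.128.0/17 ip4:64.233.160.0/19 ~all"],
    ("spf.cogeco.ca", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],   # hypothetical home-ISP record
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],   # self-referencing, must not run forever
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than ten DNS-querying terms is a permerror


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is required; none or several means no usable policy."""
    recs = [r for r in lookup(domain, "TXT") if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, _lookups=None):
    """Evaluate the SPF record of `domain` (the envelope-sender domain) for a
    message arriving from `ip`. Returns pass/fail/softfail/neutral/none/permerror."""
    lookups = _lookups if _lookups is not None else [0]
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:
            continue  # modifiers such as redirect= and exp= are not handled here
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # membership across IP versions is simply False
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            inner = check_host(str(ip), arg, lookups)
            if inner in ("none", "permerror"):
                return "permerror"  # a broken include breaks the whole record
            matched = inner == "pass"
        else:
            return "permerror"  # unsupported mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record exhausted without a match


if __name__ == "__main__":
    for sender in ("192.0.2.25", "203.0.113.10", "209.85.130.5", "198.51.100.77", "203.0.113.200"):
        print(sender, "->", check_host(sender, "lizworks.com"))
    print("loop.example ->", check_host("203.0.113.10", "loop.example"))
```

A server that gets “fail” for the connecting address can reject the message during the SMTP conversation, so no bounce is ever generated; one that accepts first and bounces later still produces backscatter whatever your record says. The lookup counter is the reason the self-referencing loop.example record ends in permerror instead of recursing forever, and it is also why long chains of include terms in real records need to be kept short.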
My two experiences with e-mail spoofing have shown me that it really is like a storm. My address was used for, I’m guessing, a single giant spam “send” and then the spammer moved on to the next name on their list. The bounce-backs do wind down, usually over a matter of days. However, untold damage was done in terms of my e-mail address now being listed – perhaps on the basis of more than one instance – as a potential spam source. Don’t let this happen to you – take a close look at the SPF approach and implement it if you can. Truly an ounce of prevention worth many pounds of cure.

