From the desk of: Sam C. Chan

Advisory: Spoofed Email

March 7, 2003     (See also: February 14, 2006 Addendum below)

Please be advised of an increasingly common phenomenon known as "spoofed email." Simply put, it's email sent with a forged return address.

How is that possible?

Simple. The return address and name are supplied by the sender, typically when the email program is first set up. For example, you can set up Microsoft Outlook to display "George Bush" (or whoever) and enter "nobody@neverland.xyz" (or wherever you want replies sent) as the email address. Nothing checks that either value is yours.

What does this mean?

1. Don't trust inbound email identity. You could receive an email seemingly coming from me, instructing you to download & install something. If such a message is out of context (as opposed to expected, following our prior discussions), you should be suspicious. Verify authenticity by phone or IM, or even just by sending a fresh email from you to me (do not reply to the suspicious message).

2. Beware of discrepancies between the displayed identity and the actual reply address. Joe the intern can pose as Mary, your boss, and send you an email question. Your reply is actually sent back to Joe's outside anonymous email address, confidential answer included!

3. The old rule of "don't open attachments from strangers" is no longer sufficient. You will certainly receive many harmful emails apparently from someone you know, even though they didn't actually send them. In fact, we've been stressing this since 1999!

4. You will be receiving numerous "bounce" notices from legitimate ISPs around the world, announcing that the email you sent was undeliverable (or contains a virus). You never sent them, but spammers were using your address, causing you to be blamed.

5. A variation on this theme is to pose as you and send a message to thousands of non-existent accounts at some ISP or corporate domain. You'll end up receiving thousands of bounce notices. This tactic is known as "mail bombing." Your mailbox will fill with junk and exceed its quota, causing legitimate email to be rejected.

What can you do?

Obviously, you can't stop them from spoofing. However, being aware of it allows you to react accordingly. If you're concerned about this, there are cryptographic techniques (encryption and digital signatures) that can be deployed to safeguard your email in the following areas:

  • Authenticity (the message really came from the stated sender)
  • Confidentiality (only the intended recipient can read it)
  • Integrity (it was not altered in transit)
  • Irrefutability (the sender cannot later deny having sent it)

How did spammers obtain and hijack your address?

  • Your system was compromised by a worm or spyware, which scans the victim's hard drive for address books and other valuable information.
  • Your friends'/associates' systems were compromised, and you're in their address books.
  • Your email address is posted on public web sites or in public record databases.
  • You signed up for a "free" service, and the vendor has no revenue stream other than selling your address, or spamming you themselves to trick you into buying something.
  • Your friends fell for a spyware lure: Click here to earn a free iPod (or Applebee's dinner)... Step 1: Provide 25 email addresses of friends...
  • You're on your friends' twice-a-week jokes mailing list, sent with open "to"/"cc" recipients (not "bcc"), for those 12th-generation forwards with 6 copies of every address scattered among the broken text, quote marks and cascaded indentation. Spammers downstream from you can harvest those addresses.


ADDENDUM

February 14, 2006 

Specifically, how could you tell if an email "from me" is legitimate?

Some of you complained that the original memo didn't explicitly address the issue of how to tell if something is really from me. I shall elaborate...

Use common sense. Be vigilant. Look for these tell-tale signs:

  • out-of-context, generic and vague nature of the message
  • style inconsistencies
  • dire tone
  • source of email
  • recipients of email
  • inappropriate (technically, not morally/socially) attachments

It should be plenty obvious if the message warns about a serious matter affecting you specifically, and yet doesn't even address you directly.

I only write in one of two distinct modes, informal or formal, but never uneducated nor pretentious. I'm a competent and prolific writer, fluent in formal corporate speak. However, I am against double-speak and meaningless buzzwords. Fake "official" notices are laden with red flags indicating blatant attempts to imitate formal, authoritative speech.

"... this one's really nasty... forward to everyone you know..."    C'mon, folks! Mr. Nice-n-Steady, who has sneered at every nonsense warning for 25 years, is all of a sudden excited about this latest "incurable" threat? I'd love to know what I could have possibly taken!

I'm a 25-year email veteran with steady email addresses throughout, and official domains since March 13, 2000. It's quite unlikely I'll start writing you from xyz@nowhere.py or stranger@hotmail.com. Of course, a correct email address does not guarantee authenticity. A bad one is a sure sign that it's fake.

I never email "to" or "cc" bulk recipients. The only exception is a small group discussion among the relevant parties to a given matter. Since 1998 I have been lecturing on the fundamental concept that misusing "to" or "cc" when "bcc" is called for is inappropriate, irresponsible and incompetent.

For years, I have painstakingly pointed out why it's inappropriate to send files via email attachment, other than simple documents. Many proper alternatives exist for consumers and businesses alike. Consider any email with a "bug fix program" or "cool screen saver" attached to be malicious, and certainly not from yours truly.

To verify authenticity of email purportedly from me:

  • Go through the analysis above.
  • Notify your Designated In-house Facilitator/Administrator (DIFA). This is exactly the primary purpose of the DIFA, to act as frontline support and coordinator.
  • If you're the DIFA, check the Bravo Memos site for any latest advisories, as well as Bravo Security Portal, for any posted bulletins there.
  • If you're still not certain, contact me directly (email, IM, phone, SMS).
  • When in doubt, verify.
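The header-level signs in this checklist (source of email, recipients of email, inappropriate attachments) and item 2 of the original memo (displayed identity versus actual reply address) can be checked mechanically before a human looks at the message. The following Python is an added example, not the memo's or Bravo's own code; the trusted sender domain, the bulk-recipient threshold and both sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr
TRUSTED_SENDER_DOMAINS = {"example-legit.test"}  # assumed placeholder for the author's real domains
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js")  # programs, not documents
BULK_RECIPIENT_THRESHOLD = 5  # assumed: this many visible To/Cc addresses counts as "bulk"

def spoof_indicators(raw_message: str) -> list[str]:
    """Return the tell-tale signs found in one raw message; an empty list means none were found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Source of email: a sender address outside the author's steady domains.
    if from_domain not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"from-domain:{from_domain or 'missing'}")
    # Displayed identity vs. actual reply address (the intern-posing-as-boss case).
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"reply-to-mismatch:{reply_addr}")
    # Recipients of email: bulk addresses placed in To/Cc where Bcc belongs.
    visible = getaddresses([str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])
    if len(visible) >= BULK_RECIPIENT_THRESHOLD:
        findings.append(f"bulk-recipients:{len(visible)}")
    # Inappropriate attachments: "bug fix programs", screen savers and the like.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky-attachment:{name}")
    return findings
# Constructed sample: a forged "from the author" message carrying every red flag above.
SPOOFED = """\
From: "Sam C. Chan" <stranger@hotmail.com>
Reply-To: collector@nowhere.test
To: a@corp.test, b@corp.test, c@corp.test, d@corp.test, e@corp.test
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

This one's really nasty. Run the attached bug fix program right away.
--sep
Content-Type: application/octet-stream; name="bugfix.exe"
Content-Disposition: attachment; filename="bugfix.exe"

(binary content omitted)
--sep--
"""
# Constructed sample: a plain, directly addressed note from the author's own domain.
LEGIT = "From: Sam <sam@example-legit.test>\nTo: you@corp.test\nSubject: Re: our call\n\nAs discussed.\n"
```

A correct address still does not prove authenticity, as the memo says; an empty result means only that none of these mechanical red flags were present, and the "when in doubt, verify" step still applies.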

Copyright ©2005-2006 Bravo Technology Center