Advisory: Spoofed Email
March 7, 2003 (See also: February 14, 2006 Addendum below)
Please be advised of an increasingly common phenomenon known as "spoofed email." Simply put, it's email sent with a forged return address.
How is that possible?
Simple. The return address and name are provided by the sender, typically at the time of setting up the email program. For example, you can set up your Microsoft Outlook to display "George Bush" (or whoever) and enter the email address "nobody@neverland.xyz", or wherever else you want the reply email to be sent.
What does this mean?
1. Don't trust inbound email identity. You could receive an email seemingly coming from me, instructing you to download and install something. If such a message is out of context (as opposed to expected, following our prior discussions), you should be suspicious. Verify the authenticity by phone/IM, or even just by a fresh email from you to me (do not reply).
2. Beware of potential discrepancies between the displayed identity and the actual reply address. Joe, the intern, can pose as Mary, your boss, and send you an email question. Your reply, with the confidential answer, is actually sent back to Joe's outside anonymous email address!
3. The old rule of "don't open attachments from strangers" is no longer sufficient. You will certainly receive many harmful emails apparently from someone you know, even though they didn't actually send them. In fact, we've been stressing this since 1999!
4. You will be receiving numerous "bounce" notices from legitimate ISPs around the world, announcing that the email you sent was undeliverable (or contains a virus). You never sent them, but spammers were using your address, causing you to be blamed.
5. A variation on this theme is to pose as you and send a message to thousands of non-existent accounts at some ISP or corporate domain. You'll end up receiving thousands of bounce notices. This tactic is known as "mail bombing." Your mailbox will explode with junk and exceed its quota, causing legitimate email to be rejected.
What can you do?
Obviously, you can't stop them from spoofing. However, being aware of it allows you to react accordingly.
If you're concerned about this, there are encryption techniques that can be deployed to safeguard your email in the following areas:
- Authenticity
- Confidentiality
- Integrity
- Irrefutability
How did spammers obtain and hijack your address?
- Your system was compromised by a worm or spyware, which scans the victim's hard drive for address books and other valuable information.
- Your friends' or associates' systems were compromised, and you're in their address books.
- Your email address is posted on public web sites or in public record databases.
- You signed up for a "free" service, and the vendor has no revenue stream other than selling your address, or spamming you themselves to trick you into buying something.
- Your friends fell for a spyware lure: Click here to earn a free iPod (or Applebee's dinner)... Step 1: Provide 25 email addresses of friends...
- You're on your friends' twice-a-week jokes open mailing list (not "bcc"), for those 12th-generation forwards, with 6 copies of everyone's address scattered within the broken text, quote marks and cascaded indentation. Spammers downstream from you can harvest those addresses.
ADDENDUM
February 14, 2006
Specifically, how could you tell if an email "from me" is legitimate?
Some of you complained that the original memo didn't explicitly address the issue of how to tell if something is really from me. I shall elaborate...
Use common sense. Be vigilant. Look for these tell-tale signs:
- out-of-context, generic and vague nature of the message
- style inconsistencies
- dire tone
- source of email
- recipients of email
- inappropriate (technically, not morally/socially) attachments
It should be plenty obvious if the message warns about a serious matter affecting you specifically, and yet doesn't even address you directly.
I only write in one of two distinct modes, informal or formal, but never uneducated nor pretentious. I'm a competent and prolific writer, fluent in formal corporate speak. However, I am against double-speak and meaningless buzzwords. Fake "official" notices are laden with red flags indicating blatant attempts to imitate formal, authoritative speak.
"... this one's really nasty... forward to everyone you know..." C'mon, folks! Mr. Nice-n-Steady, sneering at every nonsense warning for 25 years, is all of a sudden excited about this latest "incurable" threat? I'd love to know what I could have possibly taken!
I'm a 25-year email veteran with steady email addresses throughout, and official domains since March 13, 2000. It's quite unlikely I'll start writing to you from xyz@nowhere.py or stranger@hotmail.com. Of course, a correct email address does not guarantee authenticity, but a bad one is a sure sign that it's fake.
I never email "to" or "cc" bulk recipients. The only exception is a small group discussion among the relevant parties to a given matter. Since 1998 I have been lecturing on the fundamental concept that misusing "to" or "cc" when "bcc" is called for is inappropriate, irresponsible and incompetent.
For years, I have painstakingly pointed out why it's inappropriate to send files via email attachments, other than simple documents. Many proper alternatives exist for consumers and businesses alike. Consider any email with a "bug fix program" or "cool screen saver" attached to be malicious, and certainly not originating from yours truly.
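The header checks described in item 2 of the original memo (displayed identity versus actual reply address) and in the tell-tale signs above (source of email, recipients of email, inappropriate attachments) can be applied mechanically before a human ever reads the message. The script below is an added example written for this page, not code from the memo's author or the Bravo sites; it uses only Python's standard email library. The two sample messages, every name and domain in them, the recipient threshold of 10 and the list of program-file extensions are constructed assumptions for the demonstration, and the flag names are invented labels.

```python
"""Header-consistency triage for a suspected spoofed email (added example, not the memo's own code)."""
from email import message_from_string, policy
from email.utils import parseaddr

# Attachment types treated as "program" attachments; the list is an assumption.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js")
# Visible To/Cc recipients at or above this count trigger the bulk-recipients flag (assumed value).
BULK_THRESHOLD = 10

# Constructed sample messages; every name and domain here is invented for the demonstration.
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce-handler@outside-mail.example>
From: "Mary Boss <mary.boss@corp.example>" <joe.intern@freemail.example>
Reply-To: anon12345@throwaway-mail.example
To: staff01@corp.example, staff02@corp.example, staff03@corp.example,
 staff04@corp.example, staff05@corp.example, staff06@corp.example,
 staff07@corp.example, staff08@corp.example, staff09@corp.example,
 staff10@corp.example, staff11@corp.example, staff12@corp.example
Subject: URGENT: install this bug fix program immediately
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Everyone must run the attached fix today.
--b1
Content-Type: application/octet-stream; name="bugfix.exe"
Content-Disposition: attachment; filename="bugfix.exe"

MZ...
--b1--
"""

LEGITIMATE_MESSAGE = """\
Return-Path: <mary.boss@corp.example>
From: Mary Boss <mary.boss@corp.example>
To: staff01@corp.example
Subject: Re: quarterly report draft
MIME-Version: 1.0
Content-Type: text/plain

Looks good, as we discussed on the phone this morning.
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def header_flags(raw_message):
    """Return the list of red flags found in the message's headers and attachments."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []

    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    from_addr = sender.addr_spec.lower() if sender else ""

    # Display name shows one identity while the real address is another.
    embedded = parseaddr(sender.display_name)[1].lower() if sender else ""
    if "@" in embedded and embedded != from_addr:
        flags.append("display-name-address-mismatch")

    # Replies would go to a domain other than the apparent sender's.
    reply_to = msg["Reply-To"]
    for addr in (reply_to.addresses if reply_to else ()):
        if domain_of(addr.addr_spec) != domain_of(from_addr):
            flags.append("reply-to-domain-mismatch")
            break

    # Envelope sender (Return-Path) recorded by the receiving server disagrees with From.
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if return_path and domain_of(return_path) != domain_of(from_addr):
        flags.append("return-path-domain-mismatch")

    # Bulk visible recipients where Bcc would have been appropriate.
    recipients = [a for name in ("To", "Cc") for hdr in msg.get_all(name, []) for a in hdr.addresses]
    if len(recipients) >= BULK_THRESHOLD:
        flags.append("bulk-visible-recipients")

    # Program files arriving as attachments.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            flags.append("executable-attachment:" + filename)

    return flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, header_flags(raw) or ["no flags"])
```

None of these flags proves forgery on its own: mailing lists legitimately rewrite Return-Path, and some organisations set Reply-To to a shared mailbox. The point, as the memo says, is that each discrepancy is a reason to verify out of band rather than to act on the message.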
To verify the authenticity of email purportedly from me:
- Go through the analysis above.
- Notify your Designated In-house Facilitator/Administrator (DIFA). This is exactly the primary purpose of the DIFA: to act as frontline support and coordinator.
- If you're the DIFA, check the Bravo Memos site for the latest advisories, as well as the Bravo Security Portal for any posted bulletins.
- If you're still not certain, contact me directly (email, IM, phone, SMS).
- When in doubt, verify.