Hi JP!
Nice to see a friendly face out here!
Since I spend more time than any reasonable person should dealing with
e-mail and headers, I thought I'd give this one a go. Let's break it
down into easily managed bits, OK?
1) How could this have been done?
-----------------------------------
Depending on which e-mail client the prankster uses, it can be done
with anywhere from simply editing the From: field to creating a new
user profile:
"It is easy to spoof email because SMTP (Simple Mail Transfer
Protocol) lacks authentication. If a site has configured the mail
server to allow connections to the SMTP port, anyone can connect to
the SMTP port of a site and (in accordance with that protocol) issue
commands that will send email that appears to be from the address of
the individual's choice; this can be a valid email address or a
fictitious address that is correctly formatted.
2.3. In addition to connecting to the SMTP port of a site, a user can
send spoofed email via other protocols (for instance, by modifying
their web browser interface)."
How to protect from Spoofed/Forged Email
http://secinf.net/misc/How_to_protect_from_SpoofedForged_Email_.html
It's so easy, your hair will curl. Let me show you...
For the purposes of this answer, let's suppose the prankster uses
Eudora, and he wants to pose as the boss. (If you'd like me to
demonstrate with a different client, let me know, and I'll install it
and show you.)
Fire up Eudora, then select Tools --> Personalities-->New. Select
Skip directly to advanced account setup:
http://www.darkfriends.net/princessmoo/extras/jp1.jpg
It will immediately pop a new dialog box up for you to fill in all the
information for your new user profile. Let's call the boss Boss Doe.
All you need to fill in is the information in the Generic Properties
tab, and make sure that you 1) uncheck the "Check mail" box, 2) put
the server *you* send mail through in the SMTP information box and 3)
uncheck the "Authentication allowed" box:
http://www.darkfriends.net/princessmoo/extras/jp2.jpg
Click OK, and you're done. Select that personality as your From:
address, and fire away. I sent it to myself from the fake address:
http://www.darkfriends.net/princessmoo/extras/jp3.jpg
It sure *looks* like Boss Doe sent me a spoof mail, doesn't it? This
brings us to our next part.
2) Any way to trace it back to who did it?
------------------------------------------
Maybe.
"The header of the email message often contains a complete history of
the "hops" the message has taken to reach its destination. Information
in the headers (such as the "Received:" and "Message-ID" information),
in conjunction with your mail delivery logs, should help you to
determine how the email reached your system. If your mail reader does
not allow you to review these headers, check the ASCII file that
contains the original message.
NOTE: Some of the header information may be spoofed; and if the abuser
connected directly to the SMTP port on your system, it may not be
possible for you to identify the source of the activity."
How to protect from Spoofed/Forged Email
http://secinf.net/misc/How_to_protect_from_SpoofedForged_Email_.html
If they were dumb enough to send it from their own machine (work or
home), it's traceable through the headers. Let's look at the headers
in that spoof e-mail:
http://www.darkfriends.net/princessmoo/extras/jp4.jpg
By feeding the Prankster's real IP to any WHOIS service, you can
determine what ISP the Prankster uses. If he was dumb enough to do it
from work, then the employer's server is going to come up, making it
easy to track the culprit down by machine ID.
If he was a little smarter and did it from somewhere else (a friend's
house, a public library or university computer), the closest you're
going to get on your own is the ISP.
Of course, the person who was spoofed can also go to court to compel
the ISP to reveal the sender's name - even if the user is on dial-up,
the ISP can still go through their logs to determine when a subscriber
was dialed in.
3) Any way to prevent it from happening in the future?
------------------------------------------------------
That depends. Can Boss Doe prevent people from spoofing his e-mail
address ever again? Not as long as you can alter your From: field at
will.
Can he prevent spoofed items from being sent over the company mail
server? Yes, if he's very careful:
"3.2.2. Configure your mail delivery daemon to prevent someone from
directly connecting to your SMTP port to send spoofed email to other
sites.
3.2.3. Ensure that your mail delivery daemon allows logging and is
configured to provide sufficient logging to assist you in tracking the
origin of spoofed email.
3.2.4. Consider a single point of entry for email to your site. You
can implement this by configuring your firewall so that SMTP
connections from outside your firewall must go through a central mail
hub. This will provide you with centralized logging, which may assist
in detecting the origin of mail spoofing attempts to your site."
How to protect from Spoofed/Forged Email
http://secinf.net/misc/How_to_protect_from_SpoofedForged_Email_.html
Additionally, CERT suggests the use of cryptographic signatures to
authenticate mail.
I'm sure you're well aware that e-mail spoofing is indeed very common
for spammers - one look in your e-mail box will confirm that rather
handily. Surprisingly enough, it's also quite common for pranksters
(I have some hysterical examples of spoofed mail sent among a group of
friends), disgruntled employees, and kids trying to get out of hot
water with their teachers (via forged e-mail ostensibly from their
parents to explain an absence to the teacher):
"Spoofing is a technique that is frequently used by perpetrators of
all manner of e-mail hoaxes to hide their identities and point the
blame at somebody else. It is a favorite with spammers, but also used
by hackers.
All too often the person whose online identity has been hijacked
becomes the primary victim.
In the workplace, spoofing can be used to embarrass or discredit
individuals by associating them with inappropriate e-mails. It is most
often associated with sexual harassment, but might be used to spread
materials that could trigger disciplinary action by an employer."
No Joke: Email Spoofing on the Rise
http://enterprisesecurity.symantec.com/content.cfm?articleid=784
People also use spoofing if they maintain several e-mail accounts:
"Spoofing can be a legitimate and helpful tool for someone with more
than one email account. I spoof regularly from my ISP-provided email.
For instance, you have an account, yourname@isp.net, but you want all
replies to go to yourname@purplemonkeys.com. You can spoof yourself so
that all the mail sent from the isp.net account looks like it came
from your purplemonkeys.com account. If anyone replies to your email,
the reply would be sent to yourname@purplemonkeys.com."
What is e-mail spoofing?
http://www.techtv.com/screensavers/answerstips/story/0,24330,2566233,00.html
As for the law and e-mail spoofing - e-mail spoofing is the equivalent
of electronic forgery in the US. It's a "cyber-crime", and victims of
spoofing are encouraged to contact the FBI:
How the FBI Investigates Computer Crime
http://www.cert.org/tech_tips/FBI_investigates_crime.html
Spoofing is also covered under the following laws:
Privacy Act of 1974
Counterfeit Access Device and Computer Fraud and Abuse Act of 1984
Computer Fraud and Abuse Act of 1986
Electronic Communications Privacy Act of 1986
Computer Security Act of 1987
See: Handling the Cyber Attack (via Google's cache)
http://216.239.51.100/search?q=cache:AuRuE997KIYC:www.nocinfragard.org/HandlingtheCyberAttack.ppt+%22email+spoofing%22+law+&hl=en&ie=UTF-8
I hope you find this information helpful! If I can be of further
assistance, please don't hesitate to ask for clarification. I'll be
happy to help!
--Missy
Search terms: [ "email spoofing" law ], and prior e-mail tracking
experience.
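One way to do the header walk described in part 2, as an added example that is not part of the original answer: it parses a constructed spoofed message and, starting from the Received: hop your own server wrote, reports the IP of the first connection from a machine you do not run. The server names, addresses and message are made up; only the hop written by a server you trust is reliable, everything below it may have been forged by the sender.

```python
import re
from email import message_from_string

# Constructed sample: a spoofed "Boss Doe" mail as the receiving admin
# would see it in the raw message file. Hosts and addresses are made up.
SAMPLE = """\
Received: from mail.example-corp.com (mail.example-corp.com [192.0.2.10])
\tby mx.example-corp.com (Postfix) with ESMTP id AAA111
\tfor <jp@example-corp.com>; Mon, 1 Jan 2001 10:00:00 -0500
Received: from bossdoe-pc (dialup-203-0-113-45.isp.example [203.0.113.45])
\tby mail.example-corp.com (Postfix) with SMTP id BBB222
\tfor <jp@example-corp.com>; Mon, 1 Jan 2001 09:59:58 -0500
From: "Boss Doe" <boss@example-corp.com>
To: jp@example-corp.com
Subject: Meeting moved
Message-ID: <constructed.1@bossdoe-pc>

You're all fired. Just kidding.
"""

# "from <host> (<comment with [ip]>) ... by <host>" as written by most MTAs
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Return Received: hops newest-first as (from_host, ip, by_host)."""
    msg = message_from_string(raw)
    hops = []
    for line in msg.get_all("Received", []):
        line = re.sub(r"\s+", " ", line)          # unfold continuation lines
        m = HOP_RE.search(line)
        if not m:
            continue
        ip_m = IP_RE.search(m.group(2) or "")
        hops.append((m.group(1), ip_m.group(1) if ip_m else None, m.group(3)))
    return hops

def origin_ip(raw, trusted_hosts):
    """Walk down from the hop our own server wrote; the first connection
    from a host we do not run is the address worth feeding to WHOIS.
    Stop as soon as a hop claims to be written by a server we do not own,
    because from there on the sender could have typed the headers."""
    for from_host, ip, by_host in received_chain(raw):
        if by_host not in trusted_hosts:
            return None                           # we never added this hop
        if from_host not in trusted_hosts:
            return ip
    return None

if __name__ == "__main__":
    print(origin_ip(SAMPLE, {"mx.example-corp.com", "mail.example-corp.com"}))
```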