Analysis of a Forged Email
A few days ago, a friend of mine asked me how emails are forged. Instead of directing them to Google, I figured it’d be more fun to explain it to them. So in the interest of sharing, my explanation to them was as follows…
Email forgery is made possible due to the way email servers accept mail from email client programs and from each other. The whole process is not much different from the way regular snail mail is delivered. When you mail a letter, you write the name and address of the recipient and (usually) your own name and address so the recipient knows where to send any reply. But this is just what’s supposed to happen. In reality, you could write anyone’s name and address as either the sender or the recipient and the mailman wouldn’t really care; his job is just to deliver the letter to whatever recipient address is listed, not to verify that you are who you say you are.
The same is true with email client applications like Outlook, Thunderbird, Hotmail, and Gmail. We can think of them as letter writers, only they always write what they believe to be the correct sender email address on the front of the letter. Email forgery takes advantage of the fact that you can list any email as the sender address. It might help to walk through a simplified instance of an email being sent.
DudeBro: Sup dude.
Mailman: Hi
DudeBro: My name is DudeBro. I live in BigCity
Mailman: Ummm… okaaay … O.o
DudeBro: I want to send a letter to NiceGirl who lives in SmallTown
Mailman: Alright.
DudeBro: I want the letter to say “sup”
Mailman: That’s it? Just “sup?”
DudeBro: … No. No, make it also say “whats ur twitter?”
Mailman: * facepalm *
DudeBro: That should do it. Thanks dude.
Mailman: No problem.
So as you can see, Mailman just sends it where DudeBro asks him to send it, and he doesn’t even check whether DudeBro is really DudeBro. This is exactly how an email client (Outlook, Thunderbird, etc.) gets your mail sent via SMTP. The following text parallels what happened above, only it represents the actual data communicated between the Mailman (as the email server) and DudeBro (as the email client).
helo bigcity.com
250 mail.man.net hello [192.168.0.33], pleased to meet you
mail from: dudebro@bigcity.com
250 2.1.0 sender ok
rcpt to: nicegirl@smalltown.com
250 2.1.5 recipient ok
data
354 enter mail, end with "." on a line by itself
sup
whats ur twitter
.
250 2.0.0 vGdK1c00F4DYCPY02GdXT5 mail accepted for delivery
So to forge the email, we just change the relevant part of the communication so it has a different “mail from:” entry. Since you essentially control the client side, it’s fairly straightforward. The recipient won’t know whether it really came from who it claims to come from. Spammers and phishers often use this technique to do their dirty work. It is trivial to make an email appear to come from your best friend, or your roommate, or even your mom.
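As an added illustration (not code from the original post), here is a toy server-side model of the exchange above, followed by the kind of check a mail submission server applies to close the hole: the envelope sender must belong to the authenticated user or to a domain the server is allowed to originate mail for. The server name, the client IP, the response wording and the sender_allowed policy are assumptions.

```python
import re
SERVER_NAME = "mail.man.net"   # assumed name of the receiving server, from the transcript
ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")

def run_session(client_lines, client_ip="192.168.0.33"):
    """Toy SMTP server: consume client command lines, return (responses, envelope).
    The envelope is recorded exactly as the client states it; nothing verifies it."""
    envelope = {"helo": None, "mail_from": None, "rcpt_to": [], "body": []}
    responses, in_data = [], False
    for line in client_lines:
        if in_data:                        # message text until "." on a line by itself
            if line == ".":
                in_data = False
                responses.append("250 2.0.0 mail accepted for delivery")
            else:
                envelope["body"].append(line)
            continue
        lower = line.lower()
        if lower.startswith("helo "):
            envelope["helo"] = line[5:].strip()          # client's claimed hostname
            responses.append(f"250 {SERVER_NAME} hello [{client_ip}], pleased to meet you")
        elif lower.startswith(("mail from:", "rcpt to:")):
            match = ADDR_RE.search(line)
            if not match:
                responses.append("501 5.1.7 bad address syntax")
            elif lower.startswith("mail"):
                envelope["mail_from"] = match.group(1)   # taken on faith: this is the hole
                responses.append("250 2.1.0 sender ok")
            else:
                envelope["rcpt_to"].append(match.group(1))
                responses.append("250 2.1.5 recipient ok")
        elif lower == "data":
            in_data = True
            responses.append('354 enter mail, end with "." on a line by itself')
        else:
            responses.append("500 5.5.1 command not recognized")
    return responses, envelope

def sender_allowed(envelope, authenticated_as=None, authorized_domains=()):
    """Hypothetical submission-side policy: the envelope sender must be the
    authenticated user's own address or at a domain this server may originate mail for."""
    sender = (envelope["mail_from"] or "").lower()
    if authenticated_as and sender == authenticated_as.lower():
        return True
    return sender.rpartition("@")[2] in {d.lower() for d in authorized_domains}

# Constructed samples: the post's exchange, and the same one with a forged sender.
SESSION = ["helo bigcity.com", "mail from: dudebro@bigcity.com",
           "rcpt to: nicegirl@smalltown.com", "data", "sup", "whats ur twitter", "."]
FORGED = [SESSION[0], "mail from: mom@home.example"] + SESSION[2:]
```

Running both sessions through run_session yields identical server responses, which is the whole point; only sender_allowed tells them apart.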
But if it is so easy, there has to be a way to prevent it, right? Sure, there are plenty of ways to verify that a message came from who it claims to come from (authentication). One such method is digital signatures, which make use of asymmetric cryptography. If you’re interested in learning about the benefits of digital signatures, we offer training.
Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!
