Can email spoofing be prevented?

Question

My wife's email account was hacked and the attacker got her address book. I don't know if the attack was on her local email client (Thunderbird running on Windows 7) or on the server (hosted at GoDaddy). Either way, the contact list data is out there and I can't undo that. I have changed all passwords, updated security, etc., and I don't think there have been any further intrusions.

However, whoever did this has been sending huge amounts of spam, using my wife's name as the "sender". They go quiet for a while, and then so often I wake up to a few dozen emails from my wife, which of course she didn't really send, and every other person in her address book gets these as well. And because her address book was full of many dead addresses, my wife gets hundreds of "Mail Delivery Failed" bounceback messages, as well as hundreds of emails rejected by the receiving domain as spam. The people in her contact list are getting angry, and it's becoming a real problem.

I have asked GoDaddy about this, and they say that any person A can send an email to b@bbb.com claiming to be c@ccc.com, and there is no email infrastructure in place to verify that person A is authorized to send an email from ccc.com. Consequently, there's absolutely nothing I can do about this, and this spammer will be able to harass people, damage my wife's reputation, get her email blacklisted, etc. and there is no way to stop it.

Is this true, or is there anything I can do to stop these spammers, or at lease mitigate the damage?

Answer 1

It is indeed very hard to solve the problem of e-mail spoofing in a general way, due to the simple and highly distributed way the protocol is designed.

The physical letter analogy holds up quite well in this example: I can put a letter into the post, and write on it that it comes from your house; I don't need to have broken into your house to do this, just drop it in a public post box. And if the post is marked "return to sender" it may well end up being "returned" to you, even though you didn't write it. The same happens with e-mail: anybody can deliver a message into the system, with a To and a From address; the server you send mail from may not be the same one you receive mail to, and there's no centralised service verifying your identity when you drop a message into the system.

There are two general approaches to solving this:

Digital signatures are a way of including in a message a kind of signature or seal which only the real sender knows how to generate (using a private key which they never share). The recipient can then verify the signature using a public key which mathematically proves who produced the signature (and that it matches the received text).

This is not, however, very useful for your example, because it doesn't prevent the messages being delivered, and requires recipients to know the public key, or a verified location to retrieve it.

Domain-based sender verification systems have been developed to try to prevent spam. These store data in the DNS (directory lookup) for the domain of the address (the part after the @) which allow a receiving system to verify if a mail is legitimate. One system, SPF, lists which systems are allowed to send mail on behalf of that domain; another, DKIM, stores public keys used similar to the digital signature approach above, but for verifying the transmitting system, rather than the actual sender.

(To slightly over-extend the physical letter analogy, SPF is like publicly saying "I only post letters using this post box" and DKIM is like publicly saying "I always send mail from this post office which prints a tamper-evident label for me".)

These would be more relevant to your case - if your wife were using a custom domain, an appropriate SPF or DKIM setup would cause many systems to silently reject mail which she had not sent herself (or mark it as spam, without attributing it to her). However, it only works at the domain level, not the individual address, and some recipient systems may not check the records.

Answer 2

Emailing all the live contacts in her address book & telling them about the email spam problems would probably help. And now's as good a time as any to remove any dead contacts from the list.

Using PGP/GPG in the future would be a near-perfect solution for private users & senders to verify for themselves that an email is actually sent from the sender, and could hide/encrypt the contents of messages too so they're only seen by the intended receiver. But, though PGP has been available for decades now, it's not universally super easy for anyone to start using, and web-only mail (like Gmail, etc) make it hard to keep the secret parts truly secret to just you and still easy to use from anywhere...

Email Authentication

There are things that can be done to authenticate to email receivers (at least some, like Yahoo & Google & others, that "represent a high percentage of Internet email users" - DMARC FAQ) that a message that says it's from your domain really is from your domain. They use DMARK which "allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message" - DMARC FAQ.

Changing to a different email address could help in the short term too, then you & everyone else could safely ignore / "mark as spam" all further messages from the spammers. But even if that's not your main concern since they're "obviously super-spammy spam" and no one's being fooled, you probably want to look into stopping the "from:" line from being easily spoofed, since if enough users always "mark as spam" your wife's business email, spam filters will probably start throwing out all messages from that address.

Email Authentication should help the sending & receiving mail servers to verifying messages are actually sent from who they say they're from. I've found some info on Gmail, since it's one of "the big three" email companies it's probably a good place to start. Even switching email providers to one that's already set up / authenticated, like Gmail for Business should help & might be easier, but shouldn't be necessary, although judging by your response from GoDaddy they might not be your dream host.

Gmail's help on Email Authentiation has some advice for sending domains:

If you’re a sending domain

Messages with DKIM signatures use a key to sign messages. Messages signed with short keys can be easily spoofed (see http://www.kb.cert.org/vuls/id/268267), so a message signed with a short key is no longer an indication that the message is properly authenticated. To best protect our users, Gmail will begin treating emails signed with less than 1024-bit keys as unsigned, starting in January 2013. We highly recommend that all senders using short keys switch to RSA keys that are at least 1024-bits long. Authentication is highly recommended for every mail sender to ensure that your messages are correctly classified. For other recommendations see our Bulk Senders Guidelines.

Authentication by itself is not enough to guarantee your messages can be delivered, as spammers can also authenticate mail. Gmail combines user reports and other signals, with authentication information, when classifying messages.

Similarly, the fact that a message is unauthenticated isn’t enough to classify it as spam, because some senders don’t authenticate their mail or because authentication breaks in some cases (for example, when messages are sent to mailing lists).

Learn more about how you can create a policy to help control unauthenticated mail from your domain.

The last link Control unauthenticated mail from your domain is particularly relevant:

To help fight spam and abuse, Gmail uses email authentication to verify if a message was actually sent from the address it appears to be sent from. As part of the DMARC initiative, Google allows domain owners to help define how we handle unauthenticated messages that falsely claim to be from your domain.

What you can do

Domain owners can publish a policy telling Gmail and other participating email providers how to handle messages that are sent from your domain but aren’t authenticated. By defining a policy, you can help combat phishing to protect users and your reputation.

On the DMARC website, learn how to publish your policy, or see the instructions for Google Apps domains.

Here are some things to keep in mind:

• You'll receive a daily report from each participating email provider so you can see how often your emails are authenticated and how often invalid emails are identified.
• You might want to adjust your policy as you learn from the data in these reports. For example, you might adjust your actionable policies from “monitor” to “quarantine” to “reject” as you become more confident that your own messages will all be authenticated.
• Your policy can be strict or relaxed. For example, eBay and PayPal publish a policy requiring all of their mail to be authenticated in order to appear in someone's inbox. In accordance with their policy, Google rejects all messages from eBay or PayPal that aren’t authenticated.

More about DMARC

DMARC.org was formed to allow email senders to influence unauthenticated mail by publishing their preferences in a discoverable and flexible policy. It also enables participating email providers to provide reports so that senders can improve and monitor their authentication infrastructure.

Google is participating in DMARC along with other email domains like AOL, Comcast, Hotmail, and Yahoo! Mail. In addition, senders like Bank of America, Facebook, Fidelity, LinkedIn, and Paypal have already published policies for Google and other receivers to follow.

For more information, please refer to this post in the Official Gmail Blog.

Other helpful looking links:

• Set up Gmail to Send/Receive Emails Using Your Own Domain Name
• Take Control of Your Email Address

Answer 3

What can be done depends on how much of the infrastructure you have control over, and whether you are using your own domain name or simply have an address under a domain controlled by somebody else.

If you have your own domain, it is easy to switch to a new email address under the same domain. Additionally you can set up DNS records to tell the world that all emails from your domain is supposed to be digitally signed. (SPF, DKIM, and DMARC are the terms to search for if this is the approach you want to take.)

You cannot expect everybody to verify these signatures, so even if you do setup DNS records indicating that email from your domain must be signed, there will still be abusers sending unsigned emails claiming to be from your domain and receivers accepting those unsigned emails.

If you do not control the domain, then changing the email address is not as easy, and you have little influence on whether DNS records are used to limit the ability to spoof the domain in outgoing emails.

The problem with spam messages using a spoofed source address causing bounces coming back to the legitimate address is at least in principle easy to solve.

You can record the Message-ID of all emails you are sending. All bounces need to include the Message-ID of the original message somewhere - otherwise the bounce is completely useless anyway, because that is what tells you which message got bounced. Any bounced message which does not contain a Message-ID you have previously send can be send straight to the spam folder or be rejected at receiving time (which has the nice benefit of pushing the problem one step closer to the source).

Bounces can be told apart from other emails by the MAIL From address. Bounces always have an empty MAIL From address, other emails never have an empty MAIL From address.

So if MAIL From is empty - and the DATA does not contain a Message-ID you previously send, the mail can be safely rejected.

That's the principle. Turning it into practice is a bit harder. First of all the infrastructure for outgoing and incoming emails may be separate, that makes it problematic for the infrastructure for incoming emails to always know about every Message-ID which has gone through the infrastructure for outgoing emails.

Additionally some providers insist on sending bounces that do not conform with common sense. For example I have seen providers sending bounces containing no information whatsoever about the original email which was bounced. My best recommendation for such useless bounces is to treat them as spam, even if they originate from an otherwise legitimate mail system.

Remember that whoever has obtained the list of email addresses can put any of the addresses as source address and any of the addresses as destination address. Thus unless you have additional information you can't be sure the leak even happened from your own system. It may be any of your contacts who leaked the list of addresses including yours.

The more you can figure out about which addresses are on the leaked list and which are not, the better you will be able to figure where it was leaked from. It might be you have already done this and concluded that the leak must have originated from your contact list since none of your contacts would have known all of the addresses confirmed to have been leaked.

My approach to that is to use my own domain and a separate email address under that domain for each contact I communicate with. I include the date of first communication with the contact in the mail address, such that it could look like kasperd@mdgwh.04.dec.2015.kasperd.net if I were to write an email to a new contact today. That approach obviously isn't for everybody, but for me it surely helps know exactly who has been leaking a list of email addresses where one of mine is on. It also means I can close the individual addresses such that only the person who leaked my address has to update their contact information for me.

Answer 4

Yes and no.

Nothing stops me from writing an email with your address as a sender. This is not different from regular paper mail where I also can put a destination address on the front of the envelope and a (any!) return address on the back of the envelope.

However, you can add a digital signature to proof that you are the sender (see PGP and Xen's answer). And mail providers are also starting to implement safety checks for communication between mail servers. (See TLS - Transport Layer Security). But mail is build on the old protocols where everybody behaved and cooperated nicely. It was not designed for the big bad world.

Answer 5

You are approaching this incorrectly.

From years spent in the computer repair industry, I can tell you it's very unlikely there was any "hacking" going on here. It's far more likely your wife's computer has a virus, and that virus has accessed her Thunderbird address book.

This is fairly common. Usually the virus is sending the emails directly from the infected computer, so removing the virus will stop the spam emails -- they are not "spoofing" your wife's email address, they are your wife's email address.

Changing email addresses as suggested by another user is very unlikely to solve anything... especially if you enter it into Thunderbird on the same computer.

Download and run Combofix on your wife's computer.

http://www.bleepingcomputer.com/download/combofix/

There are instructions on how to run it at: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Essentially, download it, run it as administrator (right-click --> run as administrator), click OK/Yes/Continue to the prompts, then walk away for 30 minutes to an hour. It will run for a long while, and likely reboot the computer (make sure you log back in for it to continue working).

You will know it's done when a full screen notepad is open with a bunch of text. Close it, reboot once more, and you likely solved your problem... only time will tell.

Answer 6

There are two issues here. Your specific question about validating email senders, and what one can do when email is being sent in your name.

Unfortunately it is a simple matter to spoof the From: address in an email, and that's all it takes. While there are ways to set up email so that the sender can be verified (such as the difital signing mentioned in other answers), they are not in general use. If your wife's stolen contacts included a lot of casual connections, onetime clients, mailing lists etc., this is a non-starter: if the recipients find the faked emails a hassle, the last thing they want is to be asked to install special software on their computers.

Which brings us to what she can do. Stolen addresses are widely used as cover by spammers, and most people know to ignore obvious spam that pretends to come from an acquaintance. If that's all that's going on, the solution is clearly for your wife to get a new email, preferably one that is easily distinguishable from the old one; if possible, combine it with spelling her full name differently, e.g., add a middle name or job title. Then notify everyone on her contact list, and stop using the old email but continue to monitor it for incoming messages from people who missed the memo.

Things are more difficult if you believe that someone is specifically targeting your wife, trying to impersonate her, damage her reputation, etc. In that case, a new email will be quickly adopted by the attacker (since your wife will not be keeping it a secret). But that's a bridge you can cross if it should ever come to that (which I consider unlikely).

Answer 7

As Freeman said...let all regular email correspondents know that all future email from her will have the phrase he mentioned or something similar.

A few of my most regular contacts know that if they want me to open their messages they have to say something in the email that no spammer would ever know, for example "Yes, Dennis this is really ______ and your dog's name is ______" I say something similar to them. Is this a hassle? Perhaps it is more of a minor annoyance.

Now if everyone would adopt SPF that would be a huge help.

Answer 8

It might not be ideal, but If I were you I'd shut down my account and start a new one. Telling everyone my new address and to blacklist the old.