Understanding email Spoofing

By john.m1
Hi
I need a little help and understanding please.
35-client LAN, SBS 2003 / Win2k / WinXP etc., but not really relevant to the answer that I need.
We are about to bring in BrightMail anti-spam.
We have a SonicWall firewall.
We use Sophos anti-virus (auto updates etc.).

I am NOT looking for a techie answer, OR help to prevent spam and spoofing.

I want to explain to non savvy colleagues and senior managers (very non IT) why we get spam, more importantly why they receive "message undeliverable" emails (spoofed) that they did not send in the first place.

So am I correct in thinking:

a spam filter will bounce / block (most) spam
BUT ALSO
the "undeliverable message" emails.

So after installing a spam filter my users will "think the problem is cured" because they no longer get told that "emails they didn't send" can't be delivered?

OK so this doesn't stop the rest of the world from receiving emails that look like they come from us.

So is it true that we can block the result of spoofing but not prevent it from happening?

Lastly, a naive question but,
if we all (the whole world) use spam filters and block the "message undeliverable" emails, do they die or just keep wandering around the "ether" slowing it down?

Thanks for any enlightenment that you can give.
Because I want to relay your wisdom, feel free to assume that I am very dumb.
I am willing to give points to all worthy answers.

John Mahoney

This conversation is currently closed to new comments.


by pierrejamme In reply to Understanding email Spoof ...

You know we had the same problem with the US mail. Joe **** could put George W. Bush on the return address of the letter and envelope and we probably would open it and some of us would believe it was from George.
And if George asked me for my SS# I might send it to him??


by john.m1 In reply to

Poster rated this answer.


by HAL 9000 Moderator In reply to Understanding email Spoof ...

As for returned E-mail notifications that you didn't send, these should be picked up and stopped by the Spam Filter, but there is also the possibility of some getting through; really it depends on the IP address that they originate from.

By the way, Spam Filters block, they don't bounce, so what happens with a spam filter is that it prevents something coming in and deletes it from the entire system so it can not float around Cyber Space to hit others; once it hits the Spam Filter it gets destroyed.

So is it true that we can block the result of spoofing but not prevent it from happening? Basically yes, though these returned messages don't mean that you or the people in your company are being spoofed, just that someone somewhere is attempting to send e-mail and it's being bounced back to some of the people in your office/business or whatever. If you look closely at these messages, generally they don't have any content in them, just a return-to-sender announcement, so technically they are not spoofed E-Mails but they could be the result of a DoS Attack.

Your Spam Filter will stop the ones that get sent to you or the people in your office, but that doesn't mean to say that there are not 100,000,000 more out there floating around waiting to hit someone later. These things tend to be generated for a purpose and are mostly DoS Attacks or from infected machines that are just spam bots constantly sending out junk mail faster than your current connection can send these, so eventually the computer freezes up as there is too much junk in the Outbox and all your HDD space has disappeared. Of course the faster the Net connection the more of these that will be sent, but the end result is always the same: eventually the infected machine crashes; it's just that with the faster connection the longer it will take to crash, as it's capable of sending faster so the build-up takes longer.


by HAL 9000 Moderator In reply to

With the quality of the Spoofed E-Mails now it's sometimes very hard to tell the difference between the real and fake items; banks get the worst of this, but anything that asks for your User Name & Password should be considered as FAKE, as real businesses don't ask for this information; they require you to log in and change things, not just provide the raw data. Of course if you get an e-mail from a bank that you have no dealings with, that's a dead giveaway in the first place. From previous experience, things like this the Affected Banks are not interested in, so they insist that you ignore these things and then leave it to the rest of their customers to do the right thing, and do not take responsibility when their clients lose all their money.

But if you want really basic non-technical answers to your questions, they would be as follows:

Q1 Yes

Q2 Yes

Q3 Yes

Q4 Yes

Q5 No


Col


by john.m1 In reply to

Poster rated this answer.


by jmgarvin In reply to Understanding email Spoof ...

The problem with mail is it is easy to spoof. I am not validated at all. So this means I can set up a server in my home and act like I'm microsoft.com or foo.bar. You might say, but what about DNS? I don't deal with it. I just "pretend" that is who I am and mail servers gladly accept that.

A quick, dirty, and trivial mail spoof (impress your friends):
1) Fire up a mail server that allows mail forwarding via port 25
2) Follow these simple steps to create a nice mail from Santa!

helo north.pole
mail from: santa@north.pole
rcpt to: foo@bar.com
data
Hello little Bill! I hear you've been a very good boy this year! I'll bring you lots of presents!

Santa
.

That's it. So now foo@bar.com gets a mail from santa@north.pole. While many mail filters will block this (not a valid TLD, e.g. .com, .net, .org), it is an example of why it is so easy to spoof on ANY server that allows forwarding.

The other problem is that Joe Sixpack in his house can set up a mail server and mail from localhost (that means it has no name) and make it look like it came from anywhere.

Mail is a total charley foxtrot and really has no hope of being spam free unless we somehow validate mail servers via a DNS schema.
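The Santa session above goes through because the receiving server has nothing to check the claimed sender against. The "validate mail servers via a DNS schema" idea at the end of the post is, in practice, what SPF does: a domain publishes in DNS the addresses that are allowed to send mail for it, and the receiving server compares the IP that actually connected to it against that list. The Python below is an added example of the receiving side of such a check; it is not jmgarvin's code or part of any product named in this thread. The DNS lookup is replaced by a constructed table, the domains, records and addresses are made up for the example, and only the ip4, ip6 and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption of this example;
# a real receiver would query DNS for the sender domain's SPF record).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.7 ~all",
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf_record(domain, dns=FAKE_DNS_TXT):
    """Return the SPF TXT record published for a domain, or None if there is none."""
    record = dns.get(domain.lower())
    if record and record.startswith("v=spf1"):
        return record
    return None


def evaluate_spf(mail_from, client_ip, dns=FAKE_DNS_TXT):
    """Evaluate an SPF-style policy for the envelope sender's domain.

    mail_from is the address given in MAIL FROM, client_ip the address the
    sending server connected from (which the receiver knows for certain,
    unlike anything typed into the session). Returns one of
    pass, fail, softfail, neutral or none.
    """
    domain = mail_from.rsplit("@", 1)[-1]
    record = lookup_spf_record(domain, dns)
    if record is None:
        return "none"  # domain publishes nothing: the receiver has no basis to reject
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":  # catch-all term ends evaluation
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term was present


def receiver_action(result):
    """Map an SPF result to what a receiving server typically does with it."""
    return {"fail": "reject", "softfail": "accept and mark"}.get(result, "accept")


if __name__ == "__main__":
    # 203.0.113.5 plays the home machine from the post; north.pole publishes nothing.
    for sender, ip in [("santa@north.pole", "203.0.113.5"),
                       ("alice@example.com", "192.0.2.10"),
                       ("alice@example.com", "203.0.113.5"),
                       ("bob@example.org", "203.0.113.5")]:
        result = evaluate_spf(sender, ip)
        print(f"{sender:22} from {ip:14} -> {result:8} ({receiver_action(result)})")
```

The first case is the post's scenario: with no record to consult, the result is none and the mail is accepted on the strength of whatever the HELO and MAIL FROM lines said. The example.com cases show what changes once a domain publishes a list: the same home address that could claim to be Santa now gets a fail for alice@example.com and is rejected, while mail from the listed range passes.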


by john.m1 In reply to

Poster rated this answer.


by scott_hunter In reply to Understanding email Spoof ...

We use Symantec Mail Security for SMTP with the BrightMail anti-spam add-in. In the last 26 days we have had 72,532 inbound Internet emails go through this server. 77.4% of those emails were spam.
Custom blacklist: 311 (0.4%)
Real-time blacklist: 28852 (39.8%)
Spam: 25534 (35.2%)
Suspected spam: 731 (1.0%)
Reputation spam: 1772 (2.4%)
Spam quarantined: 27002 (37.2%)
Crazy, but yes it works. Not 100% though, some spam still gets through, even the undeliverable ones. Most of the ones that get through, it would be hard to write a rule for.

When I get asked about the "weird emails" I tell them "It's spam, they fake the To line. Emails can have a hidden For address. Shift+Delete them." I also tell them that their computer is not infected, that the emails were generated by a non-company source that was either infected or by a spammer.

I used to black hole emails sent to invalid email addresses. I found that some spam would send to aaa@company.com with legit reply-to email addresses. Bounce it spam. I had to stop using the black hole method since some of our clients would mangle the email address and no one would know it. Same with adding rules to block "undeliverable", it could be legit.
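HAL 9000's point that these returned messages are not really your own mail coming back, and scott_hunter's warning that a blanket rule on "undeliverable" can swallow legitimate bounces, come down to one question: did the bounced message ever pass through your own outgoing mail server? The Python script below is an added example, not code from any poster or product in this thread, that answers that question for a delivery-status notification by reading the copy of the original message that most bounces carry and checking the address the remote server recorded when the message was delivered to it. The outbound relay address 192.0.2.25 and the two sample bounces are constructed for the example.

```python
import re
from email import message_from_string

# Assumption for this example: the organisation's only outgoing relay.
OUR_OUTBOUND_IPS = {"192.0.2.25"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample 1: backscatter. Someone sent spam with a forged
# sender of jdoe@example.com; the victim's server rejected it and mailed
# the rejection to the forged address. Note the connecting IP it recorded.
BACKSCATTER = """\
From: Mail Delivery System <MAILER-DAEMON@mx.victim.example>
To: jdoe@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at host mx.victim.example. The message could not be delivered.

--b1
Content-Type: message/rfc822

Received: from unknown (HELO yahoo.com) [203.0.113.77]
    by mx.victim.example with SMTP; Mon, 1 Jan 2007 10:00:00 +0000
From: jdoe@example.com
To: random@victim.example
Subject: Cheap meds

buy now
--b1--
"""

# Constructed sample 2: a real bounce. jdoe mistyped a recipient; the
# partner's server recorded our relay as the connecting host.
LEGIT = """\
From: Mail Delivery System <MAILER-DAEMON@mx.partner.example>
To: jdoe@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain

User unknown in virtual mailbox table.

--b2
Content-Type: message/rfc822

Received: from mail.example.com (mail.example.com [192.0.2.25])
    by mx.partner.example with ESMTP; Mon, 1 Jan 2007 11:00:00 +0000
From: jdoe@example.com
To: typo@partner.example
Subject: Q4 invoice

Please find the invoice attached.
--b2--
"""


def original_message(bounce):
    """Return the message/rfc822 part a bounce carries, or None if it has none."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def connecting_ip(msg):
    """IP recorded in the topmost Received header of the bounced message.

    That header was added by the remote server itself, so it records who
    really connected. Received lines below it arrived with the message and
    could say anything, so they are deliberately ignored.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    found = IP_RE.findall(received[0])
    return found[0] if found else None


def classify_bounce(raw, our_ips=OUR_OUTBOUND_IPS):
    """Return 'legitimate', 'backscatter' or 'unknown' for a raw bounce message."""
    orig = original_message(message_from_string(raw))
    if orig is None:
        return "unknown"  # no copy of the original: nothing to check, leave for a human
    ip = connecting_ip(orig)
    if ip is None:
        return "unknown"
    return "legitimate" if ip in our_ips else "backscatter"


if __name__ == "__main__":
    for name, raw in (("sample 1", BACKSCATTER), ("sample 2", LEGIT)):
        print(name, "->", classify_bounce(raw))
```

The first sample is classified as backscatter because the victim's server saw a connection from 203.0.113.77, an address that is not ours; the second is a legitimate bounce because the connection came from 192.0.2.25. Bounces that do not include a copy of the original, or whose Received line has no bracketed address, are left as unknown rather than deleted, which is the behaviour scott_hunter's experience with mangled client addresses argues for. If your mail leaves through an outside smart host, that host's address belongs in OUR_OUTBOUND_IPS too.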


by john.m1 In reply to

Poster rated this answer.


by john.m1 In reply to Understanding email Spoof ...

Point value changed by question poster.

THANKS for the help Guys, John Mahoney
