Security awareness

Email spoofing and Spams

Hashim Shaikh
October 31, 2017 by
Hashim Shaikh

What is email spoofing?

Email spoofing is the technique of sending email to others with a forged sender's address.

What is spamming?

Spamming is an automated process of sending "junk" emails.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

This automation process can be used negatively by sending fraud messages to millions of users asking them about their credit card details and other sensitive information.

Description:

If you receive a mail letter, you can verify the return address within the top left corner as an indicator of the point of origination. However, the sender may write any name and address there; there is no assurance that the letter is from that person and address. E-mail messages contain return addresses, too – however, they could likewise be deliberately dishonest, or "spoofed." Senders do that for a variety of reasons, including:

  1. The e-mail is spam and therefore the sender does not wish to be subjected to anti-spam laws.
  2. The e-mail constitutes a violation of another law (for example, it is threatening or harassing)
  3. The e-mail contains a virus or Trojan or ransomware.
  4. The e-mail requests information that you just may be willing to convey to the phony sender's

Spam is additionally referred to as uninvited business Email (UCE). This includes the following:

  • Advertisements
  • Pyramid schemes (MLM)
  • Giveaways
  • Chain letters
  • Political email
  • Stock market advice
  • One-time notices

The purpose of spam is to make money illegally simply. Some individuals assume that if the spam is targeted to a particular cluster of individuals, it then doesn't qualify as spam.

They also assume that if an opt-out methodology is provided, then the e-mail is not spam.

Wrong! ALL uninvited email is spam.


Scenario:

Eric recently found himself in a scenario, as he began to receive a deluge of "bounced" email--spam messages that appeared to be sent from his email account to various invalid email addresses that came to him, the alleged sender.

However, the e-mail address in question is for an account that Eric seldom uses, and he did not use it wittingly to send any spam email to anyone. Initially, he conjectured that spammers had somehow hijacked the e-mail account. However, even when he reset the e-mail address, the bounce messages continued to flow in.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Why was this happening? Were the messages coming from Eric's email address, or were their actual senders simply operating his email address as a spoofed address within the email headers? What might he do to prevent the annoying activity? Was his only choice to obliterate the e-mail account and begin over with an untouched one?

Effects:

  1. In different cases, you will get a slew of "undeliverable" email messages from random strangers. This happens when spam emails using your email address is sent to unsuspecting people. If they are undeliverable, the non-delivery notifications come to you eventually, flooding your inbox.
  2. Spamming consumes network resources. A deluge of spam can logjam e-mail servers.
  3. Because of this, the sending and receiving of legitimate e-mail messages can be significantly slowed down.
  4. If an email is received from the attacker with the subject such as "Google liked your profile," it is tough not to click on the attachment. Once the attachment is clicked on, malware gets downloaded and performs all kind of malicious activities.
  5. Solutions:

    • Only offer your email address to an organization if it is entirely necessary. There are surveys, gaming sites, free shopping vouchers, etc. that asks you for your email address. Once you fill in your email id, it is then circulated to various advertisers and others to send you promotional emails, etc.
    • Do not enter contests. The sole prize you will win may be an inbox filled with spam.
    • Use 2 email accounts. Use one account for all business, purchasing, newsletters, selling lists, chat rooms. The second account ought to be for all personal use.
    • Do not unsubscribe from spam. Spam typically contains an unsubscribe link. This link is there to get you to verify your address and typically gets you even further spam.
    • Look for opt-out policies. Ensure that you are not signing up for something that you simply don't wish to receive.
    • Don't offer out alternative people's email address. Don't do that unless you have got permission from the recipient.
    • Don't forward chain letters. Spammers collect email addresses from them.
    • Keep your email address off the web unless where entirely necessary.

    Good reads:

    Hashim Shaikh
    Hashim Shaikh

    Hashim Shaikh currently works with Aujas Networks. Possessing a both OSCP and CEH, he likes exploring Kali Linux. Interests include offensive security, exploitation, privilege escalation and learning new things. His blog can be found here: http://justpentest.blogspot.in and his LinkedIn Profile here: https://in.linkedin.com/in/hashim-shaikh-oscp-45b90a48