{"id":388,"date":"2021-11-03T17:40:50","date_gmt":"2021-11-03T17:40:50","guid":{"rendered":"https:\/\/bandittracker.com\/?p=388"},"modified":"2022-01-01T17:35:24","modified_gmt":"2022-01-01T17:35:24","slug":"how-to-spot-email-spoofing","status":"publish","type":"post","link":"https:\/\/bandittracker.com\/how-to-spot-email-spoofing\/","title":{"rendered":"How To Spot Email Spoofing (For Beginners)"},"content":{"rendered":"\n<p>This article shows you how to spot fake emails that have been spoofed to look like they\u2019re coming from a legitimate company.<\/p>\n\n\n\n<p>I\u2019ll use specific examples of spoof emails that pretend they are from PayPal or marketplaces like Amazon and eBay.<\/p>\n\n\n\n<p>If you\u2019re using these sites for transactions, you should understand what spoof emails are and how to spot them.<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_65 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<p class=\"ez-toc-title\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-66285c846c152\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-66285c846c152\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/bandittracker.com\/how-to-spot-email-spoofing\/#What_Is_Email_Spoofing\" title=\"What Is Email Spoofing?\">What Is Email Spoofing?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/bandittracker.com\/how-to-spot-email-spoofing\/#Email_Spoofing_Is_Unfortunately_Easy\" title=\"Email Spoofing Is Unfortunately Easy\">Email Spoofing Is Unfortunately Easy<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/bandittracker.com\/how-to-spot-email-spoofing\/#How_Does_Email_Spoofing_Work\" title=\"How Does Email Spoofing Work?\">How Does Email Spoofing Work?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/bandittracker.com\/how-to-spot-email-spoofing\/#Legitimate_Reasons_For_Spoofing_Email_Addresses\" title=\"Legitimate Reasons For Spoofing Email Addresses\">Legitimate Reasons For Spoofing Email Addresses<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/bandittracker.com\/how-to-spot-email-spoofing\/#Using_SPF_To_Prevent_Spoofing\" title=\"Using SPF To Prevent Spoofing\">Using SPF To Prevent Spoofing<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/bandittracker.com\/how-to-spot-email-spoofing\/#A_Brief_History_Of_SPF\" title=\"A Brief History Of SPF\">A Brief History Of SPF<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/bandittracker.com\/how-to-spot-email-spoofing\/#Using_Email_Headers_To_Validate_Who_The_Email_Is_From\" title=\"Using Email Headers To Validate Who The Email Is From\">Using Email Headers To Validate Who The Email Is From<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/bandittracker.com\/how-to-spot-email-spoofing\/#SPF_Isnt_Used_By_Many_Companies\" title=\"SPF Isn\u2019t Used By Many Companies\">SPF Isn\u2019t Used By Many Companies<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/bandittracker.com\/how-to-spot-email-spoofing\/#Spoofing_Emails_With_Homoglyphs_Words_That_Look_The_Same\" title=\"Spoofing Emails With Homoglyphs (Words That Look The Same)\">Spoofing Emails With Homoglyphs (Words That Look The Same)<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Is_Email_Spoofing\"><\/span>What Is Email Spoofing?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>Email spoofing is the manipulation of the sender address details within an email to make it look like it&#8217;s coming from a different domain. Although this can be for legitimate purposes, it is also a common spam and scam technique used by fraudsters.<\/strong><\/p>\n\n\n\n<p><strong>The scam is to fool recipients about the sender.<\/strong><\/p>\n\n\n\n<p>You may receive emails that purport to be from <a href=\"mailto:admin@WellKnownBank.com\">admin@WellKnownBank.com<\/a>.<\/p>\n\n\n\n<p>Another common target is people who use PayPal for buying and selling on online marketplaces such as eBay. If you do so, you should check out our in-depth article on <a href=\"https:\/\/bandittracker.com\/fake-paypal-notification-emails\/\" data-type=\"post\" data-id=\"386\">fake PayPal notifications<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Email_Spoofing_Is_Unfortunately_Easy\"><\/span>Email Spoofing Is Unfortunately Easy<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>You may think that it takes ninja hacker skills to send spoof emails. This is far from the case.<\/p>\n\n\n\n<p>Unfortunately, many websites provide a cheap service to send spoofed emails. This allows users to send emails that look as if they\u2019re coming from PayPal or eBay or other legitimate companies.<\/p>\n\n\n\n<p>Users simply provide the fake sender email, the target to receive the email, and the message content.<\/p>\n\n\n\n<p>If you search for \u201cfree online email spoofer\u201d, you\u2019ll see what I mean. There are a lot of services in this space.<\/p>\n\n\n\n<p>But I don\u2019t advise that you check any of them out too closely. These are dodgy sites and may have hidden extras such as viruses.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_Does_Email_Spoofing_Work\"><\/span>How Does Email Spoofing Work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>These websites are based on the same technology and methods to spoof emails. They start with an email server. This is also called an SMTP server.<\/p>\n\n\n\n<p>Some of the even dodgier sites will hack a legitimate SMTP server and use it to send out their messages. However, this isn\u2019t necessary nowadays.<\/p>\n\n\n\n<p>People can pay about $20 per month to a hosting provider and install SMTP mailing software away from prying eyes. This takes about an hour to install and configure.<\/p>\n\n\n\n<p>The spoofers have to choose the right SMTP software for their task. Their problem is that some mailing programs will only use the domain name on the hosting site. That\u2019s tricky when the domain name is something like \u201cOutToGetYou.ru\u201d.<\/p>\n\n\n\n<p>However, some software programs don\u2019t put restrictions on the \u201cFROM\u201d address at all. Our Russian website example can easily stick in <a href=\"mailto:president@whitehouse.gov\">president@whitehouse.gov<\/a>.<\/p>\n\n\n\n<p>Don\u2019t assume that these software programs are only used for nefarious purposes. There are several legitimate reasons for companies to edit the FROM address. Let\u2019s take a look at that next.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Legitimate_Reasons_For_Spoofing_Email_Addresses\"><\/span>Legitimate Reasons For Spoofing Email Addresses<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>It\u2019s a common business practice to have different email addresses based on the purpose of the message.<\/p>\n\n\n\n<p>Companies may not want to have every email arriving from <a href=\"mailto:service@legitcompany.org\">service@legitcompany.org<\/a>.<\/p>\n\n\n\n<p>They may send answers to customer queries from <a href=\"mailto:helpdesk@legitcompany.org\">helpdesk@legitcompany.org<\/a>, while information on returned goods comes from <a href=\"mailto:returns@legitcompany.org\">returns@legitcompany.org<\/a>.<\/p>\n\n\n\n<p>The actual email accounts probably don\u2019t exist. When the customers reply to emails from these different addresses, the incoming software reroutes them to the right destination.<\/p>\n\n\n\n<p>This means that these legitimate companies are faking email addresses within their domain. But clearly, they are not trying to fool or misinform their customers.<\/p>\n\n\n\n<p>Of course, the examples above use the domain owned by a legitimate company.<\/p>\n\n\n\n<p>But shouldn\u2019t they be stopped from sending emails spoofed as @whitehouse.gov or @paypal.com? Shouldn\u2019t the hosting provider put measures in place to monitor and stop this activity?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Multiple domains using the same mail server<\/h3>\n\n\n\n<p>It wouldn\u2019t be difficult. The hosting providers monitor all network traffic sent from the servers that they host.<\/p>\n\n\n\n<p>They know which domain is sending out the email, and they can see the sender details in the mail headers. All they\u2019d have to do is stop any that don\u2019t match up.<\/p>\n\n\n\n<p>But they don\u2019t do this for other good business reasons. Let\u2019s say that LargeLegitimateCompany has a subsidiary called SmallLegitimateCompany. Both companies share the same SMTP server.<\/p>\n\n\n\n<p>If we followed the logic of the hosting provider blocking messages that don\u2019t match the domain, then the emails from one of the companies would go down the tube.<\/p>\n\n\n\n<p>Is there no solution for proper monitoring and spoof prevention? Yes, there is. It\u2019s called SPF. I\u2019ll tell you what that stands for in the next section.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Using_SPF_To_Prevent_Spoofing\"><\/span>Using SPF To Prevent Spoofing<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The principle of SPF is that website owners can specify other domains to be part of a family. Every domain in the family is allowed to use the same SMTP server.<\/p>\n\n\n\n<p>The website owners register the list of senders (other domains) who are permitted to send emails from the mail server associated with their main domain.<\/p>\n\n\n\n<p>This means that the hosting provider can compare outgoing email headers to this list. If they don\u2019t match, they can stop the email from going out.<\/p>\n\n\n\n<p>And the protection doesn\u2019t just stop there. It\u2019s also possible on the other side i.e. the receiving side.<\/p>\n\n\n\n<p>The receiving mail software can ping a request to the sending domain to check that the address details are on the list.&nbsp;If the details don\u2019t match, the software can send the email to the junk folder.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"A_Brief_History_Of_SPF\"><\/span>A Brief History Of SPF<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>This strategy of SPF was first documented in 2003 by Wong Meng Weng in Singapore. He called it Sender Permitted From.<\/p>\n\n\n\n<p>Other technologists worked on the framework. For whatever reason, the official label was renamed as Sender Policy Framework. Happily, that still meant the acronym was SPF!<\/p>\n\n\n\n<p>The goal of Weng and his colleagues was to fight the rising tide of spam on the internet. They mightn\u2019t have got anywhere if it wasn\u2019t for the fact that Bill Gates had directed Microsoft to work on a counter-measure to email spam as well.<\/p>\n\n\n\n<p>Microsoft is never shy from borrowing the work of others (and they fully credited it in this instance). The silicon giant added SPF to their mailing software in 2005.<\/p>\n\n\n\n<p>So, why are we still receiving spoof emails now? Let\u2019s explore that next.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Using_Email_Headers_To_Validate_Who_The_Email_Is_From\"><\/span>Using Email Headers To Validate Who The Email Is From<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>To understand spoof emails, we need to take a closer look at what\u2019s known as email headers.<\/p>\n\n\n\n<p>The top of every email has a standard list of information. Here\u2019s a typical notification from PayPal.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"89\" src=\"https:\/\/bandittracker.com\/wp-content\/uploads\/2021\/11\/paypal_notification.jpg\" alt=\"\" class=\"wp-image-389\"\/><\/figure><\/div>\n\n\n\n<p>My email software is only showing a subset of the information. To understand spoofing, we should examine the full header.<\/p>\n\n\n\n<p>How to do so will depend on your email software. It could be something like \u201cView Message Source\u201d or \u201cView Full Header\u201d.<\/p>\n\n\n\n<p>Here\u2019s a typical header of an email from Amazon. I\u2019ve removed some pieces to make them easier to digest. And the parts in bold are what\u2019s important.<\/p>\n\n\n\n<p>Received: from DK5EUR07HT234.eop-EUR07.prod.protection.outlook.com<br><strong>smtp.mailfrom=bounces.amazon.com<\/strong>; hotmail.com;<br>dkim=pass (signature was verified)<br><strong>Received-SPF: Pass<\/strong> (protection.outlook.com: <em>domain of bounces.amazon.com designates 57.240.12.173 as permitted sender<\/em>)<br>Date: Wed, 31 Oct 2021 10:07:28 +0000<br><strong>From: \u201cAmazon.com\u201d &lt;store-news@amazon.com&gt;<\/strong><br>To: redacted<\/p>\n\n\n\n<p>Did you notice that there are actually two different sender addresses in the header? The first is the MailFrom address. The second is the \u201cFrom\u201d address.<\/p>\n\n\n\n<p>You usually see the \u201cFrom\u201d address in your email client. They tend not to show the MailFrom details.<\/p>\n\n\n\n<p>It\u2019s important to understand that SPF only checks the \u201cMailFrom\u201d address. As I mentioned in a previous section, legitimate senders often change the From address displayed by email clients.<\/p>\n\n\n\n<p>The example above shows that the receiver checked the SPF record. The receiving software checked the I.P address of the incoming domain against the list of permitted senders:<\/p>\n\n\n\n<p>&nbsp;\u201c<em>the domain of bounces.amazon.com designates 57.240.12.173 as permitted sender<\/em>\u201d<\/p>\n\n\n\n<p>All this checking is great. So, why am I still getting spam? The reason is that SPF hasn\u2019t been universally accepted.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"SPF_Isnt_Used_By_Many_Companies\"><\/span>SPF Isn\u2019t Used By Many Companies<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Let\u2019s take a look at a legitimate email that arrived in my inbox.<\/p>\n\n\n\n<p>This one is sent by a company called Advance Photography (I\u2019ve slightly altered the company name and domain).<\/p>\n\n\n\n<p>Received: from DK5EUR07HT234.eop-EUR07.prod.protection.outlook.com<br><strong>smtp.mailfrom=advancephotography.com<\/strong>; hotmail.com;<br>dkim=none (message not signed)<br>Received-SPF: None (protection.outlook.com: <em>advancephotography.com does not designate permitted sender hosts<\/em>)<br>Date: Wed, 11 Oct 2021 18:25:49 +0000<br><strong>From: Ben &lt;ben@advancephotography.com&gt;<\/strong><br>To: redacted<\/p>\n\n\n\n<p>The receiving software sees that the domain is advancephotography.com. Now the software sends a request for the SPF record that lists the other domains that can send emails from the mail server.<\/p>\n\n\n\n<p>However, this company doesn\u2019t use SPF records. You\u2019ll see that note in the header (\u201c<em>advancephotography.com does not designate permitted sender hosts\u201d).<\/em><\/p>\n\n\n\n<p>I\u2019m using Outlook as my email client, and it\u2019s a Microsoft product. I mentioned that Microsoft added SPF validation to their software way back in 2005.<\/p>\n\n\n\n<p>The mailing software puts a note into the header to report a lack of information. But they certainly don\u2019t stop the email from being delivered. And in this case, it wasn\u2019t marked as spam (which was correct).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Why most mailing software doesn\u2019t enforce SPF<\/h3>\n\n\n\n<p>The problem is that the attempts by various international consortiums to push SPF as a universal protocol have failed.<\/p>\n\n\n\n<p>If Microsoft or any other company changed the mailing software to reject emails without SPF validation, a vast number of legitimate emails would not get through to the recipients.<\/p>\n\n\n\n<p>So, they allow domains that don\u2019t have SPF records to get through.<\/p>\n\n\n\n<p>The scammers know this and will set up their domains and mail servers to avoid having SPF records.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Manual check<\/h3>\n\n\n\n<p>It\u2019s still useful to have the knowledge to do a manual check yourself.<\/p>\n\n\n\n<p>Open the email header and look first to see if validation has taken place.<\/p>\n\n\n\n<p>If their SPF records are missing, then you can take a closer look at the From address and the MailFrom address to see if they match.<\/p>\n\n\n\n<p>If you\u2019re doing a visual check by squinting at the screen, then there\u2019s one more trick that you need to know about.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Spoofing_Emails_With_Homoglyphs_Words_That_Look_The_Same\"><\/span>Spoofing Emails With Homoglyphs (Words That Look The Same)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>A homoglyph is a word that looks the same as another but is slightly different.<\/p>\n\n\n\n<p>Some examples? Here\u2019s two:<\/p>\n\n\n\n<ul><li><a href=\"http:\/\/www.amazon.com\" target=\"_blank\" rel=\"noreferrer noopener\">Amazon.com<\/a> and <a href=\"http:\/\/www.amazon.com\" target=\"_blank\" rel=\"noreferrer noopener\">Amazom.com<\/a> (m has replaced n in the latter name).<\/li><li>PayPal.com and PayPa1.com (there\u2019s a figure 1 in the latter name).<\/li><\/ul>\n\n\n\n<p>A scammer may register PayPa1.com as the domain and send emails with the From address manipulated to represent the giant payment processor.<\/p>\n\n\n\n<p>Let\u2019s say you\u2019re visually inspecting the MailFrom and the From address. It\u2019s not always easy to see the tiny difference in one character. This is particularly a problem with long names.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article shows you how to spot fake emails that have been spoofed to look like they\u2019re coming from a legitimate company. I\u2019ll use specific examples of spoof emails that pretend they are from PayPal or marketplaces like Amazon and eBay. If you\u2019re using these sites for transactions, you should understand what spoof emails are &#8230; <a title=\"How To Spot Email Spoofing (For Beginners)\" class=\"read-more\" href=\"https:\/\/bandittracker.com\/how-to-spot-email-spoofing\/\" aria-label=\"More on How To Spot Email Spoofing (For Beginners)\">Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[13,14,16,9],"tags":[],"_links":{"self":[{"href":"https:\/\/bandittracker.com\/wp-json\/wp\/v2\/posts\/388"}],"collection":[{"href":"https:\/\/bandittracker.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bandittracker.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bandittracker.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bandittracker.com\/wp-json\/wp\/v2\/comments?post=388"}],"version-history":[{"count":2,"href":"https:\/\/bandittracker.com\/wp-json\/wp\/v2\/posts\/388\/revisions"}],"predecessor-version":[{"id":430,"href":"https:\/\/bandittracker.com\/wp-json\/wp\/v2\/posts\/388\/revisions\/430"}],"wp:attachment":[{"href":"https:\/\/bandittracker.com\/wp-json\/wp\/v2\/media?parent=388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bandittracker.com\/wp-json\/wp\/v2\/categories?post=388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bandittracker.com\/wp-json\/wp\/v2\/tags?post=388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}