Home / Blogs

Email Address Forgery

John Levine

In my roles as postmaster at CAUCE (the Coalition Against Unsolicited Commercial E-mail) and abuse.net, I get a lot of baffled and outraged mail from people who have discovered that someone is sending out spam, often pornographic spam, with their return address on the From: line. "How can they do that? How do I make them stop?'' The short answers are "easily'' and "it's nearly impossible.''

One way that e-mail is very similar to paper mail is that you can scribble any return address you want on an envelope and mail it. With paper mail, just like e-mail, you can imagine ways to make it more difficult to scribble the name of someone you don't like, but the costs of doing so would be huge, and the benefits dubious.

For both paper mail and e-mail, it's not at all straightforward to determine who's allowed to send mail with what return address, nor from where people should be sending mail. With paper mail, I often drop mail from my wife in the mailbox, and occasionally from friends who've been visiting. Conversely, sometimes I mail my own mail, and sometimes the village clerk will send mail over my signature as the mayor. Sometimes I send mail at my local post office, sometimes I send mail from the other side of the country when I'm on a trip. All of these scenarios have e-mail analogies. Sometimes I send mail with my usual taugh.com address, but I also have addresses at AOL, Yahoo, Hotmail, Outblaze (another large free web mail provider that absorbed mail.com), netscape.net, professional societies such as ieee.org, and my college alumni association. I may have more addresses than most people, but it's quite common for people to have two or three.

When someone sends an e-mail message the return address is usually placed on the message by the user's mail program, such as Outlook Express or Eudora. The mail program then passes the message to a mail server, also called a mail transfer agent or (MTA, usually provided by an ISP or company network manager. The MTA then sends the mail along to its destinations. For bulk mail, either legitimate or spam, the return address is placed on the message by a specialized bulk mail sending program. Some of those programs include the function of an MTA, while others pass the message to a conventional MTA for delivery.

One thing that's notably missing in this process is any kind of security. The user's mail program or bulk mail sending program can use any return address it wants. This may sound like a bad idea, but the reality is that only the user (or the person running a bulk mailing program) knows what addresses he's allowed to use.

Some ISPs have attempted to verify the addresses on mail going through their MTAs, with little success. Bell Atlantic, a predecessor of Verizon, used to require that all outgoing mail through their MTAs had an address at bellatlantic.net or one of the other domains of ISPs they'd absorbed. This technique turned out to be both annoying to their users and useless to prevent spam. It was annoying because all of the users who had valid addresses elsewhere couldn't send mail with those addresses, and it was useless because their system wasn't able to tie a particular address to a particular PC, so spammers merely made up fake bellatlantic.net address and spammed away.

For Internet e-mail's first fifteen years, address forgery wasn't a problem. Technically it was easy, but there was little incentive to do so, and it was rare other than as a prank. In recent years, spammers have put forged addresses on most of their spam, both to try to defeat filters, to make it harder for recipients to figure out where to complain, and occasionally to annoy the legitimate owner of the addresses. For a while, spammers made up random addresses, but as recipients started filtering out mail with non-existent domains in the return address, spammers adapted by using real addresses, often taken from the same lists as the spam targets. A related but separate problem is phishing, impersonating a trusted organization to trick people into revealing financial information.

In the past year there's been a great deal of work trying to figure out some way to deter address forgery. It would be straightforward to invent a system that registers a single mail source for every Internet domain, and require that all mail from a domain come from the registered source. While that would be very useful for some domains like paypal.com that are often forged and already send all their mail from one place, it would break a surprisingly large amount of legitimate e-mail, from e-mail discussion lists to electronic greeting cards to automatic mail forwarders. Several validation schemes are in the works, with names like SPF, Caller ID for E-mail (those two recently merged) and TEOS, and Domain Keys. But it remains to be seen both whether such schemes can work with the many legitimate but unusual mail sending methods that they don't easily cover, and more importantly whether spammers will just find ways to send their spam with valid domains. The majority of spam is sent through virus controlled "zombie'' computers, so the spam could easily forge the zombie's own domain. Or since spammers already register large numbers of domains, they can use those domains in their spam and publish validation rules that the spam satisfies.

The whole issues of on-line identity, forgery, and authentation are remarkably complex, so we don't expect any resolution to the forgery problem soon.

By John Levine, Author, Consultant & Speaker
Follow CircleID on
Related topics: Cybersecurity, Email, Spam

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Re: Email Address Forgery Colin Dijkgraaf  –  Jun 17, 2004 6:57 PM PDT

Yes I agree it is complex. Just validating the domain is not sufficient, the whole e-mail address needs to be validated, and not only that it is a valid e-mail address, but that the person trying to use that e-mail address has the rights to send mail under that address.  This will require a fundamental change in the protocol currently used to send mail (SMTP), and will require that the server accepting mail to send (SMTP server) be able to identify the sending user, and verify that the user has the rights to use that e-mail address.
For web bases e-mails this is fairly straight forward, as the user has to log in (and hence verify who they are).  The problem is with dialup users and as mentioned, sites that send e-mails on behalf of someone such as electronic post card sites. 

Dialup user get verified as a legitimate dialup user, but there is no currently no mechanism for the mail server to 1) get this user name, 2) get a list a valid e-mail addresses that user is authorised to use.
Things get further complicated if the user has their own domain and wants to use an e-mail address which is not one assigned to them by their internet provider, there is no mechanism where the ISP can check the domain records to see if someone using a valid domain has rights to send e-mails with an address using that domain.
Things are further complicated by that there can be several different e-mail addresses in an e-mail, From, Sender, Reply-to: and different validations rules could be required when verifying these.

The fundamental underlying problem is there is no global user verification method, that allows a server to verify a request to send an mail to verify that it is being initiated by someone who has the rights to use that e-mail address in the From: or Reply-to: addresses.  The Sender address should probably be used to record which service is sending the e-mail, such as a mailing list or postcard site, and this should probably be tied to be verified against a server or group of servers.

Re: Email Address Forgery Suresh Ramasubramanian  –  Jun 21, 2004 3:11 AM PDT

That's a short, and really good summary of what MARID finally amounts to :)

Also - my followup to Esther's article, at http://www.circleid.com/article/607_0_1_0_C/#1087811284

To post comments, please login or create an account.




Sponsored byVerisign

DNS Security

Sponsored byAfilias

New TLDs

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

Domain Names

Sponsored byVerisign