Email Address Forgery

Jun 14, 2004 6:30 AM PST | Comments: 2
By John Levine

In my roles as postmaster at CAUCE (the Coalition Against Unsolicited Commercial E-mail) and abuse.net, I get a lot of baffled and outraged mail from people who have discovered that someone is sending out spam, often pornographic spam, with their return address on the From: line. “How can they do that? How do I make them stop?” The short answers are “easily” and “it’s nearly impossible.”

One way that e-mail is very similar to paper mail is that you can scribble any return address you want on an envelope and mail it. With paper mail, just like e-mail, you can imagine ways to make it more difficult to scribble the name of someone you don’t like, but the costs of doing so would be huge, and the benefits dubious.

For both paper mail and e-mail, it’s not at all straightforward to determine who’s allowed to send mail with what return address, nor from where people should be sending mail. With paper mail, I often drop mail from my wife in the mailbox, and occasionally from friends who’ve been visiting. Conversely, sometimes I mail my own mail, and sometimes the village clerk will send mail over my signature as the mayor. Sometimes I send mail at my local post office, sometimes I send mail from the other side of the country when I’m on a trip. All of these scenarios have e-mail analogies. Sometimes I send mail with my usual taugh.com address, but I also have addresses at AOL, Yahoo, Hotmail, Outblaze (another large free web mail provider that absorbed mail.com), netscape.net, professional societies such as ieee.org, and my college alumni association. I may have more addresses than most people, but it’s quite common for people to have two or three.

When someone sends an e-mail message, the return address is usually placed on the message by the user’s mail program, such as Outlook Express or Eudora. The mail program then passes the message to a mail server, also called a mail transfer agent or MTA, usually provided by an ISP or company network manager. The MTA then sends the mail along to its destinations. For bulk mail, either legitimate or spam, the return address is placed on the message by a specialized bulk mail sending program. Some of those programs include the function of an MTA, while others pass the message to a conventional MTA for delivery.

One thing that’s notably missing in this process is any kind of security. The user’s mail program or bulk mail sending program can use any return address it wants. This may sound like a bad idea, but the reality is that only the user (or the person running a bulk mailing program) knows what addresses he’s allowed to use.

Some ISPs have attempted to verify the addresses on mail going through their MTAs, with little success. Bell Atlantic, a predecessor of Verizon, used to require that all outgoing mail through their MTAs had an address at bellatlantic.net or one of the other domains of ISPs they’d absorbed. This technique turned out to be both annoying to their users and useless for preventing spam. It was annoying because all of the users who had valid addresses elsewhere couldn’t send mail with those addresses, and it was useless because their system wasn’t able to tie a particular address to a particular PC, so spammers merely made up fake bellatlantic.net addresses and spammed away.

For Internet e-mail’s first fifteen years, address forgery wasn’t a problem. Technically it was easy, but there was little incentive to do so, and it was rare other than as a prank. In recent years, spammers have put forged addresses on most of their spam: to try to defeat filters, to make it harder for recipients to figure out where to complain, and occasionally to annoy the legitimate owner of the addresses. For a while, spammers made up random addresses, but as recipients started filtering out mail with non-existent domains in the return address, spammers adapted by using real addresses, often taken from the same lists as the spam targets. A related but separate problem is phishing, impersonating a trusted organization to trick people into revealing financial information.

In the past year there’s been a great deal of work trying to figure out some way to deter address forgery. It would be straightforward to invent a system that registers a single mail source for every Internet domain, and require that all mail from a domain come from the registered source. While that would be very useful for some domains like paypal.com that are often forged and already send all their mail from one place, it would break a surprisingly large amount of legitimate e-mail, from e-mail discussion lists to electronic greeting cards to automatic mail forwarders. Several validation schemes are in the works, with names like SPF and Caller ID for E-mail (those two recently merged), TEOS, and Domain Keys. But it remains to be seen both whether such schemes can work with the many legitimate but unusual mail sending methods that they don’t easily cover, and more importantly whether spammers will just find ways to send their spam with valid domains. The majority of spam is sent through virus-controlled “zombie” computers, so the spam could easily forge the zombie’s own domain. Or, since spammers already register large numbers of domains, they can use those domains in their spam and publish validation rules that the spam satisfies.
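As an added illustration (not part of the original article), here is a simplified evaluator for the path-based scheme described above, checking whether a message's connecting IP is one the sender domain has published as permitted. The records and addresses are constructed, not any real domain's policy; the three cases mirror the article's argument: the single-source domain it protects, the forwarder that breaks legitimate mail, and a domain whose owner publishes a rule its own mail satisfies.

```python
import ipaddress

# Constructed sample SPF-style records (no DNS lookups are made; these are
# illustrative records for made-up domains, not any real domain's published policy).
RECORDS = {
    "singlesource.example": "v=spf1 ip4:192.0.2.10 -all",     # one sending host, like the paypal.com case
    "forwarded.example":    "v=spf1 ip4:198.51.100.0/24 -all", # strict record, but its users get mail forwarded
    "permissive.example":   "v=spf1 +all",                     # owner permits any sending host
}

def check_sender(record: str, client_ip: str) -> str:
    """Evaluate a simplified SPF record against the connecting IP.

    Supports ip4:<addr>[/<len>] mechanisms and the 'all' mechanism with
    '+' (pass), '-' (fail), '~' (softfail) or '?' (neutral) qualifiers.
    Mechanisms that need DNS (a, mx, include, ...) are skipped here.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "neutral"                       # no usable policy
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.lower() == "all":
            matched = True
        else:
            continue
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def evaluate(sender_domain: str, client_ip: str) -> str:
    """Look up the domain's record and evaluate it; 'none' if no record is published."""
    record = RECORDS.get(sender_domain)
    return check_sender(record, client_ip) if record else "none"

if __name__ == "__main__":
    # 1. Single-source domain: its own server passes, a zombie PC forging it fails.
    print(evaluate("singlesource.example", "192.0.2.10"))    # pass
    print(evaluate("singlesource.example", "203.0.113.77"))  # fail
    # 2. Legitimate mail relayed by a forwarder arrives from the forwarder's IP,
    #    not from the publishing domain's, so a strict record rejects it.
    print(evaluate("forwarded.example", "203.0.113.5"))      # fail
    # 3. A domain whose owner publishes +all passes from anywhere, however it is used.
    print(evaluate("permissive.example", "203.0.113.77"))    # pass
```

Case 2 is the false positive the article warns about, and case 3 is why a passing check says only that the sender was permitted by the domain's owner, not that the domain is trustworthy.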

The whole issue of on-line identity, forgery, and authentication is remarkably complex, so we don’t expect any resolution to the forgery problem soon.

Source Credit: This has been a featured post from John Levine, Author, Consultant & Speaker.


Comments

#1 | By Colin Dijkgraaf | Jun 17, 04 @05:57 pm PST

Yes, I agree it is complex. Just validating the domain is not sufficient; the whole e-mail address needs to be validated, and not only that it is a valid e-mail address, but that the person trying to use that e-mail address has the rights to send mail under that address. This will require a fundamental change in the protocol currently used to send mail (SMTP), and will require that the server accepting mail to send (SMTP server) be able to identify the sending user, and verify that the user has the rights to use that e-mail address.
For web-based e-mail this is fairly straightforward, as the user has to log in (and hence verify who they are). The problem is with dialup users and, as mentioned, sites that send e-mails on behalf of someone, such as electronic post card sites.

Dialup users get verified as legitimate dialup users, but there is currently no mechanism for the mail server to 1) get this user name, 2) get a list of valid e-mail addresses that user is authorised to use.
Things get further complicated if the user has their own domain and wants to use an e-mail address which is not one assigned to them by their internet provider; there is no mechanism where the ISP can check the domain records to see if someone using a valid domain has rights to send e-mails with an address using that domain.
Things are further complicated by the fact that there can be several different e-mail addresses in an e-mail (From:, Sender:, Reply-To:), and different validation rules could be required when verifying these.

The fundamental underlying problem is that there is no global user verification method that allows a server, on a request to send a mail, to verify that it is being initiated by someone who has the rights to use that e-mail address in the From: or Reply-To: addresses. The Sender address should probably be used to record which service is sending the e-mail, such as a mailing list or postcard site, and this should probably be verified against a server or group of servers.

#2 | By Suresh Ramasubramanian | Jun 21, 04 @02:11 am PST

That’s a short, and really good summary of what MARID finally amounts to :)

Also - my followup to Esther’s article, at http://www.circleid.com/article/607_0_1_0_C/#1087811284
