Self-Addressed Spoofed Email: How to Shut Down Spam
Spam messages coming from… your own email? This may sound like a cheesy movie plot, but this form of spam, known as “spoofing,” can have horrifying consequences if it results in compromised security, stolen data, or malware on your company’s machines. Read on to find out how to snuff out spoofing and help everyone avoid these attacks in the future.
The Basics of a Spoof
Simple Mail Transfer Protocol (SMTP) servers generally provide little to no validation of the identity of the person sending the email. Some require senders to log in to the account named in the sender field before relaying mail, but not all SMTP servers do. Most spammers exploit this weakness to forge the “From” field of an email, much in the way that a return address on a package is only as good as the honesty of whoever wrote it. Other scams use “botnets” as mail servers to work around whatever weak verification is in place.
Though you can control the accounts you use to send and receive email, you cannot truly prevent anyone from assuming the identity of your email account’s name.
Why Spoofing Exists
On a surface level, spoofing sounds more annoying than harmful, but dedicated scammers and spammers can use the technique to get personal information from you. These emails can subtly trick you into installing malware on your computer, or use Trojan horses to siphon your personal data. Other fiendish tactics include linking you to a forged website that will track and record personal information that you shared, such as on a bank’s website or your PayPal account.
Spoofers often scour your saved address book and send further forged emails claiming to originate from “your” address, spreading the attack to each new set of contacts. You could receive more than a few confused or angry phone calls asking why you have been sending malware to clients and friends.
Spoofing is also a common way to wreak havoc on SMTP servers, flooding them with undeliverable emails and other spam meant to overwhelm the queue system. Spoofs can also be used to bypass access controls that trust the sender address.
Your Own Worst Enemy
Many people have taken to adding their own email address (or domain) to their spam filter’s exception list. This gives their own messages free and clear access under the assumption that they would never spam themselves and that no one on their domain would spam anyone else on that domain. Many people also email information to themselves in lieu of a USB flash drive or cloud services.
Unfortunately, spammers are familiar with these tendencies. They know that complex spam filters are still only as good as the users setting the parameters. If they can disguise the sender’s name as a valid one, then they will have breached the first wall.
It’s also possible that you — or someone who shares an email contact with you — fell prey to clicking a link in a previous phishing email. You may also have been part of a mass email that was compromised by an email scraper. This copies all the addresses it has access to and adds them to a master list for later (mis)use.
How IT Professionals Can Help
IT professionals can help by informing people of the basics of a spoofing scam. Give clear instructions and use analogies where possible to explain how an unfamiliar email might end up in a person’s inbox.
But you can also help everyone in the workplace improve their defense against spoof attempts by using the following suggestions.
Helpful Tips for Employees
If you do not recall sending an email to yourself, and if the email body contains links or attachments, delete it. Read up on common forms of fake emails, including spoofs that prey on your poor memory. Don’t fall for a “completed application” or “contest winner” scam. Legitimate financial and governmental institutions will never ask for personal information in an email, and their websites will always require further verification beyond a simple click.
Repeated spelling errors, odd formatting, and foreign phone numbers are often tell-tale signs that this email isn’t really from you or a trusted source. Check the email against previous emails from that sender to see if they typically use a signature or image. If the possible spoof is from someone claiming to be you, check your Sent folder for proof. If the possible spoof is from someone else, you can always ask the sender, “Did you mean to send this, or has your email been compromised?”
Switch Up the Spam Filter
Instead of adding your email address or domain name to your spam exceptions list, try adding the individual IP addresses of the servers you legitimately send from — as long as your spam filter will allow this. For the most part, this simple switch will stop most spammers, as they cannot mask the IP address of the sending server as easily as they can disguise sender information.
Regardless of the “how” and “why” of a spoof, employees need to understand the potential severity and act with haste. If an email account has been compromised, change the password immediately, and use a stronger form of password protection in the future.
SPF and DKIM records, or PGP or S/MIME digital signatures, allow recipients and their mail servers to verify messages and discard unauthorized ones as spam, though many of the people you email will not understand the purpose or utility of the technology.
Note, however, that a failed SPF or DKIM check only makes a forged message look more like spam; it does not necessarily force the receiving email client or filter to mark it as actual spam. You may have to contact the provider of your filter to update your spam criteria so that SPF or DKIM failures cause the message to be rejected automatically.
For more robust protection, use SPF-protected “allow lists” and publish SPF and DKIM records in your domain’s DNS. You may also want to consider PGP or S/MIME for cryptographic signatures as added security.
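As an added example (not code from the original article), the simplified SPF evaluator below shows how the DNS-published policy described in the last three sections works as the IP allow list suggested under “Switch Up the Spam Filter”: a message claiming to come from your domain passes only if the connecting server’s IP is listed, and a hard fail is mapped to rejection rather than mere spam-scoring. The domains, IP ranges and records are constructed sample data and no DNS lookup is performed.

```python
import ipaddress

# Constructed TXT records standing in for a real DNS lookup (assumption: no network).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.5 ~all",
}

# SPF qualifiers: "+" pass, "-" fail, "~" softfail, "?" neutral.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip):
    """Return the SPF result for client_ip sending mail as domain.

    Simplified evaluator: handles only ip4/ip6/all mechanisms with qualifiers
    (no include/a/mx/redirect). That is enough to show why a self-addressed
    spoof sent from an unlisted host fails while your real server passes.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # domain publishes no policy; nothing can be enforced
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all decides unmatched senders
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed record: treat as a hard error
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an "all" term


def disposition(spf_result):
    """Map an SPF result to a filter action: only a hard 'fail' rejects."""
    if spf_result == "fail":
        return "reject"
    if spf_result == "softfail":
        return "tag-as-spam"
    return "accept"
```

A record ending in ~all only tags forged mail, which is why the text above recommends tightening the filter so that failures are rejected outright.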