Everyone has seen spam messages arrive with a “From” address that is your own address, a colleague’s, a friend’s, or that of some company that you work with or use. These From addresses are forged to help the messages (a) get by your spam filters, and (b) get by your “eyeball filters”.
But how are these folks “allowed” to do that?
When email was first developed, security was not a design consideration; protections against identity theft and forgery were not part of the plan. As a result, it is trivial to send an email with a forged “From” address, and even some forged “Received” tracking lines, just by connecting to your target’s email server and telling it whatever you want.
Let’s try to send an email to the address “firstname.lastname@example.org” pretending to be from “Bank of America”. The purpose of this exercise is not so much to teach you how to send forged email (this is not a new technique) as to set the stage for understanding how to detect and combat these kinds of messages.
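On the detection side, the check below is an added example, not code from the original post: it compares the visible From header of a received message with the envelope sender the receiving server recorded in Return-Path, and with the brand named in the display name. The sample message, the `BRAND_DOMAINS` allow-list and the signal names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the original post). Return-Path is recorded by
# the receiving server from the SMTP envelope; From is whatever the client sent.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Bank of America" <alerts@bankofamerica.com>
To: firstname.lastname@example.org
Subject: Account notice

Please review your account.
"""

# Hypothetical allow-list: brand name -> domains that brand actually sends from.
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com"}}


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def related(a, b):
    """True when the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def forgery_signals(raw):
    """Return a list of header-level signals that the From line may be forged."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, env_addr = parseaddr(msg.get("Return-Path", ""))
    from_dom, env_dom = domain_of(from_addr), domain_of(env_addr)
    signals = []
    if not from_dom:
        signals.append("from-missing-or-unparseable")
    # Visible sender and envelope sender belong to unrelated domains.
    if from_dom and env_dom and not related(from_dom, env_dom):
        signals.append("from-envelope-domain-mismatch")
    # Display name claims a brand, but the address is not on that brand's domains.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and not any(related(from_dom, d) for d in domains):
            signals.append("display-name-brand-mismatch")
    return signals


if __name__ == "__main__":
    print(forgery_signals(SAMPLE))
```

Both headers are unauthenticated, and legitimate mailing lists and bulk senders often use an envelope domain that differs from the From domain, so these results are scoring signals rather than a verdict.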