MFCF/CSCF FAQ: Dealing with Email Forgery



If you find outdated, inaccurate or confusing items, or you think that something should be added to this file, please send e-mail to consultant@math.uwaterloo.ca.

  1. Forgery of e-mail is Easy
  2. What about this everybody list?
  3. Why Did I Receive Someone Else's Mail?
  4. Could E-mail Forgery be Disallowed?
  5. Determining Possible Origins of Forged E-mail
  6. Dealing with Rejections of Messages You Never Sent
  7. Can I Digitally Sign My Messages?
  8. More Details About Forging Mail?
  9. What Should We Do About Forged E-mail?
  10. Is There Any Hope With Regards to Forged E-mail?


1. Forgery of e-mail is Easy

Why do people complain they received e-mail from me which I never sent?

In general, the alleged sender shown in any e-mail message is not reliably accurate. If the message does not look like something the alleged sender would have sent, they probably didn't.

Some unsolicited mass-mailings ("spam") seem to pick a semi-random address from the list of recipients to use as the apparent sender. This conveniently (for the actual sender, but inconveniently for the "victim") causes most "failed delivery" messages to go to that "victim" rather than to the true sender. It may also be thought to increase the likelihood that the received message will be read.

Some "worm" messages cause mail to be sent from infected machines, and in some cases they pick a random address from the address book on the machine to use as the apparent sender.

Many mail programs allow you to easily substitute an alternate sending address. For instance, when sending mail from home using your ISP connection, and possibly even their mail server, you may wish to set your @uwaterloo.ca return address even though the originating machine will have the non-Waterloo address assigned to it by your ISP. That is the simplest type of "forgery".

As an experiment, you and a friend could co-ordinate to "forge" one another's return addresses in messages to each other, using various mail clients, and see how convincing the forgeries are. Or simply set your own return address temporarily to something forged (real or imaginary), send yourself a message, and see whether your true identity is revealed at all in the various cases. (Hint: in some cases you might see something close to your true identity in an "X-Sender" header, but not always.)

Without going into a "how-to" explanation, it can be said here that removing the "custom return address" facility would not prevent anyone who is even partly knowledgeable about the e-mail protocol from arranging to forge their return address.

But, in short, e-mail forgery is easy to do and not unusual, and, at this point in time, little can be done about it.


Last updated 2003-06-05 by ARPepper
mail/forgery.faq


2. What about this everybody list?

Are local mailing list aliases being used to deliver unsolicited bulk e-mail from off-site?

I received mail addressed to "Everybody@" my mailserver. Does such an address exist, and can it be used to more easily deliver unsolicited bulk email from off-site?

In general, no, such aliases do not exist.

Just as the sender of a message can be "forged", the recipient list can be, too.

With many mail clients, you can add "Bcc:" destinations to specify recipients whose addresses won't be revealed to the other recipients, that is, won't be included in the "To:" header. When using a "fake recipient" such as "To: everybody", that is essentially what the sender of the message is doing. This avoids sending individual messages to each user, or having an enormous list of addresses in the "To:" header, and using the "fake recipient" avoids the confusion of addressing the message to one real recipient and bcc'ing a large number of others.

In some cases, however, mailing list addresses do themselves get placed on unsolicited mass-mailing lists. Closing the list and requiring the intervention of a moderator to send a message can solve that problem, but in some cases that requires changing a simple "mailing list alias" into an alias managed by a mailing-list package, such as Majordomo.

If you suspect that you are receiving unsolicited bulk e-mail because of your inclusion in an on-campus mailing list, please contact the owner of the list directly, if you can, or submit a specific request about the specific list to MFCF or CSCF so they can determine who the owner is, and advise them.

It might be difficult, as an ordinary user, to determine whether the alleged destination is legitimate. You can look for the name in the file /etc/aliases on the machine which actually received your incoming mail. If you find the name there, it is a legitimate e-mail address. Attempting to send to the name in order to find out is inadvisable, in case it does exist!

But, as a general rule, lists are not created which allow sending to everybody on a particular mail server. Lists represent subsets of users, usually across several mailservers (and some even off-campus), and have a name indicative of the function of the list.


Last updated 2003-07-21 by ARPepper
mail/forgery_to.faq


3. Why Did I Receive Someone Else's Mail?

I received mail addressed to someone else. Why did it get delivered to me instead of to them?

This is actually a different case of the problem mentioned in the previous section (What about this everybody list?).

As said before, just as the sender of a message can be "forged", the alleged recipient list can also be "forged".

With many mail clients, you can add "Bcc:" destinations to specify recipients whose addresses won't be revealed to the other recipients, that is, won't be included in the "To:" header. In a few cases, that may be how you received a message in which you were not in the "To:" or "Cc:" header, but more likely a lower-level technique, which ignores those headers entirely, was used to deliver the mass-mailing. This avoids sending individual messages to each user, or having an enormous list of addresses in the "To:" header. Having one realistic-looking recipient might be deemed by the senders to increase the likelihood that the message will not be filtered, and will be read by many recipients.


Last updated 2004-06-11 by ARPepper
mail/forgery_else.faq


4. Could E-mail Forgery be Disallowed?

Couldn't we, at least within the University of Waterloo, simply disallow forgery?

Theoretically, perhaps one day we could ensure that all mail sent from the University appears to come from @uwaterloo.ca, and reject incoming mail which claims to be from @uwaterloo.ca but did not originate there. But unless things changed substantially, we could not force that on the rest of the world. (That is, not until it is generally required that all mail bearing a legitimate return address in some domain originate from a machine which can easily be shown to belong to that domain.)

Many mail programs allow you to easily substitute an alternate sending address. For instance, when sending mail from home using your ISP connection, and possibly even their mail server, you may wish to set your @uwaterloo.ca return address even though the originating machine will have the non-Waterloo address assigned to it by your ISP. That is the simplest type of "forgery".

Preventing that would cause inconvenience to some University of Waterloo users.

And, even if we assume we manage to require @uwaterloo.ca in all our outgoing return addresses, with hundreds of personal machines on campus it would be impossible at this time to prevent all of them from forging on-campus addresses other than the one that would be truly legitimate.

So, in short, at this point in time, we can no more prevent "forgery" than the Post Office could enforce a requirement of an accurate and legitimate return address on and in all physical mail.


Last updated 2003-06-06 by ARPepper
mail/forgery_disallow.faq


5. Determining Possible Origins of Forged E-mail

Can I Find Something About Who Sent Forged e-mail?

Associated with the data (body) of your mail message are many "headers" which contain various types of information about it. The "To:", "From:" and "Subject:" headers are generally visible to you, but there are many others, most of which are not shown by most mail-readers.

Therefore, you must look in your mail reader for options, settings or preferences, and enable those which will show you more (preferably all) mail headers.

The most important headers are the "Received:" headers which indicate the machines that handled the message. These look something like:

Received: from ego.uwaterloo.ca (root@ego.uwaterloo.ca [129.97.128.15])
        by math.uwaterloo.ca (8.8.8/8.8.8) with ESMTP id PAA21512
        for <fbaggins@math.uwaterloo.ca>; Wed, 22 May 2002 15:30:22 -0400 (EDT)
Received: from tomts15-srv.bellnexxia.net (tomts15.bellnexxia.net [209.226.175.3])
        by ego.uwaterloo.ca (8.11.6/8.11.6) with ESMTP id g4MJU3625914
        for <fbaggins@uwaterloo.ca>; Wed, 22 May 2002 15:30:04 -0400 (EDT)
Received: from Kdph ([64.231.219.107])
        by tomts15-srv.bellnexxia.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
        id <20020522192958.XLOK3474.tomts15-srv.bellnexxia.net@Kdph>
        for <fbaggins@uwaterloo.ca>; Wed, 22 May 2002 15:29:58 -0400

These headers track the real and alleged path of the message across the Internet. If the first such machine is not one which it is reasonable for the sender to have been using, then the mail was definitely forged. (The converse is not true, however.)

(The message in the above example appears to have originated from a machine with IP address 64.231.219.107, and then to have been received by tomts15-srv.bellnexxia.net (IP 209.226.175.3), before getting to ego.uwaterloo.ca and then math.uwaterloo.ca. There is also some chance that the headers before tomts15-srv.bellnexxia.net were forged by that machine. So, if the alleged sender of the message would not have been using either of those two machines, you can assume the message was forged. The machine name Kdph, which is not a valid host name, also indicates that this message is a forgery.)

Unfortunately, many mail reading clients make it difficult or impossible for you to access those particular headers, making it harder for you to positively identify forgery.
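As an added example (not part of the original FAQ), the following Python script applies the reasoning above to the three headers quoted in this section: it unfolds the continuation lines, walks the Received: headers from the recipient's end, believes a header only while it was written by a machine in the reader's own domain (assumed here to be .uwaterloo.ca), and reports the earliest relay that can be relied on alongside the origin that the remaining, unverifiable headers merely claim.

```python
import re

# Constructed sample: the three Received: headers quoted above, as a server folds them.
SAMPLE_HEADERS = """\
Received: from ego.uwaterloo.ca (root@ego.uwaterloo.ca [129.97.128.15])
        by math.uwaterloo.ca (8.8.8/8.8.8) with ESMTP id PAA21512
        for <fbaggins@math.uwaterloo.ca>; Wed, 22 May 2002 15:30:22 -0400 (EDT)
Received: from tomts15-srv.bellnexxia.net (tomts15.bellnexxia.net [209.226.175.3])
        by ego.uwaterloo.ca (8.11.6/8.11.6) with ESMTP id g4MJU3625914
        for <fbaggins@uwaterloo.ca>; Wed, 22 May 2002 15:30:04 -0400 (EDT)
Received: from Kdph ([64.231.219.107])
        by tomts15-srv.bellnexxia.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
        id <20020522192958.XLOK3474.tomts15-srv.bellnexxia.net@Kdph>
        for <fbaggins@uwaterloo.ca>; Wed, 22 May 2002 15:29:58 -0400
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(raw_headers):
    """Unfold continuation lines; return hops topmost (nearest the recipient) first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    hops = []
    for line in unfolded.splitlines():
        m = RECEIVED_RE.search(line) if line.startswith("Received:") else None
        if m:
            ip = IP_RE.search(m.group(2) or "")
            hops.append({"from": m.group(1), "by": m.group(3),
                         "ip": ip.group(1) if ip else None})
    return hops

def trace_origin(raw_headers, trusted_suffix):
    """Believe a Received: header only while it was written by one of our own
    machines; everything below the first outside relay may have been forged by it."""
    hops = parse_received(raw_headers)
    verified = []
    for hop in hops:
        if not hop["by"].endswith(trusted_suffix):
            break
        verified.append(hop)
    claimed = hops[-1] if hops else {"from": None, "ip": None}
    return {
        "earliest_reliable_relay": verified[-1]["ip"] if verified else None,
        "claimed_origin": claimed["from"],
        "claimed_origin_ip": claimed["ip"],
        "unverifiable_hops": len(hops) - len(verified),
        # crude check: a bare word like "Kdph" is not a fully qualified host name
        "bogus_hostname": bool(claimed["from"]) and "." not in claimed["from"],
    }
```

For the sample, the report names 209.226.175.3 as the last relay the campus servers actually talked to, while 64.231.219.107 / Kdph is only what that relay's own header asserts.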


Last updated 2003-06-06 by ARPepper
mail/forgery_headers.faq


6. Dealing with Rejections of Messages You Never Sent

I'm receiving hundreds, maybe thousands, of rejection messages for messages I never sent. What can I do???

This is arguably the most serious problem currently arising from e-mail forgery. When mail cannot be delivered to some particular address, a rejection (an announcement that the message could not be delivered) is sent to the apparent sender of the message. Since the mail system cannot tell a forged sender address from a genuine one, the rejections of forged messages end up being sent to the person whose address was forged, not to the true sender.

The Anti-Spam Software section discusses spamassassin. In most cases, the messages rejected will contain their original contents, and "look spammy". Therefore, if you enable spamassassin, it will usually classify such rejections as "spam", causing them to not be delivered to your regular mailbox.

If spamassassin does not produce satisfactory results, contact MFCF/CSCF to arrange for a special mail-filter to be installed for you.


Last updated 2003-06-06 by ARPepper
mail/forgery_rejections.faq


7. Can I Digitally Sign My Messages?

Is there some way I could digitally sign my messages so as to verify my authorship of messages I sign?

There are means to sign your messages to authenticate them, even encrypting the message so it can be read only by your intended recipient. In practice, however, from our perspective as users of vast quantities of e-mail, the awkwardness of these methods outweighs their theoretical advantages.

Nevertheless, this section may be expanded in future to give more details, especially if readers make it known that they are interested.

In the meantime, see how far you can get with a web-search for PGP.


Last updated 2003-06-06 by ARPepper
mail/forgery_sign.faq


8. More Details About Forging Mail?

Apart from the obvious use of mail clients to fill in return addresses which aren't mine, can you give me more details about how mail can be forged?

No.

Well, I can, but I won't.


Last updated 2003-06-06 by ARPepper
mail/forgery_details.faq


9. What Should We Do About Forged E-mail?

What should I as a user, and the University as an organization do about e-mail forgery?

Well, there are some tentative long-term plans, but all plans require time to implement, and since solving this problem would require world-wide co-operation and agreement, roadmaps and timetables for it will be even more difficult to determine. Implementation would probably involve some changes in the way you do things, too.

In the meantime, you, as a user, can do little but be aware that e-mail forgery is easy to do and not unusual, and, at this point in time, inevitable.

For instance, never send replies to "spam" you receive. The addresses tend to be completely fake (in which case you waste your time and University resources bouncing the message), or else a forgery of some party who was not involved in sending the mail.

When an uninvolved party is "forged" as the sender of a message, they are likely already receiving dozens of "rejection" messages for that message. You shouldn't add to their misery by sending them your personal complaint. Whilst I'm sure your complaints would all be very politely phrased, you can see that the victim's aggravation would be exacerbated were your message to be abusive.


Last updated 2003-06-06 by ARPepper
mail/forgery_whatdo.faq


10. Is There Any Hope With Regards to Forged E-mail?

Is there any hope that mail forgery can be eradicated?

Yes. IM2000 is a project to design a new Internet mail infrastructure around the following concept: mail storage is the sender's responsibility.


Last updated 2006-03-03 by agrossku
mail/forgery_hope.faq
