How To Find Out Where A Spoofed Email Came From

How Email Spoofing Works

âFromâ? Spoofing: How Spammers Send Email that Looks Like It Came from You

First, we need to distinguish between email spoofing, and domain impersonation. Sometimes these two techniques get conflated.

Heres the difference:

  • In an email spoofing attack, the senders email address looks identicalto the genuine email address .
  • In a domain impersonation attack, the fraudster uses an email address that is very similarto another email address .

When you receive an email, your email client tells you who the email is supposedly from. When you click reply, your client automatically fills in the to field in your return email. Its all done automatically and behind the scenes.

But, this information is not as reliable as you might think.

An email consists of several parts:

  • Envelope: Tells the receiving server who sent the email and who will receive it. When you get an email, you dont normally see the envelope.
  • Header: Contains metadata about the email: including the senders name and email address, send date, subject, and reply-to address. You can see this part.
  • Body: The content of the email itself.

Spoofing is so common because its surprisingly easy to forge the from elements of an emails envelope and header, to make it seem like someone else has sent it.

Obviously, were not going to provide instructions on how to spoof an email. But we can break down a spoofed email to help you understand how the process works.

Lets take a look at the email header:

Enumerating Spf And Dmarc Records

So weve talked about how emails are sent, how emails are validated against a specific list of IPs and if theyre allowed into a users inbox/quarantined/failed to deliver, but how do we enumerate these records?

Theres several ways! First were going to take a look at how to do so with dig. Its fairly simple:

SPF:dig txt | grep spf

**Example Query: **

] #dig txt | grep               300     IN      TXT     "v=spf1 ip4: ip4: ip4: ip4: ip4: -all"

DMARC:dig txt

Example Query:

] #dig txt | grep "v=DMARC1"        300     IN      TXT     "v=DMARC1  p=quarantine  adkim=r  aspf=r  pct=100  fo=1  rua=mailto:  ruf=mailto:"

None of these are very pretty, as Im sure you can tell, so lets move onto the next method Using MXToolbox! MXToolbox parses records into an easy to read table for your viewing pleasure!

Am I Being Spoofed Or Has My Email Been Compromised

Imagine: a clients employee logs into their email account and discovers a lot of undeliverable bounce-back emails. However, they werent responsible for sending them, and customers are starting to complain about the amount of spam coming from their account. Obviously somethings wrong, but what? Is it a hacker spoofing their email? Has their entire email account been compromised?

To help protect their clients and their data, MSPs must make sure their employees know the key differences between email spoofing and business email compromise attacks before they take steps to prevent these scams. Heres everything you need to know.

Read Also: Remove Duplicate Emails In Outlook 2013

Email Spoofing : What Is It And How To Stop It

How can you recognize email spoofing? What are the most effective ways to realize when somebody is trying to con you through your email account?

Email scams may be nothing new, but thousands of people still fall for them every day.

Its easy to let your guard down, and unfortunately, some scammers are really sophisticated and know all of the tricks.

In this email spoofing guide, were arming you with the tools you need to prevent it, as well as going over how to stop email spoofing.

Email spoofing is defined as the art of sending disingenuous emails to fool someone. These are usually pretending to be from somebody else.

Email spoofing is a synonym for phishing emails and spam. All serving the same purpose to mislead the recipient.

For instance, it could be somebody pretending to be from a billing department saying there is a problem with your payment, and chasing money.

Email spoofing comes in a lot of different forms, and people might even pose as executives from businesses to try and get hold of your personal information.

It isnt just bank details that can hurt you.

People try to get hold of other details in order to steal your identity. This is big business, and your details might be sold on the black market.

Spoofing Via Display Name

4 Ways to Find Out a Password

Display name spoofing is a type of email spoofing, in which only the email senders display name is forged. Somebody can do this by registering a new Gmail account with the same name as the contact you want to impersonate. Mind you, the mailto: will display a different email address. If youve ever received an email from Jeff Bezos asking you to loan some money youve encountered an example of spoofing via display name.

This type of email will also bypass all spoofing security countermeasures. It wont get filtered out as spam, because its a legitimate email address. This exploits user interfaces built with ease of use in mind most modern email client apps don’t show metadata. Hence, display name spoofing is very effective due to the prevalence of smartphone email apps. Often, they only have space for a display name.

Recommended Reading: Email Large Videos

Staying Protected From Phishing Attempts Using Spoofed Emails

Despite the fact that its relatively easy to protect against spoofed emails its still a common technique used by spammers and cyber-criminals. It does take some effort, and therefore money, to combat email spoofing. I suspect that is why many small companies do not take the necessary precautions. My recommendation to my clients is pretty straightforward:

  • Assign someone to monitor and administer the email system including the spam filtering service. This is not a trivial task as email functionality changes, new threats evolve constantly and email addresses are in frequent flux due to personnel changes.
  • Educate employees about email spoofing and other techniques used by spammers and cyber-criminals. Train them on what to look for when scanning their inbox so they can quickly identify potential malicious emails. Provide them with a resource who can help them decide if they are not sure if an email is bogus.

Email is a necessary and extremely useful business communication tool. Unfortunately, because it’s used so much it makes an easy target for cyber-criminals. For an average email user its a difficult task at best to spot a malicious email among the hundreds or thousands that pour into their inbox. That is why it’s so important for organizations to allocate the resources and funds to protect their personnel and their organization from all the threats that may arrive as an innocent looking message from a friend.


How Can I Trace Where Email Came From

by Leo A. Notenboom

I frequently get questions that boil down to How can I trace where this email came from? or Can I determine the IP address of the sender of an email?

The answer is both yes and maybe, and it may not do you any good. However there is a lot of interesting information in your email that you normally dont see, and the trail of mail servers is part of that.

So lets interpret some email headers.

First, theres the challenge of even getting to the real email headers. In Hotmail theyre apparently always visible. In Outlook, theyre hidden by default, so with the message open, click on View, and then Options, and youll see a box labeled Internet Headers. In Thunderbird, you can expand or collapse the headers by clicking on a simple control next to the subject line.

In any case, headers typically look something like this:

Now yours may look a lot different. It may be longer or shorter, or have additional information, or less. But the basic idea is that theres a lot of information in the headers that has to do with the administration of getting the email from the sender to the receiver.

A detailed reference is more than I can present here, and quite honestly, probably more than you need. But lets examine the headers above a little more closely, since its a good example of a normal email message. They are from a message I sent to my regular email account from my Hotmail account.

Now lets look at the headers of some SPAM I recently received:

Read Also: How To Recover Permanently Deleted Emails On Ipad

Other Ways To Manage Spoofing And Phishing

Be diligent about spoofing and phishing protection. Here are related ways to check on senders who are spoofing your domain and help prevent them from damaging your organization:

  • Check the Spoof Mail Report. You can use this report often to view and help manage spoofed senders. For information, see Spoof Detections report.

  • Review your Sender Policy Framework configuration. For a quick introduction to SPF and to get it configured quickly, see Set up SPF in Microsoft 365 to help prevent spoofing. For a more in-depth understanding of how Office 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with How Office 365 uses Sender Policy Framework to prevent spoofing.

  • Review your DomainKeys Identified Mail configuration. You should use DKIM in addition to SPF and DMARC to help prevent attackers from sending messages that look like they are coming from your domain. DKIM lets you add a digital signature to email messages in the message header. For information, see Use DKIM to validate outbound email sent from your custom domain in Office 365.

  • Review your Domain-based Message Authentication, Reporting, and Conformance configuration. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing email. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks. For information, see Use DMARC to validate email in Office 365.

How To Uncover A Spoofed Call

How to Spot a Spoofed Email

If it was, indeed, a spoofed number, its most likely impossible to know your callers true identity. There arent any guaranteed ways on how to trace a spoofed call or trace a spoofed number. Here are your best methods to unspoof a call.

  • Telephone Company: In some rare instances, telephone companies can trace spoof calls to where they were initiated. Note, however, it may be time-consuming and theres no guarantee it will yield accurate results.
  • Law Enforcement Agency: You could also involve the authorities, especially if you feel like youre being harassed or youve already fallen victim to a spoofing scheme.
  • Manual Data Extraction: Another option is to pick up the phone and do reverse psychology on your spoofer or gain the upper hand and drive the conversation to let them reveal their true identity. This is easier said than done, however, and it could be risky.
  • Also Check: How To Start An Email To Professor

    Tracing A Spoofed Phone Number

    You can also do a bit of âcitizen sleuthing,â either from a feeling of civic duty or just for your own satisfaction. Law enforcement has a lot more resources at its disposal than you do, but on the other hand they also have heavy caseloads. With just a few minutes and Spokeoâs reverse phone lookup, you can often satisfy yourself that a call or text was spoofed and might also find the callerâs real number or identity.

    Start by entering the 10-digit phone number the call purportedly came from. Theyâre typically legitimate numbers, so your search should turn up results, including if known, the name of the owner. However, you may also see complaints of scam calls from that same number. If so, itâs a sign that the number is being used for spam, possibly with or without the ownerâs knowledge .

    If they gave you a callback number, search that next. Spokeoâs search results may bring back a name and a location or even a physical address and other associated phone numbers and identifiable information . This way, when you reach out to the authorities, youâll have tangible information to give them.

    Spoofing Via Lookalike Domains

    Suppose a domain is protected, and domain spoofing isnt possible. In that case, the attacker is most likely going to set up a lookalike domain. In this type of attack, the fraudster registers and uses a domain that is similar to the impersonated domain, instead This change could be minimal enough not to be noticed by an inattentive reader. Its effective because when exactly was the last time you bothered to read an email header?

    Using a very similar domain, which also bypasses spam checks due to being a legitimate mailbox, the attacker creates a sense of authority. It might be just enough to convince its victim to reveal their password, transfer money, or send some files. In all cases, email metadata investigation is the only way to confirm whether the message is genuine. However, its sometimes plain impossible to do on the go, especially with smaller smartphone screens.

    You May Like: How To Send A Large Video File Through Email

    Identify A Spoofed Message

    Scammers alter different sections of an email to disguise the sender of the message. To view the message properties that indicate a message has been spoofed, you must view the email headers of that message. The following examples are spoofed email header properties:

    • FROM : This property appears to come from a legitimate source on a spoofed message.

    • REPLY-TO: This property can also be spoofed, but a lazy scammer might leave the actual REPLY-TO address. If you see a different sending address here, the email might be spoofed.

    • RETURN-PATH: This property can also be spoofed, but a lazy scammer might leave the actual RETURN-PATH address. If you see a different sending address here, the email might be spoofed.

    • : This property is typically more difficult to alter, but it is possible that this property is spoofed.

    The first three properties can be easily altered by using settings in your Microsoft® Outlook®, Gmail®, Hotmail®, or other email software. The fourth property, SOURCE Internet Protocol address, can also be altered, but it usually requires more sophistication to make a false IP address convincing.

    In the following example, the recipient appears to have received a message from their office assistant requesting money:

    In the message header snippet shown above, the From: field shows the message being sent from . However, the REPLY-TO: field lists , which is a clear example of a spoofed message.

    Is Your Account Hacked Or Spoofed

    How Can I Find Out Where an Email Really Came From?

    The initial fear in these circumstances is that the sender account has been hacked. If your own account were compromised, an attacker could use it to implement social media attacks against your fellow employees and email contacts. At the least, it could be used as a spamming account, which would negatively affect your email reputation. The good news is that email accounts are rarely hacked. Most of these occurrences are due to email spoofing.

    Spoofing is all about making it appear that the email is coming from a sender that you trust, including yourself. In actuality, the email originated from an external source that could be on the other side of the world. Unfortunately, it is easy to spoof an email account today. Any email server can be configured to send mail from any given domain for someone with the required knowledge. Even if you dont have the equipment or know-how, there are websites that will let you send one-off emails using the email address of your choice. All of this is possible because the email protocol makes spoofing possible by its very design. Thats because security was not built-in to the email protocol when it was created.

    Don’t Miss: Delete Duplicate Emails In Outlook 2016

    Popular Articles

    Related Stories

    Stay on top - Get the daily news in your inbox