E-mail spoofing is a term used to describe fraudulent email activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. E-mail spoofing is a technique commonly used for spam e-mail and phishing to hide the origin of an e-mail message. By changing certain properties of the e-mail, such as the From, Return-Path and Reply-To fields (which can be found in the message header), Cyberpunks can make the e-mail appear to be from someone other than the actual sender. It is often associated with website spoofing, which mimics an actual, well-known website but is run by another party, either with fraudulent intentions or as a means of criticism of the organization's activities.
As many spammers now use special software to create random sender addresses, even if the user finds the origin of the e-mail it is unlikely that the e-mail address will be active.
The technique is now used ubiquitously by mass-mailing worms, as a means of concealing the origin of the propagation. On infection, worms such as ILOVEYOU, Klez, and Sober will often perform searches for e-mail addresses within a Microsoft Outlook address book or similar, and use those addresses in the From field of e-mails that they send, so that these e-mails appear to have been sent by the third party. For example:
Newer variants of these worms have built on this technique by randomizing all or part of the e-mail address. A worm can employ various methods to achieve this, including:
Man-in-the-middle: In this form of network attack, a Cyberpunk will intercept two parties' communications and then alter the communication in any way that he/she sees fit. By using this form of spoof, a Cyberpunk can convince the receiver of a message to disclose confidential information, since the message will appear to have come from the supposedly trusted third party (the original sender of the message).
Non-blind spoofing: This occurs when a Cyberpunk is using the same subnet. The sequence and acknowledgment numbers are changed, which makes it hard to calculate correctly. The largest problem with this type of spoofing is session hijacking, allowing a Cyberpunk to bypass any security set in place within the connection.
Blind spoofing: Blind spoofing is a much more difficult attack because the sequence and acknowledgment numbers are not reachable, making them extremely hard to track down and change. This is overcome by sending packets to the system being attacked to provide a sequence of numbers to discover the formula by studying these packets. Once the formula has been discovered, the sequence and acknowledgment numbers can be changed, allowing the Cyberpunk full access.
There are a couple of preventative measures that can be used to prevent spoofing from occurring.
Router filtering: Placing a filter on your router is the first preventative step. By using an Access Control List, you can block private IP addresses.
Encryption and authentication: By using encryption and authentication, you can reduce spoofing attacks. By ensuring the right authentication procedures are in place with a secure network, you will make it much more difficult for an attack to take place.