Forged E-mail Addresses
make you look like a spammer
and can result in the addition of
your e-mail address to spam lists!
- Forged E-mail, What Is It?
- Replying to a Complaint
- Forged Spam Is Becoming a Plague
- FAQ, Forged E-mail
- ALERT, Penn State U.
- Example of a Reply
- HOW TO Forge, postings
- Spoofing my domain to spam
- Identity Theft, by Email
- Virus attached spam
1
University of Michigan, Information Technology Services advisory:
http://www.umich.edu/~itua/email/spoofing/whatforged.html
Forged E-Mail
What Is It?
There's a new type of spam called "forged e-mail" or "spoofing." Spammers can obtain e-mail address lists, which may include valid U-M addresses. They use these addresses in the "From" field of spam they send. If yours is "selected," the spam looks like it came from you. Consequently, it also looks like it comes from within the University.
U-M IT security staff have begun receiving complaints from individuals both outside and within the University. Recipients are amazed we would allow this often-pornographic spam to be sent from U-M addresses. If you receive a complaint, you may worry that your e-mail account has been compromised. While this is unlikely, it's always a good idea to change your password regularly.
We are very concerned about forged e-mail. However, technically, it is very simple for spammers to forge U-M e-mail addresses, and we are not able to prevent them from doing so.
You may discover your e-mail address has been forged if you:
- receive delivery rejection notices for messages you haven't sent; if the recipient's e-mail address is invalid, the message is returned to you because your address is in the "From" field. The only thing you can do is delete the message.
- receive complaints from people who believe you are the sender. If you receive a complaint, the U-M IT User Advocate has created a standard reply message for you which explains forged e-mail. ...
2
Forged E-Mail
Replying To a Complaint
Sometimes when we receive an angry e-mail, our first instinct is to send an angry reply. In the case of forged e-mail, the complainer believes you are the spammer. Imagine how you might reply to a spam message if you thought you had found the spammer.
You need to assure the person -- in a reasoned manner -- that you are not the guilty party. Using the following prepared reply, you explain the situation and acknowledge that the University is also concerned about forged e-mail. You can copy this message and paste it into a reply. Unfortunately, the person complaining is unlikely to be the only one who received the spam attributed to you, so you might want to keep this reply handy.
Hello --
I believe we are both victims of spam called "forged e-mail" or "spoofing." The message you received was not from me. It came from a spammer who has maliciously inserted my e-mail address in the "From" field. Unfortunately, there is nothing either you or I can do about it other than to delete the message.
Recently, the University of Michigan IT Security staff has begun receiving many complaints from people both outside and inside the University who have been victimized. The U-M IT User Advocate has created a web site (http://www.umich.edu/~itua/email/spoofing/) detailing this problem that you may wish to visit.
Regards
3
University of Michigan, website alert:
http://virusbusters.itcs.umich.edu//forged_spam.html
Forged Spam Is Becoming A Plague
by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last significant update: 31 March 2003
This information can be freely reproduced in any medium, as long as the
information is unmodified.
Starting in March 2003, the U-M Virus Busters team noticed that many
people were sending copies of suspicious email to us, thinking that these
emails might have been sent out by computer viruses. In fact, there is no
virus involved; these people are the victims, so to speak, of forged spam.
First, an important fact:
If your name is forged as the sender of the spam,
this does not mean that your account has been compromised. The
email is not sent from your account; instead, it is sent forged in
your name.
[It DOES mean that your friends and associates who are unaware of what is on this page, at a minimum, as well as ISPs who use anti-spam software, will OFTEN assume that it originated with YOU, because they assume, in their ignorance and authoritarian thinking, that Internet technology is infallible AND high in integrity.]
Here's what happens, in brief:
1. A spammer gets a list of supposedly valid email addresses.
2. Taking a trick from recent viruses, the spammer forges the email from one of these addresses, and probably sends spam to the rest of those email addresses.
3. The "main victim" here is the person in whose name the email is forged: their good name is besmirched by the spammer. Of course, the people who receive the spam are victims as well.
4. If an address to which the spam is sent is invalid, email server software will generate a rejection notice (for each such address), saying that the email cannot be delivered to the intended recipient.
5. That rejection message will be sent to the apparent "sender" of the original email -- but the email server software usually isn't clever enough to recognize that the email is forged .... Hence it comes to the person whose email address was forged in Step 2 above.
6. The "forge-ee" gets mysterious copies of bounced emails that s/he didn't send....
Why do spammers do this? I don't know, but I suspect that it is their
hope that email from a "real" address is more likely to be read by the
recipient than email from a fake name. Perhaps it's to try to defeat
email spam filters. Perhaps it's so that bounced email doesn't go
directly to postmasters, who would get the accounts cancelled more
quickly. Who knows? In any event, of course the spammer isn't going to
use his or her real name!!
[That would be honest, self-responsible, and assertive ... and we know that these individuals are greedy cowards with low self-esteem.]
A few points:
- This original spam -- between spammer and the spammed -- contains information that shows where it originates. With proper analysis -- see e.g., links on our antispam page -- one can complain to the spammer's ISP and probably get the spammer's account cancelled. In particular, the "full email headers" show where the email originated.
- Unfortunately, the email "bounces" generated in Step 3 above do not
always contain this full email header information. [That's a pity
-- but it does seem that more often than not, email server software
does include these data in the rejection message.]
- Moreover, getting the spammer's account cancelled does not
necessarily stop the abuse of the victim's email address: The
spammer just opens a new account at a different ISP and continues to
send the forged emails. :-(
- These spammers forge many addresses. At once. They both forge different email addresses, and also use a single email address to send with multiple names. [In this latter case, for example, email might use the names "Bruce Burrell", "Brad Burrell", and even "Brian Bosworth", all with the same forged From address "bpb@umich.edu".] Probably the spammer isn't picking on a particular address with any malice toward that individual, but it sure won't look that way to the victim.
- A thought: if the spammer includes a web address in the email, you
might be able to get that web site closed. This will cause
considerably more pain and suffering to the spammer than closing a
(free and anonymous, probably) email account, so this may yield the
biggest bang for your effort. Similar techniques to those discussed
in our anti-spam URL above can be used to find the spammer's web
service provider.
- Reprise: Note that if your name is forged as the sender of the spam,
this does not mean that your account has been
compromised. The email is not sent from your account;
instead, it is sent forged in your name.
- Until the laws change so that:
  - spam is outlawed both in the U.S. and world-wide by international treaty, and
  - severe penalties against spammers are both put into the penal code and aggressively enforced [So write to your congresspeople!],
  or we file class action lawsuits for defamation of character, or, perhaps, all ISPs somehow manage to block all spam before it gets sent, either by clever filtering or authenticated email (for technical details, see the reference section below), there's not much you can do about this, other than report the email to the spammer's ISP. Remember, the email probably is entirely external to U-M (or your email provider), so we can't help you ... much though we'd love to eradicate spam! For example, neither the spammer nor the spammed have U-M accounts. Hence the U (or your ISP) isn't involved with the email in any way .. so it can't be blocked or otherwise prevented on the University email servers (because the original spam never goes through them). It sucks. But to some degree, that's just the way email is.
It comes as no surprise that both spammers and those who write and
distribute viruses and other malware would use the same scumbag
techniques. They are a blight upon the planet.
Some References for Controlling Spam
See these URLs:
- CAUCE, The Coalition Against Unsolicited Commercial Email, has information about lobbying against spam.
- A Plan For Spam offers an interesting technical approach to spam control.
- For a semi-automated way of reporting spam, see SpamCop.
Thanks to folks who have offered input for improving
this page -- Will Rhee in particular.
4
Rice University,
https://www.owlnet.rice.edu/FAQ/cache/432.html
Forged E-mail FAQ: ...
In general, the addresses in the From, To or CC fields are no more reliable than the handwritten return address on a postal envelope. ...
Can the Internet e-mail system prevent forgery?
Unfortunately, the Internet e-mail system has no defense against deception. Academic and government researchers developed Internet e-mail protocols in the early 1980s. Commercial and criminal organizations were not part of the early Internet, and the first Internet-capable malicious software (the Morris Internet Worm) was still six years in the future. The first successful e-mail virus appeared in 1999. ...
How did they get my e-mail address?
The answer depends on the source of the forged mail. Computer viruses scavenge e-mail addresses from files on the infected computer. They will scan address books, word processing documents, web pages, and mailboxes to look for addresses. They use these addresses to both send and forge e-mail.
Spammers (senders of unsolicited bulk e-mail) may purchase large lists of e-mail addresses, then generate e-mail with both the From and To address pulled from the list. They also use web searches to find e-mail addresses, or they may get e-mail addresses from USENET news system searches.
Viruses and spammers often try to confuse you by using e-mail addresses from the same domain. For example, if they generate fraudulent e-mail to an address at Rice, they will put a Rice address in the From field. ...
If the sender uses an additional authentication technique called a digital signature, it may be possible to verify the identity of the sender to a reasonable degree.
What is a digital signature?
Digital signatures rely on a method for scrambling data called asymmetric-key cryptography or public key encryption. Briefly, the public key encryption method allows the sender to generate a unique block of numbers called a digital signature for each outgoing mail using a secret passphrase and a block of random numbers called a private key.
In order to verify that the digital signature came from the sender, the recipient uses another block of numbers called the public key. The recipient decrypts the digital signature with the public key to verify that the original secret passphrase and private key were used to create it. The sender can give the public key to the recipient in various ways, such as posting it on a web page or uploading it to a public key server. It is important to verify that the public key came from the right person -- if you use a public key without verifying the identity of the person who gave it to you, there is no way to be sure that it is legitimate.
To properly use digital signatures, both the sender and the recipient must use compatible public key encryption software. The most popular digital signature techniques are based on Pretty Good Privacy and S/MIME. ...
Mozilla, Thunderbird, Netscape 7.1
To use digital signatures with these mailreaders, you can install a plug-in called Enigmail and GnuPG, a free PGP implementation. These mailreaders also have integrated S/MIME support, if you purchase a digital ID from a commercial certificate provider.
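As an added illustration of the sign-and-verify idea described in the FAQ above (example code written for this page, not from Rice or from any of the PGP or S/MIME tools it names): a textbook RSA signature over the From, To and Subject headers and the body, built only from the Python standard library. The key size, addresses and subject are made up.

```python
import hashlib
import random

# Added example, not code from the Rice FAQ or any mail client. Textbook
# (unpadded) RSA built from the standard library only, so the sign/verify
# idea can be run on an e-mail: the signature covers the From, To and Subject
# headers and the body, so it cannot be reused on a message with a different
# From field, and a signature made with any other key fails to verify.
# Real mail signing (PGP, S/MIME) adds padding and certificates.


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with exactly `bits` bits."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return (public_key, private_key) as ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:        # e must be invertible mod phi
            return (e, p * q), (pow(e, -1, phi), p * q)


def signed_data(headers, body):
    """Bytes the signature covers: the fields a forger would change."""
    lines = [f"{name}: {headers[name].strip()}" for name in ("From", "To", "Subject")]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("utf-8")


def sign(private_key, headers, body):
    d, n = private_key
    digest = int.from_bytes(hashlib.sha256(signed_data(headers, body)).digest(), "big")
    return pow(digest, d, n)               # digest < n because n has 512 bits


def verify(public_key, headers, body, signature):
    e, n = public_key
    digest = int.from_bytes(hashlib.sha256(signed_data(headers, body)).digest(), "big")
    return pow(signature, e, n) == digest


if __name__ == "__main__":
    pub, priv = generate_keypair()
    headers = {"From": "bpb@umich.edu", "To": "friend@example.org", "Subject": "Hello"}
    body = "Sent and signed by the real account holder.\n"
    sig = sign(priv, headers, body)
    print(verify(pub, headers, body, sig))                                # True
    print(verify(pub, dict(headers, Subject="Cheap pills"), body, sig))   # False
    spammer_pub, spammer_priv = generate_keypair()
    print(verify(pub, headers, body, sign(spammer_priv, headers, body)))  # False
```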
5
Pennsylvania State University,
http://its.psu.edu/news/phishing.html
website alert:
A forged e-mail message appearing to come from Penn State's Registrar asking for confirmation of enrollment at Penn State was recently received by a member of the Penn State community. The message originated from a bogus Web site which ITS Security Operations and Services (SOS) is working to shut down.
The message headers were forged so that registrar@psu.edu was in the "from" address, and the body of the message contained a link to http://www.elion.service.to/. That page provided a form for Penn State authentication similar to the login pages for http://eLion.psu.edu/. A Web page containing the message "Thank you! Your information has been sent" was displayed upon submission of the form. This is clearly a phishing scheme to collect usernames and passwords.
If you entered your information on the above bogus Web site in response to an e-mail, you should immediately change your Penn State Access Account password at https://www.work.psu.edu/password/ on the Web.
6
This is an example of a reply received from a server which had detected a Forged Address as the Sender, which used the earthtym.net site URL as a pointer. It could just as easily have been YOUR website URL, or that of any other one.
The original message was received at Fri, 4 Mar 2005 00:48:22 GMT
from [195.46.50.66]
----- The following addresses had permanent fatal errors -----
(reason: 553 : Recipient address rejected:
Requested action not taken: mailbox name not allowed)
----- Transcript of session follows -----
... while talking to alpha.dmz-eu.st.com.:
DATA
553 : Recipient address rejected:
Requested action not taken: mailbox name not allowed
550 5.1.1 ... User unknown
554 Error: no valid recipients
Reporting-MTA: dns; lon-del-01.spheriq.net
Received-From-MTA: DNS; [195.46.50.66]
Arrival-Date: Fri, 4 Mar 2005 00:48:22 GMT
Final-Recipient: RFC822; carmen.delia@st.com
Action: failed
Status: 5.1.3
Remote-MTA: DNS; alpha.dmz-eu.st.com
Diagnostic-Code: SMTP; 553 : Recipient address rejected: Requested action not taken: mailbox name not allowed
Last-Attempt-Date: Fri, 4 Mar 2005 00:48:24 GMT
Return-Path:
Received: from lon-inc-02.spheriq.net ([195.46.50.66])
by lon-del-01.spheriq.net with ESMTP id j240mMUK014437
for ; Fri, 4 Mar 2005 00:48:22 GMT
Received: from lon-net-02.spheriq.net (lon-net-02.spheriq.net [195.46.50.34])
by lon-inc-02.spheriq.net with ESMTP id j240mKnd025269
for ; Fri, 4 Mar 2005 00:48:20 GMT
Received: from st.com
(CPE000d56b521b1-CM000a73a9634e.cpe.net.cable.rogers.com [69.192.244.229])
by lon-net-02.spheriq.net with ESMTP id j240mIaY010652
for ; Fri, 4 Mar 2005 00:48:19 GMT
Message-Id: <200503040048.j240mIaY010652@lon-net-02.spheriq.net>
From: health4all@airpost.net
To: carmen.delia@st.com
Subject: [I-VIRUS4][I-VIRUS3][I-VIRUS1]Mail Delivery
(failure carmen.delia@st.com)
Date: Thu, 3 Mar 2005 18:48:41 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
X-I-General-Status: No
X-I-Spam1-Detail:
ADDRESS_IN_SUBJECT,FORGED_RCVD_HELO,HTML_MESSAGE,
MIME_HTML_MOSTLY,MIME_QP_LONG_LINE,MIME_SUSPECT_NAME,
MISSING_MIMEOLE,MPART_ALT_DIFF,MSGID_FROM_MTA_ID,
NO_REAL_NAME,PRIORITY_NO_NAME,RCVD_IN_SORBS_DUL
X-I-Spam1-Level: 25
X-I-Spam1-Status: Yes (7.957)
X-I-Spam2-Detail: 00000000
X-I-Spam2-Level: 20
X-I-Spam2-Status: No (0)
X-I-URL-Status: Not Scanned
X-I-Virus1-Status: Yes
X-I-Virus1-Detail: [message.scr,W32.Netsky.P@mm]
X-I-Virus2-Status: Not Scanned
X-I-Virus3-Status: Yes
X-I-Virus3-Detail: [message.scr,Worm.SomeFool.P]
X-I-Virus4-Status: Yes
X-I-Virus4-Detail: [message.scr,W32/Netsky-P]
X-I-Image-Status: Not Scanned
X-I-Attach-Status: No
X-SpheriQ-Ver: 2.0.2
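To show the point made on the Virus Busters page that the "full email headers" reveal where the mail originated, here is an added example (not from any of the quoted sites) that walks the Received: chain of the bounce above. The header text is reconstructed from that bounce with the missing "for <...>" clauses left out; the chain-consistency rule and the HELO-versus-reverse-DNS comparison are the author's own simplifications.

```python
import re
from email import message_from_string

# Constructed for this example from the bounce shown above: the three
# Received: lines (top = last hop) plus a few headers, with the recipient
# "for <...>" clauses that were missing from the page left out.
BOUNCED_HEADERS = """\
Received: from lon-inc-02.spheriq.net ([195.46.50.66])
    by lon-del-01.spheriq.net with ESMTP id j240mMUK014437;
    Fri, 4 Mar 2005 00:48:22 GMT
Received: from lon-net-02.spheriq.net (lon-net-02.spheriq.net [195.46.50.34])
    by lon-inc-02.spheriq.net with ESMTP id j240mKnd025269;
    Fri, 4 Mar 2005 00:48:20 GMT
Received: from st.com
    (CPE000d56b521b1-CM000a73a9634e.cpe.net.cable.rogers.com [69.192.244.229])
    by lon-net-02.spheriq.net with ESMTP id j240mIaY010652;
    Fri, 4 Mar 2005 00:48:19 GMT
From: health4all@airpost.net
To: carmen.delia@st.com
Subject: Mail Delivery (failure carmen.delia@st.com)

(message body omitted)
"""

# "from <HELO name> (<reverse DNS name> [<ip>]) by <receiving host>"
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_message):
    """Return one dict per Received: header, topmost (most recent) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())               # unfold the header
        m = HOP_RE.search(text)
        if not m:
            continue
        info = m.group("info") or ""
        ip = IP_RE.search(info)
        rdns = info.split("[")[0].strip() or None    # name the receiver looked up
        hops.append({"helo": m.group("helo"), "rdns": rdns,
                     "ip": ip.group(1) if ip else None, "by": m.group("by")})
    return hops


def registered_domain(hostname):
    """Crude 'last two labels' domain, good enough for this comparison."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_origin(raw_message):
    """Walk the Received: chain from our own server downwards.

    Each hop's 'by' host should be the host that the hop above names as its
    'from'; the chain is trusted only as far as that holds, because anything
    below a break may have been written by the sender. The last trusted hop
    gives the IP the mail really came from, and a HELO name whose domain
    differs from the reverse DNS of that IP is the FORGED_RCVD_HELO symptom
    flagged in the bounce's X-I-Spam1-Detail header.
    """
    hops = parse_hops(raw_message)
    trusted = 0
    for i in range(1, len(hops)):
        handed_on_by = (hops[i - 1]["rdns"] or hops[i - 1]["helo"]).lower()
        if hops[i]["by"].lower() != handed_on_by:
            break
        trusted = i
    origin = hops[trusted]
    helo_forged = (origin["rdns"] is not None and
                   registered_domain(origin["helo"]) != registered_domain(origin["rdns"]))
    return {"origin_ip": origin["ip"], "helo": origin["helo"], "rdns": origin["rdns"],
            "helo_forged": helo_forged, "trusted_hops": trusted + 1}


if __name__ == "__main__":
    print(find_origin(BOUNCED_HEADERS))
```

Note that neither the forged From address (health4all@airpost.net) nor the HELO name (st.com) appears in the result; the origin is the cable-modem host 69.192.244.229, which is what a complaint to the sending ISP should cite.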
7
MacIntosh Underground website,
http://freaky.staticusers.net/ugboard/viewtopic.php?p=32681
HOW TO postings:
[There is no harm in posting this here, as the following and other examples can be easily accessed on the Internet. Here, the unaware can become empowered by finding out just how EASY it is for ANYONE to use THEIR e-mail address, or an alias address of THEIR website which may not be set up and active, to SPAM others and make them look responsible!]
Hey if anyone knows how to forge emails so I can send pranks to someone and have an email address like blahblahblah@something.com if anyone knows how I can put something in the part before the .com it would really help me out thanx
you need:
1) an email account to test it on.
2) An anonymous emailer/ remailer like CEAM which is one of the best and is available from freakys website [look for caem...]
3) a server to send it from (this is the hard one to find )
If your isp gives email accounts chances are it has SMTP setting .... all you have to do is either go to your isp's website and search for them or call up their support and ask for it ..... but your isp has to offer email accounts which are pop based for it to be available .... if the only way you can access your isp assigned email account is through webmail then they don't have an SMTP server.
Some SMTP servers will allow you to forge mail using an average mail application. Apple Mail, for example:
1. Open Apple Mail.
2. Select the "Preferences..." menu (Mail>Preferences)
3. Click the "Accounts" tab, then double click on an account row.
4. Change the "Email Address" field to whatever you'd like.
5. Send a message using this account.
Your ISP's mail server may rewrite the From address upon relaying your message or bounce it outright. Mine doesn't seem to, but it's suggested you test it out first, obviously. As near as I can tell, that's all that Logik's Caem seems to do (aside from sending a slew of extra characters in the initial HELO message in an effort to.. flush out the rest of the reported mail path? It doesn't seem to work, so who knows).
If you're not sending millions of spam messages, you do not need to find an open relay server. You can even send the message to the receiving mail server yourself, using telnet. Just find the highest order MX address for the domain with dig. Then follow the SMTP protocol as per the SMTP RFC (check rfc-editor.org). It's pretty straightforward.
It doesn't really make a difference if you do it with the terminal or with the gui . It's just more convenient with a gui.
plus with things like caem its less detectable.
8
Tagged Message Delivery Agent (TMDA),
An Open Source software application to limit spam.
http://tmda.net/faq.cgi?req=show&file=faq04.010.htp
4.10. SPAM is getting in by spoofing my domain.
Occasionally you will receive spam coming from your own e-mail address, or an address within your domain, e.g.,
Date: Sun Nov 9 20:21:11 CST 2003
From: "al"
To: jason@mastaler.com
Subj: Get Free shipping! Curn like a p.... star!
Actn: CONFIRM action_incoming
If the spam got through, this is most likely because you have whitelisted your own address, and/or your entire domain. For example, in your FILTER_INCOMING:
from jason@mastaler.com ok
from *@mastaler.com ok
Most MTAs have ways of handling this problem before the message even reaches TMDA. For example, if the message claims to be from a local address, but isn't being relayed from a machine on your network, the message can be rejected or discarded as a forgery.
....
[Filtering rules can be configured in some mail programs to accomplish this form of filtering.]
9
Email Identity Theft
http://www.albionresearch.com/disaster/email_identity.php
Recently we received a number of bounce messages indicating that a spammer has been forging one of our email addresses in the "From:" field of outgoing email.
Spammers use forged email addresses because they do not want to receive complaints (or complaints to their ISP). They just want your money. Unfortunately email forgery is simple and commonplace.
Email viruses also forge email addresses.
Generally an address is chosen from the infected machine's address book and used as the "From" address for outgoing email. Doing so has two advantages: (1) it makes it more difficult to determine the real source of the virus (it's someone who has both your email and that of the forged sender in their address book); (2) by posing as a trusted contact it is more likely that the email recipient will open an attachment and thus propagate the virus. Addresses have also been chosen using search engines, and by examining the DNS whois database. See our list of recent worm and virus threats for more information.
As a company, you can't prevent this. You can't conceal your email addresses and only reveal them to trustworthy individuals. Your clients and suppliers need to be able to contact you. All you can do is react when it happens.
So what should you do? You should:
- Notify your web hosting provider or ISP:
you don't want your website disconnected because of complaints from people who didn't realize that the From address was forged. Make sure any email sent to your web hosting provider is very clear and concise: some overworked abuse desks have been known to confuse such explanations with abuse reports.
- Put a note on the front page of your site so that any annoyed spam recipient going to your website will understand what has happened and that you weren't responsible.
- If you have control of your company's DNS records, then you should create SPF (Sender Policy Framework) records for your domain. These specify which host computers are allowed to send mail on your behalf, allowing more sophisticated mail handling programs to detect and eliminate most forged email.
- Collect evidence (printed and electronic copies of complete emails, including all headers) in case it becomes necessary to either pursue the spammer through the courts or to convince a skeptical inquirer that you didn't send the email.
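One way to implement both the TMDA FAQ's suggestion in section 8 (reject mail that claims a local From address but was not relayed from one of your own machines) and the SPF advice above, as added example code that is not part of TMDA or of the Albion page. The SPF record, the 203.0.113.0/24 and 198.51.100.7 addresses, and the sender addresses are constructed; only the two FILTER_INCOMING rules come from the FAQ.

```python
import fnmatch
import ipaddress
from email.utils import parseaddr

# Constructed for this example: a minimal SPF record for the domain used in
# the TMDA FAQ (not mastaler.com's real record) saying that only hosts in
# 203.0.113.0/24 may send mail for it, plus the two FILTER_INCOMING
# whitelist rules quoted in the FAQ.
SPF_RECORDS = {"mastaler.com": "v=spf1 ip4:203.0.113.0/24 -all"}
FILTER_INCOMING = [
    ("from", "jason@mastaler.com", "ok"),
    ("from", "*@mastaler.com", "ok"),
]
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip):
    """Evaluate the ip4: mechanisms and the 'all' default of a simple SPF
    record against the host that connected to us. Returns an SPF result."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"                      # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
        if term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def filter_incoming(sender, client_ip, check_relay=True):
    """Decide what to do with a message: 'ok' (deliver), 'reject', or
    'confirm' (TMDA's challenge to an unknown sender).

    With check_relay=False this is the bare whitelist the FAQ warns about:
    anything claiming to be from *@mastaler.com sails through. With the
    check on, a message for a domain with an SPF policy that did not come
    from one of that domain's authorised hosts is rejected as a forgery
    before any whitelist rule is consulted.
    """
    _, address = parseaddr(sender)
    address = address.lower()
    domain = address.rpartition("@")[2]
    if check_relay and spf_result(domain, client_ip) == "fail":
        return "reject"
    for field, pattern, action in FILTER_INCOMING:
        if field == "from" and fnmatch.fnmatchcase(address, pattern.lower()):
            return action
    return "confirm"


if __name__ == "__main__":
    spam = '"al" <al@mastaler.com>'       # forged local From, sent from an outside host
    print(filter_incoming(spam, "198.51.100.7", check_relay=False))   # ok (the FAQ's problem)
    print(filter_incoming(spam, "198.51.100.7"))                      # reject
    print(filter_incoming("jason@mastaler.com", "203.0.113.5"))       # ok
```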
One of the spam email messages being sent in this instance referred the recipient to a website which claimed to be MortgagePlus Financial, a mortgage broker.
Visitors to this site are asked to fill in an application form revealing personal details... but you have to wonder somewhat about a company whose domain name is the memorable c1010.hud...bch.co.uk. Although it appears to be a US mortgage broker, it uses a uk domain, is hosted in Hong Kong, and its DNS records report ownership by Fanraz Industries in Budapest, Hungary. And there doesn't appear to be single phone number, email address, or postal address on the entire website.
And if you try c1011.hud...bch.co.uk the company is now QuickMortgages, another company keen on receiving your financial information...
If you filled in the form with your credit information, what might it be used for?
Update: Some further detective work at SPEWS (Spam Prevention Early Warning System) suggests that the trail to the actual spammer may be even more convoluted, involving an address translating proxy in Hong Kong re-routing packets to a US site. See Case S2040 for more information.
If you receive spam...
- The simplest thing to do is just delete it. Replying is pointless as either (a) the From address is forged, or (b) the From address will be used to harvest a list of working email addresses which the spammer can use to optimize his or her operations.
- Try to avoid loading such email in an HTML capable email client which automatically loads images. Spammers often encode your email address in the URL used to retrieve images. By examining their server logs, they can determine if you received the email, and whether you read it.
- For the same reason, don't click on any links in the email.
- If you want to do some detective work, look at SamSpade.org, which has a collection of online tools for deciphering URLs and tracing website ownership. But be careful! It's all too easy to point the finger at the wrong person. Spammers try to cover their tracks, and more than one of the email headers will typically be forged. Indeed, one of our clients recently encountered problems because a spammer included a link to their domain (as well as to other random web sites) in their email to confuse automated spam reporting systems.
And obviously never buy anything from a spammer. You don't really think your credit information is safe with somebody who forges emails for a living, do you?
10
E-mail Service Provider,
Virus attached e-mail Spam: 27-04-05
We have just rejected a message to health4all@airpost.net from alston@dodo.com.au
because it tested as positive to a virus.
Please note that most viruses use a "fake" from address, so unless
you were explicitly expecting a message and file from the above
person, the above address is probably not the true source of the
virus and can be ignored.
If you do not wish to be notified about infected files we reject, log
into your account, go to Options and Spam/Virus protection and check
the "Silently discard virus laden emails" check box.
If you do not wish to use anti-virus protection, log into your account,
go to Options and Spam/Virus protection and uncheck the "Enable virus
protection" check box.
The virus scanner output was:
----
Virus Worm.Mabutu.A-unp found!