February 16, 2009

E-Mail Forgery

Definition

E-mail forgery is the alteration of the headers of an e-mail to circumvent spam filtering, gain the trust of the recipient, or commit a crime such as identity theft. It is easy to accomplish and very effective, and for webmasters there is almost no defense against it.

Symptoms - End User

Because of the way e-mail is displayed in most e-mail applications, it is virtually impossible to determine if an e-mail is legitimate, or if the headers have been forged. There are a few mechanisms that can be used to verify the identity of the sender, but these methods are out of the reach of the general public. Most of this technology has to be implemented by the Internet Service Provider.

Symptoms - Company

If your e-mail address is being forged, usually the only indication is "bounce messages". These are server messages that are sent in response to a bad e-mail address. For example, you may get a message saying that an e-mail address is invalid, even though you have never sent an e-mail to that address.

How to Forge E-Mail Headers

There are a few different ways someone might forge the e-mail headers. The easiest method, and a frighteningly effective one, is simply to change the reply-to address in your e-mail client before sending the message. Note that it is easy for an investigator to track these e-mails back to the sender.
The second method is to find an e-mail server on the web, establish a telnet connection to the mail server using forged credentials, and send the e-mail. This hides your actual e-mail address and makes it harder to determine your IP address. This is one of the more common methods, as spammers will use this technique to bypass spam filters.
The third method is to compromise a web site that sends e-mail, such that you can feed the web site a list of e-mail addresses, and let the server do the work. This very effectively hides your identity, and the messages from the compromised server will contain the headers associated with the company whose site was attacked. Because these e-mails are coming from the company web server, any authentication method that the recipient uses will allow the messages to pass through.

Defense

The first thing to do is ensure your server is as secure as possible. Make sure you are using strong input validation on all scripts on your web site, and make sure your e-mail server does not allow anonymous users to send e-mail. Also, make sure you log all access to scripts on your site that send e-mail, and log all traffic to your mail server so if a compromise does occur, you can track down the offender.
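As an added illustration of the "strong input validation" and logging advice above (this is example code written for this page, not code from the original post), the following is a hypothetical contact-form mailer. The script relays a visitor's message to a fixed internal mailbox; the address, mailbox and IP values are constructed for the example. The danger it guards against is that a carriage return or line feed in a user-supplied header field would let the submitter append headers of their own, turning the script into a relay for forged mail. The example rejects such input before it reaches the message and logs every submission, accepted or not, with the client IP so that a compromise can be traced afterwards.

```python
import logging
import re
from email.message import EmailMessage

# Hypothetical contact-form mailer (added example, not from the original post).
# All addresses below are constructed for illustration.
INTERNAL_INBOX = "webmaster@example.com"
FORM_SENDER = "Contact form <noreply@example.com>"

# Strict shape for a single mailbox; anything with extra recipients, angle
# brackets or line breaks is refused rather than "cleaned up".
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

log = logging.getLogger("contact_form")
logging.basicConfig(level=logging.INFO,
                    format="%(asctime)s %(levelname)s %(message)s")


class InvalidInput(ValueError):
    """Raised when a user-supplied header field fails validation."""


def _no_line_breaks(value):
    # A CR or LF inside a header value is the classic header-injection vector:
    # it ends the current header and starts a new one chosen by the submitter.
    return "\r" not in value and "\n" not in value


def validate_address(value):
    """Accept exactly one well-formed mailbox with no line breaks."""
    if not _no_line_breaks(value) or not ADDR_RE.match(value):
        raise InvalidInput("rejected address field")
    return value


def validate_subject(value, max_len=200):
    """Accept a single-line subject of bounded length."""
    if not _no_line_breaks(value) or not value or len(value) > max_len:
        raise InvalidInput("rejected subject field")
    return value


def build_message(visitor_address, subject, body):
    """Build the relayed message; every header is validated or fixed."""
    msg = EmailMessage()
    msg["From"] = FORM_SENDER                      # fixed, never user-controlled
    msg["To"] = INTERNAL_INBOX                     # fixed destination only
    msg["Reply-To"] = validate_address(visitor_address)
    msg["Subject"] = validate_subject(subject)
    msg.set_content(body)                          # body is data, not headers
    return msg


def handle_submission(fields, client_ip):
    """Validate a form submission and log the outcome with the client IP.

    Returns the message to hand to the mail server, or None if rejected.
    """
    try:
        msg = build_message(fields.get("from", ""),
                            fields.get("subject", ""),
                            fields.get("body", ""))
    except InvalidInput as exc:
        # Keep the raw field in the log (repr() so line breaks stay visible)
        # so an investigator can see exactly what was attempted and from where.
        log.warning("rejected submission from %s: %s (from=%r subject=%r)",
                    client_ip, exc, fields.get("from"), fields.get("subject"))
        return None
    log.info("accepted submission from %s reply-to=%s",
             client_ip, msg["Reply-To"])
    return msg


if __name__ == "__main__":
    # Constructed sample submissions: one clean, one carrying a CR/LF in
    # the subject that would otherwise smuggle in an extra recipient.
    handle_submission({"from": "alice@example.org", "subject": "Hello",
                       "body": "Just saying hi."}, "203.0.113.5")
    handle_submission({"from": "alice@example.org",
                       "subject": "Hello\r\nBcc: victim@example.net",
                       "body": "x"}, "203.0.113.9")
```

The important design choice is that the script never lets a visitor choose the From or To header at all; the only user-controlled headers are Reply-To and Subject, and both are rejected outright on a line break rather than sanitised, since a rejected request with its IP in the log is far more useful for tracking an abuser than a silently altered one.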
