Rash of email spoofing?

Diggs

I've had three calls in the last two days from customers whose friends are receiving emails from them they didn't send. (I immediately asked them to change their password.) This is across several ISPs. I asked for an email to be sent to me so I can look at the headers as I don't know for sure if their accounts are being spoofed or if in turn someone did get a hold of their account. ...and if it's just a spoof, how do they know to send to people on the customer's contacts?

Anyone else seeing anything?
 
Comes and goes like the tide. But not as reliably. Remember that it could be anyone the EU knows who got hacked. Meaning, if Joe got an email addressed to Joe from Joe, the address leak could have come from Mary if Joe is in Mary's address book.
 
All it takes to spoof is getting one's hands on a single e-mail message, and when you can get your hands on a random sampling of hundreds of thousands without too much effort, it doesn't require any account compromise. When you add in the various address lists that get resold, that are often compiled in the same way, well . . .

I have yet to ever experience a spoof message that involved an actual account compromise, though changing your password never hurts. And, these days, if the account does have 2FA even having a password is not enough.

Spoofing is the lowest hanging of e-mail scam fruit.
 
Yahoo has had its email servers and their address books raided many times. Those lists of email addresses are still being sold years later. Somebody's list in your local universe is being hit again. Kevin Bacon is probably getting spoofed messages from someone you know. LOL
 
Yahoo has had its email servers and their address books raided many times.

And, just so my comment about "account compromise" is clear, I mean (and meant) someone being able to login and gain access to the account.

This is your standard data breach, but not a direct account compromise, and they've occurred so many times over so many years that spoofing from those lists will probably be going on after I'm in the ground. It's a smash and grab kinda thing, not targeted. You hope that the recipient will just react - classic social engineering.
 
SMTP doesn't care about validity. It's just a form filled out and handled by the mail server. If the source mail server accepts it, it will send it. If the receiving mail server accepts it, it will be delivered. We have a ton of anti-spam stuff on the receiving end to try to reject invalid senders... but that tech has white lists in it for all sorts of things.

I'm willing to bet that if you read the email headers for the spoofed messages you'll find that they're actually sending via a gmail or outlook.com free email account. These are easily configured on demand, and they often bypass spam filters because, well... you cannot simply ignore mail from Google or Microsoft.

So a bunch of spoofed mail that looks like it came from me? That in and of itself isn't an indicator of breach. It is however plenty of cause to go read the access logs for all the mailboxes on the spoofed tenant to make sure there aren't any improper logins over the last couple weeks.
 
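The header reading suggested above, as an added example that is not any poster's code: pull the visible From:, the envelope sender (Return-Path:), the earliest Received: hop and the receiving server's Authentication-Results: out of a message and compare them. The sample message is constructed for this example (documentation IP ranges, made-up hostnames and addresses, following the pattern the post describes); it is not a real spoof from the thread.

```python
"""Extract from a suspected spoof: who it claims to be from (From:), who
actually handed it in (Return-Path: and the first Received: hop), and what the
receiving server's own checks said (Authentication-Results:)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not real traffic): the visible From: is a
# Charter customer, but the envelope sender and the originating relay are a
# free webmail account. Hostnames, IPs and addresses are made up.
SPOOFED_MSG = """\
Return-Path: <ellis.beaumont.1983@gmail.com>
Received: from mx2.example-isp.net (mx2.example-isp.net [203.0.113.7])
    by mail.example-isp.net with ESMTP id 4XyZ; Tue, 5 Mar 2024 09:12:31 -0600
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
    by mx2.example-isp.net with ESMTPS id 7aB; Tue, 5 Mar 2024 09:12:30 -0600
Authentication-Results: mx2.example-isp.net;
    spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com;
    dmarc=fail header.from=charter.net
From: "Mary Customer" <mary.customer@charter.net>
To: joe@example.com
Subject: hey check this out

I thought you'd want to see this http://example.invalid/
"""


def parse_received(value: str) -> dict:
    """Pull the HELO name, reverse DNS name, IP and receiving host out of one
    Received: header. Only the common 'from X (rdns [ip]) by Y' shape is handled."""
    value = " ".join(value.split())  # unfold and collapse whitespace
    m = re.match(r"from (\S+) \(([^)]*?)\[([^\]]+)\]\) by (\S+)", value)
    if not m:
        return {"raw": value}
    return {"helo": m.group(1), "rdns": m.group(2).strip(),
            "ip": m.group(3), "by": m.group(4)}


def parse_auth_results(value: str) -> dict:
    """Map spf/dkim/dmarc -> {result, property} from Authentication-Results:."""
    value = " ".join(value.split())
    body = value.split(";", 1)[1] if ";" in value else value  # drop authserv-id
    results = {}
    for clause in body.split(";"):
        m = re.match(r"(spf|dkim|dmarc)=(\w+)(?:\s+(\S+=\S+))?", clause.strip())
        if m:
            results[m.group(1)] = {"result": m.group(2), "prop": m.group(3)}
    return results


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Summarise the message: header From vs. envelope From, originating relay,
    and the receiver's authentication verdicts."""
    msg = email.message_from_string(raw, policy=policy.default)
    header_from = parseaddr(str(msg.get("From", "")))[1]
    envelope_from = parseaddr(str(msg.get("Return-Path", "")))[1]
    # Received: headers are prepended by each hop, so the last one listed is
    # the one closest to the sender.
    hops = [parse_received(str(h)) for h in msg.get_all("Received", [])]
    origin = hops[-1] if hops else {}
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    # A domain mismatch alone is not proof of spoofing (forwarders and mailing
    # lists also produce it), but together with a DMARC fail on the From:
    # domain it is the pattern discussed in the thread.
    aligned = domain_of(header_from) == domain_of(envelope_from)
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "origin_ip": origin.get("ip"),
        "origin_host": origin.get("rdns"),
        "auth": auth,
        "aligned": aligned,
    }


if __name__ == "__main__":
    for k, v in analyze(SPOOFED_MSG).items():
        print(f"{k:>14}: {v}")
```

On this sample the receiver's SPF and DKIM both pass, because the mail genuinely came from the webmail provider's servers under that provider's domain; only the DMARC check on the From: domain fails, which is why blocking on the From: field (or trusting SPF alone) does so little here.
 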
So when you ban spoofed emails coming into your account at the ISP, is the "From" address banned or does the app at the ISP know to ban the originator?
 
So when you ban spoofed emails coming into your account at the ISP, is the "From" address banned or does the app at the ISP know to ban the originator?
That is a very good question, and it depends on the spam filter in question. Typically with ISPs, it's the from field... which makes it wonderfully useless.
 
That is a very good question, and it depends on the spam filter in question. Typically with ISPs, it's the from field... which makes it wonderfully useless.
Heh! That's what I was afraid of. I can block spam by complete domains, but since some of it shows as from Charter (my and my friends' and relatives' ISP) I can't exactly do that for me and my customers.
 
ISP spam filters suck. Basic SPF checking should kill much of the spoofed email.
SPF is helpful, but not everything. DKIM + SPF is what nukes spam: the sending server is an authorized IP AND the message has the appropriate signature on it.

The problem is... "sending server": not everyone has this stuff implemented.
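As an added example (not from any poster in this thread) of what the SPF check in the last few posts actually decides, and where it stops: a minimal evaluator for the RFC 7208 mechanisms ip4, ip6, include and all with the +, -, ~ and ? qualifiers, run against a constructed DNS table (the domains and records are made up, not real DNS data), followed by the DMARC-style alignment test that ties the SPF result back to the From: header. Mechanisms such as a, mx and exists are deliberately not modelled; they return permerror here.

```python
"""Minimal SPF evaluation (RFC 7208 subset) against a constructed DNS table,
plus the alignment step that DMARC adds on top of it."""
import ipaddress

# Constructed TXT records for made-up domains; not real DNS data.
FAKE_DNS = {
    "sender.example": ["v=spf1 ip4:198.51.100.0/24 include:_spf.relay.example -all"],
    "_spf.relay.example": ["v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 -all"],
    "lax.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],   # softfail: advisory only
    "open.example": ["v=spf1 +all"],                      # "everyone may send as me"
    "norecord.example": [],                               # SPF not implemented
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str, dns: dict):
    """Return the domain's single v=spf1 record, None if absent."""
    recs = [r for r in dns.get(domain, [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(recs) > 1:
        raise ValueError("permerror: more than one SPF record")  # RFC 7208 4.5
    return recs[0] if recs else None


def check_spf(ip: str, domain: str, dns: dict = FAKE_DNS, depth: int = 0) -> str:
    """Evaluate the SPF record of the MAIL FROM domain for the connecting IP.
    Returns pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:            # RFC 7208 limits include: recursion
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"         # nothing published: the receiver learns nothing
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include: matches only when the referenced record yields pass
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, exists, redirect= not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"          # ran off the end with no 'all' term


def org_domain(domain: str) -> str:
    """Crude organizational-domain approximation (last two labels); real DMARC
    uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_spf_aligned(header_from_domain: str, mailfrom_domain: str,
                      spf_result: str, strict: bool = False) -> bool:
    """DMARC's SPF leg: SPF must pass AND the MAIL FROM domain must align with
    the From: header domain (relaxed: same organizational domain)."""
    if spf_result != "pass":
        return False
    if strict:
        return header_from_domain.lower() == mailfrom_domain.lower()
    return org_domain(header_from_domain) == org_domain(mailfrom_domain)


if __name__ == "__main__":
    for ip, dom in [("198.51.100.25", "sender.example"), ("203.0.113.10", "sender.example"),
                    ("209.85.220.41", "sender.example"), ("209.85.220.41", "lax.example"),
                    ("209.85.220.41", "open.example"), ("209.85.220.41", "norecord.example")]:
        print(f"{ip:>15} as {dom:<18} -> {check_spf(ip, dom)}")
    # SPF pass for the envelope domain, but the From: header says someone else
    print("aligned:", dmarc_spf_aligned("charter.net", "gmail.com", "pass"))
```

The last line is the thread's situation in one call: a message can carry a perfectly valid SPF pass for whatever domain was used in MAIL FROM and still claim to be from your customer in the From: header. SPF on its own never looks at the From: header; only DMARC's alignment check (and a DKIM signature whose d= matches the From: domain) connects the two, and a domain that publishes no record, or ends its record with ~all or +all, gives the receiver nothing to reject on.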
 