[conspire] Case study in modern forgery of SMTP headers

Rick Moen rick at linuxmafia.com
Tue Nov 3 21:04:01 PST 2015


I wrote:

> Two forwarded messages.  The first is scam-mail, and the second 
> is my analysis of it.  Simultaneous to the cited scam-mail to the BASFA
> mailing list, several other mailing lists to which forged sender Michael
> Siladi subscribes _also_ received pretty much identical forgeries 
> claiming to be from him.
[...]
> Instead, what is happening here is _forgery_.  Both the 'From:' internal
> sender header and the 'From ' SMTP envelope header have been _forged_ 
> to say 'msiladi at ix.netcom.com' -- but this mail did not come from
> msiladi at ix.netcom.com, and didn't go anywhere near Netcom.
> Siladi's mailbox, not from Netcom at all.
> 
> Now, a significant question is why Dreamhost accepted mail from
> on6.server6.gr as being a valid SMTP sender for ix.netcom.com's e-mail.
> Examination shows why:  Netcom is not yet bothering to provide
> authentication data in the form of SPF or DKIM records.
[...]
> Making that same check for netcom.com reveals that Netcom still
> publishes no such information.  Hence, nobody operating an SMTP server
> (as Dreamhost does) can weed out imposters impersonating netcom.com 
> senders like Michael Siladi.
> 
> Michael had nothing to do with this -- and cannot prevent recurrences.
> A computer criminal did, and Netcom behaving like it's still 1995
> (failing to publish SMTP authentication data) definitely didn't help.
> 
> The interesting part of this is that the scammer/spammer shows signs of
> having harvested significant data about Michael's correspondents.
> This probably was harvested by (once again) a malware-infected
> MS-Windows box belonging to someone Michael corresponds with.

Let me unpack this a bit.

SMTP forgery is as ancient as SMTP is, but scarily credible forgery 
was invented on January 2, 1997 by a spammer cleverly misleading the 
anti-spam community into attacking reputable Internet businessman Joe
Doll of Saratoga, California, because Doll had taken down one of the 
sleazy-sales Web pages the spammer had placed on Doll's free Web hosting
and sent out spam mail advertising the page.

1997.  We've known since then that the bad guys can fully, believably
forge our mail for 18 years.

(The spammer who revenge-attacked Doll came up with the innovation of
forging the SMTP envelope header in addition to the mail's own 'From: '
header.  Or rather a Perl codemonkey he hired in Chicago did this for
him.)

Since 1997, envelope-sender forgery has been the key problem.  There
have been two technical solutions put forward for this problem, SPF and
DKIM.  (DKIM is also part of a more complicated mail-authentication
system called DMARC.)  Both SPF and DKIM are ways for an Internet
domain-operator to declare, through records published in the public DNS,
that only particular Internet sources should be considered authentic
senders of mail from that domain, and not others.  (DKIM and DMARC also
accomplish other things, not covered here.)

For the full benefits of such DNS records to be felt, SMTP receiving
systems need to _also_ check envelope-sender authentication for
incoming mail, something SMTP software has increasingly been improved to
also do since SPF's invention 12 years ago in 2003 -- though I'm not
sure all SMTP software yet does so by default.
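To make concrete what a receiving SMTP system does with those DNS
records, here is an added example of a minimal SPF check (it is not
code from this post, nor from Dreamhost, Netcom or any mail server).
The DNS zone is a constructed in-memory table with hypothetical domains,
so it runs offline; a real receiver would do live TXT lookups (or use a
library such as pyspf) and would also handle the "a", "mx", "exists"
and "redirect=" terms, which are skipped here.  The point it shows is
the one the post makes: a domain that publishes no record at all gets
the result "none", which gives the receiver nothing to reject on.

```python
import ipaddress

# Constructed stand-in for DNS TXT records (hypothetical domains only).
FAKE_DNS_TXT = {
    "example.com": [
        "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
        "include:_spf.relay.example -all",
    ],
    "_spf.relay.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    # Publishes nothing, like a domain still running on 1995 assumptions.
    "legacy.example": [],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    for txt in FAKE_DNS_TXT.get(domain.lower(), []):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF policy against the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 limits include recursion
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"                   # no policy: nothing to reject on
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # A v4 address never matches a v6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # "include" matches only if the referenced policy yields pass.
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            # a, mx, exists, ptr, redirect= need live DNS; not modelled here.
            continue
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # no mechanism matched, no "all" term


def envelope_verdict(mail_from, sender_ip):
    """Check the SMTP envelope sender (MAIL FROM) the way a receiver would."""
    domain = mail_from.rsplit("@", 1)[-1]
    return check_spf(domain, sender_ip)


if __name__ == "__main__":
    # Constructed cases: a legitimate relay, an impostor, and a silent domain.
    print(envelope_verdict("alice@example.com", "198.51.100.10"))   # pass
    print(envelope_verdict("alice@example.com", "203.0.113.7"))     # fail
    print(envelope_verdict("bob@legacy.example", "203.0.113.7"))    # none
```

The "fail" verdict is what lets a receiver refuse forged mail at SMTP
time; "none" is the situation the post describes, where the receiver
has no published policy to compare the connecting host against and so
cannot tell an impostor from the real sender.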

But the main point is:  Until your domain publishes such authentication
data (SPF or DKIM or both), bad guys can credibly impersonate your
domain's mail.  This is what just happened to Netcom and Michael Siladi,
because Netcom is over 12 years out of date.

I expect a lot of mailing lists will soon have forged-mail spam
problems -- not a problem until now.

This is a wake-up call.




