E-mail can be made to appear like it came from a big organization?

Question

I know almost nothing about security. So, please bear with me if the questions sound silly.

Is it possible for a malicious person to make an e-mail appear as if it came from a big company like Google, Apple, Cisco etc ? If yes, what kind of techniques do they use and how to detect these fake e-mails ?

Another thing - I guess that big companies like these must be having different servers to send out official e-mails. Is it possible for someone to create a fake server or add their own server to the company server list and then send malicious e-mails from it ?

Also, could someone silently hijack a company's mail server, send malicious e-mails to a few targets only to avoid detection ?

@FiascoLabs - hey ! thanks for mentioning that word. Had never heard of it until now. — FirstName LastName, Dec 30 '12 at 09:54

score 10 · Accepted Answer · answered Dec 30 '12 at 03:09

It sounds like you're asking about email spoofing. Look here for a good primer on the subject

Email all by itself is not a secure technology, and it is very easy to spoof a sender. Often times the mail server doesn't need to be hijacked to send email as that person.

People who want to protect their branding need to implement anti spoofing technologies. Some anti spoofing technologies include SPF records, DKIM signing, and DMARC authentication.

When the sender and the receiver both implement SPF, DKIM and DMARC properly then spoofing risk is greatly reduced.

score 2 · Answer 2 · edited Mar 17 '17 at 10:46

There is no security in emails.

Many people have tried to add some security, with methods which fall in roughly three categories:

Methods which try to validate emails by getting information on how a given email should be transported, in particular from which site / domain it may possibly be sent. DKIM and SPF are from this class of security methods.
Methods which try to guarantee provenance, down to the individual sender, with a lot of cryptography (S/MIME, OpenPGP...).
Obscure filters which attempt at pruning out the most obviously forged emails. Big sites are quite fond of these, and, of course, never explain the details. These filters tend to backfire (e.g. because of my name, emails I send to Hotmail addresses are classified as spams).

The core issue is that no security system can be complete unless everybody uses it. As long as there are people who may send emails which do not use DKIM/SPF/PGP/whatever, mail readers will accept "insecure" emails, and the problem will not be solved. This is not new. Securing emails was already talked about twenty years ago.

score 1 · Answer 3 · answered Dec 30 '12 at 07:19

I know almost nothing about security. So, please bear with me if the questions sound silly.

There is no silly question

As said previously there is some way to authenticate the smtp server but most small business (from my personal experience) do not have such capability. There is a lot of insecurity and a good example is godaddy anonymous smtp.

From a more global point of view, if the target has, for example, registered the domain with godaddy then a malicious user could just use the godaddy smtp server and use it as smarthost.

The email sender you see when you receive an email is for convenience and can be modified as desired. For anything to run well the email itself must be properly formatted and it can be achieve using a variety of programming language.

score 1 · Answer 4 · answered Dec 30 '12 at 22:57

Is there a security in real mail?

Man could take a copy of a enterprise paper with header, write anything he want on paper, fold them in an envelop, write any expeditor name on the envelop and go with his car to a post office localized near the faked expeditor to send them by traditional post.

The recipient could become them, read post stample and belive this comme from faked expeditor.

For prevent this, expeditor have to place his signature on paper in order before the recipient could believe them.

Digitaly, all is same!

rook · Answer 5 · 2012-12-31T15:49:14.507

0

E-mail spoofing doesn't work for nearly every recipient because of the Sender Policy Framework. Which allows SMTP servers to verify if an email came from an allowed list of servers.

However, it maybe possible that the person you are trying to impersonate is sending email from an Open mail relay then it is possible to impersonate them. This can happen due to a misconfiguration. If they are using a reasonable email provider like gmail then this isn't going to work.

Another option is using SMTP Command Injection. If the person that you are trying to impersonate uses an SMTP server that is also shared by a web application. Then it maybe possible to to use SMTP command injection to communicate with the SMTP server. Google has suffered from this of flaw... and so do banks.

edited Dec 31 '12 at 15:49

answered Dec 30 '12 at 16:38

rook

47,004
10
94
182

You said that Google also suffered from "SMTP Command Injection". Can you help me to find a web article that discusses this issue as it was faced by google ? thanks. – FirstName LastName Dec 30 '12 at 18:48
2

SPF is not broadly implemented – Jacco Dec 30 '12 at 19:15
@Jacco Exactly, thats why you need another vector like SMTP command injection. – rook Dec 31 '12 at 15:49
@FirstName LastName I remember reading some bug hunter's blog... but I can't find it now. Sorry. – rook Dec 31 '12 at 15:50

E-mail can be made to appear like it came from a big organization?

5 Answers5

Linked