Email spoofing


Email spoofing is the creation of email messages that appear to come from a legitimate source while the actual sender is someone else.

The original email protocols have no built-in sender authentication, so the identity of a sender can easily be forged. More recent countermeasures have made such spoofing considerably harder, but they have not eliminated it.

Technical Details

When an email is sent over SMTP, the connection carries two important pieces of addressing information:

  • MAIL FROM: - the envelope sender, the address to which delivery failures (bounces) are returned. SMTP performs no check on it, so it can be set to anything.
  • RCPT TO: - the address the message should be delivered to.

Together, these are referred to as the "envelope" addressing, by analogy with a traditional paper envelope. If the server accepts the recipient address, the sending client issues the DATA command and transmits the message itself, whose headers include:

  • From: Joe Q Doe <joeqdoe[@]example.com> - the address shown to the recipient; by default nothing verifies that it is genuine.
  • Reply-to: Joe Q Doe <joeqdoe[@]example.com> - the address replies are sent to; also unchecked.
  • Sender: Jin Jo <jin.jo[@]example.jp> - the party that submitted the message on the author's behalf; also unchecked.

The recipient sees the message as coming from the From: header. They may also be able to find the envelope MAIL FROM address, which receiving servers usually record in a Return-Path: header. A reply goes to the Reply-to: address if one is present, otherwise to the From: address. None of these addresses can be trusted on their own.

Although email spoofing forges the addresses, the IP address of the sending computer may still be visible, since each server that relays the message records it in a Received: header. In malicious cases, however, that computer is often an innocent third party's machine infected by malware, sending the email without the owner's knowledge.
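The following is an added example, not code from the original article. It builds the client side of the SMTP session described above from a constructed message, showing that the envelope MAIL FROM is supplied separately from the From:, Reply-To: and Sender: headers, and it extracts all four addresses so the mismatch a receiving server would see is visible. The host name, addresses and message text are constructed for illustration.

```python
# Added example (not from the original article): envelope vs. header
# addresses in SMTP, using a constructed message.
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message; all addresses use reserved example domains.
RAW_MESSAGE = b"""From: Joe Q Doe <joeqdoe@example.com>
Reply-To: Joe Q Doe <joeqdoe@example.com>
Sender: Jin Jo <jin.jo@example.jp>
To: victim@example.org
Subject: Invoice attached

Please see the attached invoice.
"""


def smtp_client_commands(envelope_from, envelope_to, message_bytes):
    """Return the client half of a minimal SMTP session as a list of lines.

    The envelope sender (MAIL FROM) is given independently of the message
    text; nothing in SMTP requires it to match the From: header.
    """
    body = message_bytes.decode("utf-8").replace("\n", "\r\n")
    return [
        "EHLO mail.sending-host.example",  # hypothetical sending host
        f"MAIL FROM:<{envelope_from}>",
        f"RCPT TO:<{envelope_to}>",
        "DATA",
        body + "\r\n.",  # message followed by the end-of-data marker
        "QUIT",
    ]


def address_domain(addr):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def spoof_indicators(message_bytes, envelope_from):
    """Compare the envelope sender with the headers the recipient sees.

    Returns the extracted addresses, the From: domain, and the names of the
    fields whose domain differs from it. A mismatch is not proof of spoofing
    (mailing lists and forwarders produce them legitimately), but it is
    exactly what sender-authentication checks examine.
    """
    msg = BytesParser(policy=policy.default).parsebytes(message_bytes)
    fields = {
        "envelope_from": envelope_from,
        "from": str(msg.get("From", "")),
        "reply_to": str(msg.get("Reply-To", "")),
        "sender": str(msg.get("Sender", "")),
    }
    from_domain = address_domain(fields["from"])
    mismatches = [
        name
        for name in ("envelope_from", "reply_to", "sender")
        if fields[name] and address_domain(fields[name]) != from_domain
    ]
    return {"addresses": fields, "from_domain": from_domain,
            "mismatches": mismatches}


if __name__ == "__main__":
    envelope = "bounce@mailer.example.net"  # constructed envelope sender
    for line in smtp_client_commands(envelope, "victim@example.org", RAW_MESSAGE):
        print("C:", line)
    print(spoof_indicators(RAW_MESSAGE, envelope))
```

Running the block prints the SMTP commands a client would send and then reports that the envelope sender and the Sender: header both disagree with the From: domain the recipient sees; only the Reply-To: matches.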

Countermeasures

SSL/TLS is used to encrypt the connection between mail servers, which protects a message from being read or altered in transit. On its own it does not authenticate the sender, and it does not stop any of the headers above from being forged.

A number of other defences have come into wide use. Rather than trusting the headers, they authenticate the sending domain: SPF lets a domain publish which servers may send mail using its envelope address, DKIM adds a cryptographic signature over selected headers and the body, and DMARC ties those results to the From: address the recipient sees and tells receivers what to do when the checks fail. Together they let a receiving server detect when the headers have been spoofed.
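The following is an added example, not code from the original article, illustrating the kind of check a receiving server makes. It is a simplified, offline model of an SPF evaluation (does the connecting IP appear in the policy published for the envelope-sender domain?) combined with a DMARC-style alignment check (does the From: domain the recipient sees match the domain that was authenticated?). The DNS records are a constructed table rather than live lookups, only the ip4, ip6 and all mechanisms are implemented (real SPF also has include, a, mx, redirect and others), and the alignment rule is an approximation of relaxed alignment.

```python
# Added example (not from the original article): a simplified, offline
# SPF evaluation plus a DMARC-style alignment check against the From: header.
import ipaddress

# Constructed stand-in for the DNS TXT records of the sending domains.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "mailer.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "example.jp": "v=spf1 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_evaluate(connecting_ip, envelope_domain, dns=DNS_TXT):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none'.

    Simplified SPF: walk the mechanisms left to right and return the
    qualifier of the first one that matches the connecting IP. Only the
    ip4, ip6 and all mechanisms are supported in this model.
    """
    record = dns.get(envelope_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an "all" term


def aligned(header_from_domain, authenticated_domain):
    """Approximate DMARC relaxed alignment: equal, or one is a subdomain
    of the other (real DMARC compares organisational domains)."""
    a, b = header_from_domain.lower(), authenticated_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def verify_message(connecting_ip, envelope_from, header_from, dns=DNS_TXT):
    """Accept only if the envelope domain passes SPF and the From: domain
    shown to the recipient aligns with it. Returns the individual results
    so the reason for a rejection is visible."""
    env_domain = envelope_from.rpartition("@")[2]
    hdr_domain = header_from.rpartition("@")[2]
    spf = spf_evaluate(connecting_ip, env_domain, dns)
    is_aligned = aligned(hdr_domain, env_domain)
    return {"spf": spf, "aligned": is_aligned,
            "accept": spf == "pass" and is_aligned}


if __name__ == "__main__":
    # Legitimate: sent from an authorised IP with a matching From: domain.
    print(verify_message("203.0.113.7", "bounce@example.com", "joeqdoe@example.com"))
    # Spoofed From: the attacker's own domain passes SPF, but does not align.
    print(verify_message("198.51.100.10", "bounce@mailer.example.net", "joeqdoe@example.com"))
    # Forged envelope: unauthorised IP claiming example.com.
    print(verify_message("192.0.2.1", "joeqdoe@example.com", "joeqdoe@example.com"))
```

The second case is the one that matters for spoofing: an attacker can always pass SPF for a domain they control, so a check that looks only at the envelope sender is not enough. Requiring the authenticated domain to align with the visible From: header is what closes that gap.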