Description

Examples of spoofed email that could affect the security of your site include:

• email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not do this
• email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information

Reaction

1. You may be alerted to spoofed email attempts by reports from your users or by investigating bounced email error messages.
2. Following relevant policies and procedures of your organization, review all information (such as mail headers and system log files) related to the spoofed email.

   Examine tcp_wrapper, ident, and sendmail logs to obtain information on the origin of the spoofed email.

   The header of the email message often contains a complete history of the "hops" the message has taken to reach its destination. Information in the headers (such as the "Received:" and "Message-ID" information), in conjunction with your mail delivery logs, should help you to determine how the email reached your system.

   If your mail reader does not allow you to review these headers, check the ASCII file that contains the original message.

   NOTE: Some of the header information may be spoofed; and if the abuser connected directly to the SMTP port on your system, it may not be possible for you to identify the source of the activity.

3. Follow up with other sites involved in this activity, if you can identify the sites. Contact them to alert them to the activity and help them determine the source of the original email. To provide as much information as possible to help trace this type of activity, you can increase the level of logging for your mailer delivery daemon.
4. Realize that in some cases, you may not be able to identify the origin of the spoofed email.

Prevention (Deterrence)

1. Use cryptographic signatures (e.g., PGP "Pretty Good Privacy" or other encryption technologies) to exchange authenticated email messages. Authenticated email provides a mechanism for ensuring that messages are from whom they appear to be, as well as ensuring that the message has not been altered in transit. Similarly, sites may wish to consider enabling SSL/TLS in their mail transfer software. Using certificates in this manner increases the amount of authentication performed when sending mail.
2. Configure your mail delivery daemon to prevent someone from directly connecting to your SMTP port to send spoofed email to other sites.
3. Ensure that your mail delivery daemon allows logging and is configured to provide sufficient logging to assist you in tracking the origin of spoofed email.
4. Consider a single point of entry for email to your site. You can implement this by configuring your firewall so that SMTP connections from outside your firewall must go through a central mail hub. This will provide you with centralized logging, which may assist in detecting the origin of mail spoofing attempts to your site.
5. Educate your users about your site's policies and procedures in order to prevent them from being "social engineered," or tricked, into disclosing sensitive information (such as passwords). Have your users report any such activities to the appropriate system administrator(s) as soon as possible.