Why do phishing e-mails use faked e-mail addresses instead of the real one?
I read that you can write anything into the From: field of an e-mail.
If that is true, then why are phishing e-mails trying to trick me with look-alike addresses like service@amaz0n.com instead of just using the actual service@amazon.com itself?
email phishing email-spoofing spf
42
You could tell everyone that you are the Pope, and there is nothing that prevents you from doing that. But those who know who the Pope is would recognise that you are lying. Email has this verification process.
– schroeder♦
Mar 5 at 16:48
4
@schroeder, I don't think email requires any verification. AFAIK, it's up to the email provider, and I've seen huge differences between them. Some might display additional info (a "from" field and also a "sender" field), some might put the message in the junk folder, some might outright reject it... and others might accept it. I know for sure, because I tested it yesterday, that a reputable provider in my country accepts spoofed addresses because an SPF (soft)fail alone is not enough to trigger their SpamAssassin, so spoofed emails can look totally authentic.
– reed
Mar 6 at 11:54
2
@reed, SPF policies alone do not typically DROP email altogether. And for good reason. It would be a nightmare if your email provider started dropping email that might be legitimate, even if it's very unlikely. The policies of SPF are usually just to decide if the mail should go straight to spam or contain a potential spam/phishing warning. Only with DKIM/DMARC can you really get enough of a picture to say 'yeah, this email is bollocks, let's drop it'.
– hiburn8
Mar 6 at 17:51
5
One possible use of a fake address email nowadays would be in case the victim is trying to actually answer the email. The attacker could receive the response, create a discussion with an unaware victim and perform social engineering. If the "reply to" address were not under control, then the attacker would not (at least not easily) intercept anything.
– Pacopaco
Mar 7 at 9:10
1
@Pacopaco that's where the Reply-To field comes into play
– Antzi
Mar 8 at 6:59
asked Mar 5 at 16:24 by JFB
edited Mar 9 at 10:21 by Jonas Stein
5 Answers
While one could create a mail with @amazon.com as SMTP envelope and/or From field of the mail header, the mail would likely be blocked since this domain is protected with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). This means that a spoofed mail would be detected as such and get rejected by many email servers. In contrast, using another domain which is not protected this way, or which is protected but controlled by the attacker, is more successful.
To explain in short what these technologies do:
SPF
Checks if the sender IP address is allowed for the given SMTP envelope sender (SMTP.MAILFROM). The command dig txt amazon.com shows that an SPF policy exists.
DKIM
The mail server signs the mail. The public key to verify the mail is retrieved using DNS. Amazon uses DKIM, as can be seen from the DKIM-Signature fields in the mail header.
DMARC
Aligns the From field in the mail header (RFC822.From) with the domain of the DKIM signature for DKIM, or the domain of the SMTP envelope for SPF. If an aligned and successful SPF/DKIM result exists, the DMARC policy matches. The command dig txt _dmarc.amazon.com shows that Amazon has a DMARC record with a policy of quarantine.
Neither SPF nor DKIM on its own helps against spoofing of the From field in the mail header. Only the combination of at least one of these with DMARC protects against such header spoofing.
answered Mar 5 at 16:32 by Steffen Ullrich
edited Mar 6 at 9:11 by gerrit
1
Not quite true on the last line... an SPF record can, by itself, protect against spoofing. Hard-fail SPF records (those ending in '-all') are typically expected to result in violating emails being moved directly to spam, and soft-fail emails quite often result in a warning for the user (as with Gmail, o365). These choices do need some better level of standardisation, but that's what is happening in the wild; for example I have seen email clients which do completely drop email when hard-fail violations occur.
– hiburn8
Mar 6 at 17:45
10
@hiburn8: This is about spoofing the From field in the mail header. SPF does not even look at the From field of the mail (RFC822.FROM) but cares only about the SMTP envelope (SMTP.MAILFROM). An attacker can use an SMTP envelope with a proper domain which has either no SPF or has a valid SPF since the domain is controlled by the attacker - thus making SPF not fail. Only the combination with DMARC will protect against spoofing the From field of the mail header since it requires an alignment of the domain in either SMTP envelope for SPF or the domain in the DKIM-Signature field.
– Steffen Ullrich
Mar 6 at 18:00
1
Ah yes, sorry I misread your answer. I thought you were saying SPF alone provides no spoofing mitigations whatsoever. +1
– hiburn8
Mar 7 at 12:50
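The alignment logic from Steffen Ullrich's answer and the comment exchange above, as an added example (not code from the answer or from any mail server): SPF on an attacker-controlled envelope domain passes SPF yet fails DMARC for a spoofed From: header, a domain with no DMARC record yields no policy, and subdomains fall back to the organizational domain's sp= policy. All DNS answers are constructed stand-ins, and the organizational-domain helper assumes "last two labels" instead of the Public Suffix List.

```python
"""DMARC alignment check modelled on the SPF/DKIM/DMARC explanation above.

Added example, not code from the answer or from any mail server. SPF
authenticates the SMTP envelope (MAIL FROM) domain, DKIM authenticates the
d= domain of the signature, and only DMARC ties one of those to the From:
header domain the user actually sees.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain> (not real data).
FAKE_DNS = {
    "_dmarc.amazon.com": "v=DMARC1; p=quarantine; sp=reject; pct=100",
    "_dmarc.strict.example": "v=DMARC1; p=reject; aspf=s; adkim=s",
    # unprotected.example publishes no DMARC record at all
}


@dataclass
class AuthResults:
    """What the receiving MTA learned about one message."""
    header_from: str                   # domain of the RFC5322.From address the user sees
    spf_result: str = "none"           # pass / fail / softfail / neutral / none
    spf_domain: str = ""               # SMTP.MAILFROM domain SPF was evaluated for
    dkim_result: str = "none"          # pass / fail / none
    dkim_domain: Optional[str] = None  # d= tag of the verified DKIM-Signature


def org_domain(name: str) -> str:
    """Organizational domain. Assumption: the last two labels; real
    implementations consult the Public Suffix List (co.uk etc.)."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(authenticated: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) accepts the same organizational domain."""
    if mode == "s":
        return authenticated.lower() == header_from.lower()
    return org_domain(authenticated) == org_domain(header_from)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_policy(header_from: str, dns=FAKE_DNS):
    """Find the DMARC record for the From: domain. If the exact domain has
    none, fall back to the organizational domain and use its sp= policy
    for subdomains (RFC 7489 section 6.6.3). Returns (tags, policy)."""
    exact = dns.get(f"_dmarc.{header_from.lower()}")
    if exact is not None:
        tags = parse_dmarc(exact)
        return tags, tags.get("p", "none")
    org = org_domain(header_from)
    if org != header_from.lower():
        fallback = dns.get(f"_dmarc.{org}")
        if fallback is not None:
            tags = parse_dmarc(fallback)
            return tags, tags.get("sp", tags.get("p", "none"))
    return None, "none"


def evaluate_dmarc(r: AuthResults, dns=FAKE_DNS) -> dict:
    """Return the DMARC result and the disposition the published policy asks for."""
    tags, policy = lookup_policy(r.header_from, dns)
    if tags is None or tags.get("v") != "DMARC1":
        # No usable record: nothing ties the From: header to SPF/DKIM at all.
        return {"result": "none", "disposition": "deliver", "reason": "no DMARC record"}
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from, tags.get("aspf", "r"))
    dkim_ok = (r.dkim_result == "pass" and r.dkim_domain is not None
               and aligned(r.dkim_domain, r.header_from, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "deliver",
                "reason": "spf aligned" if spf_ok else "dkim aligned"}
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    reasons = []
    if r.spf_result == "pass":
        reasons.append(f"SPF passed for {r.spf_domain} but is not aligned with {r.header_from}")
    if r.dkim_result == "pass":
        reasons.append(f"DKIM passed for {r.dkim_domain} but is not aligned with {r.header_from}")
    return {"result": "fail", "disposition": disposition,
            "reason": "; ".join(reasons) or "no aligned authentication"}


if __name__ == "__main__":
    # Spoofed From: amazon.com sent from an attacker-controlled envelope domain
    # that has a valid SPF record of its own: SPF passes, DMARC still fails.
    spoof = AuthResults("amazon.com", spf_result="pass", spf_domain="attacker-owned.example")
    print(evaluate_dmarc(spoof))
    # Genuine mail: a DKIM signature with d=amazon.com aligns with the From: domain.
    real = AuthResults("amazon.com", spf_result="pass", spf_domain="bounces.amazon.com",
                       dkim_result="pass", dkim_domain="amazon.com")
    print(evaluate_dmarc(real))
```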
To complement Steffen Ullrich's answer, note that:
- Historically, it was indeed possible to spoof anything you wanted, no-one checked, everybody trusted everybody.
- However, with the rise of spam, phishing and other scams, SPF, DKIM and DMARC were introduced. Those allow a server to check if the sender does have the right to send mail with a sender in a given domain.
- To work, those require both the sender and the receiver to implement those methods.
- Most large e-mail providers will definitely implement at least one of the 3 methods on their side (as a receiver), and many organisations at risk of having people trying to impersonate them will implement at least one of the 3 methods on their side as well (as a sender).
- However, there are still both e-mail systems not checking either and domains without the appropriate setup.
So if you find a domain without SPF, DKIM or DMARC, you could send e-mail on behalf of that domain and not be rejected outright. Many e-mail providers will "trust" such e-mails less than others, and it has larger chances of being handled as spam.
Likewise, you could send e-mail even "from" a domain protected with SPF, DKIM or DMARC to an e-mail system that doesn't check it.
But most definitely, if you want to send as Apple or Amazon to mailboxes managed by Google or Microsoft, that won't work. And that's the reason they use other domain names for this.
Note that only DMARC prevents spoofing of the From: address, as SPF and DKIM don't do this - DKIM can let the sender, optionally, prove they own that domain, but cannot help the recipient check the domain in the From: field if a DKIM signature is not present.
– thomasrutter
Mar 8 at 3:40
- The phisher may be hoping to get any replies to send to that address.
- They are trying to avoid the various frameworks that exist to prevent spoofed "from" fields from being perceived as authentic by a human user.
Using this tool I was able to check that amazon.com does have SPF configured. Of course it's on your email client to check DNS for SPF, but most people's clients do do that.
13
SPF doesn't protect the From: header, but the envelope sender.
– Esa Jokinen
Mar 5 at 17:20
3
And it's not the email client that checks SPF; it's the receiving email server.
– Max Vernon
Mar 7 at 15:58
2
I'm gonna come clean: I've set up these protections for myself once, and at this point I'm not sure why twelve people upvoted my answer.
– ShapeOfMatter
Mar 7 at 16:03
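What the receiving server's SPF check described in the answer and comments above actually does, as an added example (not the tool mentioned in the answer and not any mail server's code): it evaluates the ip4, ip6, include and all mechanisms for the connecting IP against the MAIL FROM domain only, and the qualifier on "all" is what produces the hard fail versus soft fail the comments argue about. The TXT records are constructed, and receiver_action is one illustrative policy, not any provider's real rule.

```python
"""Minimal SPF evaluation for the SMTP envelope sender (added example).

Only ip4/ip6, include and all are implemented; a, mx, exists and macros
would need live DNS and are skipped so the example runs offline.
"""
import ipaddress

# Constructed TXT records for made-up domains (not real records).
FAKE_TXT = {
    "shop.example": ["v=spf1 ip4:203.0.113.0/24 include:relay.example -all"],
    "relay.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "noauth.example": ["some unrelated txt record"],
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain, dns=FAKE_TXT):
    """Return the single v=spf1 TXT record for a domain, or None.
    Two SPF records would be a permerror in a real implementation; the
    toy simply treats that as no usable record."""
    records = [r for r in dns.get(domain.lower(), []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(client_ip, mailfrom_domain, dns=FAKE_TXT, depth=0):
    """Evaluate SPF for the connecting IP against the MAIL FROM domain.
    Note what is NOT an input here: the From: header of the message."""
    if depth > 10:
        return "permerror"   # RFC 7208 caps DNS-causing terms; keep include recursion bounded
    record = get_spf_record(mailfrom_domain, dns)
    if record is None:
        return "none"        # no SPF policy published, the receiver learns nothing
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"      # mechanisms without an explicit qualifier mean "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            # ip_network refuses to compare across IP versions, so a v4 client
            # never matches an ip6 mechanism and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only when the referenced policy yields "pass"
            matched = check_spf(client_ip, arg, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"         # no mechanism matched and no 'all' term present


def receiver_action(spf_result):
    """One illustrative receiver policy (an assumption for this example, not
    any provider's actual rule): hard fail goes to spam, soft fail only adds
    a warning, and everything else is left to the other filters."""
    return {"fail": "spam-folder", "softfail": "warn-user"}.get(spf_result, "no-spf-action")


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "shop.example"), ("198.51.100.10", "shop.example"),
                       ("192.0.2.1", "shop.example"), ("192.0.2.1", "relay.example")]:
        result = check_spf(ip, domain)
        print(f"{ip:>14} MAIL FROM @{domain}: {result} -> {receiver_action(result)}")
```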
It might be worth noting the difference between theory and practice.
SMTP (Simple Mail Transfer Protocol), which is the basis of e-mail, doesn't really prevent spoofing. I think that's where this quote comes from.
However, while SMTP is part of e-mail as it is now, it's not the only thing in the pipeline. While I am sure there are some completely vanilla implementations of this in the wild, the vast majority of people will be using one of the few "big" stacks, which come with a lot of extras to stop this kind of behaviour.
As the goal of spamming is to reach as many (and sadly the most gullible) people as possible, the cost of having the majority of cases filtered out in order to get the credibility of a real address is not good. This is particularly true if the scam involves effort on the part of the scammer to proceed, as the sort of person skeptical enough to notice "service@amaz0n.com" looks wrong is likely a target you want to weed out early.
I think the point about only wanting easy marks is a good one. There is a tendency to do this deliberately in the contents of the message too. It's been covered here before: security.stackexchange.com/questions/96121/…
– drjpizzle
Mar 6 at 17:19
James Veitch sheds some light on it in this TED Talk.
He starts his talk by telling about some phishing scam e-mail he received, the one about a South African lieutenant asking for help with diamonds. The whole story is ridiculous and, for most of us, completely unbelievable. But
"[...] if you think about it, this is actually rather clever. Because by making the scams ridiculous, ideally for the scammer, the only people who are going to reply are the most gullible people."
If you are naive or distracted enough to misread "amaz0n" as "amazon", then maybe you are worth a try... If you notice the different domain, you are paying attention, and it is probably a waste of the scammer's time to try to trick you.
2
I don't believe it's fair to say "If you are naive or distracted enough to misread "amaz0n" as "amazon", then maybe you are worth a try." Not everyone grew up with technology, and this sounds a lot like "If you are too dumb to realize it, you deserve being hooked." The REAL answer to why they use similar, but not identical domain names is because they are technically unable to spoof the real name Amazon.com. If they could use "amazon.com" I'm certain they would.
– SomeGuy
Mar 8 at 17:11
2
You have an error in logic. It is not "because you are vulnerable, we will try this" but rather, "we try everybody and people's vulnerabilities will be exposed".
– schroeder♦
Mar 8 at 17:47
@SomeGuy the author
– schroeder♦
2 days ago
While one could create a mail with @amazon.com as SMTP envelope and/or From field of the mail header, the mail would likely be blocked since this domain is protected with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). This means that a spoofed mail would be detected as such and get rejected by many email servers. Contrary to this using another domain which is not protected this way or which is protected but controlled by the attacker is more successful.
To explain in short what these technologies do:
SPF
Checks if the sender IP address is allowed for the given SMTP enveloper (SMTP.MAILFROM).dig txt amazon.comshows that a SPF policy exists.
DKIM
The mail server signs the mail. The public key to verify the mail is retrieved using DNS. Amazon uses DKIM as can be seen from theDKIM-Signaturefields in the mail header.
DMARC
Aligns theFromfield in the mail header (RFC822.From) with the domain of the DKIM signature for DKIM or the domain of the SMTP envelope for SPF. If an aligned and successful SPF/DKIM exists the DMARC policy matches.dig txt _dmarc.amazon.comshows that Amazon has a DMARC record with a policy ofquarantine.
Neither SPF nor DKIM by their own help against spoofing of the From field in the mail header. Only the combination of at least one of these with DMARC protects against such header spoofing.
1
Not quite true on the last line... an SPF record can, by itself, protect against spoofing. Hard-fail SPF records (those ending in '-all'), are typically expected to result in violating emails being moved directly to spam, and soft-fail emails quite often results in a warning for the user (as with Gmail, o365). These choices do need some better level of standardisation, but that's what is happening in the wild; for example I have seen email clients which do completely drop email when hard-fail violations occur.
– hiburn8
Mar 6 at 17:45
10
@hiburn8: This is about spoofing theFromfield in the mail header. SPF does not even look at theFromfield of the mail (RFC822.FROM) but cares only about the SMTP envelope (SMTP.MAILFROM). An attacker can use an SMTP envelope with a proper domain which has either no SPF or has a valid SPF since the domain is controlled by the attacker - thus making SPF not fail. Only the combination with DMARC will protect against spoofing theFromfield of the mail header since it requires an alignment of the domain in either SMTP envelope for SPF or the domain in the DKIM-Signature field.
– Steffen Ullrich
Mar 6 at 18:00
1
Ah yes, sorry i miss-read your answer. I thought you were saying SPF alone provides no spoofing mitigations whatsoever. +1
– hiburn8
Mar 7 at 12:50
add a comment |
While one could create a mail with @amazon.com as SMTP envelope and/or From field of the mail header, the mail would likely be blocked since this domain is protected with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). This means that a spoofed mail would be detected as such and get rejected by many email servers. Contrary to this using another domain which is not protected this way or which is protected but controlled by the attacker is more successful.
To explain in short what these technologies do:
SPF
Checks if the sender IP address is allowed for the given SMTP enveloper (SMTP.MAILFROM).dig txt amazon.comshows that a SPF policy exists.
DKIM
The mail server signs the mail. The public key to verify the mail is retrieved using DNS. Amazon uses DKIM as can be seen from theDKIM-Signaturefields in the mail header.
DMARC
Aligns theFromfield in the mail header (RFC822.From) with the domain of the DKIM signature for DKIM or the domain of the SMTP envelope for SPF. If an aligned and successful SPF/DKIM exists the DMARC policy matches.dig txt _dmarc.amazon.comshows that Amazon has a DMARC record with a policy ofquarantine.
Neither SPF nor DKIM by their own help against spoofing of the From field in the mail header. Only the combination of at least one of these with DMARC protects against such header spoofing.
1
Not quite true on the last line... an SPF record can, by itself, protect against spoofing. Hard-fail SPF records (those ending in '-all'), are typically expected to result in violating emails being moved directly to spam, and soft-fail emails quite often results in a warning for the user (as with Gmail, o365). These choices do need some better level of standardisation, but that's what is happening in the wild; for example I have seen email clients which do completely drop email when hard-fail violations occur.
– hiburn8
Mar 6 at 17:45
10
@hiburn8: This is about spoofing theFromfield in the mail header. SPF does not even look at theFromfield of the mail (RFC822.FROM) but cares only about the SMTP envelope (SMTP.MAILFROM). An attacker can use an SMTP envelope with a proper domain which has either no SPF or has a valid SPF since the domain is controlled by the attacker - thus making SPF not fail. Only the combination with DMARC will protect against spoofing theFromfield of the mail header since it requires an alignment of the domain in either SMTP envelope for SPF or the domain in the DKIM-Signature field.
– Steffen Ullrich
Mar 6 at 18:00
1
Ah yes, sorry i miss-read your answer. I thought you were saying SPF alone provides no spoofing mitigations whatsoever. +1
– hiburn8
Mar 7 at 12:50
add a comment |
While one could create a mail with @amazon.com as SMTP envelope and/or From field of the mail header, the mail would likely be blocked since this domain is protected with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). This means that a spoofed mail would be detected as such and get rejected by many email servers. Contrary to this using another domain which is not protected this way or which is protected but controlled by the attacker is more successful.
To explain in short what these technologies do:
SPF
Checks if the sender IP address is allowed for the given SMTP enveloper (SMTP.MAILFROM).dig txt amazon.comshows that a SPF policy exists.
DKIM
The mail server signs the mail. The public key to verify the mail is retrieved using DNS. Amazon uses DKIM as can be seen from theDKIM-Signaturefields in the mail header.
DMARC
Aligns theFromfield in the mail header (RFC822.From) with the domain of the DKIM signature for DKIM or the domain of the SMTP envelope for SPF. If an aligned and successful SPF/DKIM exists the DMARC policy matches.dig txt _dmarc.amazon.comshows that Amazon has a DMARC record with a policy ofquarantine.
Neither SPF nor DKIM by their own help against spoofing of the From field in the mail header. Only the combination of at least one of these with DMARC protects against such header spoofing.
While one could create a mail with @amazon.com as SMTP envelope and/or From field of the mail header, the mail would likely be blocked since this domain is protected with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). This means that a spoofed mail would be detected as such and get rejected by many email servers. Contrary to this using another domain which is not protected this way or which is protected but controlled by the attacker is more successful.
To explain in short what these technologies do:
SPF
Checks if the sender IP address is allowed for the given SMTP enveloper (SMTP.MAILFROM).dig txt amazon.comshows that a SPF policy exists.
DKIM
The mail server signs the mail. The public key to verify the mail is retrieved using DNS. Amazon uses DKIM as can be seen from theDKIM-Signaturefields in the mail header.
DMARC
Aligns theFromfield in the mail header (RFC822.From) with the domain of the DKIM signature for DKIM or the domain of the SMTP envelope for SPF. If an aligned and successful SPF/DKIM exists the DMARC policy matches.dig txt _dmarc.amazon.comshows that Amazon has a DMARC record with a policy ofquarantine.
Neither SPF nor DKIM by their own help against spoofing of the From field in the mail header. Only the combination of at least one of these with DMARC protects against such header spoofing.
edited Mar 6 at 9:11
gerrit
473520
473520
answered Mar 5 at 16:32
Steffen UllrichSteffen Ullrich
119k14209274
119k14209274
1
Not quite true on the last line... an SPF record can, by itself, protect against spoofing. Hard-fail SPF records (those ending in '-all'), are typically expected to result in violating emails being moved directly to spam, and soft-fail emails quite often results in a warning for the user (as with Gmail, o365). These choices do need some better level of standardisation, but that's what is happening in the wild; for example I have seen email clients which do completely drop email when hard-fail violations occur.
– hiburn8
Mar 6 at 17:45
10
@hiburn8: This is about spoofing theFromfield in the mail header. SPF does not even look at theFromfield of the mail (RFC822.FROM) but cares only about the SMTP envelope (SMTP.MAILFROM). An attacker can use an SMTP envelope with a proper domain which has either no SPF or has a valid SPF since the domain is controlled by the attacker - thus making SPF not fail. Only the combination with DMARC will protect against spoofing theFromfield of the mail header since it requires an alignment of the domain in either SMTP envelope for SPF or the domain in the DKIM-Signature field.
– Steffen Ullrich
Mar 6 at 18:00
1
Ah yes, sorry i miss-read your answer. I thought you were saying SPF alone provides no spoofing mitigations whatsoever. +1
– hiburn8
Mar 7 at 12:50
add a comment |
1
Not quite true on the last line... an SPF record can, by itself, protect against spoofing. Hard-fail SPF records (those ending in '-all'), are typically expected to result in violating emails being moved directly to spam, and soft-fail emails quite often results in a warning for the user (as with Gmail, o365). These choices do need some better level of standardisation, but that's what is happening in the wild; for example I have seen email clients which do completely drop email when hard-fail violations occur.
– hiburn8
Mar 6 at 17:45
10
@hiburn8: This is about spoofing theFromfield in the mail header. SPF does not even look at theFromfield of the mail (RFC822.FROM) but cares only about the SMTP envelope (SMTP.MAILFROM). An attacker can use an SMTP envelope with a proper domain which has either no SPF or has a valid SPF since the domain is controlled by the attacker - thus making SPF not fail. Only the combination with DMARC will protect against spoofing theFromfield of the mail header since it requires an alignment of the domain in either SMTP envelope for SPF or the domain in the DKIM-Signature field.
– Steffen Ullrich
Mar 6 at 18:00
1
Ah yes, sorry i miss-read your answer. I thought you were saying SPF alone provides no spoofing mitigations whatsoever. +1
– hiburn8
Mar 7 at 12:50
To complement Steffen Ullrich's answer, note that:
- Historically, it was indeed possible to spoof anything you wanted; no one checked, everybody trusted everybody.
- However, with the rise of spam, phishing and other scams, SPF, DKIM and DMARC were introduced. Those allow a server to check if the sender does have the right to send mail with a sender in a given domain.
- To work, those require both the sender and the receiver to implement those methods.
- Most large e-mail providers will definitely implement at least one of the 3 methods on their side (as a receiver), and many organisations at risk of having people trying to impersonate them will implement at least one of the 3 methods on their side as well (as a sender).
- However, there are still both e-mail systems not checking any of them and domains without the appropriate setup.
So if you find a domain without SPF, DKIM or DMARC, you could send e-mail on behalf of that domain and not be rejected outright. Many e-mail providers will "trust" such e-mails less than others, and they have larger chances of being handled as spam.
Likewise, you could send e-mail even "from" a domain protected with SPF, DKIM or DMARC to an e-mail system that doesn't check it.
But most definitely, if you want to send as Apple or Amazon to mailboxes managed by Google or Microsoft, that won't work. And that's the reason they use other domain names for this.
edited 2 days ago
answered Mar 6 at 13:36
– jcaron
Note that only DMARC prevents spoofing of the From: address, as SPF and DKIM don't do this - DKIM can let the sender, optionally, prove they own that domain, but cannot help the recipient check the domain in the From: field if a DKIM signature is not present.
– thomasrutter
Mar 8 at 3:40
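A worked illustration of the alignment point made in Steffen Ullrich's comment above and in jcaron's answer and thomasrutter's note: SPF only vouches for the SMTP envelope domain and DKIM only for the signing domain, and it is DMARC that ties one of them back to the From: header. This is added example code, not from any answer on the page; the domains, verdicts and DMARC record strings are constructed for it (shop.example and sh0p.example stand in for amazon.com and amaz0n.com), and the organizational-domain helper ignores the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


def organizational_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Real DMARC evaluators consult the Public Suffix List so that, e.g.,
    'mail.shop.co.uk' maps to 'shop.co.uk'; that refinement is omitted
    here (assumption for this example)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s'."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


@dataclass
class AuthResults:
    """What the receiving MTA already knows before DMARC runs."""
    header_from_domain: str                  # domain in the RFC5322 From: header
    mail_from_domain: str                    # domain in the SMTP MAIL FROM envelope
    spf_result: str                          # SPF verdict for mail_from_domain
    dkim_signatures: List[Tuple[str, str]]   # (d= signing domain, verdict) pairs


def evaluate_dmarc(auth: AuthResults, record: str) -> Tuple[str, str]:
    """Return (dmarc_result, requested_disposition).

    A 'pass' requires an authenticated identifier that *aligns* with the
    From: domain; an SPF or DKIM pass for an unrelated domain counts for
    nothing. Without an aligned pass, the owner's p= policy applies."""
    tags = parse_dmarc_record(record)
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    spf_ok = auth.spf_result == "pass" and is_aligned(
        auth.mail_from_domain, auth.header_from_domain, aspf)
    dkim_ok = any(
        verdict == "pass" and is_aligned(d, auth.header_from_domain, adkim)
        for d, verdict in auth.dkim_signatures)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")


# Constructed policy for the impersonated brand domain (not a real record).
SHOP_DMARC = "v=DMARC1; p=reject; aspf=r; adkim=r"


def legitimate_mail() -> Tuple[str, str]:
    """Brand's own mailer: envelope and signing domains are subdomains of
    the From: domain, so relaxed alignment passes."""
    return evaluate_dmarc(AuthResults(
        header_from_domain="shop.example",
        mail_from_domain="bounce.shop.example",
        spf_result="pass",
        dkim_signatures=[("mail.shop.example", "pass")]), SHOP_DMARC)


def spoofed_header_from() -> Tuple[str, str]:
    """Steffen Ullrich's scenario: the envelope uses a domain the sender
    controls (valid SPF, valid DKIM), but From: claims shop.example.
    SPF and DKIM both 'pass', yet neither identifier aligns."""
    return evaluate_dmarc(AuthResults(
        header_from_domain="shop.example",
        mail_from_domain="attacker-owned.example",
        spf_result="pass",
        dkim_signatures=[("attacker-owned.example", "pass")]), SHOP_DMARC)


def lookalike_domain() -> Tuple[str, str]:
    """Why look-alike domains get used instead: sh0p.example is the
    sender's own domain, so its own (constructed) policy is consulted and
    everything aligns. Only the human reader can spot the '0'."""
    return evaluate_dmarc(AuthResults(
        header_from_domain="sh0p.example",
        mail_from_domain="sh0p.example",
        spf_result="pass",
        dkim_signatures=[("sh0p.example", "pass")]), "v=DMARC1; p=none")
```

The second case is the one the receiving server catches (request to reject under the constructed policy), while the third sails through technically, which is the page's answer to why phishers bother registering look-alike names.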
- The phisher may be hoping to have any replies sent to that address.
- They are trying to avoid the various frameworks that exist to prevent spoofed "from" fields from being perceived as authentic by a human user.
Using this tool I was able to check that amazon.com does have SPF configured. Of course it's on your email client to check DNS for SPF, but most people's clients do do that.
answered Mar 5 at 16:33
– ShapeOfMatter
13
SPF doesn't protect the From: header, but the envelope sender.
– Esa Jokinen
Mar 5 at 17:20
3
And it's not the email client that checks SPF; it's the receiving email server.
– Max Vernon
Mar 7 at 15:58
2
I'm gonna come clean: I've set up these protections for myself once, and at this point I'm not sure why twelve people upvoted my answer.
– ShapeOfMatter
Mar 7 at 16:03
It might be worth noting the difference between theory and practice.
SMTP (Simple Mail Transfer Protocol), which is the basis of e-mail, doesn't really prevent spoofing. I think that's where this quote comes from.
However, while SMTP is part of e-mail as it is now, it's not the only thing in the pipeline. While I am sure there are some completely vanilla implementations of this in the wild, the vast majority of people will be using one of the few "big" stacks, which come with a lot of extras to stop this kind of behaviour.
As the goal of spamming is to reach as many (and, sadly, the most gullible) people as possible, the cost of having the majority of cases filtered out in order to get the credibility of a real address is not good. This is particularly true if the scam involves effort on the part of the scammer to proceed, as the sort of person skeptical enough to notice "service@amaz0n.com" looks wrong is likely a target you want to weed out early.
edited Mar 7 at 16:05
answered Mar 6 at 17:13
– ANone
I think the point about only wanting easy marks is a good one. There is a tendency to do this deliberately in the contents of the message too. It's been covered here before: security.stackexchange.com/questions/96121/…
– drjpizzle
Mar 6 at 17:19
James Veitch sheds some light on it in this TED Talk.
He starts his talk by telling about some phishing scam e-mail he received, the one about a South African lieutenant asking for help with diamonds. The whole story is ridiculous and, for most of us, completely unbelievable. But
"[...] if you think about it, this is actually rather clever. Because by making the scams ridiculous, ideally for the scammer, the only people who are going to reply are the most gullible people."
If you are naive or distracted enough to misread "amaz0n" as "amazon", then maybe you are worth a try... If you notice the different domain, you are paying attention, and it is probably a waste of the scammer's time to try to trick you.
answered Mar 8 at 14:46
– Rafael Henrique
2
I don't believe it's fair to say "If you are naive or distracted enough to misread "amaz0n" as "amazon", then maybe you are worth a try." Not everyone grew up with technology, and this sounds a lot like "If you are too dumb to realize it, you deserve being hooked." The REAL answer to why they use similar, but not identical domain names is because they are technically unable to spoof the real name Amazon.com. If they could use "amazon.com" I'm certain they would.
– SomeGuy
Mar 8 at 17:11
2
You have an error in logic. It is not "because you are vulnerable, we will try this" but rather, "we try everybody and people's vulnerabilities will be exposed".
– schroeder♦
Mar 8 at 17:47
@SomeGuy the author
– schroeder♦
2 days ago
5
One possible use of a fake address email nowadays would be in case the victim is trying to actually answer the email. The attacker could receive the response, create a discussion with an unaware victim and perform social engineering. If the "reply to" address were not under control, then the attacker would not (at least not easily) intercept anything.
– Pacopaco
Mar 7 at 9:10
1
@Pacopaco that's where the Reply-To field comes into play
– Antzi
Mar 8 at 6:59