Spoofed email address???

Status
Not open for further replies.

3phatladies

Technical User
Oct 19, 2007
4
AU
Hi all.
Today we received an email that seemed to come from our own domain, called alert... "alert@domain.com"

Obviously they tried to phish us with the link, and it's originating via a relay site in Russia, but how did they manage to trick the front desk into thinking it came from within our domain?

We don't have an email by that name, so it rang alarm bells, and Untangle trapped it as spam anyhow. On opening it up (actual domain name omitted) in a VM it read:


Return-Path: <sorestfbt44@sedek.ru>
From: <alert@domain.com>
To: <michael@domain.com>
Subject: For the owner of the michael@domain.com mailbox
Date: Tue, 20 Oct 2009 03:59:31 +1100
Message-ID: <000d01ca50d5$24d9f380$6400a8c0@sorestfbt44>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_003B_01CA5175.D7F98D40"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpQ1TpPBtV47dDjTkqvUVpiC7GILg==
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300

This is a multi-part message in MIME format.

------=_NextPart_000_003B_01CA5175.D7F98D40
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Dear user of the domain.com mailing service!

We are informing you that because of the security upgrade of the mailing
service your mailbox (michael@domain.com) settings were changed. In
order to apply the new set of settings click on the following link:


<il=michael@domain.com&from=domain.com&fromname=michael>

Best regards, domain.com Technical Support.
 
Spoofing email header info is probably one of the easiest things to do. All spammers do it. If your email server is in house, set up your filters to trap/block/drop all email coming in that "says" it originated from your domain. If your email server is in house, email from your domain could never (well, almost never) originate from outside your network. Make sense? You could also set up an SPF record; it might help a little.

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
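The reply above amounts to two gateway checks: a message whose header From claims your own domain but arrives from outside your network is suspect, and an SPF record lets receivers test the envelope sender's domain against the connecting IP. The following script is an added example, not code from this thread or from Untangle; it parses the header block quoted in the original post (with the multipart Content-Type simplified to text/plain, since only the headers matter here) and applies both checks. The internal network 203.0.113.0/24, the outside address 198.51.100.7 and the SPF record are constructed placeholders, and the SPF evaluator is deliberately minimal (ip4/ip6 mechanisms and the all default only).

```python
import email
import ipaddress
from email.utils import parseaddr

OUR_DOMAIN = "domain.com"

# Constructed: the address range our own mail server sends from.
INTERNAL_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: the SPF TXT record we would publish for OUR_DOMAIN.
OUR_SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"

# Constructed sample: the headers quoted in the thread, Content-Type simplified.
RAW_MESSAGE = """\
Return-Path: <sorestfbt44@sedek.ru>
From: <alert@domain.com>
To: <michael@domain.com>
Subject: For the owner of the michael@domain.com mailbox
Date: Tue, 20 Oct 2009 03:59:31 +1100
Message-ID: <000d01ca50d5$24d9f380$6400a8c0@sorestfbt44>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"

Dear user of the domain.com mailing service!
"""


def domain_of(header_value):
    """Lowercase domain part of an address header value, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def spf_check(record, sender_ip):
    """Simplified SPF evaluation: walks the mechanisms left to right and returns
    the qualifier of the first ip4:/ip6: match, or of the trailing 'all'.
    include:, a, mx and redirect= are not handled (assumption: not needed here)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return results[qualifier]
        if term.lower().startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return results[qualifier]
    return "neutral"


def spoof_findings(raw, sender_ip, our_domain=OUR_DOMAIN, spf_record=OUR_SPF_RECORD):
    """Return a list of reasons to distrust the message (empty list = nothing found)."""
    msg = email.message_from_string(raw)
    findings = []
    header_from = domain_of(msg["From"])          # what the user sees in Outlook
    envelope_from = domain_of(msg["Return-Path"])  # SMTP MAIL FROM, what SPF tests
    ip = ipaddress.ip_address(sender_ip)
    from_inside = any(ip in net for net in INTERNAL_NETWORKS)

    # Check 1 from the reply: our domain in From, but the connection came from outside.
    if header_from == our_domain and not from_inside:
        findings.append("From claims %s but connection came from outside our network"
                        % our_domain)

    # Envelope and header sender disagree: typical of the message in the thread.
    if header_from and envelope_from and header_from != envelope_from:
        findings.append("From domain %s does not match Return-Path domain %s"
                        % (header_from, envelope_from))

    # Check 2: SPF only applies when the envelope sender uses our domain.
    if envelope_from == our_domain:
        result = spf_check(spf_record, sender_ip)
        if result in ("fail", "softfail"):
            findings.append("SPF %s for %s from %s" % (result, envelope_from, sender_ip))
    return findings


if __name__ == "__main__":
    for reason in spoof_findings(RAW_MESSAGE, "198.51.100.7"):
        print("FLAG:", reason)
```

Run against the thread's message from an outside address, the first two checks fire and SPF is never consulted, because the Return-Path domain is sedek.ru rather than domain.com: SPF protects the envelope sender domain, not the From header the front desk saw, which is why the reply says it only helps a little.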
 
If you are interested in seeing how this works, read the Wikipedia article on SMTP. In the example you will see where the "From" address is submitted and how easy it is to spoof it.
 
Yeah, they've been spoofing the from addresses and the links that are included, so for Outlook (majority of business users) they appear to be on your domain.
Not sure what is at the link that they actually go to, but nothing good and nothing I want to experiment with.
 
Surprised that Microsoft hasn't put link checking in Outlook yet, to warn of links that aren't going to the displayed link.
They already protect privacy by not auto-downloading pictures; seems like there could be something to disable links that don't match until you OK them.
 
