Can email spoofing be prevented?

My wife's email account was hacked and the attacker got her address book. I don't know if the attack was on her local email client (Thunderbird running on Windows 7) or on the server (hosted at GoDaddy). Either way, the contact list data is out there and I can't undo that. I have changed all passwords, updated security, etc., and I don't think there have been any further intrusions.

However, whoever did this has been sending huge amounts of spam, using my wife's name as the "sender". They go quiet for a while, and then so often I wake up to a few dozen emails from my wife, which of course she didn't really send, and every other person in her address book gets these as well. And because her address book was full of many dead addresses, my wife gets hundreds of "Mail Delivery Failed" bounceback messages, as well as hundreds of emails rejected by the receiving domain as spam. The people in her contact list are getting angry, and it's becoming a real problem.

I have asked GoDaddy about this, and they say that any person A can send an email to [email protected] claiming to be [email protected], and there is no email infrastructure in place to verify that person A is authorized to send an email from ccc.com. Consequently, there's absolutely nothing I can do about this, and this spammer will be able to harass people, damage my wife's reputation, get her email blacklisted, etc. and there is no way to stop it.

Is this true, or is there anything I can do to stop these spammers, or at least mitigate the damage?


Solution 1:

It is indeed very hard to solve the problem of e-mail spoofing in a general way, due to the simple and highly distributed way the protocol is designed.

The physical letter analogy holds up quite well in this example: I can put a letter into the post, and write on it that it comes from your house; I don't need to have broken into your house to do this, just drop it in a public post box. And if the post is marked "return to sender" it may well end up being "returned" to you, even though you didn't write it. The same happens with e-mail: anybody can deliver a message into the system, with a To and a From address; the server you send mail from may not be the same one you receive mail to, and there's no centralised service verifying your identity when you drop a message into the system.

There are two general approaches to solving this:

Digital signatures are a way of including in a message a kind of signature or seal which only the real sender knows how to generate (using a private key which they never share). The recipient can then verify the signature using a public key which mathematically proves who produced the signature (and that it matches the received text).

This is not, however, very useful for your example, because it doesn't prevent the messages being delivered, and requires recipients to know the public key, or a verified location to retrieve it.

Domain-based sender verification systems have been developed to try to prevent spam. These store data in the DNS (directory lookup) for the domain of the address (the part after the @) which allow a receiving system to verify if a mail is legitimate. One system, SPF, lists which systems are allowed to send mail on behalf of that domain; another, DKIM, stores public keys used similar to the digital signature approach above, but for verifying the transmitting system, rather than the actual sender.

(To slightly over-extend the physical letter analogy, SPF is like publicly saying "I only post letters using this post box" and DKIM is like publicly saying "I always send mail from this post office which prints a tamper-evident label for me".)

These would be more relevant to your case - if your wife were using a custom domain, an appropriate SPF or DKIM setup would cause many systems to silently reject mail which she had not sent herself (or mark it as spam, without attributing it to her). However, it only works at the domain level, not the individual address, and some recipient systems may not check the records.

Solution 2:

Emailing all the live contacts in her address book & telling them about the email spam problems would probably help. And now's as good a time as any to remove any dead contacts from the list.

Using PGP/GPG in the future would be a near-perfect solution for private users & senders to verify for themselves that an email is actually sent from the sender, and could hide/encrypt the contents of messages too so they're only seen by the intended receiver. But, though PGP has been available for decades now, it's not universally super easy for anyone to start using, and web-only mail (like Gmail, etc) make it hard to keep the secret parts truly secret to just you and still easy to use from anywhere...

Email Authentication

There are things that can be done to authenticate to email receivers (at least some, like Yahoo & Google & others, that "represent a high percentage of Internet email users" - DMARC FAQ) that a message that says it's from your domain really is from your domain. They use DMARC which "allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message" - DMARC FAQ.

Changing to a different email address could help in the short term too, then you & everyone else could safely ignore / "mark as spam" all further messages from the spammers. But even if that's not your main concern since they're "obviously super-spammy spam" and no one's being fooled, you probably want to look into stopping the "from:" line from being easily spoofed, since if enough users always "mark as spam" your wife's business email, spam filters will probably start throwing out all messages from that address.

Email Authentication should help the sending & receiving mail servers to verify messages are actually sent from who they say they're from. I've found some info on Gmail, since it's one of "the big three" email companies it's probably a good place to start. Even switching email providers to one that's already set up / authenticated, like Gmail for Business should help & might be easier, but shouldn't be necessary, although judging by your response from GoDaddy they might not be your dream host.

Gmail's help on Email Authentication has some advice for sending domains:

If you’re a sending domain

Messages with DKIM signatures use a key to sign messages. Messages signed with short keys can be easily spoofed (see http://www.kb.cert.org/vuls/id/268267), so a message signed with a short key is no longer an indication that the message is properly authenticated. To best protect our users, Gmail will begin treating emails signed with less than 1024-bit keys as unsigned, starting in January 2013. We highly recommend that all senders using short keys switch to RSA keys that are at least 1024-bits long. Authentication is highly recommended for every mail sender to ensure that your messages are correctly classified. For other recommendations see our Bulk Senders Guidelines.

Authentication by itself is not enough to guarantee your messages can be delivered, as spammers can also authenticate mail. Gmail combines user reports and other signals, with authentication information, when classifying messages.

Similarly, the fact that a message is unauthenticated isn’t enough to classify it as spam, because some senders don’t authenticate their mail or because authentication breaks in some cases (for example, when messages are sent to mailing lists).

Learn more about how you can create a policy to help control unauthenticated mail from your domain.

The last link Control unauthenticated mail from your domain is particularly relevant:

To help fight spam and abuse, Gmail uses email authentication to verify if a message was actually sent from the address it appears to be sent from. As part of the DMARC initiative, Google allows domain owners to help define how we handle unauthenticated messages that falsely claim to be from your domain.

What you can do

Domain owners can publish a policy telling Gmail and other participating email providers how to handle messages that are sent from your domain but aren’t authenticated. By defining a policy, you can help combat phishing to protect users and your reputation.

On the DMARC website, learn how to publish your policy, or see the instructions for Google Apps domains.

Here are some things to keep in mind:

  • You'll receive a daily report from each participating email provider so you can see how often your emails are authenticated and how often invalid emails are identified.
  • You might want to adjust your policy as you learn from the data in these reports. For example, you might adjust your actionable policies from “monitor” to “quarantine” to “reject” as you become more confident that your own messages will all be authenticated.
  • Your policy can be strict or relaxed. For example, eBay and PayPal publish a policy requiring all of their mail to be authenticated in order to appear in someone's inbox. In accordance with their policy, Google rejects all messages from eBay or PayPal that aren’t authenticated.

More about DMARC

DMARC.org was formed to allow email senders to influence unauthenticated mail by publishing their preferences in a discoverable and flexible policy. It also enables participating email providers to provide reports so that senders can improve and monitor their authentication infrastructure.

Google is participating in DMARC along with other email domains like AOL, Comcast, Hotmail, and Yahoo! Mail. In addition, senders like Bank of America, Facebook, Fidelity, LinkedIn, and Paypal have already published policies for Google and other receivers to follow.

For more information, please refer to this post in the Official Gmail Blog.

Other helpful looking links:

  • Set up Gmail to Send/Receive Emails Using Your Own Domain Name
  • Take Control of Your Email Address
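The answer above quotes Gmail on DMARC policies ("monitor" to "quarantine" to "reject") but does not show how a receiver combines the SPF and DKIM results with that policy. The following is an added example, not code from the answer or from Google, that parses a DMARC record and computes the disposition a participating receiver would apply. It assumes the SPF and DKIM results have already been computed elsewhere (they are passed in as strings), uses constructed example.com records, and simplifies "organisational domain" to the last two labels where a real implementation would consult the Public Suffix List.

```python
from typing import Dict

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'v=DMARC1; p=...; ...' TXT record into tags.

    Defaults follow the DMARC spec: relaxed alignment for both SPF and DKIM.
    """
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a usable DMARC record: %r" % record)
    if tags.get("sp", tags["p"]) not in POLICIES:
        raise ValueError("invalid sp= tag in %r" % record)
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): organisational domain = last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts
    any subdomain of the same organisational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_disposition(record: str, from_domain: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass', or the action the domain owner asked for on failure.

    DMARC passes if at least one of SPF/DKIM both passed AND is aligned with
    the header From: domain, which is what the user actually sees. The SPF
    result alone is about the envelope MAIL FROM domain, so an unaligned SPF
    pass (e.g. a spammer's own domain passing its own SPF) does not help.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomain policy (sp=) applies when the From: domain is a subdomain.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return tags["sp"] if is_subdomain and "sp" in tags else tags["p"]


# Constructed records for a hypothetical example.com (not real DNS data).
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
REJECT_RECORD = "v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Spammer forging From: example.com from its own host: SPF fails, no DKIM.
    print(dmarc_disposition(REJECT_RECORD, "example.com",
                            "fail", "example.com", "none", ""))       # reject
    # Same forgery while the owner is still in the monitoring stage.
    print(dmarc_disposition(MONITOR_RECORD, "example.com",
                            "fail", "example.com", "none", ""))       # none
```

The two records illustrate the staged rollout the Gmail text describes: `p=none` only generates the aggregate reports (the `rua=` address) so the owner can find every legitimate sending system before switching to `quarantine` and finally `reject`, at which point the spammer's forged messages are refused outright and the bouncebacks the question describes stop reaching the real mailbox.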