How can header information track down an email spoofer?

Spammers can use spoofed headers to hide the true origin of unwanted email. In this Q&A, application security expert Michael Cobb explains how to trust where a message is coming from.

I have been accused of sending unwanted emails to one specific user. I have indeed sent emails to this user, but not containing the information alleged. I have been told that:

"Anyone can 'fake' the email address of a sender, but the encrypted headers contained in every email are tagged to the sender's PC. Also, your Internet service provider (ISP) is obliged to keep logs of all emails sent by their users."

Is it correct that the ISP will keep a full record of the emails, including content, and not just the tag to the PC? Presumably, it is possible for the recipient to leave the headers intact and change the information within the email?

The recipient of your unwanted emails has some of his facts right, but let me explain how emails are sent and handled by ISPs; that way you can decide how best to resolve this problem. The main protocol used for sending email, Simple Mail Transfer Protocol ( SMTP), doesn't include a means of authenticating where an email originated. A message's "Received:" headers, however, do provide a record of how it has been routed to its destination. Even if the sender uses a fictitious or false name when contacting the receiving server, modern mail transfer programs record the sender's correct IP address. You can view this header information in any email you receive. Spammers will often add spoofed headers in order to hide the true origin of unwanted email.

Even if your colleague can show that the email originated from you, it may have still been sent by a malicious program that has infected your PC. Run a full virus scan on your machine to rule out this possibility. As things stand, an ISP doesn't have to save all of your email unless it is presented with a legitimate law enforcement request. There doesn't really seem to be a standard practice of what ISPs do and do not keep, so you'll need to check with your ISP for its current policy and practices.

The easiest way to trust an email's origin data is to use digital signatures, such as Pretty Good Privacy (PGP). This provides a way of ensuring that messages are from whom they appear to be from, verifying also that the message has not been altered in transit. When a message is digitally signed and sent, a unique mathematical value is calculated using a hashing or message authentication algorithm. This value is then encrypted with your private key, creating a digital signature for that specific message. This encrypted value is attached to the end of the message along with your digital certificate, which also contains your public key.

When the recipient's email program receives a signed message, it calculates its own hash of the message and then uses your public key to decrypt the sent email's hash value; the two values are then compared. If the two values match, you can be sure that the message has not been altered and was signed by you.

If the person you are sending an email to also has a digital certificate, you can sign and encrypt the email to ensure that it cannot be altered or read by anyone other than the intended recipient. Also, as a matter of good practice, I would always write an email as if it were a postcard, adding a salutation, date and time in the body of your messages. This ensures that the context of the message is clear.

More information:

  • Michael Cobb decides whether Sender ID is an effective email authentication tool.
  • Find out how well blacklists and whitelists stop spam.
  • Dig Deeper on Threats and vulnerabilities

    Enterprise Desktop
    Cloud Computing