
Is it actually possible to spoof an email if the sender domain does not have a valid SPF entry, without providing a Reply-To / Error-To / Return-Path field in the email metadata?

2 Answers

0

You need to look at the sending domain of the spoofed email very closely. It may be similar to but not exactly the same as your domain.

Spammers do not use your domain; they use their own email sender apparatus.

I see this frequently - mostly in the Spam folder, sometimes as ordinary email.

Freight forwarders (DHL, FedEx) are victims of this. The email domain includes (say) dhl but is not actually coming from DHL. Spammers can make it look like you are sending the email.

So the fact that your reverse lookups do not function here does not affect the spammer's sending apparatus.

If the email is coming from your domain, check machines for viruses. Spammers can install bogus senders on your machines.

8
  • It was actually the same domain. I checked them against each other. That's why I was wondering and thought maybe it is possible to spoof the email without providing fields like Reply-To / Error-To / Return-Path when the SPF entry is missing.
    – 1337
    Commented Oct 6, 2021 at 16:47
  • You want to check your machines for viruses, because spammers can install bogus senders on your machines.
    – anon
    Commented Oct 6, 2021 at 16:48
  • So is it not possible to spoof the email without having these fields in the email header?
    – 1337
    Commented Oct 6, 2021 at 16:50
  • Because the emails weren't sent from my infrastructure. They were sent from a malicious IP address in China.
    – 1337
    Commented Oct 6, 2021 at 16:51
  • They may have spoofed the domain as well. That can happen. They are very inventive.
    – anon
    Commented Oct 6, 2021 at 16:52
0

Yes – if the domain in question doesn't have SPF (and doesn't require DKIM signatures through DMARC), then any sender can directly connect to any recipient's incoming mail servers (according to MX records) and deliver any data they want. If you want to add a fake From:, just add a fake From:. If you don't want to add a Reply-To:, just don't add a Reply-To:.

"Return-Path:" is special; if it is missing, then the recipient's inbound server will itself add a Return-Path header according to what you specify in the SMTP MAIL FROM: command (i.e. Envelope-From) – but you can literally just put the spoofed domain in there, too, as there's no SPF to stop you.

The only thing that cannot be fully spoofed is the topmost "Received" header, which is also stamped by the recipient's server and will include the IP address of whoever submitted the message.

However, reading this header needs extra care – while the IP address is real, the "reverse-DNS" name included next to it might not be. The server's rDNS is often in control of the sender, who could use a similar-looking domain if they're doing this as a custom job. Even worse, it's usually shown right next to the SMTP 'HELO' domain name, which – again – the sender can just lie about.

(Note that depending on the recipient's mail system, it could stamp 2-3 headers, e.g. it's not uncommon for a mail server to accept a message; relay it over 'localhost' to an anti-malware scanner; then accept it again on a different port. The recipient should look at some legitimate messages to learn where the boundary between local/external "Received" headers is.)

The swaks tool is useful for testing/experimenting with SMTP. In its default mode (i.e. when "--to" is specified, but "--server" is not) it will directly look up MX records and deliver mail to the recipient without going through any relays. Classics like telnet <server> 25 can be used as well.

4
  • Thank you! I was kinda scared because normally I see fields like Reply-To, Error-To and so on and can spot spoofed emails with ease, but this one was different. The only indication that I had was that the first Received entry in the email showed a Chinese IP address.
    – 1337
    Commented Oct 6, 2021 at 17:10
  • One question. What if the Return-Path is missing? In case of my suspicious email it was actually missing.
    – 1337
    Commented Oct 6, 2021 at 17:19
  • If it's missing entirely, I'm tempted to say that means either the recipient's mail system is not standards-compliant, or something weird is going on (not necessarily "compromised" weird, although possibly that too). However, if the Return-Path is present but only contains a Return-Path: <>, that's actually fairly standard – the sender is allowed to specify a blank address in the SMTP envelope-from, which is typically used for sending bounce/failure notifications. (You don't want a bounce message to get bounced again...) Spammers sometimes do so as well. Commented Oct 6, 2021 at 17:27
  • Actually, even with SPF, DKIM & DMARC, email can be spoofed. People should never trust email to be authentic. It's a design problem. Not likely to change. Commented Oct 7, 2021 at 0:06
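The exchange described in the answer above, played out end to end as an added example (this is not code from the original answer or its comments). A minimal SMTP receiver on localhost stands in for the recipient's MX and stamps Return-Path and Received the way a real inbound server does; the client then delivers a message direct to it, lying in EHLO, MAIL FROM and From:, and sending no Reply-To: or Return-Path: of its own. Every hostname and address (victim.example, recipient.example, mx.recipient.example, mail.victim.example) is constructed for the demo, and victim.example is assumed to publish no SPF record, so nothing stops the forged envelope-from. The second run uses the null sender from the Return-Path: <> comment.

```python
"""Added example: simulated spoofed delivery with no SPF on the spoofed domain.
All names below are constructed for the demo; victim.example is assumed to have
no SPF record, so the receiving server has no basis to reject MAIL FROM."""
import re
import smtplib
import socket
import threading
from email import message_from_bytes
from email.utils import formatdate

MX_NAME = "mx.recipient.example"          # constructed name of the receiving MX
SPOOFED_FROM = "CEO <ceo@victim.example>"  # constructed forged header From:


class MiniMX:
    """Accept exactly one message over plain SMTP and prepend trace headers."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.received = None                # stamped message, set when delivery ends
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, peer = self.sock.accept()    # peer[0] is the client's real IP address
        f = conn.makefile("rwb")

        def reply(line):
            f.write((line + "\r\n").encode())
            f.flush()

        reply(f"220 {MX_NAME} ESMTP")
        helo, envelope_from, body = "", "", b""
        while True:
            line = f.readline()
            if not line:
                break
            cmd = line.decode(errors="replace").rstrip("\r\n")
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                helo = cmd.split(" ", 1)[1] if " " in cmd else ""  # whatever the client claims
                reply(f"250 {MX_NAME}")
            elif verb == "MAIL":
                envelope_from = cmd.split(":", 1)[1].strip()       # MAIL FROM:<...>, unchecked
                reply("250 OK")
            elif verb == "DATA":
                reply("354 End data with <CR><LF>.<CR><LF>")
                while True:
                    line = f.readline()
                    if line in (b"", b".\r\n"):
                        break
                    body += line[1:] if line.startswith(b"..") else line  # undo dot-stuffing
                reply("250 OK queued")
            elif verb == "QUIT":
                reply("221 Bye")
                break
            else:                          # RCPT, RSET, NOOP ...
                reply("250 OK")
        # A real MX also writes the rDNS name next to the IP; only the IP is trustworthy here.
        trace = (f"Return-Path: {envelope_from}\r\n"
                 f"Received: from {helo} ([{peer[0]}]) by {MX_NAME}; {formatdate()}\r\n")
        self.received = trace.encode() + body
        conn.close()
        self.sock.close()


def deliver_spoofed(port, envelope_from="ceo@victim.example"):
    """Deliver a forged message the way swaks or telnet would: straight to the MX."""
    msg = (f"From: {SPOOFED_FROM}\r\n"
           "To: target@recipient.example\r\n"
           "Subject: Urgent wire transfer\r\n"
           "\r\n"
           "Please pay the attached invoice today.\r\n")
    # local_hostname is the EHLO name the client announces; nothing verifies it.
    with smtplib.SMTP("127.0.0.1", port, local_hostname="mail.victim.example") as s:
        s.sendmail(envelope_from, ["target@recipient.example"], msg)


RECEIVED_RE = re.compile(r"^from (\S+) \(\[([\d.]+)\]\) by (\S+);")


def analyse(raw):
    """Separate what a reviewer can trust in the stamped message from what they cannot."""
    m = message_from_bytes(raw)
    top = m.get_all("Received")[0]        # topmost = stamped by the recipient's own MX
    helo, ip, _ = RECEIVED_RE.match(top).groups()
    return {
        "from": m["From"],                # forged freely by the sender
        "reply_to": m["Reply-To"],        # None: the spoofer simply did not add one
        "return_path": m["Return-Path"],  # added by the MX from MAIL FROM, also forged
        "helo": helo,                     # claimed by the client, never verified
        "peer_ip": ip,                    # the one value the sender cannot choose
    }


def run_demo(envelope_from="ceo@victim.example"):
    mx = MiniMX()
    deliver_spoofed(mx.port, envelope_from)
    mx.thread.join(timeout=5)
    return analyse(mx.received)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:12} {value}")
    print("null sender  ", run_demo(envelope_from="")["return_path"])
```

Running it shows the message arriving with a convincing From:, no Reply-To:, and a Return-Path: that the recipient's own server wrote from the forged MAIL FROM; the only field the spoofer could not pick is the peer IP in the topmost Received header, and the name next to it is just the client's EHLO string.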
