Forged Emails

As many are undoubtedly aware, there have been a number of instances where email has been forged so that it appears to be from someone with an email address ending in In the cases IS has investigated, the email forgeries have not involved an account compromise.

Whilst account compromises do happen, email forgeries can take place without being able to get in to the sender’s account.

IS are investigating technical counter-measures, but none of the candidates can be implemented easily nor are such measures likely to be 100% effective. In the meantime, please be aware that emails with an address ending in may be forged.

Detecting such forgeries is more of an art than a science – or the counter-measures would be simple to implement. However, there are usually some hints available:

  • The sender address (or the “From” header) may contain a name that conflicts with the email address – such as “Sarah Williamson-Blythe <>”.
  • The salutation (“Hi!”, “Dear _”, etc.) may be unusually formal or unusually informal. How do people normally start an email to you?
  • The end of the email (or the “signature”) may look unusually plain, or different from what you normally see.
  • The subject may include suggestions of urgency (“Urgent”, “Priority”, “Immediate”, etc.).
  • The message itself may ask you to do something that you wouldn’t ordinarily expect from the sender, such as clicking on a link to pay some fees, enabling a quota, or sending the supposed sender data that they need.
  • The language used within the message or the subject may be particularly ungrammatical (although not everyone has memorised “Eats, Shoots, and Leaves”) or may use Americanisms.
  • If you start to reply, and the email address changes (i.e. what appears next to “To”) then there is something suspicious going on.

If an email is suspicious in any way, it is advisable to contact the alleged sender to see if they really did send it. Essentially these forged messages are ordinary (or not so ordinary) spam messages that use a forged to gain credibility.
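As an added illustration (not part of the original post), the following Python script applies the checklist above to a message: it compares the display name with the real address, checks whether a reply would go elsewhere (the Reply-To header), and scans the subject and body for urgency and unusual requests. The organisation domain and the sample message are constructed placeholders, and the output is a set of prompts for a human reader rather than a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Cue words drawn from the hints listed above.
URGENCY_WORDS = ("urgent", "priority", "immediate")
ACTION_PATTERN = re.compile(r"\b(click|pay|fees?|quota)\b")
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w.-]+)")

def forgery_hints(raw_message: str, trusted_domain: str) -> list[str]:
    """Return the checklist hints that fire for one message (prompts for a
    human reader, not a verdict). trusted_domain is the organisation's own
    mail domain; the value used below is a placeholder."""
    msg = message_from_string(raw_message)
    hints = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Display name claims an address at one domain while the real mailbox
    # is elsewhere, e.g. "someone@trusted" <someone@elsewhere>.
    claimed = ADDR_IN_NAME.search(from_name)
    if claimed and claimed.group(1).lower() != from_domain:
        hints.append(f"display name claims {claimed.group(1)} but address is {from_domain}")
    # Replying would go somewhere other than the address shown as sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        hints.append(f"replies go to {reply_addr}, not {from_addr}")
    # Subject pushes urgency.
    if any(w in msg.get("Subject", "").lower() for w in URGENCY_WORDS):
        hints.append("subject suggests urgency")
    # Body asks for an unusual action (payment, quota, data).
    body = msg.get_payload(decode=True) or b""
    charset = msg.get_content_charset() or "utf-8"
    if ACTION_PATTERN.search(body.decode(charset, "replace").lower()):
        hints.append("body asks for an action (payment, quota, data)")
    return hints

# Constructed sample: a plausible forgery aimed at a made-up domain.
SAMPLE = """From: "sarah.wb@example.ac.test" <sarah.wb@webmail.example.net>
Reply-To: fees-office@webmail.example.net
Subject: URGENT: outstanding fees
Content-Type: text/plain; charset=utf-8

Hi!
Please click the link to pay your outstanding fees before noon.
"""

if __name__ == "__main__":
    for hint in forgery_hints(SAMPLE, "example.ac.test"):
        print("-", hint)
```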

How Email Is Forged

Without getting too technical, the underlying network protocol that is used to transmit email between servers (SMTP) is very old, and was originally designed in the era when Internet services were very trusting.

Because it is so trusting, it will accept any headers including setting the sender address to “”.

Attempts have been made to improve the security of email over the decades (yes, it is that old), but most of these are optional extensions aimed more at combating spam than at dealing with forgeries.

Blocking The Forger’s Network Address

It is not uncommon for people to suggest blocking the network address used to send the forged emails. It is not a bad idea as such, because there are anti-spam measures that are very similar (RBLs).

However, blocking a single network address can be compared to locking the stable door after the horse has bolted. Once such a network address has been used, the forger is likely to use a different network address in the future. Essentially, in almost all circumstances it isn’t possible to block a network address quickly enough for it to be effective.


This entry was posted in Active Attacks, Email.