Reply to potentially spoofed email

A colleague received an unsolicited email along the lines below:

Dear Ms. Smith

please click on the following link to receive Document X regarding Project Y.

Yours,

Eve Nobody
eve.nobody@company.com


I suggested that my colleague reply to Eve Nobody and ask whether the email is legitimate. Note that we typed in the address of Eve Nobody, since one could tamper with the Reply-To header.

I assume three possible scenarios:

  1. Eve Nobody exists and she did send the email
  2. Eve Nobody exists, but she didn’t send the email
  3. Eve Nobody does not exist, and the email-server of company.com will reply with an error message

In all possible scenarios, we only interact with company.com, and not with any potential spoofer. Thus, I consider this course of action safe.

Was my advice sound, or are there other aspects to consider?


For context:

  • We are a firm which does research with academia and industry, hence we have plenty of information on our current projects along with the corresponding researchers. Thus, the information contained in the initial email (a reasonable title for Document X and the title of Project Y) can be gathered from our homepage.
  • company.com is a legitimate company, and is involved in some research of ours.

Spoofed DNS answers ignored by target machine applications

Attacker: Arch Linux

Target: Windows 10

Scenario: The attacker launches an ARP spoofing attack to redirect all target traffic to the attacker. (This works)

The target sends DNS queries for domain name resolution to the attacker machine. (This works)

The attacker machine listens for these queries and, if the query tries to resolve a specific domain (detectportal.firefox.com), sends a spoofed DNS answer with the attacker's IP. For all the other domains the queries are not answered and not even forwarded.

Wireshark on both the attacker and the target machine confirms the reception of the spoofed DNS answers, although the applications that triggered the DNS resolution seem to ignore these answers and just time out.

Example on target machine:

    ipconfig /flushdns
    nslookup detectportal.firefox.com
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  10.42.0.1  (my gateway ip and the ip being spoofed by the ARP attack)

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    **** Request to UnKnown timed-out

Wireshark confirms the DNS spoof answers are correct and correlates them to the queries.

Assumption:

I do not compute the IP header checksum nor the UDP checksum; I just put in some value (e.g. 0xdead, 0xbeef, 0xcafe). Could it be the target machine dropping these packets AFTER Wireshark picks them up?

How likely is it that a hacker spoofed my own IP address when trying to log in to a website?

I got a confirmation code without trying to log in which is what prompted me to investigate this. The account is just a Ubisoft account with 1 free game on it; I somehow doubt there would be motivation to employ sophisticated hacker techniques.

I know about Tor services and VPNs, but I don't think those would spoof my own IP address. When I look at the log-in history for my account, it says my very own IP (at least, an IP with the same first and last segment) failed a login attempt 15 minutes ago, and I definitely don't remember doing anything remotely related to that account in the last 12 hours. Did a hacker actually spoof the correct first and last numbers of my IP, or is this more likely some sort of bug? How would they even know the right IP to spoof in the first place?

How to tell if an email source is spoofed?

So I’ve received an email to my gmail account from FCMB, a bank in Nigeria (flashing warning lights already). It’s not addressed to me (i.e., the email starts off “Dear Daniel,” [not my name]). But the email address is mine. When I look at the headers in Google, it really does look to me like Google received it directly from FCMB.com. Here’s the relevant bit (I think):

    ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of ebusiness@fcmb.com designates 41.223.147.112 as permitted sender) smtp.mailfrom=ebusiness@fcmb.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=fcmb.com
    Return-Path: <ebusiness@fcmb.com>
    Received: from lin-smtp.fcmb.com (lin-smtp.fcmb.com. [41.223.147.112]) by mx.google.com with SMTP id n5si1099097wmi.93.2019.09.04.11.31.49 for ; Wed, 04 Sep 2019 11:31:50 -0700 (PDT)
    Received-SPF: pass (google.com: domain of ebusiness@fcmb.com designates 41.223.147.112 as permitted sender) client-ip=41.223.147.112;
    Authentication-Results: mx.google.com; spf=pass (google.com: domain of ebusiness@fcmb.com designates 41.223.147.112 as permitted sender) smtp.mailfrom=ebusiness@fcmb.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=fcmb.com
    Message-ID: <5d700316.1c69fb81.8dceb.fbc9SMTPIN_ADDED_MISSING@mx.google.com>
    Received: from INTRANET (unknown [172.27.15.3]) by lin-smtp.fcmb.com (Postfix) with ESMTP id 69410875FC for ; Wed, 4 Sep 2019 19:43:36 +0100 (WAT)
    MIME-Version: 1.0
    From: FCMB

I can’t actually tell what the email is about since it’s mostly images, and I’m not about to view them.

So – is this really being sent to me legitimately – in which case someone has given a fake email address (mine) for their account? Or is this being faked in a way that I am missing things? – in which case I want to better understand it since if not for all the red flags, I would have concluded that this email is legitimate.

FWIW, this is the third email I've received in the last 2 months from FCMB that is addressed to "Daniel".
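As an added example (not from the post), a small Python check of the kind one would run over these headers: it trusts only the Authentication-Results header stamped by the receiving MX (mx.google.com, taken from the post), pulls out the SPF/DMARC verdicts and the SPF-designated IP, checks strict DMARC alignment between smtp.mailfrom and header.from, and compares the designated IP with the connecting IP recorded in the Received line that the same MX wrote. The header text is a constructed copy of what the post quotes, with the recipient and Message-ID left out.

```python
import re

# Headers quoted in the post above, reproduced as a constructed sample (recipient
# and Message-ID omitted; the first Received line is folded to exercise parsing).
SAMPLE_HEADERS = (
    "Authentication-Results: mx.google.com; spf=pass (google.com: domain of "
    "ebusiness@fcmb.com designates 41.223.147.112 as permitted sender) "
    "smtp.mailfrom=ebusiness@fcmb.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) "
    "header.from=fcmb.com\n"
    "Received: from lin-smtp.fcmb.com (lin-smtp.fcmb.com. [41.223.147.112]) by "
    "mx.google.com with SMTP id n5si1099097wmi.93.2019.09.04.11.31.49;\n"
    "\tWed, 04 Sep 2019 11:31:50 -0700 (PDT)\n"
    "Received: from INTRANET (unknown [172.27.15.3]) by lin-smtp.fcmb.com (Postfix) "
    "with ESMTP id 69410875FC; Wed, 4 Sep 2019 19:43:36 +0100 (WAT)\n"
)

def parse_headers(raw):
    """Return (name, value) pairs, unfolding RFC 5322 continuation lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:  # folded continuation line
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields

def grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def assess(raw, our_mx="mx.google.com"):
    """Report only what *our* MX verified; stamps added upstream are ignored."""
    r = {"spf": None, "dmarc": None, "designated_ip": None, "sending_ip": None, "aligned": False}
    for name, value in parse_headers(raw):
        # Only the Authentication-Results stamped by our own MX counts; upstream ones can be forged.
        if name == "Authentication-Results" and value.split(";")[0].strip() == our_mx:
            r["spf"] = grab(r"\bspf=(\w+)", value)
            r["dmarc"] = grab(r"\bdmarc=(\w+)", value)
            r["designated_ip"] = grab(r"designates (\d+(?:\.\d+){3}) as permitted", value)
            mail_from = grab(r"smtp\.mailfrom=[^\s;@]+@([^\s;]+)", value)
            header_from = grab(r"header\.from=([^\s;]+)", value)
            r["aligned"] = mail_from is not None and mail_from == header_from  # strict alignment
        # The Received line our MX wrote records the IP that actually connected to it;
        # lines below it were written on the sender's side and could say anything.
        elif name == "Received" and r["sending_ip"] is None and grab(r"\bby (\S+)", value) == our_mx:
            r["sending_ip"] = grab(r"\[(\d+(?:\.\d+){3})\]", value)
    r["ip_matches"] = r["sending_ip"] is not None and r["sending_ip"] == r["designated_ip"]
    return r
```

For the quoted message every field comes back positive, which is exactly why the post's red flags have to come from the content (wrong addressee, image-only body) rather than from the transport.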

How to detect a spoofed email with Outlook Web Access?

I am specifically asking about Outlook Web Access (browser based Outlook), and not for any other email service or program.

Within Outlook Web Access, is there a way to tell whether or not an email was spoofed? For example, if I receive an email from “boss@company.com”, how can I be sure that the email is from “company.com” and not spoofed?

There is an option in Outlook to direct all messages from outside the organization to the junk folder, but I found that this feature is not reliable. Spoofed messages still get through.

How to protect from being the spoofed number on caller ID?

The question How to protect from caller-id spoofing? focuses on how to protect oneself from incoming calls with spoofed caller ID information.

This question is about how to protect oneself when someone is using your number in spoofed caller ID to place calls to others (e.g. to check if a target number is still “live”). A certain subset of those called get angry, call back demanding to be taken off the call list, file complaints, get the number on blacklists that prevent legitimate use, etc.; the spoofer is hurting both the called party and the party whose number is being used. What can the latter party do to protect themselves from these consequences?

Get client ip address that is not spoofed

I am using the following source code to get a client IP address:

    Public Shared Function GetIPAddress() As String
        Dim context As System.Web.HttpContext = System.Web.HttpContext.Current
        ' Value of the X-Forwarded-For request header, if any proxy (or the client) set it
        Dim sIPAddress As String = context.Request.ServerVariables("HTTP_X_FORWARDED_FOR")
        If String.IsNullOrEmpty(sIPAddress) Then
            ' No header: fall back to the address of the TCP peer
            Return context.Request.ServerVariables("REMOTE_ADDR")
        Else
            ' Header present: take the leftmost entry of the comma-separated list
            Dim ipArray As String() = sIPAddress.Split(New [Char]() {","c})
            Return ipArray(0)
        End If
    End Function

But I have found that HTTP_X_FORWARDED_FOR can be easily spoofed using X-FORWARDED-FOR HTTP header. Is it correct?

Can REMOTE_ADDR also be spoofed? If yes, then what can one rely upon from a security point of view?

Note: my only concern is with clients that receive the response, not with one that spoofed the IP at the TCP level and will not get the response.
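As an added example (not the poster's code, and in Python rather than the post's VB.NET, with the proxy ranges as assumed values), the same lookup done so that a client who wants the response cannot choose its own address: REMOTE_ADDR is trusted as the TCP peer, and X-Forwarded-For is honoured only when that peer is one of your own proxies, reading the chain from the right. The post's leftmost-entry logic is kept beside it for comparison.

```python
import ipaddress

# Assumed value: the address ranges of the reverse proxies / load balancers we run.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.10/32")]

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def naive_client_ip(remote_addr, x_forwarded_for=None):
    """The post's logic: leftmost X-Forwarded-For entry, believed unconditionally."""
    if x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr

def client_ip(remote_addr, x_forwarded_for=None):
    """Client address, honouring X-Forwarded-For only as far as our own proxies vouch for it.

    remote_addr (REMOTE_ADDR) is the TCP peer: a client that wants the response has to
    complete the handshake from that address, so it is the one value we can rely on.
    Each proxy appends the peer it saw to X-Forwarded-For, so the chain is read from the
    RIGHT: skip our own proxies, and the first address that is not ours is the client.
    Everything to its left was supplied by the client and is untrusted.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer):
        return str(peer)  # direct connection: the header is entirely client-controlled
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop here rather than trust anything to its left
        if not is_trusted(addr):
            return str(addr)
    return str(peer)  # header empty, malformed, or only our own proxies: fall back to the peer
```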