Spoof emails - protecting your brand
At Email Reaction we have already introduced SPF for all clients' domains where we run the Domain Name Servers (DNS). For more on protecting your brand, read on ...
It used to be so simple. You’d get out a sheet of Basildon Bond and your fountain pen, write what you had to say and then get it delivered. Chances are the postman knew everybody in the street he was delivering to, so wouldn’t hand over your letter to a complete stranger. And if someone did decide they were going to write a few hundred thousand spoof letters to complete strangers in your name, writer’s cramp would kick in before they got into triple digits.
But now you can contact thousands, millions of people by email at the touch of a button – with our help of course – and you may have valued and trusted relationships with customers and other businesses that you rarely if ever physically meet. It’s hardly surprising then that there are people out there who want to hijack these valued and trusted relationships for their own ends – often commercial, sometimes just plain silly.
Spoof emails can run along the lines of… the President of the United States wants you to buy some Viagra from him. I think not, but your clients are discovering similar emails (often more believable, invariably irritating) cluttering up their inboxes as you read this.
What is Email Reaction doing to help its clients?
The question is: what can you do to ensure that the email you have carefully targeted at your customers, or potential customers, makes it to their inboxes and your email reputation isn’t hijacked by purveyors of bogus erectile dysfunction pharmacopoeia and dodgy software? Actually, that isn’t the question. The question is: what has Email Reaction already done so that you don’t have to do anything?
The current problem with spoof email stems from how it is sent. Simple Mail Transfer Protocol (SMTP) is a protocol for sending e-mail messages between servers, the machines that then serve up that email to the intended recipient. Most email systems use SMTP, but one of its flaws is the ease with which untruths can be put in the "from" and "to" address fields.
Someone can pretend to be sending email from the Queen, Bill Gates, or Mr. Bush with his stash of Viagra. They can pretend to be sending from you. It doesn't matter if they don’t have any connection with the address that they're claiming to be sending from, or even the domain (the bit after the @).
At this stage I need to make an apology. It is impossible to write something about spoof email without throwing acronyms around like confetti. Some you will be entirely familiar with, others less so. So here goes.
SPF & Sender ID
The confetti starts with SPF – or Sender Policy Framework – and this is one way to detect a forgery in the "from" address. It allows each domain owner – you or your internet service provider (ISP) – to publish a complete list of the mail servers that are allowed to send mail for your domain. This means that if any other machine claims to be sending mail for you, the recipient's mail server (or ISP) can easily tell that it's a forgery.
SPF fights return-path address forgery and makes it easier to identify spoofs.
Domain owners identify sending mail servers in Domain Name System (DNS), which turns domain names – such as your web address – into Internet Protocol (IP) addresses. SMTP receivers verify the sender address against this information, and can distinguish authentic messages from forgeries before any message data is transmitted.
Sender ID is an extension to SPF and incorporates two technologies:
1) SPF records – that list of mail servers allowed to send mail on your behalf.
2) Validation of the Purported Responsible Address (PRA). This is a mechanism for validating that the "headers", which contain information about you and the path the email follows to get to the intended recipient, have not been tampered with and that, therefore, the "from" address is valid. This is a proprietary Microsoft extension to SPF and because of this, there is debate in the internet community as to whether this aspect of Sender ID will be widely adopted. Another acronym for Sender ID is SIDF (Sender ID Framework). I warned you about the acronyms.
Creating SPF records
To create SPF records, the domain owner adds some information to the "zone file"; this is the file that contains the list of all the hosts in your domain, and their corresponding IP addresses. The information from this file then gets distributed to all the DNS servers around the world. The information lists the servers (effectively by IP address) that are allowed to send email for the domain. Mail servers which are receiving email can then check the IP address of the mail server which is sending the email and decide if it's a forgery or not.
SPF does not decide if the email is spam or not, just if the sending address is a forgery. For example, somebody sending junk from MySpamCompany12345.com could pass the SPF test simply by registering SPF records for that domain. However, it does prevent them from sending junk from george@thewhitehouse.com or you@yourcompany.com, thus blackening your reputation amongst your customers, or – in George’s case – the American people's.
SPF is now becoming a de facto standard, and many organisations – including AOL and Hotmail – have stated that they will reject email that doesn't pass the SPF test from this autumn. So the time to act is now, and get SPF records registered. Now, this is the good bit…
If you are an Email Reaction customer reading this – do nothing. We have already done this for all clients' domains where we run the DNS servers, and, if you run your own, we can supply the necessary details for you to set up your DNS correctly.
But SPF isn't perfect
Unfortunately, SPF is not perfect. It relies on checking the IP address that is sending the email. There is a theoretical risk that spammers could start to forge or "spoof" the IP address.
We stress that this is a theory, but we suspect that it will be technically possible, and will be adopted by the spammers in time. It will make life more difficult for the spammers because the spoofing needs to be "blind". The SMTP protocol used for sending email involves a conversation between two computers. If the sender's IP address is being spoofed, then the replies from the receiver will go to the wrong place. So the sender won't "hear" the replies.
However, it can make reasonable guesses about what those replies are, and just continue to try to send regardless. So some of the attempted email sends will fail – because the sender guesses the replies incorrectly – but some will work, and the sender will successfully send an email, apparently from the "trusted" IP for that domain. This will be a prize worth the effort for spammers, because it'll be much more likely that their spoofs will be delivered and bypass other types of filtering.
There are other authentication schemes, for example Yahoo's DomainKeys proposal, which avoid the problem of IP spoofing. Unfortunately, none of these have yet achieved anything like the critical mass required for widespread acceptance. Until they do, SPF is the best bet for email authentication.