Saturday, October 6, 2018

Email spoofing

Email spoofing is the creation of email messages with a forged sender address. Because the core email protocols do not have any mechanism for authentication, it is common for spam and phishing emails to use such spoofing to mislead the recipient about the origin of the message.

Technical detail

When an SMTP email is sent, the initial connection provides two pieces of address information:

  • MAIL FROM: - generally presented to the recipient as the Return-path: header but not normally visible to the end user; by default no checks are done that the sending system is authorized to send on behalf of that address.
  • RCPT TO: - specifies which email address the email is delivered to; it is not normally visible to the end user but may be present in the headers as part of the "Received:" header.

Together these are sometimes referred to as the "envelope" addressing, by analogy with a traditional paper envelope. Unless the receiving mail server signals that it has problems with either of these items, the sending system sends the "DATA" command, and typically sends several header items, including:

From: Joe Q Doe < > - the address visible to the recipient;

but again, by default no checks are done that the sending system is authorized to send on behalf of that address.

Reply-to: Jane Roe < > - similarly not checked

and sometimes:

Sender: Jin Jo < > - also not checked.

The result is that the email recipient sees the email as having come from the address in the From: header; they may sometimes be able to find the MAIL FROM address; and if they reply to the email it will go to either the address presented in the From: or Reply-to: header - but none of these addresses are typically reliable, so automated bounce messages may generate backscatter.

Use by spam and worms

Malware such as Klez and Sober and many more modern examples often search for email addresses within the computer they have infected, and use those addresses both as targets for email, but also to create credible forged From fields in the emails that they send, so that these emails are more likely to be opened.

For example:

Alice is sent an infected email which she opens, running the worm code.

The worm code searches Alice's email address book and finds the addresses of Bob and Charlie.

From Alice's computer, the worm sends an infected email to Bob, but forged to appear to have been sent by Charlie.

In this case, even if Bob's system detects the incoming mail as containing malware, he sees the source as being Charlie, even though it really came from Alice's computer; meanwhile Alice may remain unaware that her computer has been infected.

Fooling media

It has happened that the media printed false stories based on spoofed e-mails.

In October 2013, an e-mail which looked like it was from the Swedish company Fingerprint Cards was sent to a news agency, saying that Samsung had offered to purchase the company. The news spread and the company's share price surged by 50%. It was later discovered that the e-mail was a fake.

Legitimate use

In the early Internet, "legitimately spoofed" email was common. For example, a visiting user might use the local organization's SMTP server to send email from the user's foreign address. Since most servers were configured as "open relays", this was a common practice. As spam email became an annoying problem, these sorts of "legitimate" uses fell out of favor.

When multiple software systems communicate with each other via email, spoofing may be required in order to facilitate such communication. In any scenario where an email address is set up to automatically forward incoming emails to a system which only accepts emails from the email forwarder, spoofing is required in order to facilitate this behavior. This is common between ticketing systems which communicate with other ticketing systems.

The effect on mailservers

Traditionally, mail servers could accept a mail item, then later send a Non-Delivery Report or "bounce" message if it couldn't be delivered or had been quarantined for any reason. These would be sent to the "MAIL FROM:" (also known as "Return Path") address. With the massive rise in forged addresses, best practice is now not to generate NDRs for detected spam, viruses, etc., but to reject the email during the SMTP transaction, while the sending system is still connected. When mail administrators fail to take this approach, their systems end up sending "backscatter" emails to innocent parties - in itself a form of spam - or being used to perform "Joe job" attacks.

Identifying the source of the email

Although email spoofing is effective in forging the email address, the IP address of the computer sending the mail can generally be identified from the "Received:" lines in the email header. In many cases this is likely to be an innocent third party infected by malware that is sending the email without the owner's knowledge.

The SSL/TLS system used to encrypt server-to-server email traffic can also be used to enforce authentication, but in practice it is seldom used, and a range of other potential solutions have also failed to gain traction.

However a number of effective systems are now widely used, including:

  • SPF
  • Sender ID
  • DKIM

Although their use is increasing, estimates vary widely as to what percentage of emails have no form of domain authentication: from 8.6% to "almost half". To effectively stop forged email being delivered, the sending domains, their mail servers, and the receiving system all need to be configured correctly for these higher standards of authentication.

As modern countermeasures prevent spammers from spoofing the envelope-from address, many have moved to utilising the header-from address, which is what the recipient user sees, rather than the envelope address processed by the recipient MTA. Proprietary measures beyond the scope of the SPF specification are required to protect against some forms of header-from spoofing.
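As an added example (not part of the original article), the following Python script does two things the text describes: it walks the "Received:" chain to find the connecting IP, as discussed under "Identifying the source of the email", and it compares the envelope sender (Return-Path) with the visible From: and Reply-To: headers, the envelope-versus-header distinction from "Technical detail" and the header-from spoofing noted in the paragraph above. The message, hosts and addresses are constructed, and the set of trusted relay hosts is an assumption about the receiving site.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): the envelope sender is the
# sending site's own domain, the visible From: claims to be Charlie, and the
# bottom Received: line was written by the sending site itself, not by us.
RAW_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10]) by inbox.example.net with ESMTP; Sat, 6 Oct 2018 10:00:00 +0000
Received: from mail.sender-example.org (unknown [198.51.100.77]) by mx1.example.net with ESMTPS; Sat, 6 Oct 2018 09:59:58 +0000
Received: from charlie-pc (charlie-pc [10.0.0.5]) by mail.charlie-example.com with SMTP; Sat, 6 Oct 2018 09:50:00 +0000
Return-Path: <bounce@sender-example.org>
From: Charlie <charlie@charlie-example.com>
Reply-To: Jane Roe <jane@sender-example.org>
To: Bob <bob@example.net>
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[([\d.]+)\].*?\bby\s+(\S+)", re.S | re.I)

def parse_received(value):
    """Return (from_host, ip, by_host) from one Received: line, or None."""
    m = RECEIVED_RE.search(value)
    return m.groups() if m else None

def originating_ip(raw, trusted_hosts):
    """Walk Received: lines newest-first. A line can only be trusted if the
    host that wrote it ('by') is one of ours (trusted_hosts is an assumed
    set); anything below the first line written by an outside host may
    have been forged by the sender, so stop there."""
    last_ip = None
    for value in message_from_string(raw).get_all("Received", []):
        hop = parse_received(value)
        if hop is None or hop[2].lower() not in trusted_hosts:
            break
        last_ip = hop[1]
    return last_ip

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def envelope_vs_header(raw):
    """Compare the envelope sender (Return-Path) with the visible From:
    and Reply-To:; 'aligned' is the domain check SPF alone does not make."""
    msg = message_from_string(raw)
    env = parseaddr(msg.get("Return-Path", ""))[1]
    hdr = parseaddr(msg.get("From", ""))[1]
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    return {"envelope_from": env, "header_from": hdr, "reply_to": reply,
            "aligned": domain_of(env) == domain_of(hdr)}
```

Trusting the bottom-most Received: line would report 10.0.0.5, a line the sending site wrote itself; walking down only through lines added by your own relays ({"inbox.example.net", "mx1.example.net"}) gives 198.51.100.77, the host that actually connected.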

© From Wikipedia, the free encyclopedia

Friday, June 20, 2014

Russian ex-banker Andrei Borodin wins asylum in UK

A Russian ex-banker who fled to London in 2011 after being accused of alleged fraud has been granted political asylum in the UK, the BBC has learnt. Announcing the news earlier to a Moscow newspaper, Andrei Borodin said the legal case against him in Russia was politically motivated.

BBC News established Mr Borodin had indeed been granted asylum.

Russia's interior ministry says it will continue to seek the extradition of the former Bank of Moscow president. He and another former official at the bank are both being sought by Russia over a 2010 criminal case involving a loan worth 12.8bn roubles ($419m; £276m; 319m euros). An Interpol "red notice" has been posted for Mr Borodin, which states he is wanted by Russia for fraud. In October, the Russian interior ministry said assets belonging to Mr Borodin and the other former official worth more than £265m had been frozen in bank accounts in Switzerland, Belgium and Luxembourg. Andrei Borodin's successful claim is likely to cause new problems in the relationship between Moscow and London, reports the BBC's Daniel Sandford from Moscow. The Kremlin has been infuriated by the way that several high-profile businessmen fleeing justice in Russia - like the billionaire Boris Berezovsky - have been granted political asylum in Britain, our correspondent notes.


'Politically driven'

Mr Borodin is perhaps best known in the UK for buying Britain's most expensive house in 2011, paying £140m for Park Place Estate, near Henley-on-Thames in Oxfordshire. Speaking to Vedomosti newspaper, he said he had been granted political asylum in the UK "a few days ago" after his lawyers submitted a request. He accused Russian Prime Minister Dmitry Medvedev, who was the country's president when the criminal case was launched, of being the "chief initiator of all this persecution and hounding". Speaking later to BBC News, Mr Borodin accused the Kremlin of ordering his prosecution. "At some point the Kremlin issued an order to the law enforcement agencies and they continue tirelessly working and executing this political order," he said. Responding to news of Mr Borodin's case, Mr Medvedev's press secretary, Natalya Timakova, said the charges against the ex-banker were of an "ordinary criminal nature". "The practice of obtaining political asylum, especially in England, has been reduced to having no regard for what the applicant has done..." she was quoted as saying by Russian media. "The main thing is to cry political persecution as loud as possible." Following Mr Borodin's departure from Russia, Bank of Moscow, the country's fifth-biggest bank, was given the biggest bailout in Russian history, worth $14bn. Another bank, VTB, had gained control through a hostile bid, only to uncover bad loans valued at $9bn - a third of the bank's assets. © BBC

Present family name : BORODIN
Forename : ANDREY
Sex : Male
Date of birth : 24/05/1967 (47 years old)
Place of birth : MOSCOW CITY, Russia
Language spoken : Russian
Nationality : Russia
CHARGES Published as provided by requesting entity
Charges : aggravated swindling

Andrey Borodin (born Moscow, May 24, 1967) is a Russian financial expert, economist and businessman who until 2011 was President of Bank of Moscow. He and his first deputy Dmitri Akulinin were dismissed from office by the court for the period of the investigation into the Premier Estate criminal case, charged with abuse of authority. In April 2011, the meeting of the bank's shareholders dismissed them. Since April 2011, Borodin has lived in London, England, and since November 2011 he has been on an Interpol Red Notice, wanted as a suspect in a 13-billion-rouble fraud committed in Bank of Moscow under his governance. In August 2012 he bought Park Place, Britain's most expensive house, near Henley-on-Thames. He was granted political asylum in the UK in February 2013. © WIKIPEDIA