Why do phishing e-mails use faked e-mail addresses instead of the real one?
I read that you can write anything into the "from" field of an e-mail. If that is true, then why are phishing e-mails trying to trick me with look-a-like addresses like service@amaz0n.com instead of just using the actual service@amazon.com itself?
email phishing
edited 11 hours ago by schroeder♦
asked 12 hours ago by JFB
4
You could tell everyone that you are the Pope, and there is nothing that prevents you from doing that. But those who know who the Pope is would recognise that you are lying. Email has this verification process.
– schroeder♦
11 hours ago
2 Answers
While one could create a mail with @amazon.com as SMTP envelope and/or From field of the mail header, the mail would likely be blocked since this domain is protected with SPF, DKIM and DMARC. This means that a spoofed mail would be detected as such and get rejected by many email servers. Contrary to this, using another domain which is not protected this way or which is protected but controlled by the attacker is more successful.
To explain in short what these technologies do:
- SPF: Checks if the sender IP address is allowed for the given SMTP envelope (SMTP.MAILFROM). dig txt amazon.com shows that a SPF policy exists.
- DKIM: The mail server signs the mail. The public key to verify the mail is retrieved using DNS. Amazon uses DKIM as can be seen from the DKIM-Signature fields in the mail header.
- DMARC: Aligns the From field in the mail header (RFC822.From) with the domain of the DKIM signature for DKIM or the domain of the SMTP envelope for SPF. If an aligned and successful SPF/DKIM exists the DMARC policy matches.
Neither SPF nor DKIM on their own help against spoofing of the From field in the mail header. Only the combination of at least one of these with DMARC protects against such header spoofing.
edited 5 hours ago
answered 11 hours ago by Steffen Ullrich
2
For someone who's not familiar with the initialisms (as I'm guessing OP also isn't), what do they mean/refer to?
– V2Blast
8 hours ago
9
SPF = Sender Policy Framework en.wikipedia.org/wiki/Sender_Policy_Framework. DKIM = Domain Keys Identified Mail en.wikipedia.org/wiki/DomainKeys_Identified_Mail. DMARC = Domain-based Message Authentication, Reporting and Conformance en.wikipedia.org/wiki/DMARC
– Mike McManus
8 hours ago
2
SPF and DMARC are publicized via DNS. DKIM is a header on valid email messages themselves.
– Mike McManus
8 hours ago
1
@MikeMcManus DKIM keys are published in DNS too, else you'd have nothing to use to verify the header.
– AndrolGenhald
7 hours ago
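The alignment rule described in the answer above, as an added example that is not part of the original answers: it shows why a message can pass SPF and DKIM yet fail DMARC, and why a look-alike domain passes all three. The SPF/DKIM verdicts are passed in as already-computed inputs; attacker.example, bounces.amazon.com and the "reject" policy are constructed values, and org_domain is a simplification of the Public Suffix List lookup real receivers use.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification (assumption): treat the last two labels as the
    # organizational domain. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment: organizational domains must match.
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(raw, spf_result, mailfrom_domain, dkim_results, policy):
    """spf_result and dkim_results are verdicts the receiving server has
    already computed; dkim_results is a list of (result, d= domain)."""
    from_headers = message_from_string(raw).get_all("From", [])
    if len(from_headers) != 1:  # zero or several From headers: cannot align
        return {"from_domain": None, "dmarc": "fail", "disposition": policy}
    from_domain = parseaddr(from_headers[0])[1].rpartition("@")[2].lower()
    spf_aligned = spf_result == "pass" and aligned(mailfrom_domain, from_domain)
    dkim_aligned = any(r == "pass" and aligned(d, from_domain)
                       for r, d in dkim_results)
    ok = spf_aligned or dkim_aligned
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc": "pass" if ok else "fail",
            "disposition": "deliver" if ok else policy}

# Constructed sample messages and verdicts (not captured mail).
def msg(addr):
    return f"From: Customer Service <{addr}>\nSubject: Your order\n\nHello\n"

def demo():
    return {
        # Header claims amazon.com, but SPF and DKIM passed for another domain.
        "spoofed": dmarc_evaluate(msg("service@amazon.com"), "pass",
                                  "attacker.example",
                                  [("pass", "attacker.example")], "reject"),
        # Envelope subdomain and DKIM d= both belong to the From domain.
        "genuine": dmarc_evaluate(msg("service@amazon.com"), "pass",
                                  "bounces.amazon.com",
                                  [("pass", "amazon.com")], "reject"),
        # Look-alike domain whose owner publishes matching SPF/DKIM/DMARC.
        "lookalike": dmarc_evaluate(msg("service@amaz0n.com"), "pass",
                                    "amaz0n.com",
                                    [("pass", "amaz0n.com")], "reject"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The look-alike case passes because every check is made against amaz0n.com itself: DMARC authenticates the domain in the From field, not its resemblance to another domain.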
- The phisher may be hoping to get any replies to send to that address.
- They are trying to avoid the various frameworks that exist to prevent spoofed "from" fields from being perceived as authentic by a human user.
Using this tool I was able to check that amazon.com does have SPF configured. Of course it's on your email client to check DNS for SPF, but most people's clients do do that.
answered 11 hours ago by ShapeOfMatter
5
SPF doesn't protect the From: header, but the envelope sender.
– Esa Jokinen
11 hours ago