Email Spoofing and Protection

Status
This thread has been locked.

Ally

I posted this on another thread, which you should 100% read through:
No. There is no credential forging going on here.

What is going on here is the following: Emails aren't secure essentially. Most modern computer systems have checks in place to determine whether someone is legitimate or not. Won't go into detail about them here but you can Google various things like email spam verification, etc. In emails you have a bunch of fields composed in a header (most email clients will have a View Source button to show this), including the from header. Much like HTTP, the headers are entirely changeable and settable. This includes the From header. As I mentioned before, many email services have protective measures - but some don't (obviously). On the outgoing side, you'll have a bunch of headers verified - and then again on the incoming side (though it's much harder to check, it's why blacklists are a thing). Essentially changing a single header without credential hacking will allow you to spoof an email, and I encourage you to try it addressing an email to yourself on a custom client (you can write one in a language which sets the From address) to show how they get blocked.

This is an example of one I did a year ago. Unfortunately it sends through your email server, and other various tidbits, and while you can set one up yourself, residential IPs are blocked on a global email blacklist sort of thing. (It's really hard to make one that passes various security checks). This email got blasted as spam.

5723998b-cd48-4596-b9a4-29a6928c382d.png

If you have any questions, queries or amendments you'd like, please leave a message here.

I'd like to extend my response to this person and to everyone as to how to protect yourself from phishing on a fundamental level. Going down from simplest, and most fundamental, to trickier and more intricate:
  1. Ensure that your private credential-based accounts, logins, etc., are placed across either one or more various private emails. I do not recommend one email but if you really want to, absolutely make sure you have 2FA and even 3FA if your email provider offers it. At a fundamental level your email should be the hardest thing to be hacked as it facilitates the rest of your accounts/logins. I say this because you only want 1 point of weakness, and that's just yourself, socially. You don't want to be putting your attention to both protecting yourself constantly on a digital level AND social level.
  2. Pay attention to all incoming emails. If you see an email requesting to reset your password or to provide any information whatsoever, be very very wary. Companies typically will never send you reset emails and if they do, they won't include a link or they'll phrase it in an indirect way. This includes if a website gets compromised.
  3. DO NOT CLICK ANY LINKS IN ANY UNSOLICITED INCOMING EMAILS. EVEN JUST OPENING ONE CAN COMPROMISE YOUR ACCOUNT. DON'T EVEN COPY + PASTE. DON'T EVEN HOVER.
  4. Pay attention to Tweets, PSAs or other messages sent out by companies. They will list common scams relating to the company (such as supermarkets + scammer gift card requests). The only emails you should receive are updates if anything, or responses for you when you make an email.
  5. Read, re-read and re-read again all of the email. Should you spot a grammar error, spelling error, or other basic English mistake, please please please put your internal alarm on. Larger companies have editors and other people to read and re-read their external and internal emails and therefore should make very few mistakes. If you have trouble distinguishing between broken and regular English, there are sites you can go to see.
  6. Click View Source on your email. This only sometimes works because typical phishers can sometimes be stupid enough to make such a silly small mistake. You need to look for return-path, from, and any other various IPs and emails that might show up in the header. It's tedious but if you spot any sort of mismatch, it will absolutely be worth it.
Emails are a much outdated system, but they still perform up to scratch today with many flaws including other systems. A lot of the time the main issue is Social Engineering, which relies on people themselves rather than computer systems.

Stay smart, nerds.
 

Ghast

Thanks ally for this. On the brighter side, emails are faster to load than discord on mobile Kappa
 

utaninja

I'm not an expert but here's some tips to add to this for having a safe and secure email.

  • Ensure that you have a unique password. Password managers like Bitwarden can help you have unique passwords for each account without losing them.
  • Enable 2FA via an authenticator app. Not email or text authenticator because those are more vulnerable.
  • Enable 2FA on that authenticator app.
  • Use another company besides Gmail for emails. Email services like ProtonMail and Tutanota can offer secure emails that will make your accounts MUCH safer. (This is a good reference to understand this and have a guide: https://www.privacytools.io/providers/email/)
  • Do not open spam/scam emails. Read the email first of all. If clicked, avoid clicking anywhere inside the email. There can be hidden images that cover the whole page that will download malicious software on your account.
  • Do not click inside emails that you don't know, much less links.
  • Limit using connected accounts or logging in through Google accounts. Although it might be easier, it jeopardizes your security more.
  • Email services have built-in unsubscribe functions. You do not ever need to click unsubscribe.
uh yea just off my head enjoy
 

Maddy

So you're telling me the Nigerian Prince who will give me his $10,000,000 USD inheritance is fake? It's only $100 from my end to get him out of jail so he can collect it!

On another note very good post Ally.
 

Ally

So you're telling me the Nigerian Prince who will give me his $10,000,000 USD inheritance is fake? It's only $100 from my end to get him out of jail so he can collect it!
I'm 99% sure that's actually real, you could make an epic profit out of that! Hehe.
On another note very good post Ally.
Thanks :)
 

Ally

Something you didn't mention is to set up DMARC if you're hosting your own email or have a custom domain for your email.
Yeah, I'm not a specialist or anything so I can't really comment on actually setting up your own email. It's also one of the reasons why I didn't go into extra detailed specifics (other than the fact it would take more than a thread's worth of content to convey). It's probably worth mentioning elsewhere (if you want to make a thread maybe), though.
 

croissant222

"
  1. DO NOT CLICK ANY LINKS IN ANY UNSOLICITED INCOMING EMAILS. EVEN JUST OPENING ONE CAN COMPROMISE YOUR ACCOUNT. DON'T EVEN COPY + PASTE. DON'T EVEN HOVER.
"
how?
 

Ally

I thought you can't get viruses from opening emails anymore because Gmail doesn't support scripting anymore
Yeah you can. Not everyone uses Gmail. There are always ways around it.
"
  1. DO NOT CLICK ANY LINKS IN ANY UNSOLICITED INCOMING EMAILS. EVEN JUST OPENING ONE CAN COMPROMISE YOUR ACCOUNT. DON'T EVEN COPY + PASTE. DON'T EVEN HOVER.
"
how?
Here's a good video I found recently.
 