Discussion Reply to spoofing email gets answer from spoofer. How?

Please consider this scenario, all while using Gmail's web client in an upto date and secure browser:
Someone receives a legit email containing important information and, after a few hours, a spoofed email containing the same, but with some vital information altered. Gmail sais that it can't verify the identity(SPF failure), but said person unattentively replies to the bad email.

Now, here is the part I can't figure:
A reply arrives from the spoofer(again, with failed SPF), even if the victim's reply was directed towards the correct email address(there was no reply-to in the bad email and the return path was set to the proper address). How can bad actors achieve this and where do you think the breach in confidence is most likely, on the victim's side or with the owners of the legit email on the other side. So far as I can tell, the pc used is clean.

Thank you!
 

Ralston18

Titan
Moderator
Perhaps the "reply" did not actually get back to the spoofers.

The spoofer's simply sent another email pretending that they got a reply.

Just fudged the second email enough to appear to have done so.

I get regular "junk" mail that uses a similar approach using words and phrasing to make it look as if I failed to do something. E.g., "You have yet to....." sort of language. Often referring to a previous, non-existing correspondence.

And rather realistic phone calls from "Jim" in "Shipping" claiming my shipment is ready....

Scammers, crooks, etc. are very igneous when it comes to such things.
 
Perhaps the "reply" did not actually get back to the spoofers.

The spoofer's simply sent another email pretending that they got a reply.
No, the reply was precise and in the right context. The victim replied with a (unpredicatable) question and the spoofers answered.
So, in your opinion, am I correct in assuming that a reply to a spoofed email should arrive at the proper address, not the spoofers? If so, I am assuming this to be some sort of man-in-the-middle attack on the other side, since the victim was using Gmail in a browser(HTTPS). Either that, or some sort of remote access to the victim's computer, but I scanned it thouroughly with a good AV.
 

rgd1101

Titan
Moderator
If only email from that one sender having issue. would assume that the issue.

but then not sure what this "some vital information altered", so it might be only targeting that sender too.
 

Ralston18

Titan
Moderator
Way out of my comfort zone now.

But I got to wondering about using BCC to hide another "reply" to the spoofer(s).

No way for me to figure out the forensics involved but just reading more about "failed SPF" led me to believe that discovering what went astray may take some effort.

Again, I am out of my comfort zone but I do believe what happened can be worked out if that is deemed a "must do".

For example; the following link may be suggestive with respect to what happened and how.

https://support.gfi.com/hc/en-us/articles/360012880714-What-are-the-different-results-in-Sender-Policy-Framework-

And this next link gets even more involved.

https://www.reddit.com/r/sysadmin/comments/aph6ee View: https://www.reddit.com/r/sysadmin/comments/aph6ee/lets_talk_about_email_spoofing_and_prevention_alt/?st=k05nodh2&sh=3d4026b6


But that work must be done by someone who can readily delve into all of the related configuration settings, logs, etc..

Reverse engineering may uncover the flaw.
 

ex_bubblehead

Champion
Moderator
The "From:" field is just a text field that can contain any text at all. It is NOT definitive. You have to parse the headers to deduce the actual sender, which is what your email application uses when replying. This is the way email has worked since day 1 all those decades ago. And one should NEVER reply to spam as all it does is confirm a live mailbox.
 
The "From:" field is just a text field that can contain any text at all. It is NOT definitive. You have to parse the headers to deduce the actual sender, which is what your email application uses when replying. This is the way email has worked since day 1 all those decades ago. And one should NEVER reply to spam as all it does is confirm a live mailbox.
I actually did one better and checked the code of the actual reply sent by the victim and it did go to the proper email address, yet the spoofers replied..
 
Way out of my comfort zone now.

But I got to wondering about using BCC to hide another "reply" to the spoofer(s).

No way for me to figure out the forensics involved but just reading more about "failed SPF" led me to believe that discovering what went astray may take some effort.

Again, I am out of my comfort zone but I do believe what happened can be worked out if that is deemed a "must do".

For example; the following link may be suggestive with respect to what happened and how.

https://support.gfi.com/hc/en-us/articles/360012880714-What-are-the-different-results-in-Sender-Policy-Framework-

And this next link gets even more involved.

https://www.reddit.com/r/sysadmin/comments/aph6ee View: https://www.reddit.com/r/sysadmin/comments/aph6ee/lets_talk_about_email_spoofing_and_prevention_alt/?st=k05nodh2&sh=3d4026b6


But that work must be done by someone who can readily delve into all of the related configuration settings, logs, etc..

Reverse engineering may uncover the flaw.
Thanks for the resources. I'll post here if I ever manage to figure out what's what.
 

ASK THE COMMUNITY

TRENDING THREADS