Discussion Reply to spoofing email gets answer from spoofer. How?

Toggle sidebar Toggle sidebar
Status
Not open for further replies.
Hlsgsz

Hlsgsz

Champion
Feb 29, 2016
8,003
5
51,415
Please consider this scenario, all while using Gmail's web client in an upto date and secure browser:
Someone receives a legit email containing important information and, after a few hours, a spoofed email containing the same, but with some vital information altered. Gmail sais that it can't verify the identity(SPF failure), but said person unattentively replies to the bad email.

Now, here is the part I can't figure:
A reply arrives from the spoofer(again, with failed SPF), even if the victim's reply was directed towards the correct email address(there was no reply-to in the bad email and the return path was set to the proper address). How can bad actors achieve this and where do you think the breach in confidence is most likely, on the victim's side or with the owners of the legit email on the other side. So far as I can tell, the pc used is clean.

Thank you!
 
Ralston18

Ralston18

Titan
Moderator
Oct 11, 2014
34,894
3,324
146,290
Perhaps the "reply" did not actually get back to the spoofers.

The spoofer's simply sent another email pretending that they got a reply.

Just fudged the second email enough to appear to have done so.

I get regular "junk" mail that uses a similar approach using words and phrasing to make it look as if I failed to do something. E.g., "You have yet to....." sort of language. Often referring to a previous, non-existing correspondence.

And rather realistic phone calls from "Jim" in "Shipping" claiming my shipment is ready....

Scammers, crooks, etc. are very igneous when it comes to such things.
 
Hlsgsz

Hlsgsz

Champion
Feb 29, 2016
8,003
5
51,415
Ralston18 said:
Perhaps the "reply" did not actually get back to the spoofers.

The spoofer's simply sent another email pretending that they got a reply.
Click to expand...

No, the reply was precise and in the right context. The victim replied with a (unpredicatable) question and the spoofers answered.
So, in your opinion, am I correct in assuming that a reply to a spoofed email should arrive at the proper address, not the spoofers? If so, I am assuming this to be some sort of man-in-the-middle attack on the other side, since the victim was using Gmail in a browser(HTTPS). Either that, or some sort of remote access to the victim's computer, but I scanned it thouroughly with a good AV.
 
rgd1101

rgd1101

Don't
Moderator
Nov 7, 2011
73,304
3,854
176,290
If only email from that one sender having issue. would assume that the issue.

but then not sure what this "some vital information altered", so it might be only targeting that sender too.
 
Ralston18

Ralston18

Titan
Moderator
Oct 11, 2014
34,894
3,324
146,290
Way out of my comfort zone now.

But I got to wondering about using BCC to hide another "reply" to the spoofer(s).

No way for me to figure out the forensics involved but just reading more about "failed SPF" led me to believe that discovering what went astray may take some effort.

Again, I am out of my comfort zone but I do believe what happened can be worked out if that is deemed a "must do".

For example; the following link may be suggestive with respect to what happened and how.

https://support.gfi.com/hc/en-us/ar...different-results-in-Sender-Policy-Framework-

And this next link gets even more involved.

View: https://www.reddit.com/r/sysadmin/comments/aph6ee/lets_talk_about_email_spoofing_and_prevention_alt/?st=k05nodh2&sh=3d4026b6


But that work must be done by someone who can readily delve into all of the related configuration settings, logs, etc..

Reverse engineering may uncover the flaw.
 
ex_bubblehead

ex_bubblehead

Titan
Moderator
Aug 24, 2012
16,248
1,517
87,240
The "From:" field is just a text field that can contain any text at all. It is NOT definitive. You have to parse the headers to deduce the actual sender, which is what your email application uses when replying. This is the way email has worked since day 1 all those decades ago. And one should NEVER reply to spam as all it does is confirm a live mailbox.
 
Hlsgsz

Hlsgsz

Champion
Feb 29, 2016
8,003
5
51,415
ex_bubblehead said:
The "From:" field is just a text field that can contain any text at all. It is NOT definitive. You have to parse the headers to deduce the actual sender, which is what your email application uses when replying. This is the way email has worked since day 1 all those decades ago. And one should NEVER reply to spam as all it does is confirm a live mailbox.
Click to expand...
I actually did one better and checked the code of the actual reply sent by the victim and it did go to the proper email address, yet the spoofers replied..
 
Hlsgsz

Hlsgsz

Champion
Feb 29, 2016
8,003
5
51,415
Ralston18 said:
Way out of my comfort zone now.

But I got to wondering about using BCC to hide another "reply" to the spoofer(s).

No way for me to figure out the forensics involved but just reading more about "failed SPF" led me to believe that discovering what went astray may take some effort.

Again, I am out of my comfort zone but I do believe what happened can be worked out if that is deemed a "must do".

For example; the following link may be suggestive with respect to what happened and how.

https://support.gfi.com/hc/en-us/ar...different-results-in-Sender-Policy-Framework-

And this next link gets even more involved.

View: https://www.reddit.com/r/sysadmin/comments/aph6ee/lets_talk_about_email_spoofing_and_prevention_alt/?st=k05nodh2&sh=3d4026b6


But that work must be done by someone who can readily delve into all of the related configuration settings, logs, etc..

Reverse engineering may uncover the flaw.
Click to expand...

Thanks for the resources. I'll post here if I ever manage to figure out what's what.
 
Status
Not open for further replies.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom