Filtering Spoofed Emails

Do you get a lot of spoofed messages about your “World of Warcraft” account? Do you not have a “World of Warcraft” account? Annoying, isn’t it? Even if you set up your gmail to receive messages at username+alias@gmail.com and filter on the recipient field, these messages often get through because they use the proper value in the To field. And the From field will read something like …..@realplace.com, but of course they’re not sending it from realplace. So how do you tell the posers from the real thing? Take a look at the full message source: in gmail, hit the down arrow next to Reply when viewing the message and choose “Show original”. This shows the unformatted headers of the message, including the identity of the real sender. There are a few fields of interest:
From: obviously this is the first place to look. Generally it’s composed of two parts: first a claimed name and then an account name. Both are actually spoofable, but we’re relying on the ineptitude of these folk to work in our favor, and the first is the one that’s easily spoofed. So if I get an email from
From: “service@paypal.com”
it’s easy to tell that it’s not actually originating from PayPal. Here a good filter would be “” in the “has words” field. This will actually save you a great deal of spam.

Other fields of interest (but less usable) are:
The Sender field. Here is an example pulled from the same email: “Sender: williamsrnd9@gmail.com”. So you can see that this spammer actually isn’t totally incompetent, because the From field is spoofed enough to look like it’s coming from “post.com” instead of “gmail.com”. It’s possible that they’re even avoiding @paypal.com because that would be flagged as spam by gmail. Unfortunately the Sender field is not usable in filters in gmail now; who knows why.
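The two checks above (an e-mail address smuggled into the From display name, and a Sender header at a different domain than the From address) can be run over the “Show original” source outside of gmail’s filter UI. The script below is an added example, not code from the original post; the message in SAMPLE_SOURCE is constructed to mirror the pattern described, and the function names are my own.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample in the shape the post describes: the display name is
# itself an address at a trusted-looking domain, while the real mailbox and
# the Sender header live elsewhere. Not a real message.
SAMPLE_SOURCE = """\
From: "service@paypal.com" <billing-notice@post.example>
Sender: williamsrnd9@gmail.example
To: username+alias@gmail.example
Subject: Your account has been limited

Please log in to restore access.
"""

# Matches an e-mail address anywhere in a string and captures its domain.
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain of an address, or '' if it has none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def spoof_indicators(raw: str) -> list[str]:
    """Return human-readable reasons the message looks spoofed.

    An empty list means none of the checks fired; it does not prove the
    message is genuine, since every header here can be forged.
    """
    msg = email.message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. The display name is itself an address at a different domain.
    m = EMAIL_IN_NAME.search(name)
    if m and m.group(1).lower() != from_dom:
        reasons.append(f"display name claims {m.group(1)} but address is @{from_dom}")

    # 2. Sender (the account that actually submitted the mail) is at a
    #    different domain than the From address.
    sender_dom = domain_of(parseaddr(msg.get("Sender", ""))[1])
    if sender_dom and sender_dom != from_dom:
        reasons.append(f"Sender is @{sender_dom} but From is @{from_dom}")

    return reasons


if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE_SOURCE):
        print("suspicious:", reason)
```

Paste a real “Show original” dump in place of SAMPLE_SOURCE to run the same checks on your own mail.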

When in doubt, always check the message center (or whatever it’s called) on the site in question. This is the one instance where closed source saves us, as it’s harder to spoof those messages. Granted, if gmail were open source we could just filter on the Sender field, or even on the originating IP address, and we wouldn’t be in this bind in the first place. Seriously, how cool would that be: to tag emails with geographic locations on the basis of IP address, so emails actually come “from” somewhere instead of just magically appearing. It’s going to be a thing.

Posted in Tech. 1 Comment »

One Response to “Filtering Spoofed Emails”

  1. bob marley Says:

    this is often where google ignores requests to filter arbitrary [X-]headers :(
