
Is there a way to identify a spoofed user ID?

In this application security Ask the Expert Q&A, Michael Cobb explains how an organization can identify the employee who has used a spoofed user ID to intercept email exchanges.

I discovered through a return receipt that someone within my organization is intercepting e-mails. I believe he spoofed the user ID indicated on the return receipt. Is there a way in Notes to identify the device ID that initiated the return receipt?
RFC 2298, "An Extensible Message Format for Message Disposition Notifications", introduced the Disposition-Notification-To: header field in 1998. This field asks the recipient's mail program to send a read notification back to the address it names. Return receipts were widely used on the Internet before that, often via the non-standard Read-Receipt-To: field, which is why some mail clients still send both header fields. Unfortunately, e-mail headers cannot be trusted, as they are notoriously easy to fake. The sender's IP address is included in these headers, so in theory you do have a link between the sending device and the return receipt message. However, the true IP address is easy to hide, either by routing the message through forwarders or by using a zombie machine to send it without the real user knowing about it. The other possibility is that the suspect has gained access to the true intended recipient's machine.
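To make the two points above concrete, here is an added Python example (not part of the original answer) that parses a constructed return-receipt request: it pulls out both receipt headers and walks the Received: trail, then separates the one hop your own relay stamped from the hops written by other people's servers. The hosts, addresses and IPs are constructed from documentation ranges, and `own_servers` is an assumed name for the set of mail relays the organization controls.

```python
import re
from email import message_from_string, policy

# Constructed sample: a message that asks for a read notification using both the
# RFC 2298 header and the older non-standard one. Hosts, addresses and IPs are
# documentation/example values, not real systems.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [198.51.100.7]) by mx.corp.example (Postfix) with ESMTP id 1A2B3C; Mon, 3 Apr 2006 09:12:01 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5]) by mail.example.net with SMTP; Mon, 3 Apr 2006 09:11:55 +0000
From: alice@corp.example
To: bob@corp.example
Subject: Q2 figures
Disposition-Notification-To: alice@corp.example
Read-Receipt-To: alice@corp.example
Message-ID: <constructed-001@corp.example>

Please confirm receipt.
"""

RECEIPT_HEADERS = ("Disposition-Notification-To", "Read-Receipt-To")

# Matches the common "from HELO (rdns [ip]) by HOST" shape of a Received: line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\[\)]*?)\s*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def receipt_targets(raw):
    """Return the address each receipt header asks the notification to go to."""
    msg = message_from_string(raw, policy=policy.default)
    return {name: str(msg[name]) for name in RECEIPT_HEADERS if msg[name]}


def received_chain(raw):
    """Parse every Received: header, newest hop first (the order they appear in)."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append(m.groupdict())
    return hops


def border_hop(hops, own_servers):
    """Return the oldest hop in the unbroken run of hops stamped by our own relays.

    That hop's IP is the connecting address our border relay actually observed.
    Every older hop was written by someone else's server and can say anything,
    which is how a forwarder or a zombie machine hides the true origin.
    """
    border = None
    for hop in hops:  # newest first
        if hop["by"].lower() in own_servers:
            border = hop
        else:
            break
    return border


if __name__ == "__main__":
    print(receipt_targets(SAMPLE))
    chain = received_chain(SAMPLE)
    for hop in chain:
        print(f"{hop['by']} received from {hop['helo']} [{hop['ip']}]")
    trusted = border_hop(chain, {"mx.corp.example"})
    print("origin as seen by our relay:", trusted["ip"] if trusted else "unknown")
```

On the sample, the only address worth putting in an investigation note is 198.51.100.7, the peer that connected to mx.corp.example; the 203.0.113.5 hop below it was written by an outside relay and is exactly the kind of header the answer says cannot be trusted.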

I recommend two courses of action. First, check the security of the recipient's machine. Is it easy to gain physical access? Is there a strong password policy in force? I would make the suspect change their current logon password. You should also run full virus and spyware scans to check that the machine is not infected in any way. Second, issue digital certificates and require your employees to digitally sign and encrypt their e-mail messages. Then, if somebody intercepted an e-mail, they could not read its contents, because they would not have the correct private key to decrypt it.

With a signed e-mail, only the body of the message is used to create the hash value, which means that as long as someone does not tamper with the From field, the verification process will remain intact. I could, for example, change the To field to make it look like the e-mail was sent to somebody else, as the recipient's digital certificate is not required for a message that is only digitally signed. However, if I change the From field, a warning is raised, because the sender information in the From field is matched against the X.509 subject name on the digital certificate used to sign the e-mail message. Overall, it would be beneficial to have a security policy stating that all important documents or messages must be signed and encrypted to ensure that they cannot be altered in any way. Where the person to whom you are sending such an e-mail does not have a digital certificate, meaning that you can only sign the e-mail, I would add a salutation with the date and time in the e-mail body and make sure the context of the message is clear. You can send messages with secure receipt requests to verify that the recipient is validating your digital signature. When the message is received and saved (even if it is not yet read) and your signature is verified, a receipt is returned. However, because these receipts are not signed, they are most likely of little use.
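The coverage rule described above (body signed, headers not, with a separate From-versus-certificate check) is easy to misread, so here is an added Python illustration that is not part of the original answer. It is a simulation, not S/MIME: an HMAC key stands in for the signer's private key and `SIGNER_SUBJECT` stands in for the e-mail address in the certificate subject, so the three outcomes are what a verifying client would report, while the signing primitive itself is only a stand-in. The message and its altered copies are constructed.

```python
import hashlib
import hmac
from email import message_from_string, policy

# Constructed stand-ins: an HMAC key plays the signer's private key and
# SIGNER_SUBJECT plays the e-mail address in the X.509 certificate subject.
# Real S/MIME uses an asymmetric signature, but what is covered is the same:
# the body is signed, the headers are not.
SIGNER_KEY = b"constructed-demo-key"
SIGNER_SUBJECT = "alice@corp.example"

# Constructed message as the signer sent it.
ORIGINAL = """\
From: alice@corp.example
To: bob@corp.example
Subject: Q2 figures
Content-Type: text/plain

Please confirm receipt.
"""

# Three altered copies of the same message, one per verification case below.
TO_CHANGED = ORIGINAL.replace("To: bob@corp.example", "To: carol@corp.example")
FROM_CHANGED = ORIGINAL.replace("From: alice@corp.example", "From: mallory@corp.example")
BODY_CHANGED = ORIGINAL.replace("Please confirm receipt.", "Please confirm payment.")


def sign_body(raw, key=SIGNER_KEY):
    """Sign only the message body, as a signed-only e-mail does; headers are left out."""
    msg = message_from_string(raw, policy=policy.default)
    return hmac.new(key, msg.get_content().encode("utf-8"), hashlib.sha256).hexdigest()


def verify(raw, signature, signer_subject=SIGNER_SUBJECT, key=SIGNER_KEY):
    """Return "ok", "body-tampered" or "from-mismatch".

    The first check is the signature over the body. The second is the one a
    mail client performs when it compares the From: address with the subject of
    the signing certificate. The To: header is covered by neither check, which
    is why the answer recommends dating the body of signed-only messages.
    """
    if not hmac.compare_digest(sign_body(raw, key), signature):
        return "body-tampered"
    msg = message_from_string(raw, policy=policy.default)
    from_addr = msg["From"].addresses[0].addr_spec
    if from_addr.lower() != signer_subject.lower():
        return "from-mismatch"
    return "ok"


if __name__ == "__main__":
    sig = sign_body(ORIGINAL)
    cases = [("original", ORIGINAL), ("To changed", TO_CHANGED),
             ("From changed", FROM_CHANGED), ("body changed", BODY_CHANGED)]
    for label, variant in cases:
        print(f"{label:>12}: {verify(variant, sig)}")
```

Running it shows the To-changed copy still verifying as "ok", the From-changed copy producing the certificate-subject warning, and the body edit failing the signature outright; a receiving client that only reports "signature valid" has told you nothing about the To field.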

This was last published in April 2006