I don’t get too many spam messages from domains that are definitely from serious businesses or organizations, but I do get a couple. I highly encourage, when you do, going to their website, finding the IT manager’s contact info, and sending him/her/them (miss any?) an e-mail saying that you got a spam e-mail from the address in the ‘from’ box. Either a staff member is abusing their system, or someone hacked in and made up an account. Either way the business/organization ought to know. This usually works for me, EXCEPT Kohl’s, absolutely no hope for them; they are very closed and don’t want to do any community outreach, from my analysis of many parts of their webpage.
I have of late started adding rules to ‘send to trash’ all e-mails from domains that send out trash. I have no count, but I’m sure I am now over 200, probably no end to this. This, and using Apple’s Safari’s ability to easily set up alias e-mail accounts, and I am beginning to get a handle on spam to an e-mail account I can’t change, nor want to try (it would entail a lot of work changing my e-mail address at legit businesses I still want to do business with).
Unfortunately, that’s not true. All of the originating mail header lines (From, ReplyTo, etc) can be easily forged to anything the sender wants them to be, and are never verified. I’m afraid you’re subjecting these IT managers to unnecessary work, or, if they know better, they’re just ignoring your contact.
Thanks for this clarification, Dana. My daughter has battled the spoofing of her email address for years, and I’ve seen it happen to mine a couple of times.
It begs the question though: is there nothing that can be done to fix this glaring weakness in the entire email universe? Sure seems like there should be, at least for those domains/organizations that would like to implement such a tool?
DMARC, SPF, and DKIM are standards that address the spoofing of email addresses. They have been around a long time and are pretty widely deployed. They are effective when used correctly, but unfortunately require action on the part of both legitimate senders and receivers.
If you’re “subjecting … IT managers to unnecessary work” that’s probably a good thing, because it should motivate them to make sure their email authentication tools are properly configured.
My cynical former self notes that unfortunately IT managers are priority driven according to business needs, and unless their respective security departments are involved and have deemed this a significant risk, they’ll typically make note and it’ll get put in the “we have to get this done someday” bucket.
The first assertion of “wide use” is unsubstantiated and undocumented.
However, continuing on in that paragraph (footnote links to multiple confirming references removed):
To effectively stop forged email being delivered, the sending domains, their mail servers, and the receiving system all need to be configured correctly for these higher standards of authentication. Although their use is increasing, estimates vary widely as to what percentage of emails have no form of domain authentication: from 8.6% to “almost half”.
As an exercise to keep my retirement brain limber, I actually implemented those protocols on my personal domain. For a non-email specialist, it is certainly challenging, and I am still far from an expert. I do find that major email hosts (Google, Microsoft, Yahoo, AOL, Prodigy, Frontier, AT&T, Verizon, SBCGlobal, etc.) check my DKIM record against the From: header in my outbound emails before accepting them for delivery (I know because my DKIM record requests DMARC reports from the mail servers). But it’s still possible that someone could spoof my address as the sender on spam, and have their mail delivered on servers that are not DKIM-aware.
Maybe some, but definitely not all spammers have the knowledge to do that. I’ve watched spam as it has gotten more sophisticated over the years, and most obviously don’t have the brain power to do such. Just because it is technically possible does not mean it’s being done.
Isn’t there more to the headers than just From, ReplyTo, etc.? You see the initial SMTP server domain. Can they spoof that too?
Welcome to this conversation. This issue has been in active discussion almost since the first year of email.
Just like the paper mail system, no one thought much about this when things were being set up. (Actually I’m sure a few did and were told no way will such things be a problem.) Anyone can put anything on an envelope, and outside of the postmark (in the US, and if there is one) there’s no way to tell where paper mail is actually from. And the postmark only gets you to a geographical area. Visit an actual USPS office and ask about the options for sending mail with receipts showing someone actually got it handed to them to see how the paper and email systems have both had things bolted on.
The various bolt-on security standards that have been developed can help. But as others have noted they raise the bar of technical knowledge needed to run a mail server. Like all things with some sort of economic base, more and more email is handled by the big boys who can dedicate a staff of 100s to dealing with SPAM emails. (Think corner grocer to supermarkets over the last 100 years.)
One big issue is people giving out their email to whoever. Since I own the rights to some domains my extended family can use for email addresses, we all have one or a few that we use for marketing crap, err, surveys, etc… My wife and I have special email addresses for medical things and financial things, purchases, just plain folks. Plus the “crap” email address.
At one time I was managing 4 or 5 email servers. Maybe more. Now the only one I have is in my house and I want to get rid of it as soon as I gather enough round2its.
White emails (Web-Tools, Tompkins) have no DMARC setup, but haven’t failed lower level authentication (SPF/DKIM). Bright green (Stack-Overflow, Github) have passed DMARC and have enforcement activated in their policy. Orange emails have failed DMARC due to misconfiguration (like my trash company) – I sometimes try to report these problems.
Pale-green (TidBITS) have passed DMARC authentication, but don’t have enforcement activated. Too many domains have left their DMARC set to this “monitor only” mode, which doesn’t help much to prevent spoofing. I hope 2023 is the year TidBITS turns bright-green!
I have taken some time to look at headers in e-mails I’ve received since you wrote. I am no expert, but it was fairly easy for me, by looking at the headers, to tell which e-mails had spoofed ‘from’ info (stated @gmail, but the headers said it really wasn’t; the true from was within the header) and which did not. And I am just a non-expert, not a machine programmed by experts.
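The colour scheme described two posts up (no DMARC record, DMARC pass with enforcement, DMARC pass in monitor-only mode, DMARC fail) and the header inspection described just above can both be reproduced with a short script. This is an added example, not code from anyone in the thread: it reads the Authentication-Results header a receiving mail server already stamped, checks whether the SPF or DKIM domain aligns with the visible From domain, and takes the DMARC p= policy as a parameter standing in for the DNS lookup; the sample messages and domains are constructed, and the organisational-domain helper is a simplification that ignores the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: last two labels are the organisational domain. Real DMARC
    # uses the public suffix list, so this misjudges names like example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header_value):
    # Collect key=value pairs such as spf=pass, smtp.mailfrom=..., dkim=pass,
    # header.d=... from an Authentication-Results header (folded lines are fine).
    return dict(re.findall(r"([\w.]+)=([\w.-]+)", header_value))

def dmarc_alignment(raw_message):
    """Return (from_domain, spf_aligned, dkim_aligned) for one raw message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    aligned = lambda d: bool(from_domain) and org_domain(d) == org_domain(from_domain)
    spf_aligned = ar.get("spf") == "pass" and aligned(ar.get("smtp.mailfrom", ""))
    dkim_aligned = ar.get("dkim") == "pass" and aligned(ar.get("header.d", ""))
    return from_domain, spf_aligned, dkim_aligned

def classify(raw_message, dmarc_policy):
    """dmarc_policy is the p= tag the receiver fetched from _dmarc.<domain> TXT,
    or None when the From domain publishes no DMARC record at all."""
    _, spf_aligned, dkim_aligned = dmarc_alignment(raw_message)
    if dmarc_policy is None:
        return "no-dmarc"       # white: nothing for a receiver to enforce
    if not (spf_aligned or dkim_aligned):
        return "fail"           # orange: From domain forged or sender misconfigured
    if dmarc_policy in ("quarantine", "reject"):
        return "pass-enforced"  # bright green
    return "pass-monitor"       # pale green: p=none, only a report is generated

# Constructed sample, as a receiving MX would have stamped it (not real mail).
LEGIT = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.example.org;
 dkim=pass header.d=example.org
From: Alice <alice@example.org>
Subject: hello

body
"""
# Same visible From, but SPF passed for an unrelated domain and there is no
# DKIM signature: the true sending domain is visible while the From line is forged.
SPOOFED = LEGIT.replace("smtp.mailfrom=bounce.example.org", "smtp.mailfrom=spam.example.net") \
               .replace("dkim=pass header.d=example.org", "dkim=none")

if __name__ == "__main__":
    print(classify(LEGIT, "reject"), classify(SPOOFED, "reject"))
```

A domain whose record says p=none still comes back "pass-monitor" even when the mail is legitimate, which is exactly why monitor-only DMARC does nothing to stop spoofing of that domain.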