Difference between revisions of "Using signature headers to determine if an email has been forged"
From ForensicsWiki
(→Signed mail: - Quick notes on PGP signed and/or encrypted messages) |
m (→Sender Policy Framework: Formatting oops) |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{Expand}} | {{Expand}} | ||
| + | Email signatures, designed for authentication, non-repudiation, and spam control, can also be used to determine if an email has been forged. In the most common case, the forger copies headers from an existing email message to a new one. He could also attempt to change the content of a signed message. Regardless, the signature no longer corresponds to the message and it can be shown that the message is not authentic. | ||
| + | == Sender Policy Framework == | ||
| + | {{main|Sender Policy Framework}} | ||
| + | Sender Policy Framework, or SPF records, can be used to enumerate which hosts are allowed to send mail for that domain. If a message purports to be from ''example.com'' but came from an IP address that is not authorized, under SPF, to send mail for that domain, it has been forged. As an example, let's say we have an email purporting to be from <tt>lexluthor@mit.edu</tt> using the IP address <tt>4.61.91.6</tt>. An investigator can query the DNS records from that domain, in this case <tt>mit.edu</tt> to see the SPF senders. | ||
| − | = | + | <pre>$ host -t txt mit.edu |
| + | mit.edu descriptive text "v=spf1 ip4:18.7.7.0/24 ip4:18.7.21.0/24 ip4:18.72.0.0/16 ~all"</pre> | ||
| − | These headers, included by the mail server, provide a signature of each message. See [[Gmail Header Format]]. The public keys are distributed via [[Domain Name System|DNS]]. | + | Here we see that there are three computers authorized to send mail for the <tt>mit.edu</tt> domain. None of them have the IP address found on the message, so the email in question may be forged. |
| + | |||
| + | == DomainKeys Identified Mail == | ||
| + | {{main|DomainKeys Identified Mail}} | ||
| + | These headers, included by the mail server, provide a signature of each message. See [[Gmail Header Format]]. The public keys are distributed via [[Domain Name System|DNS]]. | ||
== Signed mail == | == Signed mail == | ||
Latest revision as of 14:32, 29 April 2007
|
|
Please help to improve this article by expanding it.
|
Email signatures, designed for authentication, non-repudiation, and spam control, can also be used to determine if an email has been forged. In the most common case, the forger copies headers from an existing email message to a new one. He could also attempt to change the content of a signed message. Regardless, the signature no longer corresponds to the message and it can be shown that the message is not authentic.
