I’ve been getting daily emails timestamped Dec. 26, 2037. Naturally, this means that the email sits on top of the list so that I see it first no matter when the others arrived.
Spoofed email dates are new to me. Are others seeing this? How do they do it?
They’re rare, but not new. I’ve seen it happen a handful of times over the past few years.
I’ve seen them dated in the past as well. I assume so it blends into the middle of all your emails and you’re less likely to notice and delete it right away, perhaps so you think you already read it and kept it, implying it’s not spam.
The problem with that, at least in my case, is seeing a message tagged as new/unread, below 15 or 20 emails that I have read, but left in my inbox, makes it stand out.
I notice the bad-date emails in my Yahoo! inbox but not in other providers. I think some do a sanity check on dates and reassign the date/time to the first server in the chain that isn’t reporting a ridiculous time.
BTW: assigning the correct time to an email and ensuring that the receiver sees the time in their zone is a sufficient hassle that to this day results in misconfigured email servers that report times off by a few hours. (But not off by several years.)
Even the hamsters here on the Dope sometimes mess up and get a user’s time wrong.
In the ordinary world when would there ever be a meaningful difference between these? This might help for this type of spam, which I’ve never seen before in over 20 years of email, but under what circumstances would the two sorts differ from one another?
And, since no one has addressed this, how is the date spoofed? I’m curious.
For the first one, email isn’t relayed instantaneously from one server in the chain to the next. “Back in the day …” a server might accumulate emails and send them on only a few times a day. Maybe even only once a day. So there could be a near 24 hour lag between adjacent servers in the chain. And since email might be routed thru more servers, it adds up.
Nowadays, you usually see odd gaps due to some site having server issues. Something has been temporarily borked so arriving emails are queued up and later processed when things are fixed. Remember, not everything is working at a 100% level 100% of the time. Reality is not perfect.
We used to use Google as our mail service (at work, gigantic global company 250k+ employees). Mail from people outside the organization (suppliers, consultants, customers) would arrive almost instantaneously.
Now we use Outlook. It can take 30 minutes for mail to arrive from the outside world. And even internally there is a setting apparently to delay mail by a few minutes, so that you can cancel it if you realize you’ve made a mistake. When I receive one of these delayed messages it will show up down the list. I’m guessing I can change some settings on my client to make them sort by time received but I can’t be arsed.
An email message consists of a sequence of “headers”, followed by a blank line, followed by the body of the message. The headers provide metadata about the message such as the sender and the date. The thing is, most of the headers are simply provided by the sender. He can write anything he wants in the headers, just like he can in the body of the message. It’s like writing a date at the top of a handwritten letter – nothing ensures that you’re writing today’s date. The sender can spoof the date, the From address, and pretty much everything else in the headers. The only exceptions are a few headers that are created by the receiving server rather than by the sender, and some headers that have built-in security like the DKIM-related headers.
Of course, a simple examination of the full message (which includes all header lines) will reveal any date spoofing. Email usually routes through several servers and each one adds a line to the header that includes a date-time stamp. The sender can’t spoof those.
From: Alice <alice@example.com>
To: Bob <bob@example.com>
Date: June 29, 2019 13:04:00-0600
Subject: Test
Message!
That’s what gets sent from the sender’s email program. Any and all of those lines before the message (in this case, “Message!”) can be made to look like whatever the sender wants them to look like. “Spoofing” is thus trivially simple.
Why is it so simple? Because in a government/academic network, security is enforced through social mechanisms more than technical ones, and email grew out of the very early Internet and pre-Internet/non-Internet systems. Therefore, security wasn’t really contemplated much at the time.
This is what makes spam fighting so hard to do automatically.
Keep in mind, if you look at a complicated email header, you will see that it has passed thru several servers. Each one tacks on more stuff to the front of the header.
So, clearly, the last header is the one from the sender, right?
No.
Remember, the sender can spoof headers! All they have to do is prefix the email with two or more headers.
So software looking to flag spam from suspicious sites can’t look at just the last header. Which might look like a legit header from a legit site. It has to parse all the headers looking for a tell-tale one that looks out of place. That’s the first “real” header.
Experienced humans are good at this. (I used to do this on occasion.) Pre-the current AI revolution, this was difficult to get a program to do well. It can probably be done quite well with a trained AI now. But it may not pay to run the AI on all the incoming emails for a large email service.
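The two checks the posts above describe, as an added example that is not from the thread: comparing the sender-supplied Date header against the Received stamps our own servers wrote, and walking the Received chain from our own server downward until the first hop where one of our servers accepted the mail from a host we do not control, since every Received line below that point arrived inside the message and may have been typed by the sender. The sample message, the host names, and the trusted-server list are constructed for illustration.

```python
import re
import email
from email import policy
from email.utils import parsedate_to_datetime
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample (not from the thread): a message whose Date header claims
# 2037, stamped by two servers we run (mx1 and mailstore), plus a third
# "Received" line the sender typed in to look like a reputable relay.
SPOOFED_RAW = b"""\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mailstore.example.net with ESMTP id abc123;
    Sat, 29 Jun 2019 19:05:12 +0000
Received: from 203-0-113-77.dynamic.example.org (unknown [203.0.113.77])
    by mx1.example.net with SMTP id def456;
    Sat, 29 Jun 2019 19:05:10 +0000
Received: from trusted-relay.bigcorp.example (trusted-relay.bigcorp.example [198.51.100.5])
    by smtp.bigcorp.example with ESMTPS id fake789;
    Sat, 29 Jun 2019 19:04:00 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.com>
Date: Sat, 26 Dec 2037 13:04:00 -0600
Subject: Test

Message!
"""

# The same message with an honest Date header, for comparison.
SANE_RAW = SPOOFED_RAW.replace(b"Sat, 26 Dec 2037 13:04:00 -0600",
                               b"Sat, 29 Jun 2019 13:04:00 -0600")

# Hosts whose Received lines we trust because we operate them (assumed names).
TRUSTED_SERVERS = {"mailstore.example.net", "mx1.example.net"}


@dataclass
class Hop:
    from_host: str       # host the stamping server says it got the mail from
    by_host: str         # server that wrote this Received line
    timestamp: datetime  # that server's own clock when it wrote the line


def load(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def parse_received(msg):
    """Received hops in header order: index 0 is the newest stamp (our server)."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(str(raw).split())            # unfold, squeeze whitespace
        from_m = re.search(r"\bfrom\s+(\S+)", text)
        by_m = re.search(r"\bby\s+(\S+)", text)
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
        hops.append(Hop(from_m.group(1) if from_m else "?",
                        by_m.group(1) if by_m else "?", stamp))
    return hops


def date_skew(msg):
    """Date header minus the newest Received stamp; positive means the sender
    claims a time later than when our own server took delivery."""
    claimed = parsedate_to_datetime(str(msg["Date"]))
    return claimed - parse_received(msg)[0].timestamp


def date_is_implausible(msg, future=timedelta(hours=24), past=timedelta(days=30)):
    """Flag a Date later than our receipt (beyond clock skew) or absurdly old.
    Queued mail can legitimately arrive days late, hence the loose lower bound."""
    skew = date_skew(msg)
    return skew > future or skew < -past


def first_untrusted_hop(hops, trusted):
    """Walk from our server downward; the first hop where a server we control
    accepted the mail from a host we do not is the real origin. Every Received
    line below it was part of the submitted message and proves nothing."""
    for index, hop in enumerate(hops):
        if hop.by_host in trusted and hop.from_host not in trusted:
            return index, hop
    return None


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("sane", SANE_RAW)):
        msg = load(raw)
        print(f"{label}: skew={date_skew(msg)} implausible={date_is_implausible(msg)}")
    print("real origin hop:", first_untrusted_hop(parse_received(load(SPOOFED_RAW)),
                                                   TRUSTED_SERVERS))
```

The hop walk only works from the top down, which is the point made above: a fabricated Received line at the bottom of the chain (here the "bigcorp" relay) never gets a vote because the walk stops at the first hop our own server wrote. If the sender also DKIM-signed the message and listed Date in the signature's h= tag, a verified signature tells you the signing domain vouched for that date; the plausibility check above needs no signature at all.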
I guess what I’m really asking is how one gets to “those lines before the message.” It all takes place behind the scenes in the programs I’ve used. What is used to pull aside the curtain and gain access?
You simply need to behave like one of the first generation email programs. Most email wends its way around the planet carried by SMTP - the Simple Mail Transport Protocol. And simple it is. Back in the day you could telnet to the port (25) on a mail server that the SMTP server listened to and have a conversation with the server. It would talk to you in simple phrases, and you would reply with what it needed to know to send the email. Get the conversation right and your email was away.
Open SMTP servers were a rife way of sending spam - as the spam appeared to originate with the server you connected to, and not your ISP. Nowadays most SMTP is served over a secure port, or only from within the ISP’s own network (which leads to a whole raft of weird bugs for people who don’t have their email setup quite right.)
If you are running your own spam email server, you can use a basic email server program with port 25 wide open to local (or whatever) connections and send something old school. A script would just make the telnet connection, send the desired text (headers plus body), close the connection and then it’s off to someone’s inbox.
There’s a ton of SMTP servers you can download and install at home. So you can become an email spammer in no time. (This is what happens with malware that hijacks your devices to spam.) You just can’t receive email since the incoming port is typically blocked. Blocking the outbound port would prevent people from using SMTP email programs to read their email from a legit server.
Technically you can do it but this violates consumer ISPs’ terms of service and they will not like it if you do this. I think you would be blocked pretty quick.
I don’t know for sure what this mechanism is but I think it’s more likely that it puts an SMTP client on your machine that sends mail out to an external SMTP server, partly for the reason above.
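The telnet-style conversation described a few posts up, as an added example that is not from the thread: a toy SMTP server listening on a loopback port, and a client that types the HELO/MAIL/RCPT/DATA exchange by hand and sends a message whose Date header is set to 2037. The server name, the HELO name and the message are constructed; the server is a minimal stand-in for an MTA, not a real one, but it does the one thing every real MTA does, which is prepend its own Received line with its own clock while taking the Date line exactly as typed.

```python
import socket
import threading
from datetime import datetime, timezone
from email.utils import format_datetime

# Constructed message (not from the thread): headers and body exactly as the
# sending script would type them, bogus Date header included.
SPOOFED_MESSAGE = (
    "From: Alice <alice@example.com>\r\n"
    "To: Bob <bob@example.com>\r\n"
    "Date: Sat, 26 Dec 2037 13:04:00 -0600\r\n"
    "Subject: Test\r\n"
    "\r\n"
    "Message!\r\n"
)


def run_toy_smtp_server(listener, mailbox):
    """Accept one connection and speak just enough SMTP to take one message.
    It stamps a Received: line with its own clock; it cannot vet the Date:
    line that arrives inside DATA, because that is just message text."""
    conn, (peer_ip, _) = listener.accept()
    reader = conn.makefile("rb")
    helo_name, body, in_data = "unknown", [], False
    conn.sendall(b"220 mx.example.net ESMTP toy\r\n")
    try:
        for line in reader:
            if in_data:
                if line.rstrip(b"\r\n") == b".":            # end of DATA
                    stamp = format_datetime(datetime.now(timezone.utc))
                    received = (f"Received: from {helo_name} ([{peer_ip}]) "
                                f"by mx.example.net with SMTP; {stamp}\r\n")
                    mailbox.append(received.encode() + b"".join(body))
                    in_data = False
                    conn.sendall(b"250 2.0.0 Ok: queued\r\n")
                else:                                        # dot-unstuff
                    body.append(line[1:] if line.startswith(b".") else line)
                continue
            words = line.split()
            verb = words[0].upper() if words else b""
            if verb in (b"HELO", b"EHLO"):
                helo_name = words[1].decode(errors="replace") if len(words) > 1 else "unknown"
                conn.sendall(b"250 mx.example.net\r\n")
            elif verb in (b"MAIL", b"RCPT"):
                conn.sendall(b"250 2.1.0 Ok\r\n")
            elif verb == b"DATA":
                in_data = True
                conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
            elif verb == b"QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"500 5.5.1 Command unrecognized\r\n")
    finally:
        conn.close()


def send_raw(host, port, helo, mail_from, rcpt_to, message):
    """The client side of the same conversation, by hand, as over telnet.
    Returns the dialogue as a list of 'C: ...' / 'S: ...' lines."""
    transcript = []
    with socket.create_connection((host, port)) as sock:
        reader = sock.makefile("rb")

        def expect(code):
            reply = reader.readline().decode(errors="replace").rstrip("\r\n")
            transcript.append("S: " + reply)
            if not reply.startswith(code):
                raise RuntimeError(f"expected {code}, got: {reply}")

        def say(command):
            transcript.append("C: " + command)
            sock.sendall(command.encode() + b"\r\n")

        expect("220")                    # HELO keeps the greeting single-line;
        say(f"HELO {helo}")              # EHLO replies span several lines
        expect("250")
        say(f"MAIL FROM:<{mail_from}>")
        expect("250")
        say(f"RCPT TO:<{rcpt_to}>")
        expect("250")
        say("DATA")
        expect("354")
        # Dot-stuff lines that start with "." and finish with a lone "." line.
        lines = message.rstrip("\r\n").splitlines()
        wire = "\r\n".join("." + l if l.startswith(".") else l for l in lines)
        transcript.append("C: <headers and body as typed>")
        sock.sendall(wire.encode() + b"\r\n.\r\n")
        expect("250")
        say("QUIT")
        expect("221")
    return transcript


def demo():
    """Run server and client on a loopback port; return the transcript and
    the message as the server stored it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    mailbox = []
    server = threading.Thread(target=run_toy_smtp_server,
                              args=(listener, mailbox), daemon=True)
    server.start()
    transcript = send_raw("127.0.0.1", port, "spammer.invalid",
                          "alice@example.com", "bob@example.com", SPOOFED_MESSAGE)
    server.join(timeout=5)
    listener.close()
    return transcript, mailbox[0]


if __name__ == "__main__":
    transcript, stored = demo()
    print("\n".join(transcript))
    print("--- as stored on the server ---")
    print(stored.decode())
```

Everything between the 354 reply and the lone "." is opaque text to the server; the only line in the stored copy it can vouch for is the Received line it wrote itself, which is exactly why the date-plausibility and hop-walking checks have to anchor on those stamps rather than on anything the sender typed.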