Email spoofing is the creation of email messages with a forged sender address. It is easy to do because the core protocols do not have any mechanism for authentication. It can be accomplished from within a LAN or from an external environment using Trojan horses.〔(SMEmail – A New Protocol for the Secure E-mail in Mobile Environments), Proceedings of the Australian Telecommunications Networks and Applications Conference (ATNAC'08), pp. 39–44, Adelaide, Australia, December 2008.〕 Spam and phishing emails typically use such spoofing to mislead the recipient about the origin of the message.〔See e.g. (UK tax website) or (Lloyds TSB Bank security advice)〕

==Technical detail==

When an SMTP email is sent, the initial connection provides two pieces of address information:

* MAIL FROM: - generally presented to the recipient as the ''Return-path:'' header but not normally visible to the end user, and by default ''no checks'' are done that the sending system is authorized to send on behalf of that address.
* RCPT TO: - specifies which email address the email is delivered to, is not normally visible to the end user but ''may'' be present in the headers as part of the "Received:" header.
Together these are sometimes referred to as the "envelope" addressing, by analogy with a traditional paper envelope.〔("A quick overview of SMTP"), University of Toronto〕

Once the receiving mail server signals that it accepted these two items, the sending system sends the "DATA" command, and typically sends several header items, including:

* From: Joe Q Doe
* Reply-to: Jane Roe

The result is that the email recipient sees the email as having come from the address in the ''From:'' header; they may sometimes be able to find the ''MAIL FROM'' address; and if they reply to the email it will go to either the address presented in the ''From:'' or ''Reply-to:'' header - but none of these addresses are typically reliable,〔http://www.slate.com/id/2063042/〕 so automated bounce messages may generate backscatter.

Excerpt source: Wikipedia, the free encyclopedia.
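The envelope and header addresses described under "Technical detail" can be read back from a stored message and compared. The following Python code is an added example, not part of the original article; the sample message, its addresses and the finding labels are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample as stored by a receiving server; every address is made up.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: Joe Q Doe <joeqdoe@example.com>
Reply-To: Jane Roe <janeroe@example.org>
Subject: Quarterly report

Hello
"""

def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def sender_identities(raw):
    """Return the three sender addresses a message can carry."""
    msg = message_from_string(raw)
    pick = lambda name: parseaddr(msg.get(name, ""))[1]
    return {
        "envelope_from": pick("Return-Path"),  # copied from SMTP MAIL FROM
        "header_from": pick("From"),           # what the mail client displays
        "reply_to": pick("Reply-To"),          # where a reply is sent
    }

def mismatches(raw):
    """List the ways the visible From: disagrees with the other identities."""
    msg = message_from_string(raw)
    ids = sender_identities(raw)
    shown = _domain(ids["header_from"])
    findings = []
    if len(msg.get_all("From", [])) != 1:
        findings.append("from-header-count")      # RFC 5322 allows exactly one
    # An empty envelope sender ("<>") is the normal form for bounces: skip it.
    if ids["envelope_from"] and _domain(ids["envelope_from"]) != shown:
        findings.append("envelope-from-differs")
    if ids["reply_to"] and _domain(ids["reply_to"]) != shown:
        findings.append("reply-to-differs")
    return findings

if __name__ == "__main__":
    print(sender_identities(SAMPLE))
    print(mismatches(SAMPLE))
```

A finding here is a prompt for review rather than proof of forgery, since mailing lists and bulk-mail services legitimately use an envelope domain that differs from the ''From:'' domain.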