like_any_other 5 days ago

> The attacker spoofed the “From” field so it looked like the emails came from @google.com — something Google’s filters should have blocked outright. On iOS, Gmail doesn’t let you view full headers, so I had no way to double-check in the moment.

Can somebody explain what exactly this means, and how it works?

goda90 5 days ago | parent | next [-]

No clue how it works functionally these days. But it reminds me of tricks we pulled back in high school programming class. Our school was using Novell NetWare, and some students were given email addresses for various purposes. We discovered you could edit the From field, so it would display any text as your name and then your email address after it to the recipient on Novell's email client. If you added enough text, including whitespace, it would push the actual email address off screen (I don't remember if you could scroll to it or not).

We trolled each other in class with it a bit. But at one point some student not in our class sent out a mass email, which was against the rules. I replied with a From line as "Administrator" and a bunch of whitespace, telling the girl that she broke the rule and would be suspended for it. Our teacher made me apologize, and I was lucky that I didn't get into more trouble beyond that.

matsemann 5 days ago | parent | prev | next [-]

DMARC/SPF https://en.m.wikipedia.org/wiki/DMARC

Basically, the from field on an email can be anything you want. It's like sending physical mail and using a fake letterhead with someone else's info, just type what you want. No verification.

That's sometimes a good feature. Like, a third party provider can send newsletters on behalf of company A. But can also be bad, when used for phishing.

However, the email doesn't just appear in your mailbox. It comes to your email provider by another server connecting to it and sending the email. SPF allows the owner of A.com to specify which IPs/servers are actually acting on their behalf. So if I get an email from something@A.com, I can look up and verify that the sending server is one to trust. If not, the email client should reject or warn the user somehow.

tryauuum 5 days ago | parent [-]

DMARC does check the From field in the mail, so I don't know how this could happen

matsemann 5 days ago | parent [-]

Yeah, sorry if that wasn't clear in my explanation. Without these in place, you will accept anything from anyone claiming to be @A.com, but with DMARC the whole point is to flag when they're only pretending to be.
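The SPF and DMARC mechanics described in the two comments above, as an added worked example that is not part of the thread: a toy receiver that evaluates SPF for the envelope (MAIL FROM) domain and then applies DMARC alignment against the domain in the visible From: header. All DNS records, domains (example.com as the impersonated domain, esp.example as a newsletter provider, askjdfaskldfj.net as the attacker's) and IP addresses are constructed for the example; only the ip4/ip6/include mechanisms are modelled, relaxed alignment is approximated with "last two labels" instead of the Public Suffix List, and DKIM (DMARC's second authentication path) is left out.

```python
import ipaddress
from email.utils import parseaddr

# Constructed DNS TXT records for the example (not real zone data).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:esp.example -all",
    "bounces.example.com": "v=spf1 include:esp.example -all",
    "esp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "askjdfaskldfj.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, depth=0):
    """Simplified SPF: only ip4/ip6/include mechanisms and 'all'.
    Returns "pass", "fail", "softfail", "neutral" or "none"."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # an address of the other IP version simply does not match
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], client_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            matched = False  # a, mx, exists, redirect= ... not modelled here
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"


def parse_dmarc(txt):
    """'v=DMARC1; p=reject; aspf=r' -> {'v': 'DMARC1', 'p': 'reject', 'aspf': 'r'}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    # Simplification for relaxed alignment: keep the last two labels.
    # Real implementations use the Public Suffix List (co.uk etc.).
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_check(from_header, mail_from_domain, client_ip):
    """SPF for the envelope domain, then DMARC alignment against the
    domain of the visible From: header. DKIM is omitted."""
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    policy = parse_dmarc(DNS_TXT.get("_dmarc." + from_domain, ""))
    spf_result = spf_check(mail_from_domain, client_ip)
    if policy.get("aspf", "r") == "s":       # strict: exact domain match
        aligned = mail_from_domain.lower() == from_domain
    else:                                    # relaxed: same organisational domain
        aligned = org_domain(mail_from_domain) == org_domain(from_domain)
    passed = spf_result == "pass" and aligned
    return {
        "from_domain": from_domain,
        "spf": spf_result,
        "aligned": aligned,
        "dmarc": "pass" if passed else ("fail" if policy else "none"),
        # what the receiver should do with the message
        "disposition": policy.get("p", "none") if policy and not passed else "none",
    }


if __name__ == "__main__":
    cases = [
        ("legit", "Example Support <support@example.com>", "example.com", "203.0.113.5"),
        ("newsletter via ESP", "News <news@example.com>", "bounces.example.com", "192.0.2.9"),
        ("spoof, attacker's own SPF passes", "legal@example.com", "askjdfaskldfj.net", "198.51.100.7"),
        ("spoof, forged envelope too", "legal@example.com", "example.com", "198.51.100.7"),
    ]
    for label, header, envelope, ip in cases:
        print(f"{label:34} {dmarc_check(header, envelope, ip)}")
```

The third case is the one that SPF alone cannot catch: the attacker's envelope domain has a perfectly valid SPF record, so SPF passes; it is the DMARC alignment check between the envelope domain and the From: header domain that fails and triggers the p=reject policy.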

opesorry 5 days ago | parent | prev | next [-]

Assuming I follow what you want to know, the wikipedia page on email spoofing should provide the info you desire. https://en.m.wikipedia.org/wiki/Email_spoofing

I'm pretty surprised Gmail didn't flag this at least. When I did it for a class in Uni, it always let me know that the FROM header didn't match the sender since that's a clear attack vector

like_any_other 5 days ago | parent [-]

His phrasing is very confusing - claiming the "from" field was spoofed, but that if he could see the "full header", he could have spotted the spoofing.

I would also assume something as prominent as the Gmail website/app for iOS, and the google.com domain, would have all possible email security features correctly configured.

So.. is this not the case? Or is it, but due to bad UI, despite all this security, any schmoe can send email appearing to come from google.com, and I have to pore over unspecified details in the "full header" to spot a fake?

Avamander 5 days ago | parent | next [-]

It could indeed be that some MUAs only display the comment section. In theory you can use a MIME from like '"Google <google@google.com>" foo@example.com'. Though most spam filters heavily frown upon garbage like that. Things like '"Foo (google@google.com)" <foo@example.com>' will likely pass though. (It's commonly done by shit forwarders.)

Apple Mail does allow you to see the actual sender if you tap on the name though. Outlook has been way worse in that aspect, by not letting you see the full sender. At some point it even saved these fake addresses automatically in your address book if it matched a contact's name or something. (I couldn't find the thread about it right now, but it has been discussed elsewhere.) It's a disservice to everyone except attackers to be honest.

vehementi 4 days ago | parent | prev [-]

On obvious spoofs I see "legal@gmail.com <via scamdude@askjdfaskldfj.net>". I think he means that it didn't indicate the latter. And if the Gmail phone app hadn't failed to display headers, he could have looked

throw_m239339 5 days ago | parent | prev [-]

It's my understanding that emails have headers, just like http responses, and the app might have displayed that fake header instead of verifying the provenance of the email and displaying where it actually came from. So it is a UI/UX issue.

alaithea 5 days ago | parent [-]

Why email clients have started hiding/not providing access to headers is beyond me. It seems like an anti-pattern. There have been many times recently where I've wanted to check the headers because an email was suspicious, only to find I couldn't.