Security 2026-05-29 UNFINISHED

Mapping Out a Phishing Campaign's Infrastructure

A scam email...sent by me?


Photo by @kasiade | Unsplash

It’s very rare for me to check my spam folder, but on this occasion, when I did, I was quite surprised to see an email sent by me. Obviously I did not send myself an email saying I had failed to pay for my cloud storage, so how did they do it?

Spoofing

Luckily, Gmail’s headers can give us some clues. Email protocols actually have two separate concepts of “From”: the Header-From and the Envelope-From, and this is something scammers can exploit. The Envelope-From is the real origin of the message, the one mail servers actually use to route the email. The Header-From is the display headers, things like From: and Sender:. Strangely, those are just text, so anyone can set them to whatever they like.

They ran their own mail server on a .biz.ua Ukrainian domain, set the Sender: header in the email to my address, and Gmail’s UI displayed that as “sent by”. That’s it. No Gmail account was hacked. No passwords were stolen. They just… typed a name into a field.
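To make the Envelope-From versus Header-From distinction concrete, here is an added example (my own code, not part of the original post) that parses a raw message with Python's standard `email` module, pulls out the Return-Path (envelope sender), From:, Sender: and the connecting IP from the topmost Received: header, and reports where they disagree. Both messages, and every domain and address in them, are constructed for illustration; the strict alignment rule (Return-Path domain must equal the From: domain) is a simplification of what SPF/DMARC alignment actually checks.

```python
# Added example, not from the original post: pull apart the three "from"
# concepts of a message (envelope sender, From:, Sender:) and flag the
# mismatch that makes a self-addressed scam look like it was sent by you.
# Both raw messages below are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed: envelope sender on an unrelated domain, Sender: and From:
# both set to the recipient's own address, as in the scam described above.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mailer.scam-sender.example>
Received: from mx.scam-sender.example (203.0.113.10) by mx.example.com with ESMTP
From: Cloud Storage <victim@example.com>
Sender: victim@example.com
To: victim@example.com
Subject: Your cloud storage payment failed

Your payment could not be processed.
"""

# Constructed: a normal notification whose envelope and From: domains agree.
SAMPLE_LEGIT = """\
Return-Path: <bounce@example-cloud.com>
Received: from out.example-cloud.com (198.51.100.7) by mx.example.com with ESMTP
From: Cloud Storage <billing@example-cloud.com>
To: victim@example.com
Subject: Invoice

Thanks for your payment.
"""


def domain_of(header_value):
    """Lowercase domain of an address header, or '' when the header is absent."""
    if not header_value:
        return ""
    _name, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def analyse(raw):
    """Compare the envelope sender with the display headers and list what disagrees.

    The check is strict SPF-style alignment: the Return-Path domain must equal
    the From: domain (DMARC's relaxed mode would also accept a subdomain).
    """
    msg = message_from_string(raw)
    envelope = domain_of(msg.get("Return-Path"))
    header_from = domain_of(msg.get("From"))
    sender = domain_of(msg.get("Sender"))
    # The topmost Received: header is the one our own server wrote; the IP in
    # it is the host that actually connected to us, whatever From: claims.
    m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", msg.get("Received", ""))
    connecting_ip = m.group(1) if m else ""

    findings = []
    if envelope and header_from and envelope != header_from:
        findings.append(f"envelope domain {envelope} does not match From: domain {header_from}")
    if sender and sender != envelope:
        findings.append(f"Sender: domain {sender} is not the envelope domain {envelope}")
    return {
        "envelope": envelope,
        "from": header_from,
        "sender": sender,
        "connecting_ip": connecting_ip,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        result = analyse(raw)
        print(label, result["connecting_ip"], result["findings"] or "aligned")
```

Run it as a script to see the spoofed sample report two mismatches while the legitimate one reports none; on a real message, paste the raw source Gmail shows under “Show original” into `analyse()`. The Received: line is the part a sender cannot rewrite after the fact, which is why the connecting IP is the starting point for the digging in the next section.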

Digging

Now that we have their mail domain, let’s do some digging. This gives us their Sender Policy Framework (SPF) record, a DNS record which tells receiving servers the only IPs permitted to send mail for the domain. It looks like whatever addresses are hosted on ips.dnstool.site can send mail.

Let’s dig further. A list of IPs: this is likely the cluster for their snowshoe spamming operation. Now we can run a WHOIS on each one to find out more about them. It is a lot of IPs, so I’ll use a bash script. A lot of servers, and most importantly, they have distributed them across providers in different countries. If one gets taken down, they still have lots remaining.
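The two dig queries and the WHOIS loop above are one procedure: follow the SPF record's include: chain to the full set of sending addresses, then look each one up to see where it lives. As an added example (my code, not the post's bash script), here is that procedure in Python with the DNS side done offline against a constructed TXT table, so it runs without network; every domain name, IP range and WHOIS record in it is constructed, and `ips.dnstool.example` stands in for the real host named in the post. The only real network call is `fetch_whois()`, which shells out to the system `whois` client and is not needed for the offline summary.

```python
# Added example, not from the original post: expand an SPF record offline by
# following include: terms (what the two dig queries above did by hand), then
# summarise WHOIS results per country so provider spread is visible at once.
# Every domain, IP and WHOIS record below is constructed; the only real
# network call is fetch_whois(), which the offline summary never needs.
import ipaddress
import re
import subprocess

# Constructed stand-in for DNS TXT lookups. For real use, replace lookup_txt
# with a resolver query such as dnspython's dns.resolver.resolve(name, "TXT").
FAKE_TXT = {
    "scam-sender.example": ["v=spf1 include:ips.dnstool.example -all"],
    "ips.dnstool.example": [
        "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 include:more.dnstool.example ~all"
    ],
    "more.dnstool.example": ["v=spf1 ip4:192.0.2.50 ip4:192.0.2.51 -all"],
}


def lookup_txt(name, table=FAKE_TXT):
    """Return the TXT strings for name from the constructed table."""
    return table.get(name.lower(), [])


def expand_spf(domain, table=FAKE_TXT, seen=None):
    """Return (networks, dns_lookups) for a domain's SPF policy.

    include: and redirect= are followed recursively; a/mx/ptr/exists would
    need further DNS queries, so they are only counted. RFC 7208 allows at
    most 10 such lookups per evaluation, beyond which receivers return permerror.
    """
    seen = set() if seen is None else seen
    if domain in seen:  # guard against include: loops
        return [], 0
    seen.add(domain)
    networks, lookups = [], 0
    for record in lookup_txt(domain, table):
        if not record.startswith("v=spf1"):
            continue
        for term in record.split()[1:]:
            mech = term.lstrip("+-~?")  # drop the qualifier, keep the mechanism
            if mech.startswith(("ip4:", "ip6:")):
                networks.append(ipaddress.ip_network(mech.split(":", 1)[1], strict=False))
            elif mech.startswith(("include:", "redirect=")):
                lookups += 1
                target = mech.split(":", 1)[1] if mech.startswith("include:") else mech.split("=", 1)[1]
                sub_nets, sub_lookups = expand_spf(target, table, seen)
                networks.extend(sub_nets)
                lookups += sub_lookups
            elif mech.split(":", 1)[0].split("/", 1)[0] in ("a", "mx", "ptr", "exists"):
                lookups += 1
    return networks, lookups


def fetch_whois(ip):
    """Real call to the system whois client; needs network and the whois binary."""
    return subprocess.run(["whois", ip], capture_output=True, text=True, check=False).stdout


def parse_whois(text):
    """Pick the country and first organisation/netname line out of RIR-style output."""
    fields = {"country": None, "org": None}
    for line in text.splitlines():
        m = re.match(r"^\s*(country|orgname|org-name|netname)\s*:\s*(.+?)\s*$", line, re.I)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "country" and fields["country"] is None:
            fields["country"] = value.upper()
        elif key != "country" and fields["org"] is None:
            fields["org"] = value
    return fields


def summarise(whois_by_ip):
    """Group (ip, org) pairs by country: losing one provider or country leaves the rest."""
    by_country = {}
    for ip, text in whois_by_ip.items():
        fields = parse_whois(text)
        by_country.setdefault(fields["country"] or "??", []).append((ip, fields["org"]))
    return by_country


# Constructed WHOIS output in ARIN (OrgName) and RIPE (netname) styles.
FAKE_WHOIS = {
    "203.0.113.10": "NetRange: 203.0.113.0 - 203.0.113.255\nOrgName: Example Hosting LLC\nCountry: US\n",
    "198.51.100.7": "inetnum: 198.51.100.0 - 198.51.100.255\nnetname: EXAMPLE-NET\ncountry: NL\n",
    "192.0.2.50": "inetnum: 192.0.2.0 - 192.0.2.255\nnetname: OTHER-NET\ncountry: DE\n",
}


if __name__ == "__main__":
    nets, lookups = expand_spf("scam-sender.example")
    print(f"{sum(n.num_addresses for n in nets)} addresses may send mail; {lookups} DNS lookups used")
    for country, hosts in sorted(summarise(FAKE_WHOIS).items()):
        print(country, hosts)
```

Against live infrastructure you would swap `lookup_txt()` for a real resolver and build the dictionary passed to `summarise()` with `fetch_whois()` per address; the lookup counter is worth keeping, because an SPF record that needs more than ten DNS-querying mechanisms fails with permerror at receivers, which is one reason snowshoe senders prefer a few large ip4: ranges under an include: over many small ones.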

-----IN PROGRESS-----