Message Authenticity

Authenticity of Messages

See also information videos from the research group SECUSO at KIT https://secuso.aifb.kit.edu/english/1047.php


Sender Forgeries

An email address consists of two parts: the display name and the actual address (the part in angle brackets). The display name is allowed to be empty:

display name <name@abcdomain.uni-kiel.de>

The display name is fully under the control of the sender. Forging the display name is trivial.

It is common for phishing and spam emails to forge the display name and/or the sender address. A very common method is to put a university mail address into the display name (often even in angle brackets, so that it looks like the real address), while the actual sender address is entirely different.

Full verification of the sender identity is not possible via a simple email.

Through various measures, however, it has become significantly harder to inject a message with a university email address from outside. Nonetheless, methods to forge a sender address still exist (usually via compromised user credentials).

Checking the sender address greatly reduces the risk of falling victim to a fraudulent message.
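As an added example (not part of the original page), the following Python snippet separates the display name from the real address in a From: header and flags the forgery pattern described above. The domain abcdomain.uni-kiel.de is taken from the example address on this page as a stand-in for the university domain; the sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Assumption: the example domain from this page stands in for the real
# university domain.
UNIVERSITY_DOMAIN = "abcdomain.uni-kiel.de"

# Loose pattern for something that looks like an email address inside a display name.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def analyse_from(header: str) -> dict:
    """Split a From: header into display name and real address and report
    the warning signs described above (address-like display name, claimed
    university domain that the real address does not match)."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # Addresses written into the display name: the classic forgery.
    embedded = [m.lower() for m in ADDR_RE.findall(name)]
    warnings = []
    if any(e != addr for e in embedded):
        warnings.append("display name contains an address that differs from the real sender address")
    if UNIVERSITY_DOMAIN in name.lower() and domain != UNIVERSITY_DOMAIN:
        warnings.append("display name suggests the university, but the real address is elsewhere")
    return {"display_name": name, "address": addr, "domain": domain, "warnings": warnings}


# Constructed sample headers (not real mail): a legitimate one, one with an
# empty display name, and the forgery pattern from the text.
SAMPLE_HEADERS = [
    "Computing Center <rz@abcdomain.uni-kiel.de>",
    "<someone@example.org>",
    '"Computing Center <rz@abcdomain.uni-kiel.de>" <mailer@example.net>',
]


def scan(headers=SAMPLE_HEADERS) -> list:
    """Return the analysis of every header that raised at least one warning."""
    results = [analyse_from(h) for h in headers]
    return [r for r in results if r["warnings"]]


if __name__ == "__main__":
    for result in scan():
        print(result["address"], "->", "; ".join(result["warnings"]))
```

The check only catches an address written into the display name; a plain lookalike name such as "University Support" cannot be detected this way, which is why the real address itself must be inspected.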

Sender forgeries in Roundcube

The webmail client (Roundcube) does not show the sender address in the message list view. However, the sender address is always displayed in the message view.


Sender Forgeries in Mozilla Thunderbird

By default, Thunderbird hides the sender address for email addresses already in the address book.

The address book, however, also includes the list of "Collected Addresses", which contains all addresses that a message was sent to. This also includes the sender of every message that was replied to at least once.

Under Settings > General > Message List you can force the sender address to be shown.

[Screenshot: Thunderbird settings, "always show email address"]

Sender Forgeries in Microsoft Outlook

Outlook does not show the sender address in the message list view.

However, at least Outlook 2019 shows the sender address in the message view.

The situation is similar in Exchange webmail (OWA).

Digitally Signed Messages

Mails from the computing center are digitally signed whenever possible. Such a digital signature can be validated and displayed by mail applications:

  • Roundcube displays a banner indicating that the message is signed and the signature is valid.
    [Screenshot: signed message in Roundcube]
  • Thunderbird displays a seal with ribbons and the text S/MIME.
    [Screenshot: signed message in Thunderbird]
  • Microsoft Outlook shows a banner and a short message. Note that Outlook only checks whether the signature is valid, not whether the signature matches the sender address.
    [Screenshot: signed message in Microsoft Outlook]

Note that most mobile mail clients do not support digital signatures. Please take extra care on such devices.