Decades-Old Email Flaws Could Let Attackers Mask Their Identities

Those industry-standard "headers," as they're known, include date and time sent and received, language, a unique identifier called a Message-ID, and routing information.The researchers found that by strategically manipulating different header fields they can produce different types of attacks, all of which can be used to deceive the person on the other end of an email. Those sorts of incongruities create openings for attackers to set up strategic email domains or manipulate message headers to pose as someone else.The second category focuses on manipulating similar inconsistencies, but between the mail server that receives your message and the app that actually displays it to you. Depending on where the email service lands on that spectrum—and how the mail client is configured—attackers can game this progression to send emails that look like they came from a different address than they really did.The researchers call the third category "ambiguous replay," because it includes different methods of hijacking and repurposing (or replaying) a legitimate email an attacker has received. That bit of misdirection makes it look like the attacker's message came from the original, legitimate sender and has been fully authenticated.Though most people use their email accounts without ever checking what's in all of these hidden headers, email services provide the option.