Cisco Email Security Appliance X1050 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 4 of 22
Anatomy of a Forged Message and Its SMTP Details
The structure of the message in Figure 2 is very similar to our first variant in Figure 1. Both are examples of Envelope From abuse. The Envelope From field, shown below in the Simple Mail Transfer Protocol (SMTP) connection, is illegally using the domain name alpha.com. Envelope From abuse is easily remediated with sender verification, discussed later. But the problem is that sender verification checks only the SMTP envelope portion shown in Figure 2. The harder-to-detect spoofs introduced earlier (From abuse, cousin domain abuse, and free email account abuse) all have legal SMTP envelope portions, but the body portions of the message are designed to deceive the recipient. These two portions do not have to agree. In fact, there are legitimate external mailing lists in which they may not.
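The envelope/body split described above, as an added example that is not part of the Cisco white paper: it parses a constructed SMTP transcript, compares the MAIL FROM domain that sender verification sees with the body From: domain that the recipient sees, and treats a List-Id header as the mailing-list case in which the two may legitimately differ. The function and header names are this example's own; only alpha.com comes from the text, all other domains are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed transcript: a legal envelope domain carrying a forged body From:
# (the "From abuse" pattern). Domains other than alpha.com are placeholders.
SPOOFED_SESSION = (
    "MAIL FROM:<bounce@mailer.example.net>\n"
    "RCPT TO:<staff@victim.example>\n"
    "DATA\n"
    'From: "Alpha Billing" <billing@alpha.com>\n'
    "To: staff@victim.example\n"
    "Subject: Invoice\n"
    "\n"
    "Please see the attached invoice.\n"
    ".\n"
)

# Constructed transcript of a legitimate mailing list, where the envelope
# and body From: differ by design and a List-Id header is present.
LIST_SESSION = (
    "MAIL FROM:<discuss-bounces@lists.example.org>\n"
    "RCPT TO:<staff@victim.example>\n"
    "DATA\n"
    "From: member@alpha.com\n"
    "List-Id: <discuss.lists.example.org>\n"
    "Subject: [discuss] agenda\n"
    "\n"
    "Agenda attached.\n"
    ".\n"
)

def split_session(transcript):
    """Return (envelope MAIL FROM address, raw message between DATA and '.')."""
    envelope_part, _, data_part = transcript.partition("DATA\n")
    m = re.search(r"^MAIL FROM:\s*<([^>]*)>", envelope_part, re.M | re.I)
    return (m.group(1) if m else ""), data_part.rsplit("\n.\n", 1)[0]

def domain_of(address):
    """Lower-cased domain of a mailbox, '' if the address has none."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def envelope_header_alignment(transcript):
    """Verdict: 'aligned', 'mailing_list' (differ, List-Id set) or 'misaligned'."""
    envelope_from, raw_message = split_session(transcript)
    msg = message_from_string(raw_message)
    env_dom, hdr_dom = domain_of(envelope_from), domain_of(msg.get("From", ""))
    if env_dom == hdr_dom:
        verdict = "aligned"
    elif msg.get("List-Id"):
        verdict = "mailing_list"
    else:
        verdict = "misaligned"
    return {"envelope_domain": env_dom, "header_domain": hdr_dom, "verdict": verdict}
```

A sender-verification check alone would accept both transcripts, since each envelope domain is legal; only the body comparison separates the forged From: from the list traffic.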
Figure 2. SMTP Envelope and Body of Envelope From Abuse