Forensic analysis of E-mail address spoofing

E-mail is the most widely used application on the internet. However E-mail application is not totally reliable and safe communication medium as loopholes in protocols make the attacker able to misuse it for sending spoofed E-mails. E-mail sender spoofing is a major problem of the E-mail system. E-mail sender spoofing is a malicious activity in which the source is being modified and presented as if the E-mail is coming from intended sender whereas the original sender is an attacker. This paper presents the behavior of different E-mail client applications while receiving the sender spoofed E-mails. We propose an investigation algorithm for sender spoofing which will check for spoofed addresses in E-mail by performing extensive analysis on E-mail header fields. We have taken basically four fields into consideration i.e. Received SPF, DKIM, DKIM-Signature, and DMARC. Our algorithm checks for valid values of the fields; any invalid value indicates an unauthorized E-mail. We have created dataset of spoofed & legitimate E-mails in our lab and performed the analysis on E-mail headers for invalid values. Our proposed algorithm is able to detect address spoofed E-mails.