0
votes

Let's assume that I use a telnet session and send an email with address [email protected] to [email protected], but in fact I am [email protected]...

On [email protected] I have a WCF web service running that's monitoring that specific mailbox using Exchange Web Services...

How can I tell that the message from [email protected] actually came from [email protected]?

I am using Visual Studio 2010 with .NET 4.0 and EWS Managed API 1.1. The server is configured to use SSL and I have Exchange Server 2007 SP1.

I tried the two properties "Sender" and "From", but they are identical and both point to bob... nothing in the message header actually points to charly... everything points to bob... Any ideas? Things that I might have overlooked?

2 Answers

1
votes

If you want to make sure that identity spoofing is not possible using an email service, you can use cryptographic signatures. PGP / GPG and S/MIME are common technologies in use to implement this.

This requires every mail sent from [email protected] to be signed by her with a secret. The key or certificate she uses to do this must be trusted by your webservice. Your webservice can verify that a mail has really been sent by Alice by checking the validity of the signature. Only someone who possesses the secret of Alice can create such a valid signature. If the signature is wrong or missing, your webservice can trigger an alert.

Should the real Alice forget to sign an email, your service will trigger as well, because it cannot tell if it really was Alice who sent that mail. You also need to make sure that the secret in use can only be accessed by Alice. If you need further information, you should read up on public key cryptography.
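
The check described in the answer above, written in C# for .NET 4.0 as an added example (not code from the answer's author or from the EWS Managed API). It assumes S/MIME with a detached signature and that the caller has already split the message's MIME content into the signed part and the PKCS#7 blob; `SenderCheck`, `SignedMailCheck` and the `pinned` allow-list are hypothetical names introduced here.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;   // add a reference to System.Security.dll

public enum SenderCheck { Verified, SignatureMissing, SignatureInvalid, SignerNotTrusted }

public static class SignedMailCheck
{
    // pinned: claimed From address -> thumbprint of the certificate the service
    //   trusts for that sender (hypothetical allow-list; build the dictionary
    //   with StringComparer.OrdinalIgnoreCase so address casing does not matter).
    // signedPart: exact bytes of the first part of the multipart/signed body.
    // pkcs7: decoded bytes of the application/pkcs7-signature part, or null.
    public static SenderCheck Verify(string fromAddress, byte[] signedPart,
                                     byte[] pkcs7, IDictionary<string, string> pinned)
    {
        // Unsigned mail is handled like forged mail: the two cannot be told apart.
        if (pkcs7 == null || pkcs7.Length == 0)
            return SenderCheck.SignatureMissing;

        string expected;
        if (!pinned.TryGetValue(fromAddress, out expected))
            return SenderCheck.SignerNotTrusted;

        var cms = new SignedCms(new ContentInfo(signedPart), true);  // true = detached
        try
        {
            cms.Decode(pkcs7);
            // true = verify the signature only; trust comes from the pin below,
            // so chain building and revocation are not evaluated here.
            cms.CheckSignature(true);
        }
        catch (CryptographicException)
        {
            return SenderCheck.SignatureInvalid;   // altered body or malformed blob
        }

        // A valid signature by someone is not enough: the signer must be the
        // certificate pinned for the address shown in From.
        foreach (SignerInfo signer in cms.SignerInfos)
        {
            if (signer.Certificate != null && string.Equals(
                    signer.Certificate.Thumbprint, expected, StringComparison.OrdinalIgnoreCase))
                return SenderCheck.Verified;
        }
        return SenderCheck.SignerNotTrusted;
    }
}
```

Any result other than `Verified` is the case where the web service raises its alert.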

0
votes

I don't think you can detect such practices with the EWS Managed API; at least I don't see anything that could be helpful in this situation. Unless the valid sender is recognized with the use of some cryptographic signatures, or you can somehow mark messages from valid senders with your own extended property that only you (your software) create and use, you have to believe that the mail was sent by whoever is showing up in the Sender or From property.