Court order halts spoof mailer

Ross Bentley

A major software supplier has successfully identified and pursued an e-mail spoofer who was mailing the firm's customers with damaging messages, following an offer of a £25,000 bounty for information leading to the perpetrator.

ERP software supplier Geac had been blighted by a series of e-mail break-ins over the summer, where mail purporting to come from Geac staff was sent around the company intranet as well as to several hundred customers and partners.

The case is a lesson to IT managers in all industry sectors who may have to limit the damage caused by someone maliciously spoofing company e-mail.

Geac managing director Chris Allen detailed the path to the spoofer. "We employed security specialist Vogon to locate those responsible. It tracked down the e-mail ID to the ISP. We then needed to get a court order against the ISP so it would release the telephone number which had been used.

"We had to obtain a second order to recover the computer equipment from the corresponding address. This was enough to convince the court to issue an injunction against the man, prohibiting him from sending more spoofs."

The spoofer turned out to be a disgruntled ex-employee who was made redundant last year. On finding the culprit, Geac ended the suspension of a second employee who was initially the prime suspect because the e-mails had been routed through his mailbox.

Allen said the effort in tracking down the spoofer was necessary in order to send out a signal to others thinking about doing the same thing, and also to free others from suspicion.

In addition, Geac needed to prove to customers action was being taken. "Because our customers received some of the spoof e-mails, we had to work to show them that we were in control of the situation," said Allen.

Fran Davey, legal adviser at law firm DLA, who worked on the case, said this was only the second example he could recall where an e-mail spoofer in the UK had been identified and faced court action.

"This is a sensitive case," he said. "Throughout the investigation we had to be sure we were targeting the search based on information, rather than carrying out a blanket search that would have contravened some of the new laws."

What to do if you suspect a spoof attack

Clifford May, computer investigations manager at Vogon International, offers some advice on dealing with spoof e-mails:

  • Secure back-ups of all mail files immediately (electronic copies of e-mails are vital, as such information as Internet headers are not available on printed copies)

  • Maintain secrecy (inform as few people as possible - the perpetrator could be in-house)

  • Act quickly (ISPs, for instance, do not maintain logs for long, and this may be vital in tracing the sender)

  • Seek professional advice (if you don't know what you are doing you could destroy the "chain of evidence")

  • Secure all dial-in access (ensure nobody can withhold their telephone numbers, enable dial-back, etc.)
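The first point in the list is that electronic copies matter because the Internet headers are what let an investigator trace a message back through each relay to the ISP. As an added illustration (this is not code from the article, from Geac or from Vogon), the script below preserves a raw message with a SHA-256 digest so the copy can later be shown to be unaltered, walks the Received: chain from the recipient back to the originating host, and flags when that origin sits outside the domain the From: line claims. The sample message, the host names and the IP addresses are constructed for the example and use reserved documentation ranges; they do not describe the Geac incident. It also shows why the innocent colleague in the story was suspected: the message passed through his mailbox, so the inner relay looks like the company server, and only the outermost hop points at the real sender.

```python
import email
import hashlib
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not from the article). The From: line claims a
# company staff address, but the innermost Received: header, the one written
# first and therefore the closest to the true sender, shows a dial-up host at
# an outside ISP. 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
RAW_MESSAGE = b"""Received: from mail.geac.example.com (mail.geac.example.com [192.0.2.10])
\tby mx.customer.example.net with ESMTP id abc123; Mon, 12 Jul 1999 09:15:02 +0100
Received: from dialup-pool-42.isp.example (dialup-pool-42.isp.example [198.51.100.42])
\tby mail.geac.example.com with SMTP id xyz789; Mon, 12 Jul 1999 09:14:51 +0100
From: "Chris Allen" <chris.allen@geac.example.com>
To: customer@customer.example.net
Subject: Important notice
Date: Mon, 12 Jul 1999 09:14:40 +0100
Message-ID: <19990712081440.12345@geac.example.com>

This is a constructed body for the example.
"""

# Matches the "from <helo> (<rdns> [<ip>]) ... by <host>" clause of a Received: header.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def evidence_digest(raw: bytes) -> str:
    """SHA-256 of the raw bytes: record it when the copy is secured so a later
    comparison can show the preserved file has not changed."""
    return hashlib.sha256(raw).hexdigest()


def received_hops(raw: bytes) -> list:
    """Return the Received: chain in header order, i.e. from the hop nearest
    the recipient (first) back to the hop nearest the sender (last)."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        m = HOP_RE.search(flat)
        if not m:
            continue
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
        hops.append({
            "helo": m["helo"],
            "rdns": m["rdns"],
            "ip": m["ip"],
            "by": m["by"],
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def origin_hop(raw: bytes):
    """The last Received: header was written by the first relay, so it names
    the host that handed the message in: the lead to take to the ISP."""
    hops = received_hops(raw)
    return hops[-1] if hops else None


def summarise(raw: bytes) -> dict:
    """Collect what an investigator needs in one record: digest, claimed
    sender, the origin hop, and whether that origin is outside the claimed
    sender's domain (a heuristic flag, not proof of spoofing on its own)."""
    msg = email.message_from_bytes(raw)
    claimed = parseaddr(msg.get("From", ""))[1]
    domain = claimed.rsplit("@", 1)[-1].lower() if "@" in claimed else ""
    origin = origin_hop(raw)
    origin_host = ((origin or {}).get("rdns") or (origin or {}).get("helo") or "").lower()
    return {
        "sha256": evidence_digest(raw),
        "claimed_from": claimed,
        "origin_ip": origin["ip"] if origin else None,
        "origin_host": origin_host or None,
        "hop_count": len(received_hops(raw)),
        "origin_outside_claimed_domain": bool(domain) and not origin_host.endswith(domain),
    }


if __name__ == "__main__":
    for key, value in summarise(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The digest should be recorded at the moment the mail store is copied, before anyone opens or forwards the message, since any later handling changes headers and breaks the chain of evidence the article warns about. Received: headers can be forged by the sender too, but only for hops before the first trustworthy relay, which is why the chain is read from the recipient's own server backwards.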
