
How to forge email

Recently someone asked me whether an email she received was spam. It seemed to be from a well-known bank (Belfius.be) in Belgium. It stated that some information was outdated and that it needed revision. Of course, the first thing that comes to mind is that it is spam. Why?

  • Loads of errors in language, bad sentences.
  • The link that was provided was an evil link: it appeared as if it led to the website of belfius (something like belfius.be/revision1285). But when hovering over it, you could see that it actually referred to a completely other website. A .ca domain even.

Now, I immediately said “Don’t you click on that link”, but something made me wonder. The sender’s email was [email protected] and belfius.be is the official website of the bank. So, how can this be? How can they fake their email address?


Simple. By editing the From: header while sending the mail. This is known as “Email spoofing”. The From: header is easily editable if you’re sending the mail via PHP or something, no fancy tricks required. What is not editable, though, is the IP address/domain name of the site from which it originated. If you check the plaintext email (in Gmail, go to the menu next to the reply button, and “show original message”), the Received: headers carry all the information about its path (the deeper down the Received: header is, the further back in the email chain it is). Note that an email passing through multiple hops can have some of the deeper headers spoofed as well. You need to go downwards, seeing which headers (i.e. sites) you trust.

Each header will say something like Received: from abc.com (IP address) by something.google.com (IP) (assuming you have Gmail — otherwise the by will be different). Now, this header was written by the by part. Start at the top; the first few Received: headers won’t have a from / by. Find the first one with those. Its by will belong to your email provider — which you trust. See if you trust the from, and if you do, go on to the next Received: header (which you now trust), and so on. If you don’t trust a header in between, all the ones below it cannot be trusted — those may have been spoofed.

Gmail generally detects spoofing, though, and puts a “[email protected] via [email protected]” sort of hatnote on the email. Note that there are perfectly legitimate uses of email spoofing — many mailing lists spoof emails for a smoother experience. So do certain fora/message boards. Here, they send the email to make it look like it came from the original poster. The Reply-To: header is set to the list/webapp/whatever email id, so replying to it will by default go to the list(/etc). The list can then deal with it as it sees fit — it can check for spam, maybe put on hold for moderation, etc. When it wants to send it, it will spoof your address and send it to everyone on the list (which is exactly what you wanted — to be able to have email-based discussions without using “Reply to All” and keeping a list of contacts to copy-paste).

What some “legitimate” spoofers do is that they set the Sender: header to their own id. This is supposed to mean “Sent by Sender on behalf of From “. Note that the presence of a Sender: header doesn’t mean anything when it comes to “illegitimate” spoofing — that header is spoofable as well. Like I said, the only way to check is via the Received headers.

@chrisbhoffman
September 28, 2016, 10:47am EDT


Consider this a public service announcement: Scammers can forge email addresses. Your email program may say a message is from a certain email address, but it may be from another address entirely.

Email protocols don’t verify addresses are legitimate — scammers, phishers, and other malicious individuals exploit this weakness in the system. You can examine a suspicious email’s headers to see if its address was forged.

How Email Works

Your email software displays who an email is from in the “From” field. However, no verification is actually performed – your email software has no way of knowing if an email is actually from who it says it’s from. Each email includes a “From” header, which can be forged – for example, any scammer could send you an email that appears to be from [email protected]. Your email client would tell you this is an email from Bill Gates, but it has no way of actually checking.


Emails with forged addresses may appear to be from your bank or another legitimate business. They’ll often ask you for sensitive information such as your credit card information or social security number, perhaps after clicking a link that leads to a phishing site designed to look like a legitimate website.

Think of an email’s “From” field as the digital equivalent of the return address printed on envelopes you receive in the mail. Generally, people put an accurate return address on mail. However, anyone can write anything they like in the return address field – the postal service doesn’t verify that a letter is actually from the return address printed on it.

When SMTP (simple mail transfer protocol) was designed in the 1980s for use by academia and government agencies, verification of senders was not a concern.

How to Investigate an Email’s Headers

You can see more details about an email by digging into the email’s headers. This information is located in different areas in different email clients – it may be known as the email’s “source” or “headers.”

(Of course, it’s generally a good idea to disregard suspicious emails entirely – if you’re at all unsure about an email, it’s probably a scam.)

In Gmail, you can examine this information by clicking the arrow at the top right corner of an email and selecting Show original. This displays the email’s raw contents.


Below you’ll find the contents of an actual spam email with a forged email address. We’ll explain how to decode this information.

Delivered-To: [MY EMAIL ADDRESS]
Received: by 10.182.3.66 with SMTP id a2csp104490oba;
Sat, 11 Aug 2012 15:32:15 -0700 (PDT)
Received: by 10.14.212.72 with SMTP id x48mr8232338eeo.40.1344724334578;
Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Return-Path:
Received: from 72-255-12-30.client.stsn.net (72-255-12-30.client.stsn.net. [72.255.12.30])
by mx.google.com with ESMTP id c41si1698069eem.38.2012.08.11.15.32.13;
Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Received-SPF: neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=72.255.12.30;
Authentication-Results: mx.google.com; spf=neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: by vwidxus.net id hnt67m0ce87b for ; Sun, 12 Aug 2012 10:01:06 -0500 (envelope-from )
Received: from vwidxus.net by web.vwidxus.net with local (Mailing Server 4.69)
id 34597139-886586-27/./PV3Xa/WiSKhnO+7kCTI+xNiKJsH/rC/
for [email protected]; Sun, 12 Aug 2012 10:01:06 -0500

From: “Canadian Pharmacy” [email protected]

There are more headers, but these are the important ones – they appear at the top of the email’s raw text. To understand these headers, start from the bottom – these headers trace the email’s route from its sender to you. Each server that receives the email adds more headers to the top — the oldest headers from the servers where the email started out are located at the bottom.

The “From” header at the bottom claims the email is from an @yahoo.com address – this is just a piece of information included with the email; it could be anything at all. However, above it we can see that the email was first received by “vwidxus.net” (below) before being received by Google’s email servers (above). This is a red flag – we’d expect to see the lowest “Received:” header on the list as one of Yahoo!’s email servers.

The IP addresses involved may also clue you in – if you receive a suspicious email from an American bank but the IP address it was received from resolves to Nigeria or Russia, that’s likely a forged email address.
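The Q&A answer earlier on this page and the header walk-through just above describe the same manual procedure: start at the top of the Received: chain, trust only the hop written by your own provider, note which host handed the message to it, and compare that with what the From: line claims. The following Python script, added here as an example and not code from any of the quoted authors, automates that walk over the page’s own spam sample. The sample headers are re-typed as a constructed input: every address the page redacts is replaced with a made-up one (recipient@example.net, sender@vwidxus.net, pharmacy@yahoo.com), and the set of trusted receiving hosts (google.com) is an assumption you would replace with your own provider’s domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The spam sample's headers from the page, re-typed as a constructed input:
# redacted addresses are replaced with made-up ones and the empty Return-Path
# stays empty. Hosts, IPs, ids and timestamps are the page's own.
SAMPLE_HEADERS = """\
Delivered-To: recipient@example.net
Received: by 10.182.3.66 with SMTP id a2csp104490oba;
        Sat, 11 Aug 2012 15:32:15 -0700 (PDT)
Received: by 10.14.212.72 with SMTP id x48mr8232338eeo.40.1344724334578;
        Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Return-Path: <>
Received: from 72-255-12-30.client.stsn.net (72-255-12-30.client.stsn.net. [72.255.12.30])
        by mx.google.com with ESMTP id c41si1698069eem.38.2012.08.11.15.32.13;
        Sat, 11 Aug 2012 15:32:14 -0700 (PDT)
Received-SPF: neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of sender@vwidxus.net) client-ip=72.255.12.30;
Authentication-Results: mx.google.com; spf=neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of sender@vwidxus.net) smtp.mail=sender@vwidxus.net
Received: by vwidxus.net id hnt67m0ce87b for <recipient@example.net>; Sun, 12 Aug 2012 10:01:06 -0500 (envelope-from <sender@vwidxus.net>)
Received: from vwidxus.net by web.vwidxus.net with local (Mailing Server 4.69)
        id 34597139-886586-27/./PV3Xa/WiSKhnO+7kCTI+xNiKJsH/rC/
        for recipient@example.net; Sun, 12 Aug 2012 10:01:06 -0500
From: "Canadian Pharmacy" <pharmacy@yahoo.com>
"""


def _host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    if not host:
        return False
    host = host.lower().rstrip('.')
    return any(host == s or host.endswith('.' + s) for s in suffixes)


def received_hops(raw):
    """Return the Received: headers top-to-bottom (newest first). Each hop
    records the 'by' host that wrote the header and the 'from' host it says
    it got the message from; provider-internal hops have no 'from'."""
    hops = []
    for value in message_from_string(raw).get_all('Received', []):
        text = ' '.join(value.split())           # unfold continuation lines
        m_from = re.match(r'from\s+(\S+)', text)
        m_by = re.search(r'\bby\s+(\S+)', text)
        hops.append({'from': m_from.group(1) if m_from else None,
                     'by': m_by.group(1) if m_by else None})
    return hops


def trust_boundary(hops, trusted_suffixes):
    """The answer's walk: a header counts only if its 'by' host is trusted, and
    its 'from' host becomes trusted for the next header down. Returns the index
    of the first hop that breaks the chain; hops below it may be forged."""
    for i, hop in enumerate(hops):
        if hop['from'] is None or hop['by'] is None:
            continue                             # internal hop, no hand-off
        if not _host_matches(hop['by'], trusted_suffixes):
            return i                             # written by an untrusted host
        if not _host_matches(hop['from'], trusted_suffixes):
            return i                             # hand-off from outside
    return len(hops)


def assess(raw, trusted_suffixes=('google.com',)):
    """Cross-check the From: claim against the trusted end of the Received:
    chain and the SPF verdict our own server recorded."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    claimed = parseaddr(msg.get('From', ''))[1].rpartition('@')[2].lower()
    boundary = trust_boundary(hops, trusted_suffixes)
    handoff = None                               # host that handed the mail to us
    if boundary < len(hops) and _host_matches(hops[boundary]['by'], trusted_suffixes):
        handoff = hops[boundary]['from']
    below = hops[boundary + 1:] if handoff else hops[boundary:]
    auth = ' '.join((msg.get('Authentication-Results') or '').split())
    m = re.search(r'\bspf=(\w+)', auth)
    spf = m.group(1).lower() if m else 'none'
    findings = []
    if claimed and handoff and not _host_matches(handoff, (claimed,)):
        findings.append('From: claims %s but our server got it from %s' % (claimed, handoff))
    earliest = next((h['by'] for h in reversed(hops) if h['by']), None)
    if claimed and earliest and not _host_matches(earliest, (claimed,)):
        findings.append('earliest Received: was written by %s, not a %s host' % (earliest, claimed))
    if spf in ('fail', 'softfail'):
        findings.append('SPF result is ' + spf)
    return {'claimed_domain': claimed, 'handoff_host': handoff, 'spf': spf,
            'unverified_hosts': [h['by'] for h in below if h['by']],
            'findings': findings,
            'verdict': 'suspicious' if findings else 'no header anomalies'}


if __name__ == '__main__':
    for key, value in assess(SAMPLE_HEADERS).items():
        print('%-17s %s' % (key + ':', value))
```

On the sample this reports that the From: line claims yahoo.com while Google’s server received the message from 72-255-12-30.client.stsn.net, that the two lowest headers were written by vwidxus.net hosts, and that SPF was only “neutral”. Treat the findings as red flags rather than a verdict: mailing lists and bulk-mail providers legitimately hand off mail from hosts that are not the From: domain, which is why receivers rely on SPF/DKIM alignment under DMARC rather than on host names alone.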

“From” spoofing is how spammers send email that looks like it comes from you that you had nothing at all to do with. I’ll look at how it’s done.

No. You have not been hacked.

“From” spoofing means faking the “From:” address on an email to make it look like it came from you. To do it, spammers don’t need access to your account at all. I’d say that 99.99% of the time it has nothing at all to do with your account, which is quite safe.

They only need your email address.

While your email account and your email address are related, they are not the same thing.

Accounts versus addresses

Let me say that again: your email address is one thing, and your email account is another.

  • Your email account is what you use to log in and gain access to the email you’ve received. In most cases, it’s also what you use to log in in order to be able to send email.
  • Your email address is the information that allows the email system to route messages to your inbox. It’s what you give other people, like I might give you [email protected]

The two are related only to the extent that email routed to you using your email address is placed into the inbox accessed by your email account.

To see how spammers get away with “From” spoofing, let’s look at sending email.

Addresses, accounts, and sending email

Let’s take a quick look at how you create an account in an email program, like the email program that comes with Windows 10. Using “Advanced Setup” for “Internet email”, we get a dialog asking for a variety of information.

Add an Account in the Windows Mail program.

I’ll focus on three key pieces of information you provide.

  • Email address — This is the email address that will be displayed on the “From:” line in emails you send. Normally, you would want this to be your email address, but in reality, you can type in whatever you like.
  • User name — This, with the Password below it, is what identifies you to the mail service, grants you access to your mailbox for incoming mail, and authorizes you to send email.
  • Send your messages using this name — Called the “display name”, this is the name that will be displayed on the “From:” line in emails you send. Normally you would want this to be your own name, but in reality, you can type in whatever you like.

Very often, email programs display email addresses using both the display name and email address, with the email address in angle brackets:

From: Display name <email address>

This is used when most email programs create your email, and that’s what you’ll then see in the “From:” line.

“From” Spoofing

To send email appearing to be from someone else, all you need to do is create an email account in your favorite email program, and use your own email account information while specifying someone else’s email address and name.

Adding a fake From: to an account configuration.

Looking at those same three bits of information:

  • Email address — As we said above, it can be whatever you like. In this case, email sent from this account will look like it’s “From:” [email protected]
  • User name — This, with the Password below it, is what identifies you to the mail service, grants you access to your mailbox for incoming mail, and authorizes you to send email. This hasn’t changed.
  • Send your messages using this name — Again, this can be whatever you like. In this case, email from this account will appear to come “From:” Santa Claus.

Email sent using this configuration would have a spoofed “From:” address:

From: Santa Claus

And that — or its equivalent — is exactly what spammers do.

Caveats

Before you try spoofing email from Santa Claus yourself, there are a few catches:

  • Your email program might not support it. For example, most web-based email services don’t have a way to specify a different email address to send from, or if they do, they require you to confirm you can access email sent to that address first. However, sometimes you can connect to those same services using a desktop email program, like Microsoft Office Outlook, as I’ve shown above, and configure it to do so.
  • Your email service might not support it. Some ISPs check the “From:” address on outgoing email to make sure it hasn’t been spoofed. Unfortunately, with the proliferation of custom domains, this approach is falling out of favor. For example, I might want to use the email account I have with my ISP [Internet Service Provider]

Spammers don’t care. They use so-called “botnets” or “zombies” that act more like full-fledged mail servers than mail clients (Microsoft Office Outlook, Thunderbird, and so on). They completely bypass the need to log in by attempting to deliver email directly to the recipient’s email server. It’s pretty close to anonymous as spam

Where’d they get my email address?

So you might be asking yourself: if they didn’t compromise your account, where did they get your email address?

Spammers get email addresses everywhere. Data breaches, public postings, emails forwarded by friends without removing your email address, less-than-reputable companies, some kinds of bulletin board postings, and more.

Basically, spammers get your email address from wherever they can but they don’t need access to your account to do it.

The “From:” spoofing takeaway

There’s nothing special about the “From:” address. It’s just another field which, like the “To:” field, can be set to any value you like. By convention — and sometimes automatically — we set it to our own email address when we send mail, so we get any replies. But there’s nothing that says it has to be that way.

And there’s nothing that forces it to be that way.

Similarly, since it’s just a setting on outgoing email, seeing a particular “From:” address doesn’t imply any relationship to the actual account that would receive email sent to that address. Spammers don’t need access to the account to make it appear in a “From:” line; all they need to do is type it in the account settings. Nothing more.

That spam didn’t really come from that address at all.


In my day job as the communications guy for ValiMail, I spend a lot of time explaining how easy it is to create fraudulent emails using an email address that doesn’t belong to you.

A faked “from” address is, in fact, how the majority of email attacks happen. And email attacks (aka phishing) are how the majority (actually the vast majority) of cyberattacks begin. So the ease of faking emails from people is a major vulnerability.

But, you ask, why would I bother faking an email from “company.com” when I could just register a fake lookalike domain (like c0mpany.com) and use that? Or create a Gmail account ([email protected]) and give it a friendly name that looks like the CEO of a company?

Well, actually, it’s significantly easier to forge the address of a real person at a real company than it is to register a fake domain, or even to create a throwaway Gmail account.

Here’s how easy it is.

Find a website like deadfake, which describes itself as “a site that lets you send free fake emails to anyone you like.” Or anonymailer.net. Or spoofbox.com. There are dozens. Many of them are free; some cost a little money to send mail. Then:

  1. Enter your recipient’s email address in the To: field.
  2. Put whatever email address you want in the From: field.
  3. Craft your message and press the Send Now! Button.

Here’s a message I sent to myself using President Trump’s address. Note that Gmail is suspicious of the source — that’s why it put a little red question mark next to the address.


Unix command line

If you have a computer that’s set up with mail services — or you can telnet or SSH to a computer that has mail services — you can forge a from address with one line. Just type this:

That creates a message that says “[email protected]” in the From field. Type in a subject line and the rest of your message, press Ctrl-D when you’re done, and off the message goes.

This doesn’t work in every version of Unix, and whether it works at all depends on how your system is set up (whether it’s connected to Sendmail, etc.). Still, this is the basic idea and it works in many systems.

Because I’m not very sophisticated about programming I use PHP when I need to code stuff for my personal websites. It’s fast, easy, and used by about 90% of the people (like me) who don’t know any more about programming than they were able to pick up through Google searches and by stealing snippets of code published on various public forums. (Which is also why PHP is often accused of being insecure.) Hey, I built a whole website content management system in PHP. If I can figure it out, how hard can it be?

Without getting into all the pros and cons of PHP, I will say that it is perfect for email purposes. You can forge emails with five lines of very simple PHP code:

Note: These are actual lines of code used as an example in the online manual for PHP’s mail() function. I took out a couple of lines you don’t actually need.

Again: configurations vary; maybe this won’t work on every version of PHP on every server.

Email Is a Very Trusting Place

The email world, until quite recently, was an entirely trusting place. Most of it still is. No matter who I am, if I use the Unix mail command or PHP mail(), the email goes off into the internet and the internet obligingly delivers it to whomever, with the exact headers that I specified. Nobody checks to see if I own the address I used in the from field. Nobody cares.

Well, almost nobody: As I noted above, Gmail and some other mail clients are starting to flag mail that looks suspicious, like my anonymailer message. Still, that’s dependent on the client you use and/or the receiving mail server.

Granted, these spoofing tools are pretty simplistic. If I want to do some fancier formatting and make my messages look even more realistic, it takes a little more work. But the basic forgery is just that simple.

The only thing truly stopping fake From addresses is email authentication using a standard called DMARC. But that only works if the domain you’re trying to fake has published a DMARC record and set it to an enforcement policy. Then, and only then, will almost all email servers that receive messages (Gmail, Yahoo Mail, etc.) block the faked emails.

Fortunately for fraudsters, most of the Internet’s domains haven’t done this yet. For example, only about 4% of .gov domains have protected themselves.

As for the other 96%? Fraudsters can forge emails from those domains all day long with no repercussions.
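To make the difference between “published a DMARC record” and “set it to an enforcement policy” concrete, here is a small Python model of the receiver-side decision, added as an example and not code from ValiMail or any mail provider. The DMARC records are constructed for the hypothetical domain example.com (they are not the records of any real domain named on this page), the caller supplies the SPF and DKIM outcomes that a real receiver would get from its own evaluation, and the organizational-domain shortcut is an assumption noted in the code.

```python
from email.utils import parseaddr

# Constructed DMARC TXT records for the hypothetical domain example.com.
MONITOR_ONLY = 'v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com'
ENFORCING = 'v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com'
STRICT_SPF = 'v=DMARC1; p=reject; aspf=s'
SUBDOMAIN_POLICY = 'v=DMARC1; p=reject; sp=quarantine'


def parse_dmarc(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into its tags."""
    tags = {}
    for part in txt.split(';'):
        if '=' in part:
            key, value = part.split('=', 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get('v') != 'DMARC1' or 'p' not in tags:
        raise ValueError('not a DMARC record: %r' % txt)
    return tags


def is_enforcing(txt):
    """Only p=quarantine or p=reject makes receivers act on failures;
    p=none merely asks for aggregate reports."""
    return parse_dmarc(txt)['p'].lower() in ('quarantine', 'reject')


def org_domain(domain):
    """Organizational domain, approximated here as the last two labels.
    Real receivers consult the Public Suffix List so that names under
    suffixes like co.uk are handled correctly; the shortcut is an assumption."""
    return '.'.join(domain.lower().rstrip('.').split('.')[-2:])


def aligned(from_domain, authenticated_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) accepts the same organizational domain."""
    if not authenticated_domain:
        return False
    if mode.lower() == 's':
        return from_domain.lower() == authenticated_domain.lower()
    return org_domain(from_domain) == org_domain(authenticated_domain)


def dmarc_disposition(record, policy_domain, header_from,
                      spf_pass_domain=None, dkim_pass_domain=None):
    """What a receiver does with one message.

    record           the TXT record found at _dmarc.<policy_domain>
    header_from      the From: header, i.e. the address the user sees
    spf_pass_domain  the MAIL FROM domain if SPF returned pass, else None
    dkim_pass_domain the d= domain of a DKIM signature that verified, else None
    """
    tags = parse_dmarc(record)
    from_domain = parseaddr(header_from)[1].rpartition('@')[2].lower()
    spf_aligned = aligned(from_domain, spf_pass_domain, tags.get('aspf', 'r'))
    dkim_aligned = aligned(from_domain, dkim_pass_domain, tags.get('adkim', 'r'))
    if spf_aligned or dkim_aligned:
        return {'result': 'pass', 'disposition': 'none', 'from_domain': from_domain}
    policy = tags['p'].lower()
    if from_domain != policy_domain.lower() and 'sp' in tags:
        policy = tags['sp'].lower()       # sp= overrides p= for subdomains
    return {'result': 'fail', 'disposition': policy, 'from_domain': from_domain}


if __name__ == '__main__':
    # A forged From: example.com message sent from a host whose own SPF passes
    # for an unrelated domain: authenticated, but not aligned, so it fails.
    forged = 'CEO <ceo@example.com>'
    print(dmarc_disposition(MONITOR_ONLY, 'example.com', forged,
                            spf_pass_domain='mail.spoofsender.test'))
    print(dmarc_disposition(ENFORCING, 'example.com', forged,
                            spf_pass_domain='mail.spoofsender.test'))
```

The two printed lines are the point of the passage: with p=none the forged message fails DMARC yet is still delivered (the owner only gets a report), while p=reject tells the receiver to refuse it. Note that SPF passing for the spoofing host’s own envelope domain does not help the forger, because alignment requires the authenticated domain to match the domain in the From: header.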

Domains like justice.gov. House.gov. Senate.gov. Whitehouse.gov.

And also domains like democrats.org, dnc.org, gop.com, rnc.org. And DonaldJTrump.com.

All of them can be easily faked by email scammers with access to a Unix command line or some rudimentary PHP skills. And, as we are learning, scammers have been taking advantage of that vulnerability. For instance, according to one source, one in four email messages from .gov domains are fraudulent.

And that’s why I am trying to get the message out: It’s way too easy to fake emails from most sources. We need to start authenticating our email, today.