How can you fake an email address?


Recently someone asked me whether an email she received was spam. It seemed to be from a well-known bank (Belfius.be) in Belgium. It stated that some information was outdated and that it needed revision. Of course, the first thing that comes to mind is that it is spam. Why?

  • Loads of errors in language, bad sentences ...
  • The link that was provided was an evil link: it appeared as if it led to the website of Belfius (something like belfius.be/revision1285). But when hovering over it, you could see that it actually referred to a completely different website. A .ca domain even.

Now, I immediately said "Don't you click on that link", but something made me wonder. The sender's email was noreply@belfius.be, and belfius.be is the official website of the bank. So, how can this be? How can they fake their email address?

Bram Vanroy

Posted 2012-11-14T11:23:42.597

Reputation: 1 486

Try it yourself: http://deadfake.com/Send.aspx – Mark E. Haase – 2014-07-27T19:44:50.963

This kind of mail is generally known as phishing, which may be considered spam, although I think spam is more harmless and tries to sell you stuff, not gain access to your account(s). – R-D – 2012-11-14T14:08:49.663

I can throw a letter in the mail to you that says it's from Santa Claus. The only giveaway would be the California postmark. Same thing with email, more or less. – David Schwartz – 2012-11-14T14:53:56.697

Both SMTP's MAIL FROM command and IMF's Mail header field can contain spoofed addresses. – james.garriss – 2012-11-14T20:19:55.673

Answers


Simple. By editing the From: header while sending the mail. This is known as "email spoofing". The From: header is easily editable if you're sending the mail via PHP or something; no fancy tricks required. What is not editable, though, is the IP address/domain name of the site from which it originated. If you check the plaintext email (in Gmail, go to the menu next to the reply button, and "show original message"), the Received: headers carry all the information about its path (the deeper down the Received: header is, the further back in the email chain it is). Note that an email passing through multiple hops can have some of the deeper headers spoofed as well. You need to go downwards, seeing which headers (i.e. sites) you trust. Each header will say something like Received: from abc.com (IP address) by something.google.com (IP) (assuming you have Gmail -- otherwise the by will be different). Now, this header was written by the by part. Start at the top; the first few Received: headers won't have a from/by. Find the first one with those. Its by will belong to your email provider -- which you trust. See if you trust the from, and if you do, go on to the next Received: header (which you now trust), and so on. If you don't trust a header in between, all the ones below it cannot be trusted -- those may have been spoofed.

Gmail generally detects spoofing, though, and puts an "abc@def.com via ghi@jkl.com" sort of hatnote on the email. Note that there are perfectly legitimate uses of email spoofing -- many mailing lists spoof emails for a smoother experience. So do certain fora/message boards. Here, they send the email to make it look like it came from the original poster. The Reply-To: header is set to the list/webapp/whatever email id, so replying to it will by default go to the list (/etc.). The list can then deal with it as it sees fit -- it can check for spam, maybe put it on hold for moderation, etc. When it wants to send it, it will spoof your address and send it to everyone on the list (which is exactly what you wanted -- to be able to have email-based discussions without using "Reply to All" and keeping a list of contacts to copy-paste).

What some "legitimate" spoofers do is that they set the Sender: header to their own id. This is supposed to mean "Sent by Sender on behalf of From". Note that the presence of a Sender: header doesn't mean anything when it comes to "illegitimate" spoofing -- that header is spoofable as well. Like I said, the only way to check is via the Received headers.

Manishearth

Posted 2012-11-14T11:23:42.597

Reputation: 1 136

Thank you! And also thank you for that last legitimate use. Very informative! – Bram Vanroy – 2012-11-14T11:56:23.987

How is the spoofing supposed to improve the experience? The only impact I've encountered from it is negative. Outlook effectively won't let me whitelist the messages (for automatic image download) because each one comes from a different mailist@randomnumber.maillistcompany.com address. – Dan is Fiddling by Firelight – 2012-11-14T14:32:56.447

@DanNeely: Well, without spoofing, all emails would appear to come from list@domain.com. It gets confusing when you want to PM someone, and it's hard to keep track of who you're talking to. The spoofing makes it appear as if you're just having a conversation with a bunch of people, except that the mailing list is an intermediate entity (necessary for archiving and moderation). What do you mean each one comes from a different mailing list addy? That's probably just a particular list. – Manishearth – 2012-11-14T14:37:52.100

@Manishearth I was thinking of despair.com's "Wailing List" (technically a marketing mail, but I subscribe to it for the humor value). I'm at work so I can't copy what I get in Outlook at home, but Gmail shows it as e.g. The Wailing List wailinglist@despair.com via mail17.us2.mcsv.net; both the mail# and us# subdomains vary from one message to the next. I have several other subscriptions with similar issues from their 3rd party mailing services. – Dan is Fiddling by Firelight – 2012-11-14T16:20:17.750

@DanNeely usually you'd use spoofing like Alice <alice@example.com> via list@example2.com – OrangeDog – 2012-11-14T16:29:40.770

Except for the one added by the final server, Received headers are just as easily forged as the From address. – Zoredache – 2012-11-14T16:58:29.740

@zore see the last few lines of paragraph 1. I've mentioned it -- you go top-down, seeing which Received headers you trust, and trust subsequent ones based on the from portion. – Manishearth – 2012-11-14T17:27:39.200

There is also another "From:", namely the envelope from used in an SMTP conversation. You can fake that separately from what is in the headers of the e-mail. In the SMTP conversation you can issue mail from: a-user@b-domain and then in the data command which gives the message itself, generate a different From: c-user@d-domain header. – Kaz – 2012-11-15T01:11:59.517

Could you add something about the role of the Sender:-header? – gerrit – 2012-11-15T08:59:19.653

@gerrit: Added a bit (not too familiar with it, though--feel free to improve on it), as well as some more on how to check if an email is trustworthy via the Received: header. Thanks :) – Manishearth – 2012-11-15T09:17:58.517

"What is not editable, though is the IP address" - the IP address is also editable. But it's another theme, called IP address spoofing. – Jet – 2014-05-11T16:48:30.550

@Jet I'm assuming that the ISPs are not involved in the spoofing. IP address spoofing would only affect the email trace if the ISPs were spoofing themselves; within an ISP's local subnet it hardly matters. – Manishearth – 2014-05-11T17:13:56.497
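The top-down walk of the Received: headers from the accepted answer, plus Kaz's point that the envelope sender and the header From: are set independently, as an added example that is not part of the original thread. The message, hostnames (reserved .example domains) and IPs are constructed; only mx.myprovider.example is assumed to be the reader's own provider.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample: the outer Received: was written by the recipient's own provider;
# the inner one was written by an untrusted relay and merely claims a bank origin.
RAW_MESSAGE = b"""\
Received: from relay.untrusted.example (relay.untrusted.example [203.0.113.10])
        by mx.myprovider.example (Postfix) with ESMTPS id A1B2C3
        for <me@myprovider.example>; Wed, 14 Nov 2012 10:00:00 +0000
Received: from mail.belfius.be (mail.belfius.be [198.51.100.77])
        by relay.untrusted.example (Postfix) with ESMTP id D4E5F6;
        Wed, 14 Nov 2012 09:59:58 +0000
Return-Path: <bounce@untrusted.example>
From: noreply@belfius.be
"""
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)

def parse_hops(raw):
    """(from_host, by_host) pairs in header order, newest hop first; lines without both are skipped."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(value).split()))  # unfold the header first
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops

def trace_origin(hops, trusted_hosts):
    """Walk top-down: believe a header only if its `by` host is trusted and matches the `from`
    of the trusted header above it. Returns (deepest vouched-for host, headers believed)."""
    trusted = {h.lower() for h in trusted_hosts}
    origin, verified, expected_by = None, 0, None
    for frm, by in hops:
        if by not in trusted or (expected_by and by != expected_by):
            break                   # writer untrusted or chain inconsistent: stop here
        verified, origin = verified + 1, frm
        if frm not in trusted:
            break                   # a trusted host says frm sent it, but frm's own headers below are not believed
        expected_by = frm
    return origin, verified

def sender_domains(raw):
    """Envelope sender (kept by the receiving server as Return-Path) versus header From: domain;
    a mismatch is a signal to look closer, not proof (mailing lists do this legitimately)."""
    msg = message_from_bytes(raw, policy=policy.default)
    dom = lambda h: parseaddr(str(msg.get(h, "")))[1].rpartition("@")[2].lower()
    return dom("Return-Path"), dom("From")
```

With only your own provider trusted, the trail ends at relay.untrusted.example after one believed header, so the deeper header claiming mail.belfius.be carries no weight.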


It's trivial to use a fake 'from' address. The beginner's way is simply to edit the settings in your mail client and change the default from address. Many service providers will send an email with a fake from field because the email server doesn't know what the real one is.

The spammers use dedicated custom software and always use fake from addresses.

Peter Jenkins

Posted 2012-11-14T11:23:42.597

Reputation: 438