How can you fake an email address?

Recently someone asked me whether an email she received was spam. It seemed to be from a well-known bank (Belfius.be) in Belgium. It stated that some information was outdated and that it needed revision. Of course, the first thing that comes to mind is that it is spam. Why?

  • Loads of errors in language, bad sentences ...
  • The link that was provided was an evil link: it appeared as if it led to the website of belfius (something like belfius.be/revision1285). But when hovering over it, you could see that it actually referred to a completely other website. A .ca domain even.

Now, I immediately said Don't you click on that link but something made me wonder. The sender's email was [email protected] and belfius.be is the official website of the bank. So, how can this be? How can they fake their emailaddress?


Solution 1:

Simple. By editing the From: header while sending the mail. This is known as "Email spoofing". The From: header is easily editable if you're sending the mail via PHP or something, no fancy tricks required. What is not editable, though is the IP address/domain name of the site from which it originated. If you check the plaintext email (in Gmail, go to the menu next to the reply button, and "show original message"), the Received: headers carries all the information about its path (The deeper down the Received: header is, the further back in the email chain it is). Note that an email passing through multiple hops can have some of the deeper headers spoofed as well. You need to go downwards, seeing which headers (i.e. sites) you trust. Each header will say something like Received: from abc.com (IP address) by something.google.com (IP) (assuming you have Gmail -- otherwise the by will be different). Now, this header was written by the by part. Start at the top, the first few Received: headers won't have a from/by. Find the first one with those. Its by will be belonging to your email provider -- which you trust. See if you trust the from, and if you do, go on to the next Received: header (which you now trust), and so on. If you don't trust a header in between, all the ones below it cannot be trusted -- those may have been spoofed.

Gmail generally detects spoofing, though, and puts a "[email protected] via [email protected]" sort of hatnote on the email. Note that there are perfectly legitimate uses of email spoofing -- many mailing lists spoof emails for a smoother experience. So do certain fora/message boards. Here, they send the email to make it look like it came from the original poster. The Reply-To: header is set to the list/webapp/whatever email id, so replying to it will by default go to the list(/etc). The list can then deal with it as it sees fit -- it can check for spam, maybe put on hold for moderation, etc. When it wants to send it, it will spoof your address and send it to everyone on the list (which is exactly what you wanted -- to be able to have email-based discussions without using "Reply to All" and keeping a list of contacts to copy-paste).

What some "legitimate" spoofers do is that they set the Sender: header to their own id. This is supposed to mean "Sent by Sender on behalf of From". Note that the presence of a Sender: header doesn't mean anything when it comes to "illegitimate" spoofing -- that header is spoofable as well. Like I said, the only way to check is via the Received headers.

Solution 2:

It's trivial to use a fake 'from' address. The beginners way is simply to edit the settings in your mail client and change default from address. Many service providers will send an email with a fake from field because the email server doesn't know what the real one is.

The spammers use dedicated custom software and always use fake from addresses.