fake "from" field in an email
How can I manipulate the "from" field in an email and make the "to" user see something different than the actual?
Example:
really from
From: [email protected]
but they see
From: Tremayne "Top Dog" Stamper
I've heard it's from manipulating SMTP, but I'm really not sure how accurate that is or how it can be done.
At its base, SMTP is just a text based protocol with no real verification. Here's an example:
=== Trying g3.example.net:25...
=== Connected to g3.example.net.
<- 220 home.example.net ESMTP Exim 4.68 Thu, 07 May 2009 11:03:21 -0400
-> EHLO g3.example.net
<- 250-home.example.net Hello g3.example.net [192.168.0.4]
<- 250-SIZE 52428800
<- 250-PIPELINING
<- 250-AUTH CRAM-SHA1 CRAM-MD5 MSN
<- 250-STARTTLS
<- 250 HELP
-> MAIL FROM:<[email protected]>
<- 250 OK
-> RCPT TO:<[email protected]>
<- 250 Accepted
-> DATA
<- 354 Enter message, ending with "." on a line by itself
-> Date: Thu, 07 May 2009 11:03:21 -0400
-> To: [email protected]
-> From: [email protected]
-> Subject: test Thu, 07 May 2009 11:03:21 -0400
-> X-Mailer: swaks v20070921.0-dev jetmore.org/john/code/#swaks
->
-> This is a test mailing
->
-> .
<- 250 OK id=KJA4HL-0006M6-8T
-> QUIT
<- 221 home.example.net closing connection
=== Connection closed with remote host.
The "MAIL FROM:" line defines the SMTP envelope sender, and the From: is defined in the message DATA. There are ways to protect against this, but they are defined in the mail server logic, not in the protocol itself.
For instance I, as a mail provider, may require a user to authenticate using a user@domain type username. Then my mail server might require that any mail they send have an envelope-sender and a From: header that matches the user they authenticated as. Additional technologies like DKIM and SPF can help in this area also.
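The submission-time check described in the answer above (envelope sender and From: header must both match the authenticated user), as an added example that is not part of the original answers or any mail server's own code. The function name, addresses and sample messages are constructed for illustration, and the example goes slightly beyond the text by also flagging a display name that carries a different address.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

def _norm(addr):
    """Bare, lower-cased address; '' if nothing parsable."""
    return parseaddr(addr)[1].strip().lower()

def check_submission(auth_user, envelope_from, raw_message):
    """Return policy violations for one submitted message ([] = accept).
    Hypothetical helper: a real MTA would run this logic in its own ACLs."""
    user = _norm(auth_user)
    problems = []
    if _norm(envelope_from) != user:
        problems.append("envelope sender differs from authenticated user")
    # The From: header lives in DATA and is independent of MAIL FROM
    headers = message_from_string(raw_message).get_all("From", [])
    if len(headers) != 1:
        return problems + ["expected exactly one From: header"]
    mailboxes = getaddresses(headers)
    if len(mailboxes) != 1:
        return problems + ["From: must hold exactly one mailbox"]
    display, addr = mailboxes[0]
    if addr.lower() != user:
        problems.append("From: address differs from authenticated user")
    # Clients show the display name first, so an address hidden there counts
    if "@" in display and _norm(display) != user:
        problems.append("From: display name carries a different address")
    return problems

# Constructed sample messages (not taken from the page)
BODY = "To: bob@example.org\nSubject: test\n\nThis is a test mailing\n"
HONEST = 'From: "Top Dog" <alice@example.net>\n' + BODY
FORGED = "From: boss@example.com\n" + BODY
DISGUISED = 'From: "boss@example.com" <alice@example.net>\n' + BODY

if __name__ == "__main__":
    for name, raw in [("honest", HONEST), ("forged", FORGED), ("disguised", DISGUISED)]:
        print(name, check_submission("alice@example.net", "<alice@example.net>", raw))
```

A check like this only covers mail submitted through the provider's own authenticated server; for mail arriving from elsewhere, the receiving side relies on SPF and DKIM as the answer notes.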
There are a couple of different things to consider here. If you just want to display a different name or e-mail address, set the "From" header of the message (the message from address) to the e-mail address with the display name in brackets as such:
From: Joe Example <[email protected]>
Remember that the "from" line in the message header is only used for display purposes. The actual routing is done by the SMTP envelope address. This is what the SMTP servers actually use to transmit the message between servers. This can be different from the message "from" header. If you have a custom SMTP engine, just have it use one address in the SMTP envelope and a different one in the "from" header on the actual message.
There are a number of legitimate reasons that you might want to do this, but please refrain from nefarious purposes.
Note that a correct syntax example can be found in RFC 5322 - A.2.1
telnet some_smtp_server.com 25
ehlo whatsup
mail from: [email protected]
rcpt to: [email protected]
data
your message here
end with a dot on a single line like this:
.
Of course you'll need an SMTP server that allows relaying, which is almost impossible to find... or roll your own (just don't use this knowledge to spam!).
The "really from" address comes from the "from:" dialog in the SMTP conversation.
The "fake from" comes from exploiting the common practice in email clients of displaying the various header fields as laid out in the Data portion of the SMTP conversation. For instance:
# telnet mail.example.com 25
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
helo fakeserver
250 mail.example.com
mail from: [email protected]
250 2.1.0 OK
rcpt to: [email protected]
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
from: [email protected]
to: [email protected]
subject: This is a subject
This is the body.
.
250 2.0.0 Ok: queued as 90D0F95A06
quit
221 2.0.0 Bye
Connection closed by foreign host.
#
If you had left out the "from:" and "to:" lines in the Data portion, it would have displayed the actual envelope sender and recipient.
Note that these sorts of tricks are often looked for by spam filters, and will certainly not make you any permanent friends. Also, this doesn't work on all mail clients (just the most common ones).