In my day job as the communications guy for ValiMail, I spend a lot of time explaining how easy it is to create fraudulent emails using an email address that doesn’t belong to you.
a fake “from” address, in fact, how most email attacks happen. and email attacks (also known as phishing) are how most (indeed, the vast majority) of cyberattacks start. so the ease of spoofing people’s emails is a major vulnerability.
but, you ask, why would I bother to spoof an email from “company.com” when I could just register a fake domain (like c0mpany.com) and use it? Or create a gmail account (randomaddress1347356@gmail.com) and give it a descriptive name that sounds like a company CEO?
well, actually, it’s much easier to spoof a real person’s address at a real company than it is to register a fake domain or even create a disposable gmail account.
it’s that easy.
website email
Look for a website like deadfake, which describes itself as “a site that lets you send fake emails to anyone you want for free.” or anonymousmailer.net. or spoofbox.com. there are dozens many of them are free, some cost a little money to send mail. then:
- enter your recipient’s email address in the to: field.
- place your desired email address in the to: field.
- compose your message and press send now! button.
here’s a message i sent myself using president trump’s address. note that gmail is suspicious of the source, that’s why it put a small red question mark next to the address.
unix command line
If you have a computer that is configured with mail services, or you can telnet or ssh to a computer that has mail services, you can spoof a sender address with one line. just type this:
which creates a message that says “whatever@anydomain.com” in the from field. write a subject line and the rest of your message, press ctrl-d when you’re done and the message disappears.
This doesn’t work on all versions of unix, and whether it works depends on how your system is configured (if you’re connected to sendmail, etc.). still, this is the basic idea and it works on many systems.
php
Because I’m not very sophisticated with programming, I use php when I need to code things for my personal websites. it’s fast, easy, and used by about 90% of the people (like me) who don’t know more about programming than they could glean from searching google and stealing code snippets posted on various public forums. (which is also why php is often accused of being insecure). hey i built a complete website content management system in php. if i can figure it out, how hard can it be?
Without going into all the pros and cons of php, I’ll just say that it’s perfect for email purposes. you can spoof emails with five lines of very simple php code:
note: these are actual lines of code used as examples in the online manual for the php mail() function. I removed a couple of lines that you don’t really need.
again: settings vary; this may not work on all versions of php on all servers.
email is a very reliable place
The world of email, until very recently, was a completely trustworthy place. most still are. It doesn’t matter who I am, if I use the unix mail command or php mail(), the email is sent to the internet and the internet nicely delivers it to whoever, with the exact headers I specified. no one checks if I own the address I used in the from field. nobody cares.
well hardly anyone: As I mentioned earlier, gmail and some other email clients are starting to flag email that looks suspicious, like my anonymous email. still, that depends on the client you use and/or the receiving mail server.
Okay, these phishing tools are pretty simple. if I want to do some fancier formatting and make my messages look even more realistic, it takes a little more work. but basic forgery is that simple.
The only thing that really stops spoofed addresses is email authentication using a standard called dmarc. but that only works if the domain you’re trying to spoof has published a dmarc record and configured it with an enforcement policy. then, and only then, will almost all email servers that receive messages (gmail, yahoo mail, etc.) block fake emails.
Fortunately for scammers, most Internet domains have not yet done so. for example, only about 4% of .gov domains have been protected.
as for the other 96%? scammers can spoof emails from those domains around the clock with no repercussions.
domains like justice.gov. home.gov. senate.gov. whitehouse.gov.
and also domains like democrats.org, dnc.org, gop.com, rnc.org. and donaldjtrump.com.
all of these can be easily spoofed by email scammers with access to a unix command line or some rudimentary php skills. And, as we’re learning, scammers have been taking advantage of that vulnerability. for example, according to one source, one in four email messages from .gov domains is fraudulent.
And that’s why I’m trying to get the message across: It’s too easy to spoof emails from most sources. We need to start authenticating our email today.