In my day job as the communications guy for Valimail, I spend a lot of time explaining how easy it is to create fraudulent emails using an email address that doesn’t belong to you.
A faked “from” address, in fact, is how the majority of email attacks happen. And email attacks (aka phishing) are how most (actually the vast majority) of cyberattacks begin. So the ease of faking emails from people is a major vulnerability.
But why would I bother faking an email from “company.com” when I could just register a fake lookalike domain (like c0mpany.com – note the zero) and use that? Or create a Gmail account (randomaddress1347356@gmail.com) and give it a friendly name that looks like the CEO of a company?
Well, actually, it’s significantly easier to forge the address of a real person at a real company than it is to register a fake domain, or even to create a throwaway Gmail account.
Website mailer
Would-be scammers sometimes use websites that can send fake emails. Using these anonymous mailers, they simply:
- Enter a recipient’s email address in the To: field.
- Put whatever email address they want in the From: field.
- Craft the message and press the Send Now! button.
I even tested this in 2017 by sending a message to myself using the President's address. Gmail was suspicious of the source (it put a little red question mark next to the address), but it delivered it anyway, complete with the President's name and "potus@whitehouse.gov" displayed beside it.
Many of these anonymous mailers have since shut down. They wouldn't work that well anyway these days: the message I sent in 2017 would never have arrived in my inbox if I sent it in 2024. But as a proof of concept, they were interesting.
Unix command line
If you have a computer that’s set up with mail services, or you can telnet or SSH to a computer that has mail services, you can forge a From address with one line. Just type this (the -a option appends an arbitrary header; the last argument is the recipient):
mail -a 'From: whatever@anydomain.com' recipient@example.com
That creates a message that says “whatever@anydomain.com” in the From field. Type in a subject line and the rest of your message, press Ctrl-D when you’re done, and off the message goes.
This doesn’t work in every version of Unix, and whether it works at all depends on how your system is set up (whether it’s connected to Sendmail, etc.).
PHP
Because I’m not very sophisticated about programming, I use PHP when I need to code stuff for my personal websites. It’s fast, easy, and used by about 90% of the people (like me) who don’t know any more about programming than they were able to pick up through Google searches and by stealing snippets of code published on various public forums. (This is also why PHP is often accused of being insecure.)
Hey, I built a whole website content management system in PHP. If I can figure it out, how hard can it be?
Without getting into all the pros and cons of PHP, I will say that it is perfect for email purposes. You can forge emails with five lines of very simple PHP code:
<?php
$to = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';
$headers = 'From: webmaster@example.com' . "\r\n";
mail($to, $subject, $message, $headers);
?>
Note: These are actual lines of code used as an example in the online manual for PHP’s mail() function. I took out a couple of lines you don’t actually need.
Use at your own risk! Configurations vary; maybe this won’t work on every version of PHP on every server.
Email is a very trusting place
The email world, until quite recently, was an entirely trusting place. Most of it still is. No matter who I am, if I use the Unix mail command or PHP mail(), the email goes off into the internet, which obligingly delivers it with the exact headers that I specified. Nobody checks to see if I own the address I used in the From: field. Nobody cares.
Well, not quite: As I noted above, Gmail and some other major mail clients started flagging suspicious mail in 2017, and they have greatly increased their use of email address validation since then.
The only thing truly stopping fake From addresses is email authentication using a standard called DMARC. That only works if the domain you’re trying to fake has published a DMARC record and set it to an enforcement policy. Then, and only then, will almost all email servers that receive messages (Gmail, Yahoo Mail, etc.) block the faked emails.
Fortunately for fraudsters, many of the Internet’s domains haven’t done this yet. The situation is much better than five years ago, especially since Gmail started requiring email-sending domains to use DMARC.
Without DMARC, your domain can be easily faked by email scammers with access to a Unix command line or some rudimentary PHP skills. And, as we are learning, scammers have taken advantage of that vulnerability for years. For instance, according to one source, in 2017, one in four email messages from .gov domains were fraudulent.
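The check the DMARC paragraph above describes, written out as an added example (not code from the original post or from Valimail): a receiving server compares the From: header domain against the domains that SPF or DKIM actually authenticated, and only applies the domain owner's p= policy to the mismatch. All inputs are constructed; there are no DNS lookups, and the organizational-domain logic is a simplification of the Public Suffix List rule.

```python
"""Minimal DMARC evaluation: is the From: domain aligned with what was
authenticated, and if not, what does the published policy say to do?"""

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def is_enforcing(tags: dict) -> bool:
    """Only p=quarantine/reject applied to 100% of mail blocks spoofing;
    p=none is monitoring only and the forged mail is still delivered."""
    return (tags.get("p", "none") in ("quarantine", "reject")
            and int(tags.get("pct", "100")) == 100)

def org_domain(domain: str) -> str:
    # Simplified: last two labels. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Relaxed ('r') alignment matches organizational domains; strict ('s') requires equality."""
    if not auth_domain:          # nothing authenticated -> cannot align
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain: str, record: str,
                      spf_domain=None, dkim_domain=None) -> str:
    """spf_domain/dkim_domain are the domains for which SPF/DKIM *passed*
    (None if they did not). Returns 'pass' or the record's p= action."""
    tags = parse_dmarc(record)
    if (aligned(from_domain, spf_domain, tags.get("aspf", "r"))
            or aligned(from_domain, dkim_domain, tags.get("adkim", "r"))):
        return "pass"
    return tags.get("p", "none")

if __name__ == "__main__":
    # Constructed scenario: the PHP snippet above, run from a server whose
    # envelope domain passes SPF but has nothing to do with example.com.
    forged = dict(from_domain="example.com", spf_domain="rented-box.example")
    print(dmarc_disposition(record="v=DMARC1; p=none", **forged))    # none: delivered
    print(dmarc_disposition(record="v=DMARC1; p=reject", **forged))  # reject: blocked
```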
And that’s why I am trying to get the message out: It’s way too easy to fake emails from most sources. We need to start authenticating our email, today.