Recently someone asked me whether an email she received was spam. It seemed to be from a well-known bank (Belfius.be) in Belgium. It stated that some information was outdated and that it needed revision. Of course, the first thing that comes to mind is that it is spam. Why?
- Loads of errors in language, bad sentences …
- The link that was provided was an evil link: it appeared as if it led to the website of belfius (something like belfius.be/revision1285). But when hovering over it, you could see that it actually referred to a completely different website. A .ca domain even.
Now, I immediately said "Don't you click on that link", but something made me wonder. The sender's email was noreply@belfius.be, and belfius.be is the official website of the bank. So, how can this be? How can they fake their email address?
Best Answer
Simple. By editing the `From:` header while sending the mail. This is known as "Email spoofing". The `From:` header is easily editable if you're sending the mail via PHP or something, no fancy tricks required. What is not editable, though, is the IP address/domain name of the site from which it originated. If you check the plaintext email (in Gmail, go to the menu next to the reply button, and "show original message"), the `Received:` headers carry all the information about its path (the deeper down the `Received:` header is, the further back in the email chain it is). Note that an email passing through multiple hops can have some of the deeper headers spoofed as well. You need to go downwards, seeing which headers (i.e. sites) you trust. Each header will say something like `Received: from abc.com (IP address) by something.google.com (IP)` (assuming you have Gmail -- otherwise the `by` will be different). Now, this header was written by the `by` part. Start at the top; the first few `Received:` headers won't have a `from`/`by`. Find the first one with those. Its `by` will belong to your email provider -- which you trust. See if you trust the `from`, and if you do, go on to the next `Received:` header (which you now trust), and so on. If you don't trust a header in between, all the ones below it cannot be trusted -- those may have been spoofed.

Gmail generally detects spoofing, though, and puts an "abc@def.com via ghi@jkl.com" sort of hatnote on the email.

Note that there are perfectly legitimate uses of email spoofing -- many mailing lists spoof emails for a smoother experience. So do certain fora/message boards. Here, they send the email to make it look like it came from the original poster. The `Reply-To:` header is set to the list/webapp/whatever email id, so replying to it will by default go to the list (etc.). The list can then deal with it as it sees fit -- it can check for spam, maybe put it on hold for moderation, etc. When it wants to send it, it will spoof your address and send it to everyone on the list (which is exactly what you wanted -- to be able to have email-based discussions without using "Reply to All" and keeping a list of contacts to copy-paste).

What some "legitimate" spoofers do is set the `Sender:` header to their own id. This is supposed to mean "Sent by `Sender` on behalf of `From`". Note that the presence of a `Sender:` header doesn't mean anything when it comes to "illegitimate" spoofing -- that header is spoofable as well. Like I said, the only way to check is via the `Received` headers.
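As an added example (not part of the answer or the question), the top-down walk of `Received:` headers described in the answer, done in Python. The message, all hostnames and IPs, and the trusted provider domain `example-mail.test` are constructed for the illustration; the `From:` header claims belfius.be while the trusted hops show the mail actually entered the provider from an unrelated .ca host.

```python
import email
import re
from email import policy

# Constructed sample message (not a real capture). The From: header claims
# belfius.be, but the Received: chain shows where the mail really entered.
RAW_MESSAGE = b"""\
Received: from mx.example-mail.test (mx.example-mail.test [192.0.2.10])
 by mail.example-mail.test with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from relay.attacker-example.ca (relay.attacker-example.ca [203.0.113.7])
 by mx.example-mail.test with ESMTP id def456; Mon, 1 Jan 2024 09:59:58 +0000
Received: from webhost.attacker-example.ca (localhost [127.0.0.1])
 by relay.attacker-example.ca with ESMTP id ghi789; Mon, 1 Jan 2024 09:59:50 +0000
From: Belfius <noreply@belfius.be>
"""

# "from <host> ... by <host>" within one (possibly folded) Received: header
RECEIVED_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.DOTALL | re.I)

def parse_received(raw):
    """Return (from_host, by_host) pairs, most recent hop first (header order)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops

def trust_boundary(hops, trusted_domains):
    """Walk hops top-down as the answer describes: a hop counts only if its
    'by' host is trusted; its 'from' host is then either trusted too (so the
    next hop, written by that host, is examined) or it is the first untrusted
    origin, and every hop below it may be spoofed.
    Returns (trusted_hops, first_untrusted_host_or_None)."""
    def trusted(host):
        return any(host == d or host.endswith("." + d) for d in trusted_domains)
    verified = []
    for frm, by in hops:
        if not trusted(by):
            return verified, by   # claimed receiver is not ours: stop here
        verified.append((frm, by))
        if not trusted(frm):
            return verified, frm  # the real entry point of the mail
    return verified, None

def claimed_sender_domain(raw):
    """Domain in the easily spoofed From: header, for comparison."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg["From"].addresses[0].domain.lower()
```

Comparing `claimed_sender_domain` with the host returned by `trust_boundary` is the check the answer recommends: the `From:` header says one thing, the last trusted hop says where the mail really came from.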