Email Spoofing: A Short How-to (For Educational Purposes Only)

Published: February 19, 2012

Email spoofing is the practice of sending emails under the identity of another individual or company, typically for spam or phishing.

Suppose that we wish to send a fake email to one of our friends under the identity of Barack Obama or Nicolas Sarkozy. We would just need a PHP mailer such as http://emkei.cz/ and the trick is done!

Indeed, given the open architecture of the Internet, email spoofing is in theory quite easy to achieve: it rests entirely on modifying the headers passed to the mail function of a PHP form. To understand how it works, consider the short script below, written for educational purposes only. Note that the capabilities of the script have been intentionally limited.

In this script, we start by declaring and retrieving the variables needed to build the email: our "genuine" email address (me[:@]example.com), the email address of our target (you[:@]example.com), the fake sender email address (sarkozy[:@]elysee.fr), the fake domain corresponding to that fake address (elysee.fr) and the fake sender name (Nicolas Sarkozy). We then do the same for the subject and body of the email.

Written by ...

Florian Bersier is a D.Phil (read Ph.D) candidate at the Oxford Internet Institute, University of Oxford, researching the formation of on-line reputation and on-line trust. He is a microeconomist and an engineer by training, and a geek by nature.

Once this is done, we come to the crucial part of every email spoofing script: the creation of the email's headers.

Bypassing Email Service Protections: The Case of Gmail

Consider the case of Gmail, a popular and safe email service that checks the origin of an email using three different methods: domain, SPF and DKIM, with DMARC coming soon. Here are the results of different spoofing tests:
  1. A spoofing attack with x-priority "normal" and x-sender set to the fake domain leads to: Received-SPF: neutral / Authentication-Results: mx.google.com; spf=neutral, as long as the server of origin (X-Identified-User) is not blacklisted by Google.
  2. A spoofing attack with x-priority "normal", x-mailer "Apple Mail" and $additional = "-f $FakeEmail" (i.e. hiding the "mailed-by" field) leads to: Received-SPF: fail / Authentication-Results: mx.google.com; spf=hardfail, BUT the email still appears in your inbox (not in spam) as long as the server of origin is correctly configured for spoofing and not blacklisted. Try http://emkei.cz/ to check this.
  3. All other spoofing attacks are classified as spam by Gmail.

Unmask Spoofed Emails

Finally, to check whether an email you received is spam or a spoofing joke/attack, always open the email in its original format. For instance, in Gmail, go to the top right of the email, next to the "reply" button, click on the arrow and then on "show original". The important fields to check are the "Received" ones (see screenshot below).
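The checks described above (the SPF verdict recorded in Received-SPF and Authentication-Results, and the Received headers you inspect via "show original") can be automated. The following is an added example, not code from the original post: a small Python checker that parses a raw message, compares the visible From: domain with the envelope sender in Return-Path, reads the SPF result, and extracts the origin hop from the earliest Received header. Both sample messages are constructed; every host, address and IP in them is a placeholder (example.com/.org/.net, documentation IP ranges), and mx.example.org stands in for the receiving mail server rather than Gmail's mx.google.com.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample 1: the visible From: claims example.com, but the envelope
# sender and the SPF verdict show the message came from an unrelated relay.
SPOOFED_RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
        by mx.example.org with ESMTP id abc123
        for <you@example.org>; Sun, 19 Feb 2012 10:00:00 +0000
Received-SPF: fail (example.org: domain of president@example.com does not designate 192.0.2.10 as permitted sender)
Authentication-Results: mx.example.org; spf=hardfail (example.org: domain of president@example.com does not designate 192.0.2.10 as permitted sender) smtp.mail=president@example.com
From: "The President" <president@example.com>
To: you@example.org
Subject: Important message
X-Mailer: Apple Mail

Please read this.
"""

# Constructed sample 2: a legitimate message whose envelope sender, From: domain
# and SPF verdict all agree.
LEGIT_RAW = """\
Return-Path: <alice@example.com>
Received: from smtp.example.com (smtp.example.com [198.51.100.5])
        by mx.example.org with ESMTP id def456
        for <you@example.org>; Sun, 19 Feb 2012 11:00:00 +0000
Received-SPF: pass (example.org: domain of alice@example.com designates 198.51.100.5 as permitted sender)
Authentication-Results: mx.example.org; spf=pass smtp.mail=alice@example.com
From: Alice <alice@example.com>
To: you@example.org
Subject: Lunch

See you at noon.
"""


def header_domain(value):
    """Domain part of the first address in a From:/Return-Path: header value."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower()


def spf_result(msg):
    """SPF token from Authentication-Results (spf=...), falling back to the
    first word of Received-SPF; 'none' if neither header is present."""
    m = re.search(r"\bspf=(\w+)", str(msg.get("Authentication-Results", "")))
    if m:
        return m.group(1).lower()
    m = re.match(r"\s*(\w+)", str(msg.get("Received-SPF", "")))
    return m.group(1).lower() if m else "none"


def origin_hop(msg):
    """(hostname, ip) from the earliest Received: header. Each relay prepends
    its own Received: line, so the last one in the list is the first hop."""
    received = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    if not received:
        return None
    m = re.search(r"from\s+(\S+)\s+\(([^)]*?)\[([\d.]+)\]", received[-1])
    return (m.group(1), m.group(3)) if m else (received[-1], None)


def analyse(raw):
    """Return a dict summarising the sender-related evidence in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = header_domain(msg["From"])
    rp_dom = header_domain(msg["Return-Path"])
    spf = spf_result(msg)
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender domain {rp_dom!r} differs from From: domain {from_dom!r}")
    if spf in ("fail", "hardfail", "softfail"):
        findings.append(f"SPF result is {spf}")
    elif spf in ("neutral", "none"):
        findings.append(f"SPF gives no assurance about the sender ({spf})")
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "spf": spf,
        "origin": origin_hop(msg),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        report = analyse(raw)
        print(label, "suspicious" if report["suspicious"] else "ok", report["spf"], report["origin"])
        for f in report["findings"]:
            print("  -", f)
```

The checker deliberately treats a neutral or missing SPF result as a finding rather than a pass, because, as the Gmail tests above show, a neutral verdict is exactly what a spoofed message from an unlisted server produces, and it still reaches the inbox. The origin hop it reports is the one to compare against the claimed sender's domain when you read the "Received" lines by hand.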

Shares and +1 encouraged :) Questions and comments welcome below. Private reactions can be sent to . Thanks in advance.