
Analyzing a Forged Email Message: How to Tell It Was Forged?

In our previous posting, we looked at exactly how Spammers and hackers can send forged email — how it is possible and how it is done.  Therein, we gave an example of how one could send an email forged to be from Bank of America.

In this post, we will look at that forged Bank of America email to see technically what it looks like and how it differs from legitimate email from Bank of America.

What can we learn that allows us to detect forged email in the future?

The Forgery: Received.

The forged email from Bank of America was based on a legitimate email message, so that the forgery could look as close as possible to actual email from them.

In truth, the majority of forged email simply changes the “From” address and does not bother with anything else.  These forged messages are used for Spam and hope the forgery fools enough people to be worth it, through numbers.  What we are looking at here is a more carefully crafted message designed to fool filters and a careful eye.  These kinds of fakes might be used in spear phishing attacks on an individual or in more sophisticated Spam campaigns.

The forged Bank of America email that arrived in the recipient’s mail box looked like this (the raw headers):

Received: via dmail-2010.19 for +INBOX; Thu, 5 Feb 2015 10:33:28 -0500 (EST)
Received: from ([])
	by (8.14.4/8.13.8) with ESMTP id t15FXRxh018470
	(version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=128 verify=NOT)
	for <>; Thu, 5 Feb 2015 10:33:27 -0500
Received: from (localhost.localdomain [])
	by (8.14.4/8.13.8) with ESMTP id t15FXRrH031568
	for <>; Thu, 5 Feb 2015 15:33:27 GMT
Received: (from mail@localhost)
	by (8.14.4/8.13.8/Submit) id t15FXRUB031563
	for; Thu, 5 Feb 2015 15:33:27 GMT
Return-Path: <>
Received: from ( [])
	by (8.14.4/8.13.8) with ESMTP id t15FVnRD023664
	for; Thu, 5 Feb 2015 15:32:39 GMT
Date: Thu, 5 Feb 2015 15:31:49 GMT
Received: by id hqdcek163bnq for <>;
        Thu, 5 Feb 2015 05:49:51 -0600 (envelope-from
From: "Bank of America" <> 
Reply-To: "Bank of America" <> 
Message-ID: <af68828a-6c81-5896-b43d-8583607bdf99@xtnvs5mta406.xt.local> 
Subject: Alert! You Bank of America account has been compromised 
X-Lux-Processed-For: <> 
X-Lux-Ruleset: #YYYYY on 
X-Lux-Rule: Deliver
X-Lux-Delivered-To: "INBOX"

Analyzing the Forgery

We have color coded the headers from the received forgery to make it easier to see where each part came from:

  1. The BLACK lines were provided by the hacker.  These could contain anything and cannot be trusted.  E.g. headers like “From”, “Reply-To”, “Subject”, “Message-ID”, “Date”, “Return-Path” and even all “Received” headers added before the message arrived at your inbound email servers are completely suspect.
  2. The BLUE lines were added by the LuxSci inbound email processing servers (and are analogous to lines that would be added by any other email processing system).  These include: additional “Received” lines, tracking lines, Spam filtering results lines, etc.  A clever hacker may try to inject additional header lines that look like ones that your mailing system would normally add (e.g. Spam Filtering success headers, etc.)
  3. The RED lines are more subtle efforts at forgery; we will look at these next.

Subtle Forgery: Trying to Fake the Mail Delivery Path

First, you must understand that the “Received” lines are added by all servers and interactions in the path sending, processing, and delivering a message.  They are important for identifying what servers touched the message when and how (e.g. was TLS used?  Who was it for? etc.)  As each new server in the mail delivery pathway “does its thing,” it adds more Received headers on (to the top of the message), leaving any existing ones “as is”.

There is no way to know if any “Received” headers already present in the message are legitimate or not.

In this example, the hacker added a FAKE received line that was poached from a real message from Bank of America (with slight tweaks to make it not identical).

Received: by id hqdcek163bnq for <>;
        Thu, 5 Feb 2015 05:49:51 -0600 (envelope-from

The purpose of this FAKE Received line is to make everyone believe that the message originated from the real Bank of America server ““.  Indeed, this header looks exactly like a legitimate one — there is no way for the recipient to differentiate.

The next header that has red is the one that records the receipt of this message by the recipient’s server from the hacker.  That is, it is the first Received header the recipient’s servers added themselves, and the first one that we can be sure is not lying.  It says:

Received: from ( [])
	by (8.14.4/8.13.8) with ESMTP id t15FVnRD023664
	for; Thu, 5 Feb 2015 15:32:39 GMT

To break this apart:

  1. The message was received by the server “” at LuxSci
  2. The message was for (based on the “envelope to” … the recipient address specified in the SMTP dialog — which could be different from the “To” and “Cc” addresses in the headers).
  3. The ID code t15FVnRD023664 was assigned to the message for tracking on LuxSci
  4. The message was received on: Thu, 5 Feb 2015 15:32:39 GMT
  5. A computer at IP Address (which, based on reverse DNS, appears to have the name ) delivered the message TO
  6. That computer said its name was

Everything here is real and verifiable except for the name that the hacker’s computer was pretending to be (in the HELO or EHLO SMTP command).  In this case, s/he was still pretending to be Bank of America — the same server as that in the FAKE Received header.

However, the hacker cannot forge the IP address that s/he is coming from.  In this case that IP address,, appears to be used by a Verizon FIOS customer (it was mine at the time, actually, because I did that test).  This is clearly NOT the IP address of

In fact, this is the only part of the headers in the received, forged email message that one can point to and say: “That looks wrong”.  That doesn’t really give us a lot to work with!

You Can’t Forge The Sender’s IP Address

Unless the hacker has infiltrated Bank of America’s servers, s/he cannot send a forged email message that actually comes from any of Bank of America’s servers’ IP Addresses.  We can always identify the IP Address of the server delivering an email message.  Everything else in the headers can be fabricated, replayed, and look completely legitimate (at least to the degree that the hacker did his/her homework).
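The header walk described above, as an added example that is not part of the original post: read the Received chain top-down, skip your own internal hops, stop at the first line one of your own servers wrote about an outside connection, and treat the IP recorded there as the only unforgeable fact.  The hostnames, addresses and server set (OUR_HOSTS) below are constructed, since the post’s own values did not survive extraction.

```python
import re
# Constructed sample (the post's real hostnames and IPs did not survive extraction):
# an internal hop on the recipient's MX, then the MX's record of the real connection,
# then a Received line the sender supplied that claims to be from the bank.
RAW_HEADERS = """\
Received: from mx1.recipient.example (localhost.localdomain [127.0.0.1])
    by mx1.recipient.example (8.14.4/8.13.8) with ESMTP id t15FXRrH031568
    for <victim@recipient.example>; Thu, 5 Feb 2015 15:33:27 GMT
Received: from mailhost.bank.example (pool-203-0-113-45.isp.example [203.0.113.45])
    by mx1.recipient.example (8.14.4/8.13.8) with ESMTP id t15FVnRD023664
    for <victim@recipient.example>; Thu, 5 Feb 2015 15:32:39 GMT
Received: by mailhost.bank.example id hqdcek163bnq for <victim@recipient.example>;
    Thu, 5 Feb 2015 05:49:51 -0600 (envelope-from alerts@bank.example)
From: "Bank of America" <alerts@bank.example>
Subject: Alert! Your account has been compromised
"""
OUR_HOSTS = {"mx1.recipient.example"}  # assumption: the recipient's own inbound servers

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>", as sendmail writes it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")
def unfold(raw):
    """Join folded header lines (RFC 5322 continuations start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def received_lines(raw):
    """Received headers in header order, i.e. newest (added by us) first."""
    return [l[len("Received:"):].strip()
            for l in unfold(raw).splitlines() if l.startswith("Received:")]

def handoff(raw, our_hosts=OUR_HOSTS):
    """Walk top-down, skipping our own internal hops, to the first line one of our hosts
    wrote about an outside connection: its IP is unforgeable, everything below is not."""
    for idx, line in enumerate(received_lines(raw)):
        m = RECEIVED_RE.search(line)
        if not m or m.group("by") not in our_hosts:
            continue
        if m.group("helo") in our_hosts or m.group("ip").startswith("127."):
            continue  # internal hop between our own servers
        return {"index": idx, "ip": m.group("ip"), "helo": m.group("helo"),
                "rdns": m.group("rdns") or "", "untrusted_from": idx + 1}
    return None  # no trustworthy handoff found: treat the whole chain as untrusted

def suspicious(raw, claimed_domain="bank.example"):
    """HELO name claims the sender's domain but the IP's reverse DNS name does not."""
    h = handoff(raw)
    if h is None:
        return True
    in_domain = lambda n: n == claimed_domain or n.endswith("." + claimed_domain)
    return in_domain(h["helo"]) and not in_domain(h["rdns"])
```

Everything at index `untrusted_from` and below, including the copied bank Received line, is what the post calls the BLACK part of the headers.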

What are Your Defenses?

In the next article, we will look at SPF (Sender Policy Framework) to see how it is used to combat forged email by allowing domain owners to specify what servers are allowed to send email on their behalf.  We’ll also look at the limitations of SPF and how those can allow forged email to slip through anyway.  We’ll follow that with an analysis of further escalations to the war against forged email (e.g. DKIM, DMARC, other encryption methods, and closed systems).

Read Next: Stopping Forged Email 1: SPF to the Rescue
