How can Spammers and Hackers Send Forged Email?

February 5th, 2015

Everyone has seen spam messages arrive with a “From” address that is your own address, a colleague’s, a friend’s, or that of some company that you work with or use.  These From addresses are forged to help the messages (a) get past your spam filters, and (b) get past your “eyeball filters”.

But how are these folks “allowed” to do that?

When email was first developed, there was no concept of a need for security; protections against identity theft and forgery were not part of the plan.  As a result, it is trivial to send an email with a forged “From” address, and even forged “Received” tracking lines, simply by connecting to your target’s email server and telling it whatever you want.

Let’s try to send an email to the address “” pretending to be from “Bank of America”.  The purpose of this exercise is not so much to teach you how to send forged email (this is not a new technique) as to set the stage for understanding how to detect and combat these kinds of messages.

Step 1: Get an example message from Bank of America

In order to send a compelling forged email message, we need an example of a message that came from the source we are trying to forge, so that we can make our message “look like” a typical message they send (e.g. in terms of subject, content, wording and grammar, images, etc.).  We are not going to consider the message subject or content in this article.  Instead, we are concerned with the headers: the part of the message that identifies who sent it, who it is to, and what path it took over the Internet.

Taking an example message from Bank of America and looking at the headers, I see (an excerpt of the interesting headers):

Return-Path: <>
Received: from unknown [] (EHLO
	by over TLS secured channel
	with ESMTP id
	Thu, 05 Feb 2015 04:50:03 -0700 (MST)

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608;;

Received: by id hqdcek163hsp for 
   Thu, 5 Feb 2015 05:49:51 -0600 (envelope-from 

From: "Bank of America" <>

Reply-To: "Bank of America" 

Message-ID: <af68828a-6c81-4032-b43d-8583607bdf99@xtnvs5mta406.xt.local>

We see from this example typical From, Reply-To and “Return-Path” (bounce) addresses, the Message-ID format, that they use DKIM, and an example of a Bank of America server that talked to our server to deliver the message.

For items that look like unique IDs (e.g. the Message-ID, Return-Path), the hacker would use a slightly altered but similar one.  S/he would use the same From address, omit the DKIM signature (a valid one cannot be produced without Bank of America’s private signing key), and possibly add some fake “Received” lines to make the message appear to have passed through Bank of America’s servers.

Step 2: The Forged Message

Using this information, the hacker would construct a forged message similar to this one.  (In the original post, the fields I changed were highlighted in red and the fields I added in blue; the colours do not survive here, but comparing with the example above shows the altered id and timestamp in the Received line, the altered Message-ID, and the added Subject.)

Return-Path: <>

Received: by id hqdcek163bnq for <>; 
   Thu, 5 Feb 2015 10:25:15 -0600 (envelope-from 

From: "Bank of America" <> 

Reply-To: "Bank of America" 
Message-ID: <af68828a-6c81-5896-b43d-8583607bdf99@xtnvs5mta406.xt.local>

Subject: Alert! You Bank of America account has been compromised


(Add the actual body of the message, next)

Step 3: Where to send the message?

Next, the hacker would determine the servers that handle inbound email for the target’s domain, i.e. its MX records.  This is easily done with the “dig” command at the Linux/Unix/Mac command line:

 #>dig +short mx




This tells the hacker that “” is the server to connect to in order to deliver the message.

Step 4: Sending the forged email message

Next, the hacker fires up the standard “telnet” program, connects to on port 25 (the standard port for inbound server-to-server email delivery) and “talks SMTP” to that server, specifying who the message is from and to and what it contains.  The server (hopefully) accepts it, then filters it and (maybe) delivers it to the unsuspecting recipient.

(In the original post, content typed by the hacker was shown in blue and the mail server’s responses in black.  Here, the lines beginning with a three-digit code are the server’s replies; everything else was typed by the hacker.)

 #>telnet 25


Connected to

Escape character is ‘^]’.

220 ESMTP Sendmail 8.14.4/8.13.8; Thu, 5 Feb 2015 15:31:49 GMT

ehlo Hello [], pleased to meet you




250-SIZE 209715200




250 HELP


250 2.1.0… Sender ok


250 2.1.5… Recipient ok


354 Enter mail, end with “.” on a line by itself

Return-Path: <>

Received: by id hqdcek163bnq for <>; …

From: “Bank of America” <>

Reply-To: “Bank of America” <>

Message-ID: <af68828a-6c81-5896-b43d-8583607bdf99@xtnvs5mta406.xt.local>

Subject: Alert! You Bank of America account has been compromised




250 2.0.0 t15FVnRD023664 Message accepted for delivery


221 2.0.0 closing connection

Connection closed by foreign host.

You can see in this dialog that:

  1. The hacker pretended to be connecting from one of Bank of America’s servers (the “ehlo” greeting).
  2. The hacker set the “envelope” from and to addresses (the “mail from” and “rcpt to” SMTP commands) to match those in the fake message.
  3. The hacker sent the full fake message (after the “354 Enter mail” prompt).
  4. The server accepted it (“250 2.0.0 … Message accepted for delivery”).

Nothing in this dialog appears to validate the sender’s identity, and as far as the SMTP conversation itself goes, nothing does.  That is not the whole story, though: the receiving server records the real connecting IP address in the “Received” header it adds on top of the message, and the checks described below (SPF, DKIM, DMARC, filtering) act on the accepted message before it reaches the inbox.
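The Step 3 lookup and the Step 4 dialog above, as an added example that is not part of the original post: a throw-away SMTP receiver on localhost stands in for the accepting Sendmail, and a client plays the hacker’s side of the conversation. The domain names, addresses, dig output and message body are all constructed for the example; the point it shows is that the server takes every envelope and header it is given, and that the only thing it records on its own authority is the peer’s real IP address in the Received line it prepends.

```python
"""Added example (not from the original post): Step 3's MX lookup and Step 4's
SMTP dialog, replayed offline.  A throw-away receiver on localhost accepts
everything, like the Sendmail in the transcript, and the client sends a forged
message as the telnet session did.  All names and addresses are constructed."""
import socket
import threading

DIG_OUTPUT = "20 mx2.target.example.\n10 mx1.target.example.\n"  # constructed `dig +short mx` output
FORGED_MESSAGE = (  # constructed, modelled on the Step 2 headers
    "Return-Path: <alerts@bank.example>\n"
    "Received: by mta406.bank.example id hqdcek163bnq for <victim@target.example>\n"
    'From: "Bank of America" <alerts@bank.example>\n'
    "Subject: Alert! Your Bank of America account has been compromised\n"
    "\nPlease log in at the link below to secure your account.\n"
)

def pick_mx(dig_output):
    """Lowest preference value wins: that host is the primary inbound server."""
    return min((int(p), h.rstrip(".")) for p, h in (ln.split() for ln in dig_output.splitlines()))[1]

class AcceptAllSMTPServer(threading.Thread):
    """Minimal receiver: accepts any EHLO name, sender and recipient unchecked,
    records the envelope, and prepends its own Received: header carrying the
    peer's real IP address, the one fact in the message the sender cannot forge."""
    def __init__(self, name):
        super().__init__(daemon=True)
        self.name, self.envelope, self.message = name, {}, None
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, (peer_ip, _) = self.sock.accept()
        rfile = conn.makefile("rb")
        send = lambda s: conn.sendall((s + "\r\n").encode())
        send(f"220 {self.name} ESMTP ready")
        while raw := rfile.readline():
            verb, _, arg = raw.decode().rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                self.envelope["helo"] = arg
                send(f"250-{self.name} Hello [{peer_ip}], pleased to meet you")
                send("250 HELP")
            elif verb in ("MAIL", "RCPT"):           # MAIL FROM:<x> / RCPT TO:<y>
                self.envelope[verb.lower()] = arg.split(":", 1)[1].strip().strip("<>")
                send("250 2.1.0 Sender ok" if verb == "MAIL" else "250 2.1.5 Recipient ok")
            elif verb == "DATA":
                send('354 Enter mail, end with "." on a line by itself')
                lines = []
                while (raw := rfile.readline()) and raw.rstrip(b"\r\n") != b".":
                    line = raw.decode().rstrip("\r\n")
                    lines.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
                stamp = f"Received: from {self.envelope['helo']} ([{peer_ip}]) by {self.name}\n"
                self.message = stamp + "\n".join(lines) + "\n"
                send("250 2.0.0 Message accepted for delivery")
            elif verb == "QUIT":
                send(f"221 2.0.0 {self.name} closing connection")
                break
        conn.close()

def send_forged(host, port, helo, mail_from, rcpt_to, message):
    """The telnet session as code; returns every reply line the server sent."""
    replies = []
    with socket.create_connection((host, port)) as conn:
        rfile = conn.makefile("rb")
        def reply():  # a "250-" line continues a multi-line reply; "250 " ends it
            while True:
                replies.append(rfile.readline().decode().rstrip("\r\n"))
                if replies[-1][3:4] != "-":
                    return replies[-1]
        def cmd(text):
            conn.sendall((text + "\r\n").encode())
            return reply()
        reply()                                  # 220 banner
        cmd(f"EHLO {helo}")                      # claim to be a bank mail server
        cmd(f"MAIL FROM:<{mail_from}>")          # forged envelope sender
        cmd(f"RCPT TO:<{rcpt_to}>")
        cmd("DATA")
        data = "\r\n".join("." + ln if ln.startswith(".") else ln for ln in message.splitlines())
        conn.sendall((data + "\r\n.\r\n").encode())  # dot-stuffed body, then the terminator
        reply()
        cmd("QUIT")
    return replies

def run_demo():
    """Deliver FORGED_MESSAGE to the local receiver; return replies, envelope, stored message."""
    server = AcceptAllSMTPServer(pick_mx(DIG_OUTPUT))
    server.start()
    replies = send_forged("127.0.0.1", server.port, "mailgw.bank.example",
                          "alerts@bank.example", "victim@target.example", FORGED_MESSAGE)
    server.join(timeout=5)
    return replies, server.envelope, server.message

def real_source(stored_message):  # the peer IP in the receiver's own topmost Received: header
    top = stored_message.split("\n", 1)[0]
    return top[top.index("[") + 1:top.index("]")]

if __name__ == "__main__":
    replies, envelope, stored = run_demo()
    print("\n".join(replies), "\nenvelope:", envelope, "\nreal source:", real_source(stored))
```

Running it prints the same kind of 220/250/354/250/221 exchange as the telnet transcript. The stored message begins with the receiver’s own Received line naming 127.0.0.1 (the loopback peer here; in the real session it would be the hacker’s address), while every header below it, including the “Received: by mta406.bank.example” line, is exactly what the forger typed. That top Received line is what SPF and the forensic analysis in the follow-up post work from.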

The Received Forged Email

The unsuspecting recipient may soon find a message from “Bank of America” in his/her INBOX.

The recipient may believe it, click on it, and be sucked into some phishing scheme!

What are Your Defenses?

Since forged email has been around for a long time, email has evolved and there are now defenses against it that work to varying degrees.

Some of these include:

  1. SPF, a DNS record in which a domain owner lists the servers (IP addresses) authorized to send email using that domain as the envelope sender, so that the receiver can check the connecting server against it
  2. DKIM, a cryptographic signature over selected headers and the body made with the sending domain’s private key and verified by the receiver against a public key published in DNS; it proves that the message was authorized by the domain’s key holder and has not been altered since (which is why the forger above had to omit it)
  3. Filters that block widespread/common phishing attacks (these don’t help much with spear phishing: messages targeted at you specifically)
  4. Allow and deny lists that permit or block messages from specific IP addresses or senders
  5. DMARC, which ties the SPF and DKIM results to the domain in the visible “From” header (alignment), lets the domain owner publish a policy for messages that fail (none, quarantine or reject), and sends reports back to the owner
  6. Common sense, e.g. treating an unexpected “your account has been compromised” alert with suspicion and not clicking its links
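How items 1, 2 and 5 of that list turn the Step 4 session into a verdict, as an added example that is not part of the original post: an SPF evaluator for the connecting IP, and a DMARC alignment check that combines it with the DKIM result. The DNS records, IP addresses and domains are constructed; DNS lookups are replaced by dictionaries, DKIM verification (which needs the signer’s public key from DNS) is represented by the domain whose signature verified, and only the ip4, ip6 and all SPF mechanisms are evaluated, since include, a, mx and redirect need live DNS. The organizational-domain shortcut is also an assumption of the example.

```python
"""Added example (not from the original post): SPF and DMARC alignment applied to
the forged session.  Constructed DNS records replace lookups; DKIM verification
is represented by the domain whose signature verified, if any."""
import ipaddress

# Constructed TXT records standing in for what `dig txt` would return.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 -all",
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
DMARC_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Evaluate the domain's SPF record against the IP that connected to us."""
    record = SPF_RECORDS.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:  # a v4 address is never inside a v6 network and vice versa
                matched = addr in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
        else:
            raise NotImplementedError(f"{mech} mechanism needs DNS; not modelled here")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record had no "all"


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (real DMARC
    uses the public suffix list; this shortcut is an assumption of the example)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def parse_tags(record):
    """'v=DMARC1; p=reject' -> {'v': 'DMARC1', 'p': 'reject'}"""
    tags = {}
    for item in record.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    return tags


def dmarc_evaluate(header_from, mail_from, client_ip, dkim_pass_domain=None):
    """DMARC outcome for one message.  SPF authenticates the envelope (MAIL FROM)
    domain and DKIM the signing domain; DMARC counts either result only if that
    domain aligns with the domain in the visible From: header."""
    from_domain = header_from.rsplit("@", 1)[1].lower()
    policy = parse_tags(DMARC_RECORDS.get(org_domain(from_domain), ""))
    spf_domain = mail_from.rsplit("@", 1)[1].lower()
    spf = check_spf(spf_domain, client_ip)
    spf_aligned = spf == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_aligned = bool(dkim_pass_domain) and org_domain(dkim_pass_domain) == org_domain(from_domain)
    passed = spf_aligned or dkim_aligned
    if policy.get("v") != "DMARC1" or passed:
        action = "deliver"  # no published policy to enforce, or the message passed
    else:
        action = {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "deliver")
    return {"spf": spf, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "result": "pass" if passed else "fail", "action": action}


if __name__ == "__main__":
    # Genuine message: sent from a bank server, DKIM-signed by bank.example.
    print(dmarc_evaluate("alerts@bank.example", "bounce@bank.example",
                         "198.51.100.25", dkim_pass_domain="bank.example"))
    # The Step 4 session: forged envelope and From:, unrelated IP, no DKIM.
    print(dmarc_evaluate("alerts@bank.example", "alerts@bank.example", "203.0.113.7"))
    # Variant: the attacker uses an envelope domain whose SPF it controls; SPF
    # passes, but it does not align with the From: domain, so DMARC still fails.
    print(dmarc_evaluate("alerts@bank.example", "bounce@attacker.example", "203.0.113.7"))
```

The third scenario is the one worth remembering: SPF on its own only answers “is this server allowed to send for the envelope domain?”, and a forger who sets the envelope sender to a domain they control will pass it. DMARC closes that gap by requiring the passing identifier to align with the “From” address the recipient actually sees, and by letting the domain owner say what to do when neither aligns.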

In our next post on this topic, we will analyze the message received by and see what tell-tale signs exist indicating that it is fraud and start to examine how messages such as this can be and are stopped every day by properly configured email systems.

We will see that there is a large burden on the owner of the sending domain to put measures in place to ensure that recipients of messages “from” them can properly differentiate good messages from forged messages.  We shall see, for example, how Bank of America does this.

Read Followup Post: Analyzing a Forged Email Message: How to Tell it was Forged?