
How can Spammers and Hackers Send Forged Email?

Everyone has seen spam messages arrive with a “From” address that is your own address, a colleague’s, a friend’s, or that of some company that you work with or use.  These From addresses are forged to help the messages (a) get by your spam filters, and (b) get by your “eyeball filters”.

But how are these folks “allowed” to do that?

When email was first developed, there was no concept of the need for security; protections against identity theft and forgery were not part of the plan.  As a result, it is actually trivial for one to send an email with a forged “From” address and even some forged “Received” tracking lines by just connecting to your target’s email server and telling it whatever you want.

Let’s try to send an email to the address “” pretending to be from “Bank of America”.  The purpose of this exercise is not so much to teach you how to send forged email (this is not a new technique) as to set the stage for understanding how to detect and combat these kinds of messages.

Step 1: Get an example message from Bank of America

In order to send a compelling forged email message, we need an example of a message that came from the source that you are trying to forge … so you can make your message “look like” a typical message that they send (e.g. in terms of the subject, content, wording and grammar, images, etc.).  We are not going to consider the message subject or content in this article.  Instead, we are concerned with the headers … the part of the message that identifies who sent it, who it is to, and what path it took over the Internet.

Taking an example message from Bank of America and looking at the headers, I see the following excerpt of the interesting headers:

Return-Path: <>
Received: from unknown [] (EHLO
	by over TLS secured channel
	with ESMTP id
	Thu, 05 Feb 2015 04:50:03 -0700 (MST)

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608;;

Received: by id hqdcek163hsp for 
   Thu, 5 Feb 2015 05:49:51 -0600 (envelope-from 

From: "Bank of America" <>

Reply-To: "Bank of America" 

Message-ID: <af68828a-6c81-4032-b43d-8583607bdf99@xtnvs5mta406.xt.local>

From this example we see typical From addresses, Reply-To addresses, “Return-Path” addresses (used for bounces), the Message-ID format, that they use DKIM, and an example of a server at Bank of America that talked to our server to deliver the message.

For items that look like unique IDs (e.g. the Message-ID, Return-Path), the Hacker would use a slightly altered but similar one.  S/he would use the same from address, omit the DKIM signature, and possibly use some fake “Received” lines to make the message appear to come from Bank of America’s servers.

Step 2: The Forged Message

Using this information, the Hacker would construct a forged message similar to this one.  I highlighted in RED the things I changed and in BLUE the things I added:

Return-Path: <>

Received: by id hqdcek163bnq for <>; 
   Thu, 5 Feb 2015 10:25:15 -0600 (envelope-from 

From: "Bank of America" <> 

Reply-To: "Bank of America" 
Message-ID: <af68828a-6c81-5896-b43d-8583607bdf99@xtnvs5mta406.xt.local>

Subject: Alert! You Bank of America account has been compromised


(Add the actual body of the message, next)

Step 3: Where to send the message?

Next, the hacker would determine the servers that handle inbound email for the target’s domain —  This can easily be done using the “dig” command at the Linux/Unix/Mac command line:

 #>dig +short mx

This informs the hacker that s/he can use “” as the server to connect to in order to send the message.

Step 4: Sending the forged email message

Next, the hacker fires up the standard “telnet” program and connects to on port 25 (the standard port for inbound email delivery) and “talks SMTP” to that server… specifying who the message is from and to and what the message contains.  The server accepts that (hopefully) and then filters it and (maybe) delivers it to the unsuspecting recipient.

The BLUE indicates content entered by the hacker; the black, responses of the mail server.

 #>telnet 25

Connected to

Escape character is ‘^]’.

220 ESMTP Sendmail 8.14.4/8.13.8; Thu, 5 Feb 2015 15:31:49 GMT

ehlo Hello [], pleased to meet you

250-SIZE 209715200

250 HELP

250 2.1.0… Sender ok

250 2.1.5… Recipient ok

354 Enter mail, end with “.” on a line by itself

Return-Path: <>

Received: by id hqdcek163bnq for <>; …

From: “Bank of America” <>

Reply-To: “Bank of America” <>

Message-ID: <af68828a-6c81-5896-b43d-8583607bdf99@xtnvs5mta406.xt.local>

Subject: Alert! You Bank of America account has been compromised

250 2.0.0 t15FVnRD023664 Message accepted for delivery

221 2.0.0 closing connection

Connection closed by foreign host.

You can see in this dialog, that:

  1. The hacker pretended to be coming from one of Bank of America’s servers (ehlo
  2. The hacker set the “envelope” from and to addresses to match that in the fake message (the “rcpt to” and “mail from” SMTP commands)
  3. The hacker sent the full fake message
  4. The server was “ok” with it.

You can also see in this dialog that there does not appear to be any point at which the sender’s identity is validated or checked.  That appearance is misleading; as we will see, this is not actually the case.

The Received Forged Email

The unsuspecting recipient may soon find a message from “Bank of America” in his/her INBOX.

The recipient may believe it, click on it, and be sucked into some phishing scheme!

What are Your Defenses?

Since forged email has been around for a long time, email has evolved, and there are defenses against it that work to varying degrees.

Some of these include:

  1. SPF to verify that the server used to send email is authorized to do so
  2. DKIM to sign messages and prove that the sender is authorized to construct messages from this sender
  3. Filters to block wide-spread/common phishing attacks (doesn’t help with spear phishing — messages targeted at you, specifically)
  4. Allow and Deny lists that permit messages from specific IP addresses
  5. DMARC
  6. Common Sense
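To show how SPF, DKIM and DMARC act on a message like the forged one above, here is an added example (not code from the original post): a minimal SPF evaluator run against a constructed SPF record, plus a DMARC-style check that the From header domain aligns with the envelope sender and that a DKIM signature is present. All domains, addresses and IP addresses are constructed placeholders, and the SPF record is embedded in place of the DNS TXT lookup a real mail server would perform.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF record; in practice this is the sending domain's DNS TXT record.
SPF_RECORDS = {"bank.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all"}

def spf_check(envelope_from, client_ip):
    """Minimal SPF evaluator (ip4/ip6 mechanisms and 'all' only).
    Returns pass, fail, softfail, neutral or none, as an SPF-checking MTA would."""
    domain = envelope_from.rpartition("@")[2].lower()
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return results[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return results[qualifier]
        # include:/a/mx mechanisms need DNS lookups and are skipped offline.
    return "neutral"

def header_checks(raw_message, envelope_from):
    """DMARC-style checks on the message headers: does the From domain align
    with the envelope (MAIL FROM) domain, and is a DKIM signature present?"""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "from_domain": from_domain,
        "spf_aligned": from_domain == envelope_from.rpartition("@")[2].lower(),
        "has_dkim": "DKIM-Signature" in msg,
    }

# Constructed copy of the forged message from the post, with placeholder addresses.
FORGED = """Return-Path: <alerts@bank.example>
Received: by mta.bank.example id hqdcek163bnq for <victim@example.test>;
From: "Bank of America" <alerts@bank.example>
Reply-To: "Bank of America" <alerts@bank.example>
Subject: Alert! You Bank of America account has been compromised

(message body)
"""

if __name__ == "__main__":
    # The forger connected from an IP that is not in the bank's SPF record.
    print(spf_check("alerts@bank.example", "192.0.2.44"))   # fail
    print(header_checks(FORGED, "alerts@bank.example"))     # aligned, but no DKIM
```

With a DMARC policy of reject published by the domain owner, an SPF fail combined with no DKIM signature is exactly what lets the receiving server discard a message like this.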

In our next post on this topic, we will analyze the message received by and see what tell-tale signs exist indicating that it is fraud and start to examine how messages such as this can be and are stopped every day by properly configured email systems.

We will see that there is a large burden on the owner of the sending domain to put measures in place to ensure that recipients of messages “from” them can properly differentiate good messages from forged messages.  We shall see, for example, how Bank of America does this.

Read Followup Post: Analyzing a Forged Email Message: How to Tell it was Forged?
