Email Spoofing Attack

Samarth Jain
5 min read · May 21, 2020


Emails are an integral part of our daily communication. We all use them in our everyday lives. But the email technology (and a lot of the internet, for that matter) is built upon assumptions that we take for granted. In this article, I intend to show you that getting phished or pranked by email spoofing is a very real possibility for anyone.

Disclaimer: This is for educational purposes only. Email spoofing attacks can get you into serious trouble, and I seriously discourage you from trying this out on anybody unless they will forgive you!

Introduction

When we receive an email in any email client app like Gmail or Outlook these days, we see the sender’s name and his or her email address, and we make the basic assumption that the email we have received did come from that person. But, as I will show you later on this page, it is possible to spoof an email so that it is actually sent by somebody whose name or email address does not appear in the sender information in the client. This is called an Email Spoofing Attack.

I took a class on Computer Security recently. A month ago, someone close to me was the victim of an email spoofing attack. So, armed with some knowledge from my class, I decided to study this attack further and write some code showing just how easy it is to spoof email.

How We Think Emails Work

Gmail shows the name of the sender and the subject

Email clients are programmed in such a way that when you send an email, the client automatically puts your name and email address in the email packets before sending them out. When the email client receives emails, it processes the email packets for important information such as sender name and email address and displays that information in a neat fashion on the page.

As an example, I have used my Gmail client to receive an email from Indeed that shows fields such as “from”, “mailed-by”, etc.

What Happens Behind The Scenes

Like everything on the internet, emails are sent using packets. Emails are sent using a protocol called SMTP, or Simple Mail Transfer Protocol. The purpose of SMTP is to reliably pass the email packets across the network from the sender’s mail client all the way to the recipient’s mail server (the transfer of emails from a mail server to the actual application or client where you view those emails is done through IMAP or POP, and that is beyond the scope of this article).

The mail client packages critical information in the email packets, such as the “from”, “to” and “subject” fields, and then the actual body of the email. But here is the interesting part: you can change the “from” field to be whatever you want.

Emails are still going to be sent regardless of whether the “from” field contains your own email address and name or not. SMTP servers do verify that the sender and recipient addresses are well-formed, valid email addresses, but they do not verify that the sender email address in the email actually belongs to the person sending it.

An abstraction on how emails are sent and received

The image on the left shows how an email from Alice <alice@email-a.com> could be sent to Bob <bob@email-a.com>. Bob would receive an email in his mail application and notice that it came from somebody named Alice with an email address of alice@email-a.com.

But in reality, it is possible that the email was created by a malicious person, who spoofed the “from” field in the email to match Alice’s. There would be no way for Bob to tell the two emails apart, except for looking into the actual email file that was received by his email client.

An Example of This Attack, In Python

In some ways, sending an email is not very different from sending physical mail, where you have a “from” and a “to” on the envelope, as well as a “from”, “to” and possibly a “subject” on the actual letter. Using the envelope analogy, emails have:

  • “Return-Path” — this is the email address of the sender on the actual envelope. This is generally hidden by the receiving mail client.
  • “From” — this is the email address of the sender inside the envelope, on the actual letter. This is the field that determines what email address you see in your mail client.

Using this knowledge, here is how we can carry out this attack in Python3:

In this code, I am emailing myself, from one of my addresses to another. The “return_path” is the sending address and the “receiver_email” is the receiving address of the email, matching the envelope in the analogy. The message has a “From” and a “To” field, and these can be spoofed to be whatever the malicious sender wants the recipient to actually see in his or her email client.

Lines 17–21 create a secure connection with “mail.samarthjain.me”, which is the SMTP server I am using to send this mail.

Left: how the client displays the email in my inbox | Right: what the raw email header looks like

The images show how the email application displays my email. Notice how the sender email shown is different from the “return_path” email I used in the code. Email clients will generally not show this address unless you open the entire email source.

The source file of this email will have all the information that is attached to the email as it makes its journey from the sender to the recipient, passing through multiple hops on its way.
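To see the envelope-versus-letter distinction from the receiving side, here is an added example (my own code, not the script from the article) that parses a raw message as it appears in the email source view and flags a Return-Path domain that differs from the From domain, also counting the Received hops. Both sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (not real mail). SPOOFED_RAW mimics the article's
# scenario: the envelope sender (Return-Path) is on one domain while the From
# header the client displays claims to be alice@email-a.com.
SPOOFED_RAW = """\
Return-Path: <sender@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
        by mx.email-a.com with ESMTPS; Thu, 21 May 2020 10:00:00 +0000
From: Alice <alice@email-a.com>
To: Bob <bob@email-a.com>
Subject: Hello

Hi Bob
"""

LEGIT_RAW = """\
Return-Path: <alice@email-a.com>
Received: from smtp.email-a.com (smtp.email-a.com [192.0.2.20])
        by mx.email-a.com with ESMTPS; Thu, 21 May 2020 10:05:00 +0000
From: Alice <alice@email-a.com>
To: Bob <bob@email-a.com>
Subject: Hello

Hi Bob
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Return-Path header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def check_envelope_vs_from(raw_message):
    """Compare the envelope sender (Return-Path) with the From address the client shows."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    return {
        "from_domain": from_domain,
        "return_path_domain": envelope_domain,
        # Each Received header is one hop the message passed through on its way.
        "hops": len(msg.get_all("Received", [])),
        "mismatch": from_domain != envelope_domain,
    }

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(label, check_envelope_vs_from(raw))
```

A mismatch alone is not proof of spoofing: legitimate bulk senders (the Indeed mail above, with its separate “mailed-by” address, is one example) also deliver with a Return-Path on another domain, so treat it as a reason to examine the rest of the headers rather than as a verdict.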

Conclusion

Email spoofing attacks are very common because they are so easy to carry out. It is up to us to stay vigilant and avoid being phished for money by an evil party pretending to be our bank, or being pranked. We must always try to verify the source and the content of an email as much as possible.

Samarth Jain

Computer Engineering Senior at UIUC | Former Software Developer Intern @ Amazon | In love with learning | Check out 👉https://samarthjain.me