Naftali Harris

How to Forge an Email

December 22, 2014

Most people don't realize how easy it is to forge an email. Say my brother John Doe uses the email address If I get an email from that address, it's natural to assume that John actually sent it. In fact, it's also remarkably easy for an attacker to have sent it.

To illustrate this, in this post I describe one way to send an email that appears to come from someone else. I do this not to help attackers, (who already know how to forge emails), but rather to put everyone else on their guard by demonstrating how untrustworthy the "From" field of an email is. With that in mind, please use these directions responsibly.

1. Draft it

First, write up your fake email using this template:

$ cat email.txt
Subject: What's Mom's SSN again?

Hey Sis,

What's Mom's social security number again? I need it for some tax docs.



2. Send it

Then send it from a linux server that has sendmail installed and set up:

$ sendmail -f < email.txt

3. Done!

There, it's that simple. You sometimes have to play around a bit so that you bypass the recipient's spam filter, but it's usually not hard. To see this in action, take a look at what happened when I sent the above forged email to myself, (replacing Jane's address with my own, Gmail address):

gmail screenshot

As you can see, this little trick easily fooled Gmail. Amusingly, not only does Gmail not send this email to spam or warn me about phishing, but it also marks it as "important", perhaps out of concern for my brother John and his desperate need for Mom's social! (Okay, that's not fair: Gmail marks it as "Important mainly because of the people in the conversation").

Of course, in a real situation I'd be wary of a email asking me for my mom's social, from someone claiming to be my nonexistent brother John, and who on top of that mistakes the gender of his own sibling. But you can easily imagine an attacker carefully crafting a more convincing message to you with devastating effects. Be on your guard.

You might also enjoy...