Faking it: How to pretend to be someone else using their email address, and how to spot if it happens to you.
Email addresses, much like the caller ID on a phone, are something most people just take for granted as being correct. What if I were to tell you that in 30 seconds someone could change their email address to yours (or anyone’s, for that matter) and email whomever they wanted? It’s called Email Spoofing, and I am going to show you that this can (and does) happen.

What is email spoofing? Wikipedia defines it as “a term used to describe (usually fraudulent) e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source”
In this article I will show you how to make your email address appear to be whatever you want it to be. I will also show you how to identify spoofed emails and protect yourself from becoming a victim of this form of attack.
*The standard Josh-can’t-get-in-trouble disclaimer*
Everything in this article is either hypothetical, educational and/or for illustrative purposes only. In order for you to understand how to protect yourself, you must understand how the attack works. I would not do this myself, nor do I promote its use.
For this spoof you will need 2 things.
1. An email account.
You’ll need an email account either from your internet service provider (e.g., joeblow@telus.com), website (e.g., info@yourwebsite.com) or a free Hotmail, Live or MSN email account. (I haven’t tested spoofing with Gmail, Yahoo or anyone else, but it might work too)
Don’t have an email address? Go here and get one: http://www.hotmail.com
2. An Email program.
For this article I am using Windows Live Mail because it’s free. You can also use Outlook Express or almost any other email program.
Don’t have Windows Live Mail? Go here and get it: http://download.live.com/wlmail
Setting up and spoofing with a Hotmail, Live or MSN Email address.
If you are not spoofing with a Hotmail, Live or MSN account and are instead using an ISP-based email account (Rogers, Telus, Bell, etc.), please skip to the next section called “Setting up and spoofing with an ISP or website email address.”
From this point on, I am going to use “Hotmail” to refer to all Hotmail, Live and MSN (There is no difference in setting them up). Let’s get started!
If you already have a Hotmail account set up with Windows Live Mail or Outlook Express, skip to Step Three!
Step One: Open Windows Live Mail and click ‘Add a new email account’.
Step Two: Fill out your actual email address, password, name and click ‘Next’. On the next screen click ‘Finish’. Congrats, your email account is set up!

Step Three: While in Windows Live Mail, right click the Hotmail account and left click on ‘Properties’.

Step Four: Now onto the spoofing! You can change your name and email address to whatever you want them to show up as. Click ‘Apply’ then ‘Ok’.

Any email you send will now appear to be from the email address and name you just supplied.
***Note that you can only spoof hotmail/MSN/live accounts with a hotmail/MSN/live account, because they send a note along with the email saying it was delivered by hotmail/MSN/live.***
Step Five: Sending an email! Click ‘New’ then ‘Email message’. Type your email as normal and send away! Your Email will show up like this to the person you sent it to.

***To change your email back, go back to Step Three and fill out your real information, otherwise the emails you send will continue to appear to be sent from the spoofed account.***
Setting up and spoofing with an ISP or website email address
If you already have an account set up with your ISP or website, skip to Step Four!
Step One: Open Windows Live Mail and click ‘Add a new email account’.

Step Two: Fill out your actual email address, password, name and click the checkbox at the bottom ‘Manually configure server settings……’ and then click ‘Next’.
Step Three: Fill out your actual POP/IMAP server address, login ID and outgoing server info and click ‘Next’ (if you are unsure about these, call your internet service provider or your website host and they should be able to help you out). On the next screen click ‘Finish’. Congrats! Your email account is set up.
Step Four: While in Windows Live Mail, right click the Email account and left click on ‘Properties’.
Step Five: Now onto the spoofing! You can change your name and email address to whatever you want them to show up as. Click ‘Apply’ then ‘Ok’.
Any email you send now will be from the fake email address and name you just supplied.
***You can change your email address and name to whatever you want, but remember that email addresses with sexual, drug or other spam-related topics could be sent right to a junk mail folder.***
Step Six: Sending an email! Click ‘New’ then ‘Email Message’. Type your email as normal and send away! Your Email will show up like this.
***To change your email back, go to Step Four and fill out your real information, otherwise the emails you send will continue to appear to be sent from the spoofed account.***
How to Identify a Spoofed Email.
Identifying a spoofed email is pretty easy stuff. You just have to look at the email header. What is an email header? It contains all of the info regarding where the email came from originally and how it got there.
To view the email header when logged into Hotmail/MSN/Live, from your inbox right click the email in question and click ‘View Message Source’.
To view the email header in Gmail, open the email in question and look in the top right hand corner for an arrow pointing down beside the reply button. Click the arrow and then click ‘Show Original’
To view the email header with Windows Live Mail, in the inbox right click on the email in question and click ‘Properties’. Click the ‘Details’ tab on the top and you should be viewing the header.
Let’s take a look at the Email header from the spoofed Hotmail email I sent earlier in this article.
The real email address I used is ninjagaiden12038@hotmail.com and the fake address I used is ChangeMe@hotmail.com. I will bold these so you can see the problem.
If sent from a Hotmail/MSN/Live account, the header will look like this:
Delivered-To: XXXXXXXXXXX@gmail.com <- This is who I sent the email to.
Received: by 10.151.144.13 with SMTP id w13cs51203ybn;
Fri, 16 Oct 2009 22:05:26 -0700 (PDT)
Received: by 10.224.101.206 with SMTP id d14mr1493693qao.238.1255755925934;
Fri, 16 Oct 2009 22:05:25 -0700 (PDT)
Return-Path: ninjagaiden12038@hotmail.com
Received: from col0-omc1-s6.col0.hotmail.com (col0-omc1-s6.col0.hotmail.com [65.55.34.16])
by mx.google.com with ESMTP id 42si5538165qyk.64.2009.10.16.22.05.25;
Fri, 16 Oct 2009 22:05:25 -0700 (PDT)
Received-SPF: pass (google.com: domain of ninjagaiden12038@hotmail.com designates 65.55.34.16 as permitted sender) client-ip=65.55.34.16;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of ninjagaiden12038@hotmail.com designates 65.55.34.16 as permitted sender) smtp.mail=ninjagaiden12038@hotmail.com
Received: from COL124-DS24 ([65.55.34.9]) by col0-omc1-s6.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 16 Oct 2009 22:05:13 -0700
X-Originating-IP: [XX.XX.XX.XXX] <- My real Ip address is here as well (I blocked it out).
X-Originating-Email: [ninjagaiden12038@hotmail.com]
Message-ID:
Return-Path: ninjagaiden12038@hotmail.com
From: “Change Name to Whatever!” ChangeMe@hotmail.com
To: XXXXXXXXXXX@gmail.com
As you can see, the original Hotmail email address is contained in the header; most people just never look.
Now let’s take a look at the email header from the spoofed ISP email I sent earlier in the article.
The real email address I used is me@myfriendjosh.com and the fake address I used is ninja@fakeemail.com. I will bold these so you can see the problem.
If sent from an internet service provider email account the header will look like this:
Delivered-To: XXXXXXXX@gmail.com <- This is who I sent the email to.
Received: by 10.151.144.13 with SMTP id w13cs50893ybn;
Fri, 16 Oct 2009 21:50:42 -0700 (PDT)
Received: by 10.231.83.75 with SMTP id e11mr7721225ibl.11.1255755042354;
Fri, 16 Oct 2009 21:50:42 -0700 (PDT)
Return-Path: ninja@fakeemail.com
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194])
by mx.google.com with ESMTP id 1si7083784iwn.102.2009.10.16.21.50.42;
Fri, 16 Oct 2009 21:50:42 -0700 (PDT)
Received-SPF: neutral (google.com: 74.208.4.194 is neither permitted nor denied by best guess record for domain of ninja@fakeemail.com) client-ip=74.208.4.194;
Authentication-Results: mx.google.com; spf=neutral (google.com: 74.208.4.194 is neither permitted nor denied by best guess record for domain of ninja@fakeemail.com) smtp.mail=ninja@fakeemail.com
Received: from Josh (S0106001b246d2dd2.gv.XXXXXXXXX.net [XX.XX.XX.XXX]) <- My Real IP
by mrelay.perfora.net (node=mrus0) with ESMTP (Nemesis)
id 0MTS0N-1MrYbn0vlX-00RzhX; Sat, 17 Oct 2009 00:50:41 -0400
Message-ID:
From: “ninja” ninja@fakeemail.com
To: XXXXXXXXX@gmail.com
So as you can see, it’s not so obvious that this address is being spoofed. In fact, all we have is their real IP address (XX.XX.XX.XXX), which can change if they are sending you emails from different locations. Luckily, their IP address can be reversed, like looking up a phone number, with a lookup tool.
If we were to go to http://www.whatismyip.com/tools/ip-address-lookup.asp and punch in the IP address I blanked out, it would tell you what city I was in when I sent the email and which internet service provider I was connected through. So you will at least know it’s the right city.
So the best way to tell if this is actually them is to email them back. The person who actually owns ninja@fakeemail.com will receive your email; if they have no idea what you are talking about, there is a good chance you were just spoofed.
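The header comparison described in this section can be automated. The following is an added example, not part of the original article: check_headers is a hypothetical helper, and the two samples are constructed by trimming the header dumps above (angle brackets restored, recipient replaced with a placeholder).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples, trimmed from the two header dumps in this article.
# The To: address is a placeholder.
HOTMAIL_SAMPLE = """\
Return-Path: <ninjagaiden12038@hotmail.com>
Authentication-Results: mx.google.com; spf=pass smtp.mail=ninjagaiden12038@hotmail.com
X-Originating-Email: [ninjagaiden12038@hotmail.com]
From: "Change Name to Whatever!" <ChangeMe@hotmail.com>
To: recipient@example.com

body
"""

ISP_SAMPLE = """\
Return-Path: <ninja@fakeemail.com>
Authentication-Results: mx.google.com; spf=neutral smtp.mail=ninja@fakeemail.com
From: "ninja" <ninja@fakeemail.com>
To: recipient@example.com

body
"""

def check_headers(raw):
    """Return a list of findings; an empty list means nothing stood out."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    # Addresses recorded by mail servers, not by the sender's mail program.
    recorded = {
        "Return-Path": parseaddr(msg.get("Return-Path", ""))[1].lower(),
        "X-Originating-Email": msg.get("X-Originating-Email", "").strip("[] ").lower(),
    }
    auth = msg.get("Authentication-Results", "")
    sender = re.search(r"smtp\.mail=([^\s;]+)", auth)
    if sender:
        recorded["smtp.mail"] = sender.group(1).lower()
    findings = [f"{name} is {addr}, but From is {from_addr}"
                for name, addr in recorded.items()
                if addr and addr != from_addr]
    # The receiving server's SPF verdict; anything but "pass" deserves a look.
    spf = re.search(r"\bspf=(\w+)", auth)
    result = spf.group(1).lower() if spf else "missing"
    if result != "pass":
        findings.append(f"SPF result is {result}, not pass")
    return findings

if __name__ == "__main__":
    for label, raw in (("Hotmail", HOTMAIL_SAMPLE), ("ISP", ISP_SAMPLE)):
        print(label, check_headers(raw))
```

The Hotmail sample is caught by address mismatches; the ISP sample only by its spf=neutral result, which is a reason to look closer rather than proof of spoofing.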
Why would anyone want to spoof an email?
Well, for starters, it could be used to cause some mischief. The spoofer could email someone’s significant other pretending to be them. Even worse, some investment agencies make you sign a contract stating that they are allowed to follow your instructions if sent to them by email. If someone were to withdraw $10000’s worth of your RSPs to your banking account, you would have to pay $100’s in early withdrawal fees and $1000’s in taxes for the year. These situations would be extremely annoying, but are probably less common.
The most common reasons that email addresses are spoofed are for phishing attacks and viruses. You are a lot more likely to click a link for Paypal.com if the email address it’s coming from is help@paypal.com. Meanwhile, this link will take you to a fake copy of the real site to try to steal your Paypal password. The best defense against this is to never click any links in emails! Instead, go to the actual site by typing it in your address bar.
Stay fit and have fun,
Joshizu Umezawa










Great post Josh! Keep the content coming!
So, I suppose that means that I am not blocking anybody when I just copy and paste the emails at the top of the message to my blocked senders list? Dammit Jim!
Who is moderating me? Why am I being moderated? I refuse this attempt to moderate me. Hmmph.
Yeah unfortunately that’s true.
A lot of spam & phishing emails are done with software that generates fake email addresses for each email they send.
Are you sure it’s not at all possible to spoof the IP address as well while sending an email???
It’s definitely possible, and I will be covering it in part two of this. Which I am working on right now.