How to Spoof the “From” Field in Email Headers Using SMTP Manipulation


Email spoofing means setting a message's "From" header so that it displays a sender address different from the one that actually originated the message. While SMTP (Simple Mail Transfer Protocol) deployments have safeguards against this, certain configurations still allow header manipulation.

Here are three common approaches to modify the "From" field:

// PHP example using mail() function
$to = "recipient@example.com";
$subject = "Test Spoofed Email";
$message = "Email content here"; // body text; was undefined in the original snippet
$headers = "From: \"Fake Name\" <spoofed@domain.com>\r\n";
mail($to, $subject, $message, $headers);

# Python example using smtplib
import smtplib
from email.mime.text import MIMEText

msg = MIMEText("Email content here")
msg['Subject'] = 'Test Email'
msg['From'] = 'Fake Sender <fake@domain.com>'
msg['To'] = 'real-recipient@domain.com'

s = smtplib.SMTP('localhost')
s.sendmail('actual-sender@real-domain.com', 
          ['real-recipient@domain.com'], 
          msg.as_string())
s.quit()

At the SMTP protocol level, you can directly interact with the mail server:

HELO client.example.com
MAIL FROM: <real-sender@real-domain.com>
RCPT TO: <recipient@target.com>
DATA
From: "Fake Display Name" <spoofed-email@domain.com>
To: Recipient <recipient@target.com>
Subject: Test Message

This appears to come from the spoofed address.
.
QUIT

Modern email systems implement several protections:

  • SPF (Sender Policy Framework) records
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication, Reporting and Conformance)

When testing spoofed emails, always use:

  1. Your own test domains
  2. Sandbox email accounts
  3. Local SMTP servers (like MailHog)

Never attempt this against production systems or without permission, as email spoofing may violate laws in many jurisdictions.

For more sophisticated forgeries, you can manipulate additional headers:

// PHP example with full headers
$headers = "From: \"CEO\" <ceo@company.com>\r\n";
$headers .= "Reply-To: \"Support\" <support@legit-domain.com>\r\n";
$headers .= "Return-Path: <bounce@other-domain.com>\r\n";
$headers .= "X-Mailer: PHP/" . phpversion();

The "From" header in an email actually consists of two distinct components, a display name and an address:

From: "Display Name" <actual@address.com>

While the envelope sender (Return-Path) is used for delivery, the displayed "From" field can be modified through header manipulation. This technique is commonly called email spoofing, though it has legitimate uses in certain system notification scenarios.
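
On the receiving side, the gap between the envelope sender and the displayed "From" header is something a mail filter can check. The following Python code is an added example, not part of the original article: it flags a message whose From domain differs from its Return-Path or Reply-To domain, or whose Authentication-Results header does not record dmarc=pass. The authserv-id mx.recipient.example, the finding names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header From disagrees with the envelope sender, DMARC failed.
SPOOFED = """\
Return-Path: <bounce@other-domain.example>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=other-domain.example;
 dmarc=fail header.from=company.example
From: "CEO" <ceo@company.example>
Reply-To: "Support" <support@legit-domain.example>
Subject: Test Message

Body
"""

# Constructed sample: aligned domains, DMARC pass.
ALIGNED = """\
Return-Path: <noreply@mydomain.example>
Authentication-Results: mx.recipient.example;
 dkim=pass header.d=mydomain.example;
 dmarc=pass header.from=mydomain.example
From: "System Administrator" <noreply@mydomain.example>
Subject: Important Notice

Body
"""

def domain(header_value):
    """Lower-cased domain of the address in a header value, '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def review(raw, trusted_authserv="mx.recipient.example"):
    """Return spoofing indicators for one raw message (simplified: exact domain match)."""
    msg = message_from_string(raw)
    from_dom, findings = domain(msg["From"]), []
    if domain(msg["Return-Path"]) != from_dom:
        findings.append("envelope-mismatch")
    if msg["Reply-To"] and domain(msg["Reply-To"]) != from_dom:
        findings.append("reply-to-mismatch")
    # Trust only Authentication-Results stamped by our own MTA (assumed authserv-id);
    # a sender can pre-insert forged ones.
    results = [v for v in msg.get_all("Authentication-Results", [])
               if v.split(";")[0].strip() == trusted_authserv]
    dmarc = re.search(r"\bdmarc=(\w+)", " ".join(results))
    if not dmarc or dmarc.group(1).lower() != "pass":
        findings.append("dmarc-not-pass")
    return findings
```

A Return-Path mismatch on its own is common with legitimate bulk senders, so these findings are signals to combine with the DMARC result, not a verdict.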

Using Raw SMTP Commands

Here's how to manually craft an email with telnet:

EHLO yourdomain.com
MAIL FROM:<real_sender@domain.com>
RCPT TO:<recipient@domain.com>
DATA
From: "Fake Display Name" <real_sender@domain.com>
To: recipient@domain.com
Subject: Test email
Date: Thu, 02 Nov 2023 12:00:00 +0000
Message-ID: <unique123@domain.com>

This is a test message.
.
QUIT

PHP Example Using mail() Function

$to = 'recipient@example.com';
$subject = 'Important Notice';
$message = 'Your account needs verification';
$headers = 'From: "System Administrator" <noreply@mydomain.com>' . "\r\n";

mail($to, $subject, $message, $headers);

Most email providers now implement these protection mechanisms:

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication, Reporting and Conformance)

This technique can be properly used for:

  • System notifications showing descriptive sender names
  • Customer support aliases
  • Departmental email addresses

# Python example using smtplib with authenticated submission
import smtplib
from email.message import EmailMessage

msg = EmailMessage()
msg['From'] = '"IT Support Team" <support@company.com>'
msg['To'] = 'user@example.com'
msg['Subject'] = 'Your support ticket'
msg.set_content('We have received your request')

with smtplib.SMTP('smtp.company.com', 587) as smtp:
    smtp.starttls()
    smtp.login('username', 'password')
    smtp.send_message(msg)

Always ensure you have proper authorization before implementing these techniques in production systems.