How to spoof sender email address? - email

Recently I found a web application that can send email to my Kindle, foo@kindle.com, on my behalf, myemail@gmail.com. I am curious how they can spoof the email sender to my Gmail address without any permission. It's Kindle policy that only email addresses from an allowed list can send email to my Kindle.
Your help is really appreciated.

In an email, you can change the 'from:' field to whatever you want. They simply changed the text in that field to your email address. If you would like to read more, here's the technical document describing how email should work: RFC 2822 Internet Message Format

Related

sendgrid/mail wont allow sending 'from' to be dynamically

I have a form on my portfolio that allows a user to fill in a form with a question they have and send that to me by email.
When I try to use SendGrid, it only allows me, as a verified user, to send emails from my own email address, but I want the 'from' field to be dynamically filled in by that user and then sent to me.
Note: I also tried 'emailjs', but that works fine in development and fails in production.
Any suggestions on how to fix this, or any other platforms I can use for that, preferably free since it is a hobby project?
Thanks
Twilio SendGrid developer evangelist here.
You do need to use a verified email address to send emails from SendGrid; this is to stop people using a form like you describe to spoof anyone's email address.
A better idea is to send emails created in your form from a verified email address and set the reply-to address as the submitted email. That way you can send with SendGrid and then when you reply in your email client it will return to the person that submitted the form.
I added more detail and example code (in Python) in this answer.

hide the fact that an email is sent from gmail's web interface

Does anyone know if you can hide or modify some of the header fields from the sent email via the Gmail web interface?
such as:
X-Gmail-Original-Message-ID: xxxxxxxxxxxx@mail.gmail.com
Message-ID: xxxxxxxxxxxxx@mail.gmail.com
My idea would be to completely fake (hide the fact) that the said email was sent from the Gmail web interface. The goal of that would be simple: use Gmail even if the company you work for does not allow it.
Perhaps there is a Gmail extension for that?
AFAIK, you can only change the from email when sending email from Gmail. Take a look at Send emails from a different address or alias.
Also, there are techniques to really find out where an email came from; forging email headers and/or spoofing emails is something that spammers do and will get your IP address blacklisted by your ISP.
You can also check How can I find out where an email really came from?. The headers can also be put in SpamCop and let them do the trace work with an option of sending a SPAM notice to the responsible sysadmin.

Is there a way to prevent mail clients from caching an email address?

We have an application that allows users to exchange messages, and delivers the message through email. But we don't reveal the sender's email; instead, every time a message is sent out a new email address gets generated for the "From" field. Something similar to the way Facebook or LinkedIn send out messages.
Everything works fine, except the recipient's email client caches all these email addresses.
For instance, if Jack sends two messages to Jill, the sender's addresses can be: a123@FakeEmail.com and a456@FakeEmail.com, so next time Jill composes a new message and starts typing Jack's name, the email client suggests two addresses for Jack.
So my question is, how can we prevent email caching on the client's machine? Is there something similar to the HTTP header Pragma: no-cache for SMTP?
Thanks
Nivresh
OK, here is what I ended up doing. To prevent Outlook and other mail clients from suggesting several dummy email addresses generated for the same contact name, I add a special character to the beginning of the sender's name. This can be a space or, if you use Unicode, you can add a zero-width space (\u200B) to the beginning of the name.
So in my example, the email is sent from "\u200BJack", which will be shown as "Jack". The dummy email address will be saved in the mail client under the name of "\u200BJack", and when the recipient later on tries to send an email to Jack, the email client won't suggest this address.
Hope this helps someone.

spoof from address through gmail

I am trying to send a spoofed email using Gmail. Before people freak out: no, I am not spamming anybody (if you have to know why, an explanation is below). Using this question and answer, I was able to send a test email to myself with a spoofed To address (it appeared as I wanted); however, regardless of what I enter in the MAIL FROM field or the From: field in the DATA, it always appears from the address I used to authenticate.
My question is whether it's possible to spoof the from address as well. The goal would be for the from address to appear as something other than an email address. (again, explanation is below)
EXPLANATION
For those who want to know why I am doing this, my brother recently got promoted, and he and I are both fans of the show How I Met Your Mother. As such, I would like to send him a The Bro Code approved congratulatory email, which is required to be of the form:
To: Bro
From: Bro
Subject: Bro!
Nice, Bro!
Therefore, I need the From address to appear to be simply "Bro"
I believe the short answer is no.
Email headers are just text, so if you are using sendmail or something, you can use whatever you want. However, it might (see: will likely) end up in his spam folder.
Gmail needs to protect its reputation, so they will always add a breadcrumb to say who actually sent the email. For instance, you can set up Gmail to send email "from" non-Gmail addresses, but the message will be sent from your Gmail address "on behalf" of your non-Gmail address.

Best way to send email from my web app so it looks like it came from my users account

I'm working on a web application. A user will create an email message that will be sent to another person.
I would like the e-mail that gets sent to appear from the user's name and e-mail address of the user on my system. And if they reply to the e-mail then it should go directly to the sender's email address.
However I am worried about the email message looking like spam to email filters along the way.
Is there a proper way to do this?
I noticed on a "contact" page on a WordPress blog that something very similar is done. The e-mail headers look like:
To: email@domain.com
Subject: [Test Blog] =?UTF-8?B?aGVsbA==?=
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
From: =?UTF-8?B?aGVsbA==?= <sender@senderdomain.com>
Message-Id: <20090207234737.39C9522802F3@web7.sat.wordpress.com>
Date: Sat, 7 Feb 2009 23:47:37 +0000 (UTC)
Return-Path: donotreply@wordpress.com
What is interesting is that the display name in the "from" tag and the name that shows up in the subject line is encoded. I do not know if this helps with the spam filters or not, but thought it was at least worth mentioning.
Also, who would receive an undeliverable notification in this example? Would it go to sender@senderdomain.com or would it go to donotreply@wordpress.com?
Basically all you need to do is set the From header to the email address of the user sending the email. The value of From is what is displayed in a recipient's email client. Most spam detection systems in place today look only at the message content, not the email headers, so you currently wouldn't have that much of a problem based on what you set the From header to.
However, there are some systems which are gaining popularity which could prevent you from sending email with somebody else's email address, most notably SPF, the Sender Policy Framework. Basically, a mail server that implements SPF will check the domain of the From address of each email it receives and check with that domain directly to see if it authorizes the email. For example, if your server is mydomain.com, the email address of the user is abcdef@gmail.com, and the recipient is blah@example.com:
mydomain.com contacts example.com via SMTP to try to send the email
example.com looks up the SPF records for gmail.com
example.com checks whether mydomain.com is on the list of domains allowed to send email with the domain gmail.com
If it's not, the email is blocked
Also, I found a forum post suggesting that Return-Path is the intended destination for undeliverable notifications. Apparently that header is set based on the value of the SMTP MAIL FROM command.
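As an added illustration of the check walked through in this answer (example code, not from the answer itself), here is a small SPF evaluator run against constructed TXT records that stand in for DNS: the receiving server takes the connecting IP and the sender domain and walks the record's mechanisms in order. All domains, addresses and records below are made up; note that RFC 7208 evaluates the envelope MAIL FROM domain, the same value the answer says Return-Path is derived from.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (example data only;
# none of these domains or addresses are real).
FAKE_DNS_TXT = {
    "gmail.example": "v=spf1 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "mydomain.example": "v=spf1 ip4:203.0.113.10 -all",
}

# Qualifier prefix -> SPF result (RFC 7208 section 4.6.2); no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookups=None):
    """Evaluate the SPF record of `domain` for mail arriving from `sender_ip`.

    Returns one of pass, fail, softfail, neutral, none or permerror.  Only the
    ip4, ip6, include and all mechanisms are implemented; `lookups` counts the
    DNS-querying mechanisms so a referral loop cannot recurse forever."""
    lookups = [0] if lookups is None else lookups
    terms = FAKE_DNS_TXT.get(domain, "").split()   # a real checker queries DNS TXT here
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.lower().partition(":")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                # An IPv4 address is never "in" an IPv6 network, and vice versa.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"               # malformed network in the record
        elif mechanism == "include":
            lookups[0] += 1
            if lookups[0] > 10:                  # RFC 7208 limit on DNS-querying terms
                return "permerror"
            if check_spf(arg, sender_ip, lookups) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"                   # a, mx, exists, ... not modelled here
    return "neutral"                             # record ended without a match
```

In the page's scenario, mydomain.example delivering a message with a gmail.example sender from 203.0.113.10 yields softfail, because gmail.example's record only vouches for the included mailer's ranges.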
Setting email fields is generally trivial, but the exact method of doing so depends on the language and framework you are using, which you don't mention. Usually it is a matter of creating a new email object, and just doing something along the lines of:
email.from = "From Name <fromemailaddress@example.com>";
You can set the specific from address to your user's, if you like; it is not at all uncommon, though I personally am not a fan. You could also set the from field to something like: "Sender Name (via Your Site Name) <yourresponseaddress@example.com>".
Don't do this.
It really depends on how your mail relay is set up, but actually just don't do it. The From header should contain the email address that sent the email, in your case webmaster@whatever.com. If you want people to reply to a different address, you can always use the Reply-To header. Here are some notes.
If I understand the standard (RFC 822) correctly, this is exactly what the Sender header is for (see §4.4.2. SENDER / RESENT-SENDER). Still, I'd go with a different approach and use your site's official contact address in the From header and put the user's address in the Reply-To header. Maybe add some boilerplate text that clearly states where the mail is coming from.
One further piece of advice besides the technical stuff: don't let anonymous users use this facility, or you'd become a perfect platform for spamming. Also, out of kindness, you probably want to make sure that your (registered) users know that their email addresses are exposed to the recipients.
Be aware that doing this will make spam filters more suspicious of your email. Combined with suspicious looking content your email may get filtered.
Whoever is in the "From" header will receive the undeliverable notification.
For the filtering, it really depends more on the subject and body of your message than the From address. So with that said, a couple of ideas:
Use HTML encoding rather than Plain Text with simple formatting (I know there's probably an argument going the other way but in my personal experience HTML gets through more often)
Always include a footer with ("This e-mail was sent to you from ... blah blah") to identify it; if you don't want people to know it's coming from your system (i.e. really impersonated from the "From" user) then you need to find a more legit way to take care of the requirement.
If at all possible, use a real address from your system as the "From" address with the address of the user as the "Reply-To".
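The arrangement recommended in the SendGrid answer and the last answers above, as an added example in Python (not code from any of the answers): the site's own verified address stays in From with the user named in the display name, the user's address goes in Reply-To, and a bounce mailbox is supplied as the SMTP envelope sender, which is what becomes Return-Path at the receiver. yoursite.example, the mailboxes and the user are made up, and nothing is actually sent.

```python
from email import message_from_bytes
from email.headerregistry import Address
from email.message import EmailMessage
from email.policy import default

# Constructed addresses for the example; yoursite.example is not a real domain.
SITE_FROM = Address("Your Site Name", "noreply", "yoursite.example")
BOUNCE_ADDRESS = "bounces@yoursite.example"   # SMTP MAIL FROM, i.e. Return-Path


def build_relay_message(user_name, user_email, recipient, subject, body):
    """Message the site sends on a user's behalf without forging From.

    From keeps the site's own mailbox (so the site's SPF/DKIM apply) and names
    the user in the display name; Reply-To carries the user's address so a
    reply in the recipient's client goes back to them, as the answers suggest."""
    local, domain = user_email.rsplit("@", 1)
    msg = EmailMessage()
    msg["From"] = Address(f"{user_name} via Your Site Name",
                          SITE_FROM.username, SITE_FROM.domain)
    msg["Reply-To"] = Address(user_name, local, domain)
    msg["To"] = recipient
    msg["Subject"] = subject
    # Footer identifying the relaying system, per the last answer's advice.
    msg.set_content(body + "\n\nThis e-mail was sent to you via Your Site Name.")
    return msg


def envelope_for(msg):
    """Envelope to hand to smtplib.SMTP.send_message(msg, **envelope_for(msg)).

    MAIL FROM, not the From header, is what undeliverable notifications are
    returned to, so bounces land in the site's bounce mailbox."""
    return {"from_addr": BOUNCE_ADDRESS,
            "to_addrs": [a.addr_spec for a in msg["To"].addresses]}


def inspect_wire_form(msg):
    """Serialise as it would go over SMTP, parse it back as a recipient's client
    would, and report what that client sees (non-ASCII display names travel as
    RFC 2047 encoded words, like the =?UTF-8?..?= values in the question)."""
    raw = msg.as_bytes()
    parsed = message_from_bytes(raw, policy=default)
    frm = parsed["From"].addresses[0]
    rto = parsed["Reply-To"].addresses[0]
    return {"from_display": frm.display_name,
            "from_mailbox": frm.addr_spec,
            "reply_to_mailbox": rto.addr_spec,
            "from_uses_encoded_word": b"=?utf-8?" in raw.lower()}
```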