How to forge email

In my day job as the communications guy for ValiMail, I spend a lot of time explaining how easy it is to create fraudulent emails using an email address that doesn’t belong to you.

A faked “from” address is, in fact, how the majority of email attacks happen. And email attacks (aka phishing) are how the majority (actually the vast majority) of cyberattacks begin. So the ease of faking emails from people is a major vulnerability.

But, you ask, why would I bother faking an email from “company.com” when I could just register a fake lookalike domain (like c0mpany.com) and use that? Or create a Gmail account ([email protected]) and give it a friendly name that looks like the CEO of a company?

Well, actually, it’s significantly easier to forge the address of a real person at a real company than it is to register a fake domain, or even to create a throwaway Gmail account.

Here’s how easy it is.

Website mailer

Find a website like deadfake, which describes itself as “a site that lets you send free fake emails to anyone you like.” Or anonymailer.net. Or spoofbox.com. There are dozens. Many of them are free; some cost a little money to send mail. Then:

  1. Enter your recipient’s email address in the To: field.
  2. Put whatever email address you want in the From: field.
  3. Craft your message and press the Send Now! button.

Here’s a message I sent to myself using President Trump’s address. Note that Gmail is suspicious of the source — that’s why it put a little red question mark next to the address.

Unix command line

If you have a computer that’s set up with mail services — or you can telnet or SSH to a computer that has mail services — you can forge a from address with one line. Just type this:

That creates a message that says “[email protected]” in the From field. Type in a subject line and the rest of your message, press Ctrl-D when you’re done, and off the message goes.

This doesn’t work in every version of Unix, and whether it works at all depends on how your system is set up (whether it’s connected to Sendmail, etc.). Still, this is the basic idea and it works in many systems.

Because I’m not very sophisticated about programming I use PHP when I need to code stuff for my personal websites. It’s fast, easy, and used by about 90% of the people (like me) who don’t know any more about programming than they were able to pick up through Google searches and by stealing snippets of code published on various public forums. (Which is also why PHP is often accused of being insecure.) Hey, I built a whole website content management system in PHP. If I can figure it out, how hard can it be?

Without getting into all the pros and cons of PHP, I will say that it is perfect for email purposes. You can forge emails with five lines of very simple PHP code:

Note: These are actual lines of code used as an example in the online manual for PHP’s mail() function. I took out a couple of lines you don’t actually need.

Again: configurations vary; maybe this won’t work on every version of PHP on every server.

Email Is a Very Trusting Place

The email world, until quite recently, was an entirely trusting place. Most of it still is. No matter who I am, if I use the Unix mail command or PHP mail(), the email goes off into the internet and the internet obligingly delivers it to whomever, with the exact headers that I specified. Nobody checks to see if I own the address I used in the from field. Nobody cares.

Well, almost nobody: As I noted above, Gmail and some other mail clients are starting to flag mail that looks suspicious, like my anonymailer message. Still, that’s dependent on the client you use and/or the receiving mail server.

Granted, these spoofing tools are pretty simplistic. If I want to do some fancier formatting and make my messages look even more realistic, it takes a little more work. But the basic forgery is just that simple.

The only thing truly stopping fake From addresses is email authentication using a standard called DMARC. But that only works if the domain you’re trying to fake has published a DMARC record and set it to an enforcement policy. Then, and only then, will almost all email servers that receive messages (Gmail, Yahoo Mail, etc.) block the faked emails.

Fortunately for fraudsters, most of the Internet’s domains haven’t done this yet. For example, only about 4% of .gov domains have protected themselves.

As for the other 96%? Fraudsters can forge emails from those domains all day long with no repercussions.

Domains like justice.gov. House.gov. Senate.gov. Whitehouse.gov.

And also domains like democrats.org, dnc.org, gop.com, rnc.org. And DonaldJTrump.com.

All of them can be easily faked by email scammers with access to a Unix command line or some rudimentary PHP skills. And, as we are learning, scammers have been taking advantage of that vulnerability. For instance, according to one source, one in four email messages from .gov domains are fraudulent.

And that’s why I am trying to get the message out: It’s way too easy to fake emails from most sources. We need to start authenticating our email, today.

With so many popular e-mail providers forcing users to log on using their SMTP servers, why is it still possible to forge “From: ” header in e-mails? What prevents users from simply discarding the e-mails in which the source domain of the sender doesn’t match the domain of SMTP server?

It’s very easy to spoof a domain even with SPF controls enabled.

The solution is to use DKIM + DMARC, or SPF + DMARC.

The email client is responsible for telling you if the message passes DMARC Display From verification.

The email protocol allows for legitimate spoofing using Resent-* headers and Sender headers. The email client (MUA) should display this exception whenever it exists.

There are a few misconceptions about SPF, namely:

  1. SPF does not prevent email spoofing.
  2. SPF alone doesn’t affect, influence, or control the RFC 2822 Display From.
  3. By default, the usefulness of SPF is to prevent backscatter issues and very simple spoofing scenarios.

Microsoft attempted to solve this issue with SenderID (making SPF apply to the Display From address), but it was too complicated and didn’t really solve the whole problem.

Some background

First, know that there are two “from” addresses and two “to” addresses in every SMTP message. One is known as the RFC2821 Envelope, the other is the RFC2822 Message. They serve different purposes.

The Envelope: (RFC2821)

The envelope is metadata that doesn’t appear in the SMTP header. It disappears when the message goes to the next MTA.

The RCPT From: is where the NDRs will go. If a message is coming from Postmaster or a remailer service this is usually <> or [email protected]. It’s interesting to see that Salesforce uses this, similar to Constant Contact, as a key in a database like [email protected] to see if the message bounced.

The RCPT TO: is who the message is actually being sent to. It is used for “to” and “bcc” users alike. This doesn’t usually affect the “display of addresses” in the mail client, but there are occasions where MTAs will display this field (if the RFC2822 headers are corrupt).

The Message (RFC2822)

The message portion begins when the data command is issued.

This information includes the SMTP headers you’re familiar with, the message, and its attachments. Imagine all this data being copied and pasted from each MTA to the next, in succession until the message reaches the inbox.

It is customary for each MTA to prefix the above mentioned copy and paste with information about the MTA (source IP, destination IP, etc). It also pastes the SPF check details.

This is where the Display From is placed. This is important. Spoofers are able to modify this.

The Mail From: in the envelope is discarded and usually placed here as the return-path: address for NDRs.

So how do we prevent people from modifying the Display From? Well DMARC redefines a second meaning for the SPF record. It recognizes that there is a difference between the Envelope From and the Display From, and that there are legitimate reasons for them to not match. Since SPF was originally defined to only care about Envelope From, if the Display From is different, DMARC will require a second DNS check to see if the message is allowed from that IP address.

To allow for forwarding scenarios, DMARC also allows the Display From to be cryptographically signed by DKIM, and if any unauthorized spammer or phisher were to attempt to assume that identity, the encryption would fail.

What is DKIM? DKIM is a lightweight cryptographic technology that signs the data residing in the message. If you ever received a message from Gmail, Yahoo, or AOL then your messages were DKIM signed. The point is that no one will ever know you’re using DKIM encryption and signing unless you look in the headers. It’s transparent.

DKIM can usually survive being forwarded and transferred to different MTAs, something that SPF can’t do. Email administrators can use this to our advantage to prevent spoofing.

The problem lies with the SPF only checking the RFC2821 envelope, and not the Display From. Since most people care about the Display From shown in an email message, and not the return path NDR, we need a solution to protect and secure this piece.

This is where DMARC comes in. DMARC allows you to use a combination of a modified SPF check or DKIM to verify the Display From. DKIM allows you to cryptographically sign the RFC2822 Display From whenever the SPF doesn’t match the Display From (which happens frequently).

Why is it still possible to forge “From: ” header in e-mails?

Some server administrators haven’t implemented the latest technologies to prevent this sort of thing from happening. One of the major things preventing adoption of these technologies is “email forwarding services” such as a mailing list software, auto-forwarders, or school alumni remailer (.forwarder). Namely:

Either SPF or DKIM isn’t configured.

A DMARC policy isn’t set up.

The email client isn’t displaying the verification results of the Display From and the Resent-* or Sender field.

What prevents users from simply discarding the e-mails in which the source domain of the sender doesn’t match the domain of SMTP server?

What doesn’t match: the envelope or the body? Well according to email standards the envelope shouldn’t match if it’s going through a remailer. In that case we need to DKIM sign the Display From and make sure the MUA verifies this.

Finally, the MUA (email client) needs to show if the sender is DMARC verified, and if someone is trying to override that with a Sender or Resent-From header.
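The alignment check discussed in this answer, as an added example that is not part of the original answer: it reads the SPF and DKIM verdicts a receiving MTA recorded in Authentication-Results and applies the DMARC identifier alignment rule from RFC 7489 to the Display From domain. The sample messages, the `.example` domains, the small suffix set standing in for the Public Suffix List, and the single `strict` switch (instead of separate adkim/aspf settings) are assumptions made for the illustration.

```python
"""DMARC identifier alignment evaluated from a receiver's Authentication-Results."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List, enough for the samples.
PUBLIC_SUFFIXES = {"com", "org", "net", "gov", "co.uk", "example"}

SPF_RE = re.compile(r"\bspf=(\w+)[^;]*?\bsmtp\.mailfrom=([^\s;]+)", re.I)
DKIM_RE = re.compile(r"\bdkim=(\w+)[^;]*?\bheader\.d=([^\s;]+)", re.I)


def org_domain(domain):
    """Organizational domain: the longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """Strict alignment needs an exact match; relaxed compares org domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(raw_message, strict=False):
    """Return the alignment verdicts for one message.

    Only trust Authentication-Results headers added by your own border MTA;
    copies supplied by the sender must be stripped before this runs.
    """
    verdict = {"from_domain": None, "spf_aligned": False,
               "dkim_aligned": False, "dmarc_pass": False}
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:          # missing or repeated From: no identity to align
        return verdict
    from_domain = parseaddr(from_headers[0])[1].rpartition("@")[2].lower()
    if not from_domain:
        return verdict
    results = " ".join(msg.get_all("Authentication-Results", []))

    # SPF authenticates the envelope (MAIL FROM) domain, not the Display From.
    spf_ok = any(res.lower() == "pass"
                 and aligned(dom.rpartition("@")[2], from_domain, strict)
                 for res, dom in SPF_RE.findall(results))
    # DKIM authenticates the signing domain (d=), which survives forwarding.
    dkim_ok = any(res.lower() == "pass" and aligned(dom, from_domain, strict)
                  for res, dom in DKIM_RE.findall(results))

    verdict.update(from_domain=from_domain, spf_aligned=spf_ok,
                   dkim_aligned=dkim_ok, dmarc_pass=spf_ok or dkim_ok)
    return verdict


# Constructed sample: SPF passes for the envelope domain, but that domain is
# unrelated to the Display From, so nothing vouches for company.example.
FORGED = "\n".join([
    "Authentication-Results: mx.receiver.example;"
    " spf=pass smtp.mailfrom=bounce@bulk-mailer.example; dkim=none",
    "Return-Path: <bounce@bulk-mailer.example>",
    'From: "Chief Executive" <ceo@company.example>',
    "To: staff@receiver.example",
    "Subject: constructed sample",
    "",
    "body",
])

# Constructed sample: relayed by a forwarder, so SPF covers the forwarder's
# domain only, but the original DKIM signature still verifies and aligns.
FORWARDED = "\n".join([
    "Authentication-Results: mx.receiver.example;"
    " spf=pass smtp.mailfrom=alumni-forwarder.example;"
    " dkim=pass header.d=mail.company.example",
    "Return-Path: <relay@alumni-forwarder.example>",
    "From: Alice <alice@company.example>",
    "To: bob@receiver.example",
    "Subject: constructed sample",
    "",
    "body",
])

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("forwarded", FORWARDED)):
        print(name, evaluate(raw))
```
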

Andy Bailey, an Entrepreneurs’ Organization (EO) member in Nashville, is an author, CEO and head coach of business coaching firm Petra Coach, who serves in an advisory role on the Gazelles Council, leaders of the Scale Up movement. We asked Andy how companies can help their customers get through the Covid-19 pandemic. Here’s what he shared:

It’s clear that Covid-19 is a deadly serious global pandemic and that companies must implement necessary protocols to safeguard employees. Business leaders face the additional challenge of having to mitigate the very real threat of lost revenue, while also helping their clients through this crisis.

As a business owner and business coach, I’m witnessing firsthand the stress this pandemic is causing the member companies that we counsel. The disruption facing businesses today is in some ways similar to the issues that my previous company, NationLink Wireless, encountered during the Great Recession of 2007-2009.

At the time, clients were shutting off their cellphones right and left as their companies downsized and fired employees by the thousands. It truly was a painful time to be running a business, and I nearly lost the company. But with the support of dedicated team members, we made it through and ended up forging strong relationships with our clients.

The point I’m making here is this: The strategy and tactics you put in place now will define your legacy as a leader and how you interact with your customers in the future. There is no try, only do. Here’s how you do it:

1. Create a customer communications task force

Form a team that includes senior leaders from sales, customer support, marketing/PR, legal and accounting to determine customer communications strategy and protocols. Keep the team small, between five to seven people. As the leader, don’t be a dictator and rule with an iron fist. Bring ideas to the team and make sure you are listening to the insights of each group member. You need their buy-in to implement an effective client communications strategy. Done well, the way you communicate can enhance the entire customer experience.

2. Prioritize client issues and determine messaging

Once you have the team in place, start categorizing the issues that are affecting your clients. Rank your clients from the most affected by the pandemic to the least. Next, leverage the marketing communications tools you already have in place to send emails to clients. DO NOT market or sell. Messages should be focused on providing information and helping clients. Tell them you have their back.

One more point: Create a designated email address so clients can contact you with important questions. Make sure someone on your team is monitoring the emails and responding in a timely manner.

3. Talk to your customers–NOW!

Don’t delay reaching out to customers. Pick up the phone and talk to them. Emails and texts are valuable communications media, but the personal, two-way nature of a phone call will provide greater insight into how your clients are feeling and the challenges they are facing. Ask them the following questions:

  • How are you doing?
  • How is your company doing?
  • How is your industry doing?
  • How are we doing and is there anything we need to do better?

If your partners are struggling financially, work with them on payment terms or provide less expensive services on a temporary basis. Look for ways to save them money–even if it hurts your profitability in the short term–to help them ride out the storm. This is uncharted territory for most businesses, so be a resource during the crisis. Your clients won’t forget.

4. Always follow-up

Following up after the initial phone call is critical to building trust with your clients. It shows you care about them and their business–that your call was not a one-off, token expression of concern. Follow-up calls allow you to stay abreast of important changes with your clients, to gauge how their business is being affected and to continually offer different ways to help. End each conversation by determining next steps and scheduling the next call.

5. Regroup and review

When the pandemic ends–and it will end–bring your team together and identify three to five lessons learned and areas for improvement. Itemize and prioritize any short- or long-term actions that need to be taken to improve your product, service and relationship with your customers. Don’t rely on memory.

The lessons learned during this crisis and the takeaways will help you tackle future challenges. It will make you and your team stronger and your customers more committed to doing business with your company in the years ahead.

It’s no secret that it can be a little tricky to get ahold of Dollywood with your questions. In the midst of peak season with employee shortages all across the country, finding someone to talk to directly about your questions can sometimes feel like quite a challenge. If you are trying to contact Dollywood and not having any luck, here are our top suggestions.

Give Them A Call

We know what you may be thinking: “I’ve tried that already!” and while that may be the case, there is something that you may want to do differently. When you call Dollywood, you will typically get an option to stay on the line, or leave your number for a call back later in the day. We recommend leaving your number and carrying on with your day. It may take a few hours, but we’ve had plenty of luck getting call backs this way. The main line for Dollywood is (800) 365-5996.

Fill Out A Contact Form

On the Dollywood website Contact Us page, you will find a contact form at the bottom of the page. This form asks for basic information such as your name, email, address and question. Filling out this form is a different way to contact Dollywood if you are unable to call or have a little bit more time to get your question answered.

Dollywood Parkway Building

If you are already in town and looking to purchase tickets, upgrade to a season pass or ask general Dollywood questions, visit Dollywood’s remote ticket office on the Pigeon Forge parkway. You’ll find the office in the yellow building at traffic light #8 in Pigeon Forge. Here, you’ll be able to speak with someone in person and get all of your questions taken care of.

Do Your Own Research

Sometimes it’s easier to do your own research and find the answers to your questions online. We have a great Dollywood FAQ that addresses some popular questions, and the Dollywood website has a lengthy FAQ section for visitors as well. You’ll also find great “Dollywood Insider” blogs on many topics that address some frequently asked questions.

Other forums like Facebook groups are a great place to ask questions and see if other travelers are able to help you. While it may be frustrating to not have an immediate, personalized answer to your question, it is important to be patient and understanding. Use your resources and ask your questions far in advance to ensure that you are prepared for your upcoming trip to Dollywood.

Congratulations on your decision to attend UCO! The opportunities for learning, growth, development and fun at UCO are limitless, and it is our goal to help introduce you to these opportunities during Forge.

Freshman Experience

Step 1: Sign Up for Forge – OPEN NOW!

Forge is your first step in becoming a Broncho! The Forge experience will allow students to stay the night on campus, meet student leaders, and to engage with faculty and staff through sessions offered during this two-day, one-night experience. When you complete the program, you will have met with an advisor and completed your class schedule to feel more prepared to start at Central. Due to COVID 19, participants will only be allowed one (1) family member or guest to attend the program with them. But our program doesn’t stop there! After your Forge experience, you will have the opportunity to participate in virtual affinity spaces and attend in-person Welcome Home Week and Stampede Week events!

Step 2: Register for Placement Testing

All students who score below a 19 on their English, Math or Reading ACT will need placement testing. If you must take a placement test, you can sign up for a time here.

This should be completed PRIOR to attending Forge. If you are unsure if you need to take a placement test, please email [email protected] with your name and student ID and someone will respond to let you know.

Step 3: Complete the Focus 2 Assessment

Prior to your Forge program, it will be helpful to complete the Focus 2 Assessment. This will help with conversations with advisors, as well as help you narrow down a major/meta major before attending the program. This assessment can be accessed HERE – Access code: careers

Step 4: Attend Your In-Person Forge Session

Three business days prior to your Forge program, you will receive an email with the information you need to ensure your success with our orientation. Be sure to check the email address you used when you signed up for Forge to help create the best experience.

Step 5: Attend Stampede Week Events and the first day of class!

Note: Freshmen are first-year students who have not been full or part-time students at another institution of higher learning (excluding concurrent work). If you have questions about your admission status, contact our office at 405-974-3456.

Students who have been admitted for summer 2021 are encouraged to attend an early session. If you have questions regarding your admission status, please contact our office at 405-974-3456.

Forge & COVID-19

The safety of our incoming students, family members/guests, student leaders, and professional staff is very important to us. Your Forge program will follow all CDC Guidelines in place as well as UCO Policies to ensure your safety. In the event your program is transitioned to a different format due to COVID 19, you will receive communications alerting you to the changes and any steps you may need to take. To ensure our participants can physically distance from one another, incoming students will only be allowed ONE (1) guest for the program.

Transfer Experience

Non-traditional and transfer students can use an online guide to complete their orientation. You must complete the program before meeting with an academic adviser.

International Experience

Forge International is a great way for international students (non-immigrant visas such as F-1, J-1, etc.) to meet fellow students and learn about essential UCO and community resources while becoming a vital part of the UCO community. This program is a great tool for cultural adjustment, and you’ll get to know more about the local banking, transportation, safety and health systems. Meals are provided and you can even win great prizes like iPods, bicycles, computer accessories, gift cards, and more! Forge International is held at the beginning of each semester, and more info can be found on our Office of Global Affairs website.

Please note – participation in the UCO Global Conference is required by US Immigration law.

Family Experience

Forge Family gives you a chance to support your student while you learn about the UCO community. During the Online Forge Family experience, you’ll meet UCO administration members, learn about campus resources and even talk to current students about how their families helped them succeed. One family member or guest is included in your student’s Forge registration. All information for your online experience will arrive to the email provided during the sign-up process.

Family members are encouraged to join the Broncho Family Association. It is free and serves as your “backstage pass” to campus.

In countries all over the world, utility bills have traditionally been the gold standard for verifying someone’s residency because they have a name, an address, and a date, which makes them an easy way to prove that someone is actively paying for utilities at a specific address.

One might argue that a driver’s license is more authoritative (and less forgeable) than a utility bill, but the reality is that not everyone has a driver’s license or personal identity documentation, and the address listed on a driver’s license is only reflective of where the ID holder lived at the time they applied for it. Utility bills can be a more accurate representation of where someone currently lives, versus their “permanent” address.

The problem with relying on utility bills to verify addresses is that, because there are little to no security measures in place to send and receive them, they are easy to counterfeit. Some people wait for their bills to arrive in the mail before sending a paper check, but many have opted to go paperless with bills sent via email and payments made online with a credit card, a slightly more secure method, as it requires an account registration, but nevertheless risky.

Home owners or tenants are often required to show identity documentation in person to initiate city-funded utility services like water and trash pick-up, but few private utility companies (electric, gas, cable, etc.) have the bandwidth and technology to secure each and every monthly bill so that they cannot be tampered with or manipulated. Most don’t even implement proper identity verification, two-factor authentication, and other cybersecurity measures that protect individuals from identity theft.

Editing a real utility bill is easier than you might think. Even those who lack basic design skills can leverage questionable online resources to produce a very convincing imitation, essentially making fraud accessible to anyone.

Can you tell which bill is real and which is a fake? Trick question. They’re both forged bills, created in under 2 minutes using free software.

Ultimately, it’s illegal to falsify a utility bill when asked to submit proof of residency, but it’s even more serious when an address is forged in order to steal someone’s identity. In lieu of relying on paper and digital utility bills, Evident believes it’s in an organization’s best interest to verify residency with encrypted, protected utility data, and we think it’s important (and possible) for companies to do this without ever having to handle personal data. This approach mitigates the likelihood of hackers gaining access to a trove of sensitive information in the form of freely available, easily fabricated, non-password-protected utility bills.

Evident’s identity and credential verification API integrates with companies like Urjanet, a utility data aggregation and management service, to verify an individual’s address based on accurate, up-to-date utility data. This information helps confirm that an individual is who they say they are and, when paired with data from thousands of other authoritative sources, helps paint a holistic picture of the individual in question.

Are you looking for an easier, faster, and safer approach to verify users’ proof of residency? We’d love to help you streamline your process.

How can I continue my game on the Browser?

There are many ways to register an account in Forge of Empires that will not ask you for a password upon logging in. If you have a guest account, please make sure to have a look at our registration article, which you can find here:

If you created your account via Facebook, Google Play or Apple Game Center on your mobile device, you won’t be able to use the same login-method on your Browser. As such, you will need to set a password for the account first. In some cases, this is possible by using the “Reset Password”-Function on the Login Screen or our Website:

If you’re playing in the international English version, you can reset your password here: https://en.forgeofempires.com/#/glps/forgotpassword

If you’re playing in the US-Version of the game, the reset can be done here: https://us.forgeofempires.com/#/glps/forgotpassword

After the password reset has been requested, you can choose a password for your account by following the link in the email we have sent you. Then, you can log into the game using your username and newly chosen password.

If you’re unable to set a new password for your account this way, please contact our support directly from your account. We’ll be happy to help you!

Suppose you have a list of names, perhaps a roster of employee names, and you wish to generate email addresses for these individuals. If you work at a company that has an established standard for email addresses (e.g. first initial of first name with last name) then you have a few options. The preferred strategy depends largely on the version of Excel you are using as well as the naming pattern used in the email addresses.

Flash Fill (Excel 2013 / Excel 2016)

If you are not familiar with Flash Fill, this tool allows you to type a pattern next to existing data and Flash Fill will repeat the pattern for the remaining data but on a per-record/per-line basis.

Let us take a look at the following example:

You have a list of first and last names and you wish to convert those names to an email format that takes the first letter of the first name, adds a “dot”, then adds the last name with an “@” sign and the company domain name. If we had an employee named “Fred Smith” who worked at “widget.com”, we would need to assign the email address “[email protected]” to the user.

Imagine a list like the following:

After you have manually typed the email address for the first user, click the Data tab and then in the Data Tools group, click the Flash Fill button (or press CTRL-e on the keyboard.)

You will see all of the remaining email addresses generated based on the pattern of the first email address.

Flash Fill is a fantastic tool for shortcutting data entry based on existing data, but it is not without its flaws. If you wanted to generate email addresses that are the same as above but without the period, the Flash Fill tool gets a little “iffy” and assumes you want the first person’s initial to be used throughout all of the remaining email addresses.

This is obviously a problem. Additionally, because Flash Fill is a one-time creation of data, if you add names to the list, or modify existing names due to spelling errors or name changes, those names will not automatically generate email addresses.

Enter the Formulas (all Excel versions)

If you are running Excel 2010 or earlier, or you would like to have the list monitored for additions or changes, a formula may be the tool you need.

There is no “magic bullet” function that will perform this task, but with a combination of a few functions, a “super-formula” can generate the desired result.

Let’s first identify the components of the email and then determine the functions needed to assemble the pieces.

First initial of the first name

This can be extracted with the LEFT function. The LEFT function extracts letters from text starting from the left side. The only information required is the text to extract from and the number of characters to extract. If we wanted to get the first letter from the name in cell A2, the formula would look like the following:

=LEFT(A2,1)

Full last name

Since we want the last name (located in cell B2) in its unaltered entirety, we will just concatenate the last name to the result of the LEFT function. (NOTE: the addition to the formula is the &B2 at the end.)

=LEFT(A2,1)&B2

Domain name

Next, we will concatenate the “@” sign with the company domain name “widget.com” to the previous step’s result.

=LEFT(A2,1)&B2&"@widget.com"

This is normally where most people would stop, but the result would yield capital letters in our email addresses.

Convert all letters to lower-case

The cherry on top is to place the current formula inside a LOWER function. This function’s job is to convert all text to lower case.

=LOWER(LEFT(A2,1)&B2&"@widget.com")

After executing a fill-series to repeat the newly created formula down the entirety of the column, we now have a list with all of the names in a format that meets corporate naming conventions.

A word of warning

If you have two or more employees with the same last name and the same first initial of the first name, this will not create unique email addresses for these individuals. It would be possible to create a much more complex formula to detect such occurrences and assign a unique number to each duplicate (i.e. jsmith1, jsmith2, etc…), but for this tutorial a simpler approach would be to apply Conditional Formatting / Duplicate Values… on the column of email addresses to flag any email addresses that occur more than once.

Once the duplicates have been identified, manual changes can be made based on the standardized email rules.