(Unless you know you sent them to yourself, that is!)

Earlier today I got an email from a client claiming that his email had been hacked. That obviously worried me, so I jumped into action to investigate. It turned out that he hadn’t been hacked, but rather been “spoofed”.

It’s a common technique of spammers and hackers to tamper with outgoing email headers so that a message appears to come from your own account. Generally these emails will have an attachment (which you should never open) and not much else.

Natural curiosity means that you’ll want to open it, or at least investigate it, especially if you think you might somehow have sent the file to yourself. More than likely, these hackers are hoping that you did recently send a file to yourself and will confuse the real one with their virus. It’s a long shot, but 1 in 1000 sent a couple million times is a pretty good take.

Real World Example

Check out this email:

I didn't send that!

Weird, I didn’t send that. So I open it:

I still didn't send that!

What in the world? I don’t remember sending this to myself. But it says it’s from me.

How I Did It

It’s an incredibly simple thing to do. When sending email programmatically, the programmer has full control over the visible headers (From, Reply-To, and so on) that get placed on the message. Here’s my code:

<?php
// The From and Reply-To headers are plain text chosen by the sender;
// nothing in mail() checks that they match the account actually sending.
$headers = 'From: jon@castlamp.com' . "\r\n" .
 'Reply-To: random_other_person@anothersite.com' . "\r\n" .
 'X-Mailer: PHP/' . phpversion();

// Arguments: recipient, subject, body, then the hand-built headers above.
$send = mail('jon@castlamp.com',
 'See, I can pretend to be anyone!',
 'But headers never lie! Always check the headers or better yet, delete emails you know you did not send!',
 $headers);

But having full control over those headers does not mean your email server can’t tell a fake from a real email; it almost always can.

The Takeaway

No, you’re not going crazy, you didn’t forget about an email you sent yourself. Hackers are giving you a bait-and-switch hoping you’re having an off day and willing to click an email that appears to be from yourself.

But look again at the headers on the programmatic email I sent, and compare them to those of an email I actually sent myself:

Open the raw headers on an email

A fake email pretending to be from myself

A real email actually from myself

Notice anything different between the two? The fake one set off a bunch of red flags; the real one did not.
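As an added defender-side illustration (not code from the original post): a small Python check that reads raw headers like the ones compared above and lists the red flags a mail server or a careful reader would notice. The two sample messages are constructed to resemble the PHP-sent mail and a normal self-sent mail; the host names, IP addresses and the Authentication-Results header (which the receiving server is assumed to add) are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample resembling the PHP-generated message: the web host that
# ran the script shows up in Return-Path and the first Received hop.
FAKE = """\
Return-Path: <www-data@webhost.example>
Received: from webhost.example (webhost.example [203.0.113.5])
    by mx.example.net with ESMTP id abc123
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=webhost.example
From: jon@castlamp.com
Reply-To: random_other_person@anothersite.com
To: jon@castlamp.com
X-Mailer: PHP/7.4.3
Subject: See, I can pretend to be anyone!

But headers never lie!
"""

# Constructed sample of a genuine self-sent message from the real mail host.
REAL = """\
Return-Path: <jon@castlamp.com>
Received: from mail.castlamp.com (mail.castlamp.com [198.51.100.7])
    by mx.example.net with ESMTP id def456
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=castlamp.com
From: jon@castlamp.com
To: jon@castlamp.com
Subject: notes for tomorrow

Remember to check the headers.
"""

def domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def spoof_red_flags(raw):
    """Return a list of reasons this message looks spoofed (empty if none)."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain(msg.get("From", ""))
    if msg.get("Return-Path") and domain(msg["Return-Path"]) != from_dom:
        flags.append("envelope sender domain differs from From domain")
    if msg.get("Reply-To") and domain(msg["Reply-To"]) != from_dom:
        flags.append("Reply-To points to a different domain than From")
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        flags.append("receiving server recorded an SPF/DKIM failure")
    hops = msg.get_all("Received") or []   # last entry is the earliest hop
    if hops and from_dom and from_dom not in hops[-1].lower():
        flags.append("originating hop is not a %s mail host" % from_dom)
    if msg.get("X-Mailer", "").lower().startswith("php/"):
        flags.append("sent by a PHP script rather than a mail client")
    return flags
```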

Be safe, and always be careful with email!