ELI5: How does email spoofing work?


2 Answers

Anonymous 0 Comments

The first thing you need to recognize is that email is a very old protocol by computer standards and was developed in a time long before IT and internet security were understood or even a concern.

I once described basic email security as follows:

**HELLO I’m Microsoft.com**

**Hello Microsoft.com**

**Here’s an email from Bill Gates**

**OK! thanks!**

Is that email legit? Was it actually from Microsoft.com? Email at a very basic level doesn’t even bother to check…

While there’s a bunch of security features that have been added onto it over the years (like SPAM filters, encryption, SPF, DMARC, etc., for those paying attention), it’s still an awfully old and basic protocol at its core and to be perfectly honest it’s shocking that we still use it. It’s just so ingrained in our lives and businesses at this point that it’s very hard to replace.

As for spoofing, the FROM address in an email can easily be altered to show a name that isn’t the RETURN address.

I could show you how to do that from a DOS and Telnet session in about 5 minutes.

The process is roughly the same as putting a false name in a return address on a letter in snail mail. The letter’s return address is legit, but the name of the person that sent it is false.

So when you receive the email the name in the FROM field looks legit, but the return address is probably some GMAIL account.

Email has protections like SPF that forces a check to confirm the email was sent from an authorized source for that Domain, but A. that only works if you have a good SPAM filter in front of your email, and B. the sending Domain has bothered to set up their SPF properly and ho boy are there a lot of companies that don’t…

More sophisticated attacks will break into companies’ mail servers and use them (referred to as a zombie) to send email. If you have access to their mail server then you can send all the legit looking email you want. But you can also use this to spoof email, because there are ways to fool the SPF check in SPAM filters: you are sending an email with a legit return address and from a legit source, so the SPF check passes, but the LABEL on the FROM field is false.

Anonymous 0 Comments

Email is very similar to a real-world letter and has a lot of crossover with the real-world postal service. The sequence of mail servers it goes through is not unlike the way a letter will be dropped into a post box and go through several steps to reach a person.

An email is an envelope. The message is the letter inside. On the front of the envelope, you write the recipient’s address. On the back, you write your address as the sender.

Well, just like a real letter, there is absolutely nothing stopping you writing anyone’s address as the sender. So you could pretend to be anyone you like. And because the return address is used by the email client to compose a reply, you see it pretty prominently. So if it says it’s coming from someone you trust, you’re more inclined to trust the contents and do what they say, which is how phishing works. Just this week at work we had a phishing campaign pretending to be from our internal security team (nice touch).

The only way to stop this would be for someone along the route to look at the envelope and say, wait a minute, that letter is coming from the wrong place to be from that sender – this is basically how SPF works.
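Both answers describe the same gap: SPF vouches for the return (envelope) address, not for the name and address shown in the FROM field. The following is an added example, not part of either answer, of the check a receiving filter can make to catch that mismatch. The sample messages, domains, and the `related`/`analyze` helper names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real traffic); all domains are placeholders.
SPOOFED = """\
Return-Path: <bounce@bulk-mailer.example>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bulk-mailer.example
From: "IT Security Team" <security@corp.example>
Subject: Password reset required

Please sign in.
"""

LEGIT = """\
Return-Path: <noreply@mail.corp.example>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=mail.corp.example
From: "IT Security Team" <security@corp.example>
Subject: Patch window

Details inside.
"""

def related(a, b):
    """Simplified relaxed alignment: same domain, or one is a subdomain of the other.
    Real DMARC compares organizational domains using the Public Suffix List."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def analyze(raw):
    """Compare the visible From domain with the domain SPF actually checked."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    # Only trust an Authentication-Results header stamped by your own receiving server.
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", auth)
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    spf_domain = mailfrom.group(1).rpartition("@")[2].lower() if mailfrom else envelope
    spf_pass = bool(spf) and spf.group(1).lower() == "pass"
    return {
        "display_name": display,
        "from_domain": from_domain,
        "envelope_domain": envelope,
        "spf_pass": spf_pass,
        # SPF passing is not enough: the From domain must match what SPF vouched for.
        "aligned": spf_pass and related(from_domain, spf_domain),
    }
```

For the spoofed sample, SPF passes but `aligned` is false, which is the signal that DMARC enforcement acts on.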