Few days ago I wrote a blog post titled “Your Secret Life and Email From Yourself? Were You Really Hacked?“, where I explained regarding the famous Phishing email which is sent using your own email address with your password (read on the post if you haven’t). I did get some questions on Twitter on how is this basically done?
I will try to make it easy to understand for everyone and also a sample code for programmers who need it (Neeh, don’t use it for illegal activity as I am not going to be responsible, since the code can be used for many good things as well in web programming).
During the good old days, I used to create Web-Forms for sending email to myself from my website. I used CGI Perl script using the Mail::Sendmail function to do it. Later on after a few years I discovered the PHP Mail() function which makes things a bit more easier. Basically what it does is, it uses your server’s (hosting server) built in PHP function to send out an email. This eliminates the use of other functions which relies on SMTP servers where you need to input the SMTP details in your code (eg. Python’s smptlib protocol).
Let’s have a look at a sample code which allows you to send an email to yourself using your own email address by just replacing some strings in the Variables.
<?p
//The variables which are used and can be changed as needed.
$victim = "yourownemail@youremail.com";
$subject = "Your account was hacked";
$message = "Hi, Sending this email from your own email";
$headers = "From: yourownemail@youremail.com" . "\r\n";
//The function which sends out the email using PHP built in function.
mail($victim,$subject,$message,$headers);
?>
As you can see in the above code, The “Victim” can be any email address that you want to send the email to, with the “Subject” that you desire and also the body “Message” which is intended and the “Headers” is the part that makes the code/script send email in a more legit way. In this script I have used the “From” headers with my own email address, but you can choose any sender email if you want. There are many options that you can declare (Content-type, Mime, HTML, etc) in the headers to make the email more legit.
So what do i mean by Legit? Most of the email clients / email providers would mark an incomplete email (with no proper headers) as spam. So your “Victim” would not get the email to his Inbox. A bit of simple “Social Engineering” will allow you to send a really believable email to your victim.
So is this method of sending email traceable? It depends on your server/hosting settings to allow their details to be viewable in the headers section of any emails. Some cloud based hosting or private servers hides this details, so be smart.
Note: If you are still getting those Phishing emails, just block your email address from sending you emails. It doesn’t make any sense anyway to receive emails from yourself.