
How Does GMail Do This?

NakaNaka

Diamond Member
Maybe a lot of e-mail services offer this but I have no idea how they do this. How, with just a simple verification e-mail, does it allow me to send mail from my gmail account from any other e-mail address I own? So it says it's coming from i.e. me@nakanaka.com instead of me@gmail.com. It's a great feature, I just don't understand how it works.

Thanks
-Phil
 
I don't want to get into the technicalities, as I don't know them, but forging the FROM-field is REALLY, REALLY easy.

EDIT: PM me your e-mail address, I'll prove it 🙂.
 
Yeah, it's easy to forge the From: address, but as more ISPs implement SPF verification, this technique will not work much longer.
 
Others have mostly covered it, but I'll elaborate on the details to allow it to make more sense.

Emails are largely text; that is, the headers used to communicate with mail servers are text. When you send an email, your mail client negotiates this header based on the information you have provided. It connects to the appropriate SMTP server over port 25 and negotiates a plaintext session with the server to send the email. It's been a while, but it basically goes like this:

First telnet to port 25 of your SMTP server. Then:

That's essentially it. Some SMTP servers actually do additional validation, but not all. In fact, many years ago you used to be able to issue a VRFY command to the server to validate users. This was great for a lot of reasons, but most of those reasons are more nefarious in nature.

Keep in mind that many of the more common protocols are simply plaintext. Telnet, ftp, http, smtp, pop3, etc. can all be negotiated over a simple telnet session. This is precisely why security is so vulnerable at this level. There are not secure alternatives for almost all of these protocols though... few allow usernames and passwords to be transmitted in the open anymore.
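
The SPF check mentioned in the thread, as an added example that is not part of the original posts: SPF (RFC 7208) authorizes the connecting IP for the domain in the SMTP envelope sender (MAIL FROM), which is separate from the From: header the reader sees, so a receiver has to compare the two. The domains, IP ranges, function names and the dictionary standing in for DNS TXT lookups are all constructed for illustration, and only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (documentation domains and IP ranges).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "mailer.example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def domain_of(address: str) -> str:
    """Lower-cased domain of a bare address or a full From: header value."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def spf_result(domain: str, client_ip: str) -> str:
    """Evaluate ip4/ip6/all terms left to right; the first match decides."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            return "unsupported"  # not an RFC result: needs DNS, skipped in this sketch
        if ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and the record has no "all"

def assess(mail_from: str, header_from: str, client_ip: str) -> dict:
    """SPF is computed on the envelope domain; the header From is only compared."""
    env_domain, hdr_domain = domain_of(mail_from), domain_of(header_from)
    return {
        "spf": spf_result(env_domain, client_ip),
        "spf_domain": env_domain,
        "from_domain": hdr_domain,
        "domains_match": env_domain == hdr_domain,
    }
```

A result of `spf: pass` with `domains_match: False` means the sending host was authorized for the envelope domain only, which says nothing about the address shown in From:.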
 