I recently came across some articles online about a couple people who were sending mass text messages to people in the US. Previously, these hackers had used improperly-secured printers to send their message. Having alerted owners of insecure printers, this group graduated to a larger audience: every American with a mobile phone.

I looked into what they were doing, and I discovered that their trick is simple and quick. I searched for “SMS Gateways” on Google, and found this Wikipedia page. Once I reached the “Email clients” heading, I knew I had found relevant information, because a Wired article mentioned the use of “mailx”, a Unix mailing program.

According to Wikipedia, each major carrier has an email domain (such as msg.fi.google.com), which has a virtual email address for every number that carrier controls. Every email sent to that address becomes a text because the server for that carrier forwards the subject and content of the email to the number specified.

This isn’t the first time I’ve seen emails and phone numbers get their wires crossed. Sometimes, people with Android phones will accidentally send an email to me by sending a text. I don’t know the exact process to reproduce this, but I’ve known that somehow there is a way to get emails converted into texts, and vice-versa.

A few years ago, I made a simple PHP script to spoof emails. It can spoof the “From” address very easily, and most mail clients besides Gmail don’t even know the difference AFAIK – or at least they don’t notify the user. So, I tried using this simple script to send myself a text. And who would’ve guessed? It works.

Wait, that’s not Microsoft!

So there you have it. Anyone can send you texts and pretend to be someone else. Good luck finding out who actually sent it! You can’t view the original header information and find origin for the message because it’s a text. With SMS that information would only be available from the carrier. So unless these mobile carriers take action, I bet these hacktivists won’t be stopped any time soon.