all you need to know about SPOOFING EMAIL

Posted on 14/11/2009 by


Hope this post will be as good as yours, Ella. You in particular, keep reading; maybe this will give you an understanding from a different angle.

Most people, when looking at who their emails have come from, assume that the name that appears there is in fact the name of the sender. By extension, they also assume that spam mail return addresses actually exist. This tutorial will explain how easy it is to send email with a forged source address to anyone you wish.

Before continuing, there are two definitions which should be explained.

Mail User Agent: A program which accepts input from an end user, formats that data into a form which mailservers will understand, and sends that data to a mailserver.

Mail Transfer Agent: Any program which will accept mail, either from a Mail User Agent or another Mail Transfer Agent, and forward it one step closer, to another MTA, or an MUA for final delivery.

In this tutorial, I am using telnet as my MUA.

The first thing you will need is the name of your ISP’s mailserver, or at least the one you usually use if you are on a large ISP. This can be found by examining the account settings in whatever email program you use.

Once you find this, open a telnet session to that mailserver on port 25, the standard SMTP port. SMTP, or Simple Mail Transfer Protocol, is the protocol by which mailservers communicate with each other. After opening a connection to the mailserver, you will essentially be giving it the same commands that your email program would be.

If you are using Windows, open a command prompt first, and enter the following command:

Code:
telnet <mailserver> 25

You should get a banner telling you that you have indeed connected to the mailserver. This banner typically consists of a message type number (usually 220), the name of the mailserver, which protocol it is using (this is usually either SMTP or ESMTP; for the purposes of this tutorial we will be using only SMTP), and the software it is using, which usually includes the version number. In my case, I get the following prompt:

Code:
Connected to mailserver.
Escape character is '^]'.
220 <mailserver> ESMTP server (InterMail vM.5.01.06.10 201-253-122-130-110-20040306) ready Thu, 28 Apr 2005 03:42:03 -0400

At this point you identify to the mail server two things: which protocol (SMTP/ESMTP) you will be using, and your domain name. The protocol is identified with either the HELO command, indicating that you will be using SMTP, or the EHLO command, indicating that you will be using ESMTP. As stated, we will be using SMTP only for this tutorial. At this point you can give a false domain name to the mailserver. Beware, however, that many mailservers now verify that the domain you give it is in fact a valid domain; you may need to supply an existing domain name. My mailserver does not perform this validation. I will use the domain northpole.net.

The format of this command is as follows:

[HELO|EHLO] <domain name>

So for example, I identify myself to the mailserver as:

Code:
HELO northpole.net

You should now see message type 250. Some mailservers will reply with something like “Hello northpole.net”. In my case, it simply replies with message type 250 and its name again.

Now begins the process of actually writing the mail. To inform the server that you wish to send mail, issue the command

MAIL FROM: "Sender Name" <email address>

Including the “<” and “>”. I will be spoofing the address “santaclaus@northpole.net”. The from field should include both the name of the sender and his/her email address. So the command is:

Code:
MAIL FROM: "Santa Claus" <santaclaus@northpole.net>

At this point, the mailserver will verify that it is authorized to send from this address for you. If it is, you should see message type 250 again with the message text “Sender <email address> ok”. In my case, I see:

Code:
250 Sender "Santa Claus" <santaclaus@northpole.net> Ok

The server now requires the address you will be sending this mail to. The destination address should contain only the recipient email address. Multiple destination addresses can be specified at this point. These multiple addresses would be specified as additional RCPT TO: commands on subsequent lines. The command syntax is:

RCPT TO: <destination address>

So in my case, since I want to send fake email to Bill Gates, I will enter

Code:
RCPT TO: <billgates@microsoft.com>

The mailserver now validates that it is permitted to send mail to this address for you. This includes checking that, if the recipient is not one of its own users, it is allowed to relay mail for you. An open mail relay, a common tool of spammers, would at this point not verify that you are a valid sender, instead relaying mail for anyone connecting to it. The message I receive at this point is:

Code:
250 Recipient <billgates@microsoft.com> Ok

Since this is my local mailserver, it is allowed to relay mail to billgates@microsoft.com for me.

Now we begin the actual data that the email will consist of. This will begin with the simple statement DATA. Most mailservers will now inform you that to end the email, you should enter as the last line, a line containing only a period. It should look something like:

Code:
354 Ok Send data ending with <CRLF>.<CRLF>

We now enter the email data. However, do not start writing out the text of the email yet. This would be caught by most mailservers as spam, since it does not look like most emails do. You would also have an email with no subject, as the subject heading is sent as part of the message data. At minimum, you should include the sender name and address, the recipient address, as well as a subject line.

The sender address in the message data would be specified as it was in the MAIL FROM: command, but without the quotes around the sender’s name, and “From: ” in front of it. The syntax is as follows:

From: Sender Name <name@domain.name>

So in my case, I enter:

Code:
From: Santa Claus <santaclaus@northpole.net>

The destination address is specified in exactly the same manner as it was in the RCPT TO: command, but with “To: ” in front of it. The syntax is as follows:

To: <name@domain.name>

So in my case, since I am sending this mail to billgates@microsoft.com, I would enter:

Code:
To: <billgates@microsoft.com>

And I imagine at this point you can guess how the subject line will be specified. With the syntax:

Subject: <enter your subject here>

Without the "<" or ">".

I will enter:

Code:
Subject: Linux is better

This should be enough information to fool most mailservers into thinking that this is a legitimate email.

At this point you can begin entering the actual message text. This can obviously be anything you wish. I will enter:

Code:
Roses are #FF0000
Violets are #0000FF
All my base
Are belong to you!

To inform the mailserver that you are finished entering data, enter as data a single line with only a period. This is what mailservers mean when they send the message "End data with <CRLF>.<CRLF>".

You should now see a message, type 250, informing you that the message has been accepted for delivery, and giving you the message ID number for tracking. In my case, I see the following:

Code:
250 Message received: 20050428081348.PSBZ1623.<mailserver>@[my ip address]

The message is now ready to be sent, and likely already has. All you must do at this point is enter

Code:
QUIT

And the mailserver will terminate the connection with you gracefully.

The entire communication, including server responses, looked like this:

Code:
striek@localhost:~$ telnet mailserver 25
Trying mailserver...
Connected to mailserver.
Escape character is '^]'.
220 mailserver ESMTP server (InterMail vM.5.01.06.10 201-253-122-130-110-20040306) ready Thu, 28 Apr 2005 04:26:56 -0400
HELO
250 mailserver
MAIL FROM: "Santa Claus" <santaclaus@northpole.net>
250 Sender <santaclaus@northpole.net> Ok
RCPT TO: <billgates@microsoft.com>
250 Recipient <billgates@microsoft.com> Ok
DATA
354 Ok Send data ending with <CRLF>.<CRLF>
From: Santa Claus <santaclaus@northpole.net>
To: billgates@microsoft.com
Subject: Linux is better
Roses are #0000FF
Violets are #FF0000
All my base
Are belong to you!
.
250 Message received: 20050428082735.WVIK1597.mailservert@[my IP address]
quit
221 mailserver ESMTP server closing connection
Connection closed by foreign host.
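The server side of the exchange above, written as an added example (not the tutorial's own code, and not any real MTA's): a minimal SMTP command handler that accepts the same HELO / MAIL FROM / RCPT TO / DATA / QUIT sequence, refuses to relay for outside recipients unless the client is on the ISP's own network (the check an open relay lacks), and stamps a Received: line with the HELO name the client claimed next to the IP the connection actually came from. The domain isp.example, the 192.0.2.0/24 customer range and the hostname mx.isp.example are constructed assumptions.

```python
import ipaddress

# Constructed assumptions: the MTA hosts isp.example mailboxes and relays for its 192.0.2.0/24 customers.
LOCAL_DOMAINS = {"isp.example"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


class SmtpSession:
    """Server side of one connection; handle(line) returns the reply, or None while reading DATA."""
    def __init__(self, client_ip):
        self.client_ip, self.helo, self.sender, self.in_data = client_ip, "unknown", None, False
        self.rcpts, self.body, self.delivered = [], [], []
        self.trusted = any(ipaddress.ip_address(client_ip) in net for net in LOCAL_NETS)

    def _may_relay(self, rcpt):
        # Local mailboxes always; foreign ones only for our own customers (an open relay skips this).
        return rcpt.rsplit("@", 1)[1].lower() in LOCAL_DOMAINS or self.trusted

    def handle(self, line):
        if self.in_data:
            if line != ".":
                self.body.append(line)
                return None
            # The one header the client cannot pick: its claimed HELO name beside the IP we really saw.
            received = f"Received: from {self.helo} ([{self.client_ip}]) by mx.isp.example"
            self.delivered.append((self.sender, self.rcpts, [received] + self.body))
            self.sender, self.rcpts, self.body, self.in_data = None, [], [], False
            return "250 Message received"
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip() or "unknown"
            return "250 mx.isp.example"
        if verb in ("MAIL", "RCPT"):
            addr = arg.partition("<")[2].partition(">")[0]  # the part between < and >
            if "@" not in addr:
                return "501 Syntax error in parameters"
            if verb == "MAIL":
                self.sender = addr  # taken as given: SMTP never verifies the envelope sender
                return f"250 Sender <{addr}> Ok"
            if not self._may_relay(addr):
                return "550 Relaying denied"
            self.rcpts.append(addr)
            return f"250 Recipient <{addr}> Ok"
        if verb == "DATA":
            if not self.sender or not self.rcpts:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 Ok Send data ending with <CRLF>.<CRLF>"
        return "221 mx.isp.example closing connection" if verb == "QUIT" else "500 Command not recognized"
```

Feeding the transcript's lines to a session created for a customer address reproduces the 250/354 replies above; the same lines from an outside address get "550 Relaying denied" on the RCPT TO step.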

Although this will effectively spoof the email, making it appear that it is from someone which it is not, your IP address has still been logged and you are still traceable. Do not assume that this is a form of anonymous email. Your IP address will show up in the message headers when it is received, and this can be cross-referenced with your ISP's DHCP records to determine who sent the email. It will, however, fool Aunt Sally into believing the email really did come from the bank.

More data can be placed at the beginning of the message data, just after the DATA command. Mail User Agents put a variety of information here, such as message ID numbers, date and time stamps, priority, encoding type, which program sent the mail, MIME types, character sets used, etc… Try experimenting to see what works and what doesn’t.

I hope this has given a clear example of how easy it is to spoof an email address to appear as if it were from a different sender. The from field is not determined by the mailserver. It is given by the user (or the Mail User Agent) connecting to it, and therefore easily falsified. The email address you see in the from field on spam addresses does not even have to exist to appear there. And if you don't need convincing, maybe dad or Aunt Sally
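To make the last two points concrete (the From: line is whatever the sender typed, but the connecting IP is recorded), here is an added example that is not from the original post: it analyses a received copy of the tutorial's message, compares the header From: with the envelope sender the MTA recorded in Return-Path:, pulls the HELO name and connecting IP out of the topmost Received: line, checks that IP against a constructed stand-in for the domain's published list of sending hosts (what SPF publishes in DNS), and lists the headers a real MUA would have added. The sample message, the 192.0.2.10 and 198.51.100.0/24 addresses and mx.isp.example are all constructed.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the tutorial's message as the recipient's server stores it. Return-Path and
# the Received: line were added by the MTAs; everything below them was typed in by the sender.
RAW_MESSAGE = """\
Return-Path: <santaclaus@northpole.net>
Received: from northpole.net ([192.0.2.10]) by mx.isp.example; Thu, 28 Apr 2005 04:26:56 -0400
From: Santa Claus <santaclaus@northpole.net>
To: billgates@microsoft.com
Subject: Linux is better

Roses are #0000FF
"""
# Stand-in for the domain's published sender list (SPF publishes this in DNS); constructed values.
AUTHORIZED_SENDERS = {"northpole.net": [ipaddress.ip_network("198.51.100.0/24")]}
EXPECTED_HEADERS = ("Date", "Message-ID")  # headers a real Mail User Agent always adds
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9a-fA-F.:]+)\]?\)")


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def analyse(raw):
    msg = message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1]
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1]
    # Only the topmost Received: line was written by a server we trust; anything further
    # down could have been typed during DATA exactly like From: and Subject: were.
    match = RECEIVED_RE.search((msg.get_all("Received") or [""])[0])
    helo, client_ip = (match.group(1), match.group(2)) if match else (None, None)
    claimed = domain_of(header_from)
    ranges = AUTHORIZED_SENDERS.get(claimed, [])
    ip_ok = bool(client_ip) and any(ipaddress.ip_address(client_ip) in net for net in ranges)
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "helo": helo,
        "client_ip": client_ip,  # what an abuse desk cross-references with the ISP's DHCP logs
        "from_matches_envelope": domain_of(envelope_from) == claimed,
        "helo_matches_from": (helo or "").lower() == claimed,
        "ip_authorized_for_from_domain": ip_ok,
        "missing_headers": [h for h in EXPECTED_HEADERS if h not in msg],
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE).items():
        print(f"{key:>30}: {value}")
```

For the tutorial's message every name-level check passes, because the sender chose HELO, MAIL FROM and From: consistently; what gives it away is the connecting IP, which is not one the claimed domain sends from, plus the missing Date and Message-ID headers.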

A very small note: this tutorial has been made with the aid of another. Cheers.

Happy Hacking

EZZK07

Posted in: Hacking, Web Hacking