Forged Mail
Results 1 to 10 of 10

Thread: Forged Mail

  1. #1
    Junior Member
    Join Date
    Jul 2004
    Posts
    3

    Forged Mail

    How do you tell if you're the recipient of an anonymous email? Oh and do smtp servers like yahoo, hotmail only allow their usernames to be sent?

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Re: Forged Mail

    Originally posted here by Tony_S
    How do you tell if you're the recipient of an anonymous email?
    Look at the Recieved: headers. Make sure everything checks out.
    Oh and do smtp servers like yahoo, hotmail only allow their usernames to be sent?
    The senders address (From: ) doesn't have to exist (look at all those viruses that send email from non-existing addresses). You don't need to use their servers if you want your (faked) email to appear to come from hotmail, yahoo etc.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    just to clarify, an anonymous email will say 'anonymous' in the from field and come from a server set-up for this purpose. a forged email can say anything at all and while yahoo, hotmail and the others require authentication in the form of an account name and password a forged email can say its from anywhere at all including these domains and can spoof the ip address of these domains so that they are accepted by servers that check ips against domain names before accepting them
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Senior Member Info Tech Geek's Avatar
    Join Date
    Jan 2003
    Location
    Vernon, CT
    Posts
    828
    you can easily use www.MailStart.com to spoof e-mail addresses. I use it to play pranks on my friends all the time. (The only downside is it announces the client used in a banner at the bottom) and as always, you can always review the headers for information.

  5. #5
    Junior Member
    Join Date
    Jul 2004
    Posts
    3
    Using a university's server, I know this one guy sent mail to some of the basketball players saying that they were cut, the email address being the coach's. Funny but, not good.

  6. #6
    Senior Member Info Tech Geek's Avatar
    Join Date
    Jan 2003
    Location
    Vernon, CT
    Posts
    828
    running a mail server you can spoof any e-mail address you want, the problem is... The information to bust someone on it is located in the internet header.

  7. #7
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    running a mail server you can spoof any e-mail address you want, the problem is... The information to bust someone on it is located in the internet header.
    One of the many benefit's And Info Tech, your link doesn't work. So ya know.
    Space For Rent.. =]

  8. #8
    Senior Member Info Tech Geek's Avatar
    Join Date
    Jan 2003
    Location
    Vernon, CT
    Posts
    828
    Just tested, it still works.

  9. #9
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Hrmm, that's odd. When I first clicked it, it didn't work. Ahh oh well, I just woke up. Stop ****in' with me
    Space For Rent.. =]

  10. #10
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    A minor note about the Received: fields in regards to tracking an email (This is an expansion of what Tedob1 was saying). Previous Received: fields can also be spoofed making the email appear as if it traversed through valid servers even though it didn't. The numbers in brackets indicate 'transactions' and are not actually part of the email header.
    Transaction (2) is where the email actually originated from while transaction (1) is a completely faked Received: field that was never part of the actual email's traverse. (I've left out the For/Date/Time fields to simplify what I'm trying to convey).

    (4)Received: from download.grisoft.cz (download.grisoft.cz [212.67.74.214])
    by mail.totalputz.com (8.12.11/8.12.11) with ESMTP id i49H4AsK011650

    (3)Received: from biz.grisoft.cz (ms.grisoft.cz [193.85.188.248])
    by download.grisoft.cz with ESMTP id ADABE1D22E0

    Here's where the email was actually sent from by someone who telnetted into an open mail server. Assume the IP is valid for legit.mailserver.com.
    (2)Received: from legit.mailserver.com (legit.server.com [178.45.190.211])
    by biz.grisoft.cz with ESMTP id ERET11551g8GF

    Now, here's the completely faked transaction that never occured. Even if you traceroute the IP 65.17.208.110, it will correctly identify itself as being part of the domain, mail5.bestnest.com.
    (1)Received: from mail5.bestnest.com (mail5.bestnest.com [65.17.208.110])
    by legit.mailserver.com (8.12.11) with ESMTP id i4MKePfi023f

    So, for all practical purposes, this email will have seemed to originate from mail5.bestnest.com. It is completely possible to fake these prior Received: fields and even use legit domains and IP's. The origin of the email will be included in the header at some point but, if someone is clever enough to fake the Received: fields using real domains in prior transactions, it will make it nearly impossible to find the actual origin of the email using just the Received: fields.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •