-
July 6th, 2004, 01:21 PM
#1
Junior Member
Forged Mail
How do you tell if you're the recipient of an anonymous email? Oh and do smtp servers like yahoo, hotmail only allow their usernames to be sent?
-
July 6th, 2004, 01:28 PM
#2
Re: Forged Mail
Originally posted here by Tony_S
How do you tell if you're the recipient of an anonymous email?
Look at the Received: headers. Make sure everything checks out.
Oh and do smtp servers like yahoo, hotmail only allow their usernames to be sent?
The sender's address (From: ) doesn't have to exist (look at all those viruses that send email from non-existing addresses). You don't need to use their servers if you want your (faked) email to appear to come from hotmail, yahoo etc.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
July 6th, 2004, 01:49 PM
#3
Just to clarify, an anonymous email will say 'anonymous' in the From field and come from a server set up for this purpose. A forged email can say anything at all, and while Yahoo, Hotmail and the others require authentication in the form of an account name and password, a forged email can say it's from anywhere at all, including these domains, and can spoof the IP address of these domains so that they are accepted by servers that check IPs against domain names before accepting them.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
July 6th, 2004, 02:03 PM
#4
You can easily use www.MailStart.com to spoof e-mail addresses. I use it to play pranks on my friends all the time. (The only downside is it announces the client used in a banner at the bottom.) And, as always, you can always review the headers for information.
-
July 6th, 2004, 03:09 PM
#5
Junior Member
Using a university's server, I know this one guy sent mail to some of the basketball players saying that they were cut, the email address being the coach's. Funny, but not good.
-
July 6th, 2004, 05:20 PM
#6
Running a mail server you can spoof any e-mail address you want, the problem is... The information to bust someone on it is located in the internet header.
-
July 6th, 2004, 05:53 PM
#7
Running a mail server you can spoof any e-mail address you want, the problem is... The information to bust someone on it is located in the internet header.
One of the many benefits. And Info Tech, your link doesn't work. So ya know.
-
July 6th, 2004, 06:02 PM
#8
Just tested, it still works.
-
July 6th, 2004, 06:03 PM
#9
Hrmm, that's odd. When I first clicked it, it didn't work. Ahh oh well, I just woke up. Stop ****in' with me
-
July 10th, 2004, 11:06 PM
#10
A minor note about the Received: fields in regards to tracking an email (This is an expansion of what Tedob1 was saying). Previous Received: fields can also be spoofed making the email appear as if it traversed through valid servers even though it didn't. The numbers in brackets indicate 'transactions' and are not actually part of the email header.
Transaction (2) is where the email actually originated from while transaction (1) is a completely faked Received: field that was never part of the actual email's traverse. (I've left out the For/Date/Time fields to simplify what I'm trying to convey).
(4)Received: from download.grisoft.cz (download.grisoft.cz [212.67.74.214])
by mail.totalputz.com (8.12.11/8.12.11) with ESMTP id i49H4AsK011650
(3)Received: from biz.grisoft.cz (ms.grisoft.cz [193.85.188.248])
by download.grisoft.cz with ESMTP id ADABE1D22E0
Here's where the email was actually sent from by someone who telnetted into an open mail server. Assume the IP is valid for legit.mailserver.com.
(2)Received: from legit.mailserver.com (legit.server.com [178.45.190.211])
by biz.grisoft.cz with ESMTP id ERET11551g8GF
Now, here's the completely faked transaction that never occurred. Even if you traceroute the IP 65.17.208.110, it will correctly identify itself as being part of the domain, mail5.bestnest.com.
(1)Received: from mail5.bestnest.com (mail5.bestnest.com [65.17.208.110])
by legit.mailserver.com (8.12.11) with ESMTP id i4MKePfi023f
So, for all practical purposes, this email will have seemed to originate from mail5.bestnest.com. It is completely possible to fake these prior Received: fields and even use legit domains and IPs. The origin of the email will be included in the header at some point but, if someone is clever enough to fake the Received: fields using real domains in prior transactions, it will make it nearly impossible to find the actual origin of the email using just the Received: fields.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
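An added example, not part of the thread: since older Received: fields can be forged, the only lines that count as evidence are the ones stamped by servers the recipient controls, and the peer IP on the last of those is the furthest point that can be verified. The sketch below applies that to the four header lines from post #10, assuming mail.totalputz.com is the recipient's own server; the function names are hypothetical, and a mismatch between the announced name and the resolved name is only a hint worth a closer look, not proof of forgery.

```python
import re
from email import message_from_string

# Constructed sample: the four Received: lines from the post above, newest first,
# with the bracketed transaction numbers removed and header folding restored.
SAMPLE = """\
Received: from download.grisoft.cz (download.grisoft.cz [212.67.74.214])
\tby mail.totalputz.com (8.12.11/8.12.11) with ESMTP id i49H4AsK011650
Received: from biz.grisoft.cz (ms.grisoft.cz [193.85.188.248])
\tby download.grisoft.cz with ESMTP id ADABE1D22E0
Received: from legit.mailserver.com (legit.server.com [178.45.190.211])
\tby biz.grisoft.cz with ESMTP id ERET11551g8GF
Received: from mail5.bestnest.com (mail5.bestnest.com [65.17.208.110])
\tby legit.mailserver.com (8.12.11) with ESMTP id i4MKePfi023f
Subject: constructed test message

body
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*"
                 r"\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)", re.I)

def parse_hops(raw):
    """Return Received: hops newest-first as dicts (helo, rdns, ip, by)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))   # unfold continuation lines
        hops.append(m.groupdict() if m else {"unparsed": value})
    return hops

def split_at_trust_boundary(hops, trusted_mtas):
    """Hops stamped by our own MTAs are evidence; everything older is claim only."""
    trusted = []
    for hop in hops:
        if hop.get("by", "").lower() not in trusted_mtas:
            break
        trusted.append(hop)
    return trusted, hops[len(trusted):]

def helo_mismatches(hops):
    """Hops where the announced name differs from the name the receiver resolved."""
    return [h for h in hops if h.get("rdns") and h["helo"].lower() != h["rdns"].lower()]
```

Run against the sample, the trust boundary falls at 212.67.74.214, the peer recorded by mail.totalputz.com; the three older hops, including the forged mail5.bestnest.com line, are returned as unverified.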