Spoofing Ip Addresses in E-mail 2 ways.
Results 1 to 4 of 4

Thread: Spoofing Ip Addresses in E-mail 2 ways.

  1. #1
    Junior Member
    Join Date
    Dec 2002
    Posts
    3

    Thumbs down Spoofing Ip Addresses in E-mail 2 ways.

    I've read about programmers being able to spoof Ip addresses in E-mail in two ways. One by sending an e-mail using two ethernet (spoofing and sniffing) connections spoofing the ip address. However you would need to be on an ISP with no Anti-Spoof Firewalls on any of the upstream servers which is non exsistent in the U.S. and running Windows2000 or earlier (for some reason). So there would be no need to worry there.

    The Second way to spoof an Ip in an E-mail address is to cause a particular error (I think it has something to do with an incomplete transaction) making most Mx servers drop the received header (allowing you to replace it) while still allowing the message to be sent. Once the "caller-Id" protocols go into full effect this could be the main method for spam since it isn't illegal to give phoney header information from outside the United States and it dosen't involve real Ip Spoofing so Anti-Spoofing Firewalls wouldn't do anything. The worst part about it is that since the header gets deleted and is instantly replaceable blocking spam by Ip addresses would be useless.
    Post "Caller-ID" Email could end up with more spam. Anyway I can't even proove that it works to send the E-mail to the appropriate RFC people? I could refer them to somebody but that guy actually benefits from being able to spoof the Ip in E-mails so he wouldn't help.
    none

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    ...since the header gets deleted and is instantly replaceable blocking spam by Ip addresses would be useless.
    If someone is attempting to block SPAM using this single technique then they are pretty dopey or they've had their head in the sand for a long time. For the past few years SPAM filters have used a concoction of techniques to filter SPAM which makes header forging much less effective. One factor in all of this is ISP mail server Port 25 blocking and/or mail server spam filters. This limits the effectiveness of using faked or forged email headers, IPs or email domains with no MX Records.

    This leaves the following avenues open for SPAMMERS:

    * Use throw-away email domains (with fake, forged or stolen ids)
    * Use throw-away free email addresses (with fake or stolen ids)
    * Use throw-away ISP access accounts (with forged or stolen ids)
    * Hijack mail servers
    * Hijack PCs by installing Spam Zombies
    * Open relay mail servers around the world
    * Using a filter-evading script that randomizes subject lines, source addresses and entire domains to avoid or make it harder to be identified as bulk emails
    * Using programs that automatically randomize different internet access accounts and then quickly log out


    Anyway...

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Sylonious , I think I'm with thehorse13 on this one. My other issue is why anyone would even bother going through the effort to spoof an IP or dump the header when there's a much more simple method. thehorse13 mentions a bunch of methods people use to avoid spam filters, I'd like to elaborate on the one of the more simple methods he mentioned.
    In particular,
    Hijack mail servers
    and
    randomizes subject lines, source addresses and entire domains to avoid or make it harder to be identified as bulk emails
    Any dedicated spammer could (with minimal effort) find open mail servers, use these as a send point for the email and just alter the received fields accordingly to his/her purposes. Considering they could use legit spoofed received fields, meaning the domains and IP's attached to those domains are legit and even seem to have been part of the actual email traverse(when in fact they weren't). In a case like this, even Reverse DNS is of no help in finding the culprit. The only give away, is that at some point in the email's traverse (the received fields in the header) there will be a real originating point for the email, in this case the open mail server that the spammer tapped in to (which in and of itself may be legit). Being that there's probably thousands of open mail servers around the world, I would assume this would be the easiest way for a spammer to approach avoiding email filters. It just seems that with such an easy method to forge headers, why would a spammer even bother spoofing the IP?
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  4. #4
    Junior Member
    Join Date
    Dec 2002
    Posts
    3
    Originally posted here by thehorse13
    If someone is attempting to block SPAM using this single technique then they are pretty dopey or they've had their head in the sand for a long time. For the past few years SPAM filters have used a concoction of techniques to filter SPAM which makes header forging much less effective. One factor in all of this is ISP mail server Port 25 blocking and/or mail server spam filters. This limits the effectiveness of using faked or forged email headers, IPs or email domains with no MX Records.

    This leaves the following avenues open for SPAMMERS:

    * Use throw-away email domains (with fake, forged or stolen ids)
    * Use throw-away free email addresses (with fake or stolen ids)
    * Use throw-away ISP access accounts (with forged or stolen ids)
    * Hijack mail servers
    * Hijack PCs by installing Spam Zombies
    * Open relay mail servers around the world
    * Using a filter-evading script that randomizes subject lines, source addresses and entire domains to avoid or make it harder to be identified as bulk emails
    * Using programs that automatically randomize different internet access accounts and then quickly log out


    Anyway...

    --TH13
    I am referring to a full TCP/IP spoof spoofing the Ip and Sniffing the traffic for the answers and their are some ready made programs that send millions of spoofed messages easily.


    When the Domain-Id Registeration is put in place only E-mails with SMTP's in the database (safelist) will be able to send mail to ISP's using Domain-ID Registration and those ISP's will be thoroughly tested and monitered. No new Ip's will be able to send mail meaning no open relays, Hijacked PCs (mostly Dyanmic Ip addresses) or throw-away email domains. Also ISP access accounts open them up for lawsuits and possibly extradition If stolen credit cards are used. Free-Email admins could just severly restrict the amount of E-mails used BCC and CC and bulk up security in general if need be and most users wouldn't even beware of the changes. Hotmail made alot of restrictions and they could go alot further if they see a huge increase in spam from their servers.

    Spoofing Ip addresses in E-mail messages now is highy accessible unlike a couple of years ago.
    Programmers sell programs that can Spoof Ip addresses in E-mails relatively cheap. So it will be more feasible to actually spoof the Ip address than any one of the other methods you mentioned once the Microsoft and Yahoo Safelist Ip Address systems are put in place. They could very well just Highjack a bigname mailserver like an AOL server but again that would be more costly and dangerous towards their bussiness than just spoofing the Ip address.

    However, the second form of Ip address spoofing that I mentioned probably isn't very reliable and probably could be easily fixed with a few changes in the RFC, so I don't know exactly how big of a problem that would be and full TCP/Ip spoofing can still be monitored by Sniffing programs which could already be in place.


    Originally posted here by ShagDevil
    In a case like this, even Reverse DNS is of no help in finding the culprit. The only give away, is that at some point in the email's traverse (the received fields in the header) there will be a real originating point for the email, in this case the open mail server that the spammer tapped in to (which in and of itself may be legit).
    My point is that their is absoultely no real orginating point in a fully (TCP/IP: Spoof and Sniff) spoofed E-mail header or a SMTP RFC glitch that completely drops the real received headers. Everything would be fake. The only defense against this is that the routers use Anti-Spoofing Firewalls and some small countries like Cyprus don't have anti-spoofing Routers. Ready made spam programs that can fully spoof the Ip address are alot more common than they once were.

    My point being that Yahoo Domain Keys and the like might not slow down spam as signifigantly as they planned and free e-mail could possibly suffer a great deal.
    none

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides