How To Spoof Email
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: How To Spoof Email

  1. #1
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130

    How To Spoof Email

    Most people, when looking at who thier emails have come from, assume that the name that appears there is in fact the name of the sender. By extension, they also assume that spam mail return addresses actually exist. This tutorial will explain how easy it is to send email with a forged source address to anyone you wish.

    Before continuing, there are two definitions which should be explained.

    Mail User Agent: A program which accepts input from an end user, formats that data into a form which mailservers will understand, and sends that data to a mailserver.

    Mail Transfer Agent: Any program which will accept mail, either from a Mail User Agent or another Mail Transfer Agent, and forward it one step closer, to another MTA, or an MUA for final delivery.

    In this tutorial, I am using telnet as my MUA.

    The first thing you will need is the name of your ISP's mailserver, or at least the one you usually use if you are on a large ISP. This can be found by examining the account settings in whatever email program you use.

    Once you find this, open a telnet session to that mailserver on port 25, the standard SMTP port. SMTP, or Simple Mail Transfer Protocol, is the protocol by which mailservers communicate with each other. After opening a connection to the mailserver, you will essentially be giving it the same commands that your email program would be.

    If you are using windows, open a command prompt first, and enter the following command:

    Code:
    telnet <mailserver> 25
    You should get a banner telling you that you have indeed connectected to the mailserver. This banner typically consists of a message type number (usually 220), the name of the mailserver, which protocol it is using (this is usually either SMTP or ESMTP; for the purposes of this tutorial we will be using only SMTP), and the software it is using, which usually includes the version number. In my case, I get the following prompt:

    Code:
    Connected to mailserver.
    Escape character is '^]'.
    220 <mailserver> ESMTP server (InterMail vM.5.01.06.10 201-253-122-130-110-20040306) ready Thu, 28 Apr 2005 03:42:03 -0400
    At this point you identify to the mail server two things: which protocol (SMTP/ESMTP) you will be using, and your domain name. The protocol is identified with either the HELO command, indicating that you will be using SMTP, or the EHLO command, indicating that you will be using ESMTP. As stated, we will be using SMTP only for this tutorial. At this point you can give a false domain name to the mailserver. Beware, however, that many mailservers now verify that the domain you give it is in fact a valid domain; you may need to supply an existing domain name. My mailserver does not perform this validation. I will use the domain northpole.net.

    The format of this command is as follows:

    [HELO|EHLO] <domain name>

    So for example, I identify myself to the mailserver as:

    Code:
    HELO northpole.net
    You should now see message type 250. Some mailservers will reply with something like "Hello northpole.net". In my case, it simply replies with message type 250 and its name again.

    Now begins the process of actually writing the mail. To inform the server that you wish to send mail, issue the command

    MAIL FROM: "Sender Name" <email address>

    Including the "<" and ">". I will be spoofing the address "santaclaus@northpole.net". The from field should include both the name of the sender and his/her email address. So the command is:

    Code:
    MAIL FROM: "Santa Claus" <santaclaus@northpole.net>
    At this point, the mailserver will verify that it is authorized to send from this address for you. If it is, you should see message type 250 again with the message text "Sender <email address> ok". In my case, I see:

    Code:
    250 Sender "Santa Claus" <santaclaus@northpole.net> Ok
    The server now requires the address you will be sending this mail to. The destination address should contain only the recipient email address. Multiple destination addresses can be specified at this point. These multiple addresses would be specified as additional RCPT TO: commands on subsequent lines. The command syntax is:

    RCPT TO: <destination address>

    So in my case, since I want to send fake email to Bill Gates, I will enter

    Code:
    RCPT TO: <billgates@microsoft.com>
    The mailserver now validates that it is permitted to send mail to this address for you. This will include checks to ensure that if this email is not on its list of users, that it is allowed to relay mail for you. An open mail realy, a common tool of spammers, would at this point not verify that you are a valid sender, instead relaying mail for anyone connecting to it. The message I recieve at this point is:

    Code:
    250 Recipient <billgates@microsoft.com> Ok
    Since this is my local mailserver, it is allowed to relay mail to billgates@microsoft.com for me.

    Now we begin the actual data that the email will consist of. This will begin with the simple statement DATA. Most mailservers will now inform you that to end the email, you should enter as the last line, a line containing only a period. It should look something like:

    Code:
    354 Ok Send data ending with <CRLF>.<CRLF>
    We now enter the email data. However, do not start writing out the text of the email yet. This would be caught by most mailservers as spam, since it does not look like most emails do. You would also have an email with no subject, as the subject heading is sent as part of the message data. At minimum, you should include the sender name and address, the recipient address, as well as a subject line.

    The sender address in the message data would be specified as it was in the MAIL FROM: command, but without the quotes around the sender's name, and "From: " in front of it. The syntax is as follows:

    From: "Recipient Name" &lt;name@domain.name&gt;

    Without the quotes around the sender's name. So in my case, I enter:

    Code:
    From: Santa Claus &lt;santaclaus@northpole.net&gt;
    The destination address is specified in exactly the same manner as it was in the RCPT TO: command, but with "To: " in front of it. The syntax is as follows:

    To: &lt;name@domain.name&gt;

    So in my case, since I am sending this mail to billgates@microsoft.com, I would enter:

    And I imagine at this point you can guess how the subject line will be specified. With the syntax:

    Subject: &lt;enter your subject here&gt;

    Without the "&lt;" or "&gt;"

    I will enter:

    Code:
    Subject: Linux is better
    This should be enough information to fool most mailservers into thinking that this is a legitamite email.

    At this point you can begin entering the actual message text. This can obviously be anything you wish. I will enter:

    Code:
    Roses are #FF0000
    Violets are #0000FF
    All my base
    Are belong to you!
    To inform the mailserver that you are finished entering data, enter as data a single line with only a period. This is what mailservers mean when they send the message "End data with &lt;CRLF&gt;.&lt;CRLF&gt;".

    You should now see a message, type 250, informing you that the message has been accepted for delivery, and giving you the message ID number for tracking. In my case, I see the following:

    Code:
    250 Message received: 20050428081348.PSBZ1623.&lt;mailserver&gt;@[my ip address]
    The message is now ready to be sent, and likely already has. All you must do at this point is enter

    Code:
    QUIT
    And the mailserver will terminate the connection with you gracefully.

    The entire communication, including server responses, looked like this:

    Code:
    striek@localhost:~$ telnet mailserver 25
    Trying mailserver...
    Connected to mailserver.
    Escape character is '^]'.
    220 mailserver ESMTP server (InterMail vM.5.01.06.10 201-253-122-130-110-20040306) ready Thu, 28 Apr 2005 04:26:56 -0400
    HELO
    250 mailserver
    MAIL FROM: "Santa Claus" &lt;santaclaus@northpole.net&gt;
    250 Sender &lt;santaclaus@northpole.net&gt; Ok
    RCPT TO: &lt;billgates@microsoft.com&gt;
    250 Recipient &lt;billgates@microsoft.com&gt; Ok
    DATA
    354 Ok Send data ending with &lt;CRLF&gt;.&lt;CRLF&gt;
    From: Santa Claus &lt;santaclaus@northpole.net&gt;
    To: billgates@microsoft.com
    Subject: Linux is better
    Roses are #0000FF
    Violets are #FF0000
    All my base
    Are belong to you!
    .
    250 Message received: 20050428082735.WVIK1597.mailservert@[my IP address]
    quit
    221 mailserver ESMTP server closing connection
    Connection closed by foreign host.

    Although this will effectively spoof the email, making it appear that it is from someone which it is not, your IP address has still been logged and you are still traceable. Do not assume that this is a form of anonymous email. Your IP address will show up in the message headers when it is recieved, and this can be crossreferenced with your ISP's DHCP records to determine who sent the email. It will, however, fool Aunt Sally into believeing the email really did come from the bank.

    More data can be placed at the beginning of the message data, just after the DATA command. Mail User Agents put a variety of information here, such as message ID numbers, date and time stamps, priority, encoding type, which program sent the mail, MIME types, character sets used, etc... Try experimenting to see what works and what doesn't.

    I hope this has given a clear example of how easy it is to spoof an email address to appear as if it were from a different sender. The from field is not determined by the mailserver. It is given by the user (or the Mail User Agent) connecting to it, and therfore easily falsified. The email address you see in the from field on spam addresses does not even have to exist to appear there. And if you don't need convincing, maybe dad or Aunt Sally do.

    <EDIT>
    As per SirDice's recommendation, see the following RFC's for more information:
    RFC 821 - Simple Mail Transfer Protocol
    RFC 2822 - Internet Message Format, which superseded RFC 821 in April 2001. Unfortunately, RFC 2822 does not list commands necessary to SMTP server communication.
    </EDIT>

    Server names and IP addresses have been changed to protect the innocent.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  2. #2
    Senior Member
    Join Date
    Mar 2005
    Posts
    175

    ...some more SMTP commands

    Great tut Striek. I liked the thing
    Roses are #FF0000.
    Violets are #0000FF...
    For more SMTP commands have a visit to http://www.the-welters.com/professional/smtp.html

    and for SMTP server replies http://www.good-stuff.co.uk/useful/smtp.php

    cheers !!
    \"And life is what we make it. Always has been, always will be.\"

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    This is a well written piece of work, congratulations


    I have two small comments, which I find worth mentioning:

    1. if "mailserver" is not microsoft.com (or northpole.net if if), it may be an open relay
    (or does by configuration at least relay to microsoft.com). "mailserver" then should be
    reported to an ORDB, for example ordb.org[1], such that emails originating from
    "mailserver" can be filtered on individual mailservers, who make use of those lists.
    The reason: Most likely "mailserver" will be misused for spamming purposes.

    2. One can perform what has been presented here even with Outlook, ie any email-client.
    Simply put as outgoing mailserver the destination server of the recipients address. If one
    listens to the talk between the email client and the mail server, it reflects the above.

    Cheers.

    [1] http://www.ordb.org/preferences/index.php?setlang=en
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Good article

    It may be a good idea to mention RFC-2822.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    Posts
    912
    Good tutorial indeed. I enjoyed reading it ......

    sec_ware's comments are really nice ....

    Cheers
    \"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts\".....Spaf
    Everytime I learn a new thing, I discover how ignorant I am.- ... Black Cluster

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If SPF, (Sender Policy Framework), is enabled on the receiving domain and northpole.com has an appropriate SPF record this will be classified as spam and dropped....

    Nice tute though Striek....

    /me hugs my SPF
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Banned
    Join Date
    Apr 2005
    Posts
    31
    *Yawns* This of course only applies to anyone clueless enough to not know how to read a message header.

    Not to mention why do it the hard way? This will produce the same result, with a fraction of the work.

    '--Snip Spoof.vbs----


    Set cdo = CreateObject("CDONTS.NewMail")
    cdo.to = "user@whereever.com"
    cdo.from="YourMom@bangbus.com"
    cdo.Subject="Spoof"
    cdo.Body="message body"
    cdo.send
    set cdo=nothing


    '---End spoof.vbs---

  8. #8
    Senior Member
    Join Date
    Jun 2004
    Posts
    379
    Striek gerat job best mail spoofing tutorial i have read in a long time, and SuperDooper great point.

  9. #9
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724
    How many times has this one been done. You must forgive me, as I have seen this thread about 4 times in as many years... But it was definatly well written.
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2

  10. #10
    Junior Member
    Join Date
    Apr 2005
    Posts
    3
    I did this long back, good posting

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •