eudora bug used to send spoofed mail

Thread: eudora bug used to send spoofed mail

  1. #1
    Junior Member
    Join Date
    Jun 2005
    Posts
    12

    eudora bug used to send spoofed mail

    There is a bug found in Eudora version 6.2.1.2. The bug has been used for sending spoofed mails. Normally a client is used to send mail via the SMTP server provided by his ISP or by the mail server used by Yahoo, Hotmail etc. In some cases where a user wants to send the mail via his own ready-made SMTP server, such as PostCast Server, he/she can use the Eudora email client to send the spoofed email. The problem gets even worse as the domain name from which the email pretends to come can also be spoofed. The "Message-ID" part in the header can also be spoofed to make the email look as if it has come from the pre-guessed or fake domain.

    The person willing to send the spoofed mail has to configure the Eudora installation in a way to send the fake mail. The address of the SMTP server filled in the box can be pointed to the name of the PostCast server (which may be the name of the computer). Suppose the name of someone's computer is 'xct123' and the person is willing to send the mail on behalf of the domain whitehouse.gov. The user will fill the Eudora entry where it says 'SMTP server' with whitehouse.gov and will send the mail, but as is obvious the mail will fail and result in an undelivered error in Eudora. Now the bug in Eudora lies in the fact that those messages which are undelivered are queued up for further delivery. This is the exploit used for sending the spoofed mail. In his next attempt the user will change the SMTP server name to 'xct123' (which is also the name of the PostCast server) and send the same mail via Eudora again with the PostCast server running. Now, unfortunately, both messages, i.e. even the previous message which was initially targeted to whitehouse.gov, will also be delivered to the PostCast server. Now the latter email can be deleted from the PostCast server, and when this message is sent it will be delivered, and if anyone looks into the headers of the message it will look something like this in the Message-ID:
    Let us say that I want to send the mail to myself (pushmohit@gmail.com) from Britney Spears (say britneyspears@hollywood.com). The header which I receive at my Gmail account is:

    Header:
    *************************************************************************
    X-Gmail-Received: 1a5687cd502d5376ec2d97b439de07d55e691837
    Delivered-To: pushmohit@gmail.com
    Received: by 10.54.32.30 with SMTP id f30cs40971wrf;
    Wed, 22 Jun 2005 18:35:44 -0700 (PDT)
    Received: by 10.38.207.73 with SMTP id e73mr611151rng;
    Wed, 22 Jun 2005 18:35:44 -0700 (PDT)
    Return-Path: <britneyspears@hollywood.com>
    Received: from 0.0.0.0 ([221.134.238.40])
    by mx.gmail.com with SMTP id 79si898642rnc.2005.06.22.18.35.42;
    Wed, 22 Jun 2005 18:35:44 -0700 (PDT)
    Received-SPF: neutral (gmail.com: 221.134.238.40 is neither permitted nor denied by best guess record for domain of britneyspears@hollywood.com)
    Message-Id: <6.2.1.2.2.20050623070417.01ddfcc0@hollywood.com>
    X-Mailer: QUALCOMM Windows Eudora Version 6.2.1.2
    Date: Thu, 23 Jun 2005 07:04:53 +0530
    To: pushmohit@gmail.com
    From: britney <britneyspears@hollywood.com>
    Subject: hi mohit britney here
    Mime-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"; format=flowed

    the first spoofed mail
    **************************************************************************
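    As an added illustration of the mechanics the post above relies on (this is example code written for this page, not code from the original poster, from Eudora or from PostCast Server), here is a toy SMTP submission built entirely in memory. The client side chooses the HELO name, the envelope sender and the From: header; the relay side accepts all of them unchecked, as the thread says real servers do, and the only thing it stamps on its own is the peer IP, which in a real TCP session the client cannot pick. The addresses are taken from the poster's header; the relay name mx.relay.test and the use of 221.134.238.40 as the peer address are constructed for the demo.

```python
# Added example (not code from the original post, nor from Eudora or PostCast Server):
# a toy SMTP submission, built in memory, showing which parts of a message the
# submitting client chooses and which part the relay stamps itself.
from email.utils import formatdate


def build_client_dialogue(helo_name, envelope_from, rcpt_to, header_from, subject, body):
    """Lines a submitting client sends. Every value here is chosen by the client:
    the HELO name, the envelope sender (MAIL FROM) and the From: header are all
    just strings the server is asked to believe."""
    return [
        f"HELO {helo_name}",
        f"MAIL FROM:<{envelope_from}>",
        f"RCPT TO:<{rcpt_to}>",
        "DATA",
        f"From: {header_from}",
        f"To: {rcpt_to}",
        f"Subject: {subject}",
        f"Date: {formatdate(localtime=True)}",
        "",
        body,
        ".",
    ]


def toy_relay(lines, peer_ip, relay_name="mx.relay.test"):
    """Accept the dialogue the way a permissive relay does: nothing the client
    claims is checked. The one value the client cannot set is peer_ip, which a
    real relay reads from the TCP connection; it goes into the Received: stamp."""
    helo = envelope_from = None
    rcpts, data, in_data = [], [], False
    for line in lines:
        if in_data:
            if line == ".":
                in_data = False
            else:
                data.append(line)
        elif line.upper().startswith(("HELO ", "EHLO ")):
            helo = line.split(None, 1)[1]
        elif line.upper().startswith("MAIL FROM:"):
            envelope_from = line.split(":", 1)[1].strip().strip("<>")
        elif line.upper().startswith("RCPT TO:"):
            rcpts.append(line.split(":", 1)[1].strip().strip("<>"))
        elif line.upper() == "DATA":
            in_data = True
    # Same shape as the "Received: from ... ([ip]) by ..." line in the thread's header.
    received = (f"Received: from {helo} ([{peer_ip}]) by {relay_name} "
                f"with SMTP; {formatdate()}")
    message = "\n".join([f"Return-Path: <{envelope_from}>", received, *data])
    return {"helo": helo, "envelope_from": envelope_from, "rcpts": rcpts,
            "peer_ip": peer_ip, "message": message}


if __name__ == "__main__":
    # Constructed inputs, taken from the addresses in the poster's header;
    # 221.134.238.40 stands in for the IP the real connection would reveal.
    dialogue = build_client_dialogue(
        helo_name="hollywood.com",
        envelope_from="britneyspears@hollywood.com",
        rcpt_to="pushmohit@gmail.com",
        header_from="britney <britneyspears@hollywood.com>",
        subject="hi mohit britney here",
        body="the first spoofed mail",
    )
    print(toy_relay(dialogue, peer_ip="221.134.238.40")["message"])
```

    Running it prints a message whose Return-Path and From: both say hollywood.com while the Received: line carries the connecting address, which is the same split the replies below turn into a defence.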

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Yet the IP remains legit, and most blacklists consist of IP addresses. Some use domain names, but few, since they are so easily spoofed. Doesn't changing the From field in Outlook do the same thing as this?
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    Junior Member
    Join Date
    Jun 2005
    Posts
    12
    Thanks XCT46 for your reply. You are a senior member of AntiOnline and your every post must be respected.
    As you are suspicious about the IP: as much as I know, the IP can also be spoofed and that can further strengthen our email spoofing. The IP spoofing article has been published in Phrack magazine; the article has been written by daemon9 / route / infinity.

    Yes, the same can be achieved by using the From field in Outlook, but how would you configure the domain name spoofing? The hollywood.com in the Message-ID will not appear. (I think so)

  4. #4
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724
    You can't spoof your IP while maintaining an SMTP connection. As far as I knew, the only way to spoof your IP was with connectionless protocols, or something like that. You cannot maintain a connection with a spoofed IP.

    Let's say you send a spoofed packet to smtp.ev1.net, spoofing your IP as 207.212.22.45. That SMTP server is going to send the response to that IP address. Do you see what I'm saying?
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2

  5. #5
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Yes, the IP can be spoofed, but it would be a hell of a lot more complicated than what you are doing. You are just changing the return path, which would sort of be spoofing, but not a very effective way. But the point remains the same: you are completely missing the point of this site. Now why don't you post a reply on how to DEFEND against this type of deception. Yes, to protect against something it's good to know how to do it, but this IS a security site; include the security portions and you will be accepted into the community much better (and not get negged) and people will give what you say more credit.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    So the mail has already been queued with whitehouse.gov as the domain name, but is then later sent to a different SMTP server, if I understand correctly?

    This has always been possible with mail servers. They ask for the domain name you are sending mail from but generally do not verify this. So the vulnerability has always existed in the SMTP protocol and numerous mail servers, but Eudora has provided a way to do it with a fancy GUI.

    Defending against this would be no different than defending against any other spoofed mail. Either use Sender Policy Framework, which will check that the server sending the mail IS actually in the whitehouse.gov domain, or, if in doubt, check the stamps each mail server places on the email as it travels through them. If a mail claiming to be from whitehouse.gov has no mail server stamp from that domain, it is likely the mail was spoofed.

    This may make it easier for script kiddies to send spoofed mail; however, the underlying principles have been used by spammers and investigators for years. Sufficient defense mechanisms should already be in place.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  7. #7
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Striek,
    Yes, I know that the defenses should be there. My point was his posts are absolutely useless unless he goes full circle with them and explains the security side of the event. I want him to stop posting the easy script kiddie side of things (just like his last post) and get more into why these things work; if he doesn't do that then he may as well not post. Even if it is old.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Since this:-

    221.134.238.40
    is there in the header, there are no significant security issues with this. You are traceable, period. Furthermore, I agree with XTC: stop wasting your bandwidth and ours with this stuff. The only real use you can put this to is playing pranks on your friends.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    As XTC pointed out, the same can be done with Outlook or any mail client using your OS's SMTP server or an open relay, as long as you're not worried about being traced.

    So what's wrong with someone posting something like this on AO? Or do you think this kind of info should be hidden from the "honest" crowd and revealed only on skiddie sites so only they know what can be done? I believe there are many who come to this site who are not up to speed on SMTP and security. Just maybe they learned something besides 'don't post on AO'.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    So what's wrong with someone posting something like this on AO?
    Do a search here on AO for "Spoof email". It returns 88 topics, at least a dozen of which refer directly to the same material the OP insists on posting. Add to that the fact that spoofing an email without managing to hide the IP address of the sending machine is hardly a big deal. Add to that the fact that SPF will block this quite nicely from many domains now, and it all becomes a bit of a waste of time. Lastly, blindly repeating largely useless information that the poster clearly doesn't properly grasp, and providing no information as to mitigation, without seeing if it has been posted before, just to see if you can garner some "greens", gets up my nose.....

    'Nuff said?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
