Thread: How To Spoof Email
How To Spoof Email
Most people, when looking at who their emails have come from, assume that the name that appears there is in fact the name of the sender. By extension, they also assume that spam mail return addresses actually exist. This tutorial will explain how easy it is to send email with a forged source address to anyone you wish.
Before continuing, there are two definitions which should be explained.
Mail User Agent: A program which accepts input from an end user, formats that data into a form which mailservers will understand, and sends that data to a mailserver.
Mail Transfer Agent: Any program which will accept mail, either from a Mail User Agent or another Mail Transfer Agent, and forward it one step closer, to another MTA, or an MUA for final delivery.
In this tutorial, I am using telnet as my MUA.
The first thing you will need is the name of your ISP’s mailserver, or at least the one you usually use if you are on a large ISP. This can be found by examining the account settings in whatever email program you use.
Once you find this, open a telnet session to that mailserver on port 25, the standard SMTP port. SMTP, or Simple Mail Transfer Protocol, is the protocol by which mailservers communicate with each other. After opening a connection to the mailserver, you will essentially be giving it the same commands that your email program would be.
If you are using Windows, open a command prompt first, and enter the following command:
You should get a banner telling you that you have indeed connected to the mailserver. This banner typically consists of a message type number (usually 220), the name of the mailserver, which protocol it is using (this is usually either SMTP or ESMTP; for the purposes of this tutorial we will be using only SMTP), and the software it is using, which usually includes the version number. In my case, I get the following prompt:
At this point you identify to the mail server two things: which protocol (SMTP/ESMTP) you will be using, and your domain name. The protocol is identified with either the HELO command, indicating that you will be using SMTP, or the EHLO command, indicating that you will be using ESMTP. As stated, we will be using SMTP only for this tutorial. At this point you can give a false domain name to the mailserver. Beware, however, that many mailservers now verify that the domain you give it is in fact a valid domain; you may need to supply an existing domain name. My mailserver does not perform this validation. I will use the domain northpole.net.
The format of this command is as follows:
[HELO|EHLO] <domain name>
So for example, I identify myself to the mailserver as:
You should now see message type 250. Some mailservers will reply with something like Hello northpole.net . In my case, it simply replies with message type 250 and its name again.
Now begins the process of actually writing the mail. To inform the server that you wish to send mail, issue the command
MAIL FROM: "Sender Name" <email address>
At this point, the mailserver will verify that it is authorized to send from this address for you. If it is, you should see message type 250 again with the message text Sender <email address> ok. In my case, I see:
The server now requires the address you will be sending this mail to. The destination address should contain only the recipient email address. Multiple destination addresses can be specified at this point. These multiple addresses would be specified as additional RCPT TO: commands on subsequent lines. The command syntax is:
RCPT TO: <destination address>
So in my case, since I want to send fake email to Bill Gates, I will enter
The mailserver now validates that it is permitted to send mail to this address for you. This will include checks to ensure that if this email is not on its list of users, that it is allowed to relay mail for you. An open mail relay, a common tool of spammers, would at this point not verify that you are a valid sender, instead relaying mail for anyone connecting to it. The message I receive at this point is:
Now we begin the actual data that the email will consist of. This will begin with the simple statement DATA. Most mailservers will now inform you that to end the email, you should enter as the last line, a line containing only a period. It should look something like:
We now enter the email data. However, do not start writing out the text of the email yet. This would be caught by most mailservers as spam, since it does not look like most emails do. You would also have an email with no subject, as the subject heading is sent as part of the message data. At minimum, you should include the sender name and address, the recipient address, as well as a subject line.
The sender address in the message data would be specified as it was in the MAIL FROM: command, but without the quotes around the sender’s name, and From: in front of it. The syntax is as follows:
Without the quotes around the sender’s name. So in my case, I enter:
The destination address is specified in exactly the same manner as it was in the RCPT TO: command, but with To: in front of it. The syntax is as follows:
And I imagine at this point you can guess how the subject line will be specified. With the syntax:
Subject: <enter your subject here>
Without the < or >
This should be enough information to fool most mailservers into thinking that this is a legitimate email.
At this point you can begin entering the actual message text. This can obviously be anything you wish. I will enter:
To inform the mailserver that you are finished entering data, enter as data a single line with only a period. This is what mailservers mean when they send the message End data with <CRLF>.<CRLF>.
You should now see a message, type 250, informing you that the message has been accepted for delivery, and giving you the message ID number for tracking. In my case, I see the following:
The message is now ready to be sent, and likely already has. All you must do at this point is enter
And the mailserver will terminate the connection with you gracefully.
The entire communication, including server responses, looked like this:
Although this will effectively spoof the email, making it appear that it is from someone which it is not, your IP address has still been logged and you are still traceable. Do not assume that this is a form of anonymous email. Your IP address will show up in the message headers when it is received, and this can be cross-referenced with your ISP’s DHCP records to determine who sent the email. It will, however, fool Aunt Sally into believing the email really did come from the bank.
More data can be placed at the beginning of the message data, just after the DATA command. Mail User Agents put a variety of information here, such as message ID numbers, date and time stamps, priority, encoding type, which program sent the mail, MIME types, character sets used, etc. Try experimenting to see what works and what doesn’t.
I hope this has given a clear example of how easy it is to spoof an email address to appear as if it were from a different sender. The from field is not determined by the mailserver. It is given by the user (or the Mail User Agent) connecting to it, and therefore easily falsified. The email address you see in the from field on spam addresses does not even have to exist to appear there. And if you don’t need convincing, maybe dad or Aunt Sally do.
As per SirDice’s recommendation, see the following RFCs for more information:
RFC 821 – Simple Mail Transfer Protocol
RFC 2822 – Internet Message Format, which superseded RFC 821 in April 2001. Unfortunately, RFC 2822 does not list commands necessary to SMTP server communication.
Server names and IP addresses have been changed to protect the innocent.
Government is like fire – a handy servant, but a dangerous master – George Washington
Government is not reason, it is not eloquence – it is force. – George Washington.
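As an added illustration of the traceability point in the post above (this is not code from the original post), the Python below reads the Received: header written by the first-hop mailserver, recovers the connecting client’s IP and HELO name, and flags where the user-supplied From: and HELO disagree with what the server actually saw. The message, host names and addresses are constructed examples.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (documentation hosts and IPs). Relays prepend Received:, so the
# bottom one is the first hop: the ISP server the client telnetted to, which logged
# the real client IP next to the HELO name the client chose to give.
RAW_MESSAGE = """\
Received: from mail.isp.example (mail.isp.example [192.0.2.10])
\tby mx.example.com with ESMTP id 7x1; Sat, 1 Jan 2005 12:00:05 +0000
Received: from northpole.net (dsl-45.pool.isp.example [203.0.113.45])
\tby mail.isp.example with SMTP id 3k9; Sat, 1 Jan 2005 12:00:01 +0000
Return-Path: <santa@northpole.net>
From: Santa Claus <santa@northpole.net>
To: billg@example.com
Subject: Your presents
"""

# "from <HELO name> (<reverse DNS> [<client IP>]) by <receiving host>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)"
)

def parse_received(value):
    """Split one Received: header into HELO name, rDNS name, client IP and receiver."""
    match = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    return match.groupdict() if match else None

def domain_of(header_value):
    """Lower-cased domain of an address header such as From: or Return-Path:."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    """Report who really connected and whether the user-supplied From: agrees."""
    msg = email.message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    first = hops[-1] if hops else {}  # earliest hop is the last Received: line
    from_domain = domain_of(msg.get("From"))
    return {
        "origin_ip": first.get("ip"),
        "helo": first.get("helo"),
        "rdns": first.get("rdns"),
        # HELO name is not the reverse DNS of the address that actually connected
        "helo_mismatch": bool(first.get("rdns")) and first["helo"].lower() != first["rdns"].lower(),
        "from_domain": from_domain,
        # envelope sender (MAIL FROM, kept as Return-Path:) differs from header From:
        "envelope_mismatch": from_domain != domain_of(msg.get("Return-Path")),
    }
```

Run `analyze(RAW_MESSAGE)` and the client’s address 203.0.113.45 comes back as origin_ip even though every sender field says northpole.net, which is the ISP DHCP cross-reference the post describes.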
I have two small comments, which I find worth mentioning:
1. If the mailserver is not microsoft.com (or northpole.net), it may be an open relay (or is at least configured to relay to microsoft.com). The mailserver should then be reported to an ORDB, for example ordb.org, so that emails originating from that mailserver can be filtered by individual mailservers which make use of those lists. The reason: most likely the mailserver will be misused for spamming purposes.
2. One can perform what has been presented here even with Outlook, i.e. any email client. Simply put as outgoing mailserver the destination server of the recipient’s address. If one listens to the talk between the email client and the mail server, it reflects the above.
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)