SWAT MAGAZINE ISSUE FIFTEEN: MARCH 1999

"Fake E-Mail" - Tutorial
by Spirou © v1.0 1997/98
Copyright © 1997/98 by Spirou.
-----------------------------------------------------------------------
(Presented by Netw0rk Bug)

Anyone may reproduce this document without notice of its author as long as no modifications of any kind are being made.

Disclaimer: The author of this document, Spirou, does not take any responsibility for the information contained. This is for private and educational purposes only. You might also want to consider that some aspects mentioned here may result in serious damage to systems, and since you are reading this you probably don't know enough about how to completely avoid any traces back to you. - Don't be stupid and get busted for something not worth it. If you do not agree to these terms, do not read on!

The way of e-mail forgery described here is based on SMTP (Simple Mail Transfer Protocol), the protocol computers use to send e-mail. Normally computers use this protocol when sending mail, but to fake e-mail you need to pretend to be a computer that talks to another computer the way a computer would. This is really simple though, since Sendmail just uses plain ASCII commands (so a system administrator could find bugs easily). Basically the remote computer will believe anything you tell it, but Sendmail is getting more and more secure, and things aren't that easy any more. In fact, finding a server with low security is the biggest concern, as they are getting more and more rare.

You start by opening a telnet connection to port 25 on the remote computer, as port 25 is the default Sendmail port. (Port 110 is for incoming mail - another thing quite interesting, but hard to come by.) You can use the telnet client for Windows, or any other client where you can choose the port. Under Unix you would type:

    telnet (or tn) name.of.remote.computer 25
So let's start a sample session, assuming we want to use the server CS.YALE.EDU for sending our forged e-mail.

     telnet cs.yale.edu 25
     Trying 130.132.1.2 (cs.yale.edu) ...
(1)  Connected to cs.yale.edu
     220 bulldog.CS.YALE.EDU ESMTP Sendmail 8.7.1/res.host.uucp.cf-4.1 ready at Sat, 21 Jun 1997 11:37:20 -0400 (EDT)
(2)  HELO fake.com                    \\ Identify yourself - better be fake
(3)  250 bulldog.CS.YALE.EDU Hello your.computer.name [xxx.your.ip.xxx], pleased to meet you
(4)  MAIL FROM: spirou@fake.com       \\ say who the mail is from
(5)  250 spirou@fake.com... Sender ok
(6)  RCPT TO: me@server.com           \\ say who the mail is for
(7)  250 Recipient ok
(8)  DATA                             \\ Command to start with the message
(9)  354 Enter mail, end with "." on a line by itself
(10) Now you type your message - to tell Sendmail you are finished type a "." on a single line at the end.
     .
(11) 250 LAA00522 Message accepted for delivery
(12) QUIT                             \\ when you are finished you say Quit
(13) Connection Closed by Remote Host! \\ The remote server will then close the connection.

(1) First the remote server greets you by identifying itself, gives the local system time and information about the Sendmail program it is using. The latter might be interesting for you if you know about those specific versions.

(2) Then it is your turn to identify yourself. NOTE(1): The HELO command is very important if you really put value into staying anonymous. - Most servers will try to find out your true IP if not being told by you and put it into the message header. Also they might add the annoying line "... did not use HELO protocol!". Generally Sendmail believes any value you give as host, so use this option!

(3) Then the remote server will answer real politely, but usually using your real IP address - don't worry though, this doesn't have to say anything yet.
If you get an answer somewhat like "Hello [your true IP], why do you call yourself fake.com?", you can probably forget about anonymity using this host already =;-/.

(4) Then you can start by saying who the mail is from ("MAIL FROM: user@server.com" - Note(2): "MAIL FROM: somename" will make it look like the mail came from that username@the.host.you.are.connected.to! - the server thinks you are a local user). The command "VRFY" (verify) can be used in the form "VRFY name" to find out if a certain user exists on the remote system. (Hint: try combining it with Note(2)...=;-)

(5) Then you hopefully get the "250 whoever@wherever.com... Sender ok" - Note(3): Some hosts might not echo back the sender you specified, so you have to remember what you typed.

(6) Then you specify who the mail is intended for by saying "RCPT TO: user@server.domain". You can also specify more than one recipient.

(7) Some hosts might give you the error message "relaying denied" - so obviously they won't let you send any mail to a different system. If it says ok, you continue...

(8) You type DATA to let Sendmail know that you want to begin with the message input.

(9) You will get a reply telling you to start entering your message.

(10) Now you can begin writing your message. It would be a smart thing to start off by typing:

     From: Some Name
     Subject: Some Subject

     Now your message here.
     .

Those first two lines will appear in the message header, and also make it look more real, since the message will have a real Subject and a sender name in the mail folder of the recipient! Note(4): You will not see what you typed at all. A backspace will leave crap, so don't use it. Some telnet clients might allow you to paste text, but don't rely on that. At the end you type a "." on a single line so Sendmail knows the message is finished. (You could then start over with MAIL FROM: for another message.)

(11) Sendmail will return a "250 Message accepted for delivery".

(12) When you are finished you say "QUIT".
(13) And the remote host will then close the connection.

You may have wondered about those numbers in front of everything the remote host says. They have a simple meaning: the numbers carry the same information as the clear text readable by you. A computer, though, would only care about those numbers - sometimes even only about the first digit. Here follows a short explanation:

Numbers with a 2 at the beginning always imply that the next step has to be taken by you, e.g. "250 Recipient ok". You then continue with the next command.

The 354 lets you know that everything following is considered part of the message, until you type ".".

A reply with a 4 in front refers to some temporary error, for example a lack of memory on the remote system - you would then know that you could try again later.

A reply with a 5 in front refers to a fatal error, such as "500 Command unrecognized".

About: Anonymity

Now we get to the point of real anonymity. Note(5): You are not sending an anonymous mail if just the sender is faked! Mostly Sendmail will include the IP address of the computer the mail actually came from in the header of the message. This will for example look like this:

     Received: from servername (server.name [xxx.your.ip.xxx]) by host.you.used.to.send.this.mail (8.8.6/8.8.6) with ESMTP id XAA16776 for ;

So in this case the recipient of your mail can find out where this mail actually came from by simply having a look at the headers. In serious cases he could then easily contact your ISP and tell him the IP address where the forged e-mail came from, and you might get in serious trouble.
And now an example of a host that doesn't attach your IP in the header:

     Return-Path:
     Delivered-To: recipient@server.com
     Received: (qmail 5010 invoked from smtpd); 13 Jun 1997 19:33:49 -0000
     Received: from eli.CS.YALE.EDU (130.132.1.1) by 194.162.196.145 with SMTP; 13 Jun 1997 19:33:48 -0000
     Received: from faked.host by eli.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with SMTP id PAA22086; Fri, 13 Jun 1997 15:33:43 -0400 (EDT)
     sender name.you.choose@whatever.com for
     Date: Fri, 13 Jun 1997 15:33:43 -0400 (EDT)
     Message-Id: <199706131933.PAA22086@eli.CS.YALE.EDU>
     From:
     To:

The "Received:" lines are the ones of importance. Note that the server simply accepts the faked.host you used for the HELO command. It does not record your true IP!

There is one other thing you might wanna have a look for. Some hosts might add a line that looks like this: "Apparently-To: recipient@server.com" to the header. Somebody who receives an e-mail like this will, if experienced, know that something might be wrong with the sender.

Now you should know almost everything important about e-mail forgery. Note(6): Always make a test with every host you are using to fake e-mail! (also see Note(5)) - First send an e-mail to yourself and check the headers!

If you read this document carefully, you should know enough about how e-mail bombing works. Obviously such a program does nothing else than exactly what is described above, repeated several hundred times. Any e-mail bomber, such as Avalanche, Up Yours, Kaboom!, Unabomber,... can be used easily to send anonymous / forged mail.

by SPIROU
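The header walk described above, from the receiving side, as an added example that is not part of the original article: it parses each "Received:" hop of a message, pulls out the HELO name and the connecting IP the relay recorded, and flags hops where the relay logged only the HELO name (so the origin cannot be traced) as well as the "Apparently-To:" header. The message is constructed for this example, modelled on the header excerpt in the text; the hostnames and the 198.51.100.7 address are assumptions.

```python
import re
from email import message_from_string

# Constructed sample modelled on the two header excerpts in the article.
# Hop 1 records the connecting IP in brackets, hop 2 in parentheses,
# hop 3 (the faked.host one) records only the HELO name and no IP.
SAMPLE = """\
Received: from servername (server.name [198.51.100.7]) by mx.example.net (8.8.6/8.8.6) with ESMTP id XAA16776
Received: from eli.CS.YALE.EDU (130.132.1.1) by 194.162.196.145 with SMTP; 13 Jun 1997 19:33:48 -0000
Received: from faked.host by eli.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with SMTP id PAA22086; Fri, 13 Jun 1997 15:33:43 -0400 (EDT)
Apparently-To: recipient@server.com
From: name.you.choose@whatever.com
Subject: test

body
"""

# "from <helo> (<rdns> [<ip>]) by <host>" with the parenthesised part optional
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # name the client gave in HELO
    r"(?:\s*\((?P<paren>[^)]*)\))?"      # optional (rdns [ip]) or (ip)
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(value):
    """Return HELO name, receiving host and connecting IP (None if absent)."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None                      # e.g. "(qmail ... invoked from smtpd)"
    ip = IP_RE.search(m.group("paren") or "")
    return {"helo": m.group("helo"), "by": m.group("by"),
            "ip": ip.group(1) if ip else None}

def audit(raw):
    """Walk the Received chain and list the hops that cannot be traced."""
    msg = message_from_string(raw)
    findings = []
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            continue
        if hop["ip"] is None:
            findings.append("untraceable hop: %s logged only HELO name %r, no IP"
                            % (hop["by"], hop["helo"]))
    if msg.get("Apparently-To"):
        findings.append("Apparently-To present: recipient was not in To/Cc")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```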