Part of my job at work is to monitor our email system. I receive all mail sent to postmaster and webmaster through our system. In the past few weeks I have received dozens of undeliverable messages bounced back from other domains to these addresses. Most of them list dozens of recipient addresses that were undeliverable; some were rejected for viruses or suspected spam. Since our system delivers thousands of messages to our clients daily, I was concerned that we were configured as an open relay and would be blacklisted. After verifying that our server was not an open relay, I went through the mail logs looking for the bounced messages. I could not find the spam anywhere in our logs, which is exactly what you would expect if the messages never passed through our server at all, so I concluded that someone was spoofing our email addresses to send spam. Digging further, I found other bounces for messages supposedly from addresses that do not even exist on our system, so they were spoofing more than just postmaster. Some of the addresses were random strings of letters, but most looked like made-up usernames. Because of this I have done quite a bit of research on email and email address spoofing, and I thought I would write up some of what I have learned. I have also provided a script that will let you send spoofed emails to your friends.
Spoofed email is email that appears to come from one source when it actually comes from another. Because Simple Mail Transfer Protocol (SMTP) simply takes the sender's word for who the sender is, email spoofing is extremely easy to do.
Some background on SMTP. SMTP is one of the earliest email protocols. It was written by Jonathan Postel in 1982 and is documented in RFC 821 (revised as RFC 2821 in 2001). It was designed to be reliable and easy to use, and it has been the standard for transferring email for the last 23 years; virtually every mail server in existence speaks it. But that same simplicity is what lets spammers and phishers abuse the email system: nothing in the protocol authenticates the sender.
The first step in transferring an email through SMTP is to establish a connection; SMTP uses TCP port 25 for this. The client then sends the HELO (or EHLO) command with the name it claims for itself. Some servers require that a domain be given with the HELO, but nothing checks it: HELO xyz.com is accepted from any host. The server only knows the IP address the connection actually came from, and that is what it records. Next the client sends the MAIL FROM: command. The address entered here is the envelope sender (the address bounces will be returned to), and it can be anything. Most servers do not check whether it is valid, and some even accept an empty address, which is how bounces themselves are sent. The server has no way to verify it anyway, since the address normally belongs to some other system, and its domain does not have to match the name given in the HELO. The next command is RCPT TO:. An open relay will accept any recipient here; a properly configured server only accepts recipients in the domains it handles mail for, unless the client has authenticated or is on its own network. Then comes the DATA command, which tells the server that everything that follows, up to a line containing only a period, is the message. The message consists of header lines (Date, To, From, Cc, Subject, and whatever else the mail client adds), a blank line, and then the body. The headers are what the recipient's mail client displays, and they are typed by the sender, completely independent of the envelope. A header is just the field name, a colon and the value, e.g. Subject: this is the subject. You can enter To: and From: here too, and a From: header can carry a display name, which is how a message shows up as being from Joe Schmoe instead of joeschmoe@email.com. This is a nice feature for mail clients, but it also makes spoofing very easy: the name and address the recipient sees are whatever the sender typed.
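Here is the same exchange in code, as an added example rather than anything from the original post: a tiny SMTP server for one domain that turns down relaying, and a client that sends through it with a made-up From: header. Everything in it is assumed for the example (frankdzedzy.com as the server's own domain, the server name mx.example, the addresses), and the server is a toy for seeing the protocol, not a replacement for sendmail.

```python
# Added example, not the post's code: both sides of the SMTP exchange described above.
import socket
import socketserver
import threading
from datetime import datetime, timezone

LOCAL_DOMAIN = "frankdzedzy.com"  # assumption: the only domain this server accepts mail for
SERVER_NAME = "mx.example"        # assumption: what the server calls itself


class SmtpHandler(socketserver.StreamRequestHandler):
    """One SMTP session: just enough of RFC 821 to accept a message for LOCAL_DOMAIN."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        peer_ip = self.client_address[0]  # where the TCP connection really came from
        helo, mail_from, rcpts = "unknown", None, []
        self.reply(f"220 {SERVER_NAME} ESMTP ready")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                helo = arg.strip() or "unknown"  # client-supplied, never verified
                self.reply(f"250 {SERVER_NAME} Hello [{peer_ip}], pleased to meet you")
            elif verb == "MAIL":
                mail_from = arg.partition(":")[2].strip().strip("<>")  # anything is accepted
                self.reply("250 2.1.0 Sender ok")
            elif verb == "RCPT":
                rcpt = arg.partition(":")[2].strip().strip("<>")
                if rcpt.rpartition("@")[2].lower() != LOCAL_DOMAIN:
                    self.reply("550 5.7.1 Relaying denied")  # the open-relay check
                else:
                    rcpts.append(rcpt)
                    self.reply("250 2.1.5 Recipient ok")
            elif verb == "DATA" and rcpts:
                self.reply('354 Enter mail, end with "." on a line by itself')
                lines = []
                while True:
                    raw = self.rfile.readline()
                    line = raw.decode(errors="replace").rstrip("\r\n")
                    if not raw or line == ".":
                        break
                    lines.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
                stamp = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S +0000")
                received = f"Received: from {helo} ([{peer_ip}]) by {SERVER_NAME}; {stamp}"
                self.server.inbox.append((mail_from, list(rcpts), received + "\n" + "\n".join(lines)))
                self.reply("250 2.0.0 Message accepted for delivery")
            elif verb == "QUIT":
                self.reply(f"221 2.0.0 {SERVER_NAME} closing connection")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized or out of sequence")


def send_spoofed(host, port, helo, envelope_from, rcpt_to, headers, body):
    """Client side: the commands typed into telnet above.  Returns each server reply."""
    replies = []
    with socket.create_connection((host, port), timeout=5) as s, s.makefile("rwb") as f:
        def step(command=None):
            if command is not None:
                f.write((command + "\r\n").encode())
                f.flush()
            replies.append(f.readline().decode().rstrip("\r\n"))
            return replies[-1]
        step()                                # 220 banner
        step(f"HELO {helo}")                  # any name at all; the server records the IP
        step(f"MAIL FROM:<{envelope_from}>")  # envelope sender: where bounces will go
        if not step(f"RCPT TO:<{rcpt_to}>").startswith("250"):
            step("QUIT")                      # e.g. 550 relaying denied
            return replies
        step("DATA")
        message = [f"{k}: {v}" for k, v in headers.items()] + [""] + body.splitlines()
        for line in message:                  # headers, blank line, body; dot-stuffed
            f.write((("." + line if line.startswith(".") else line) + "\r\n").encode())
        step(".")
        step("QUIT")
    return replies


def demo():
    """Start a server on localhost, deliver one spoofed message, then try to relay one."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), SmtpHandler)  # port 0: any free port
    server.daemon_threads, server.inbox = True, []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    headers = {"From": "Joe Schmoe <joeschmoe@emailserver.com>", "Subject": "this is a spoofed email"}
    accepted = send_spoofed("127.0.0.1", port, "xyz.com", "joeschmoe@emailserver.com",
                            f"frankdzedzy@{LOCAL_DOMAIN}", headers, "you have just been spoofed")
    denied = send_spoofed("127.0.0.1", port, "xyz.com", "joeschmoe@emailserver.com",
                          "victim@otherdomain.example", headers, "relay attempt")
    server.shutdown()
    return accepted, denied, list(server.inbox)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run it and look at the stored message: the Received: line the server prepended carries 127.0.0.1, the real peer, next to the xyz.com the client claimed, and the From: header is whatever the client typed. The second delivery, to a recipient outside the server's domain, is refused with 550 before any data is sent; that refusal is exactly the open-relay test you want to pass when you point send_spoofed() at your own host and port.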
This all sounds more confusing than it is, so to understand it better you can use telnet to talk to an SMTP server directly. Here is an example of a spoofed email being sent to frankdzedzy@frankdzedzy.com (what I typed is in lower case; the lines starting with a number are the server's replies):
C:\>telnet mail.frankdzedzy.com 25
220 ss71.shared.server-system.net ESMTP Sendmail 8.12.11/8.12.11; Fri, 9 Dec 2005 10:17:19 -0800
helo xyz.com
250 ss71.shared.server-system.net Hello [12.178.219.195], pleased to meet you
mail from: joeschmoe@emailserver.com
250 2.1.0 joeschmoe@emailserver.com... Sender ok
rcpt to: frankdzedzy@frankdzedzy.com
250 2.1.5 frankdzedzy@frankdzedzy.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject: this is a spoofed email

you have just been spoofed
.
250 2.0.0 jB9IHJIY001987 Message accepted for delivery
quit
221 2.0.0 ss71.shared.server-system.net closing connection
When I open the message, it shows as being from joeschmoe@emailserver.com even though I never typed a From: header: sendmail generated one from the envelope sender I gave in MAIL FROM. If I don't know who this is, I can open the message source. This is what it looks like:
Return-Path: <joeschmoe@emailserver.com>
Received: from ss71.shared.server-system.net (root@localhost)
    by frankdzedzy.com (8.12.11/8.12.11) with ESMTP id jB9IJ4Sd002707
    for <frankdzedzy@frankdzedzy.com>; Fri, 9 Dec 2005 10:19:04 -0800
X-ClientAddr: 12.178.219.195
Received: from xyz.com ([12.178.219.195])
    by ss71.shared.server-system.net (8.12.11/8.12.11) with SMTP id jB9IHJIY001987
    for frankdzedzy@frankdzedzy.com; Fri, 9 Dec 2005 10:18:30 -0800
Date: Fri, 9 Dec 2005 10:17:19 -0800
From: joeschmoe@emailserver.com
Message-Id: <200512091818.jB9IHJIY001987@ss71.shared.server-system.net>
subject: this is a spoofed email

you have just been spoofed
I use the RoundCube webmail client, which is a nice looking and simple client. Other mail systems and clients will add a lot more to the headers, but this is nice and simple. As you can see, the only item that can really identify me is the IP address, 12.178.219.195, and it appears only in the Received: line that the receiving server wrote itself (and in the X-ClientAddr: line the same host added). Everything else is either about my own mail server or was supplied by me: the HELO name xyz.com, the envelope sender, and the headers. The rule when reading headers is to trust only the Received: lines added by servers you trust, read from the top down, and to stop at the first hop that came in from outside; anything below that point arrived inside the message and could have been typed by the sender, including fake Received: lines. Obviously this is a great way to pull pranks on your friends; I have done it a couple of times at college with great results. But you can also use spoofing to pretend to be someone you are not. This is a form of social engineering known as phishing, and it is fast becoming a major problem: phishers send spoofed emails carefully constructed to look like they come from a reputable organization, then direct you to a website that collects information from people who cannot tell they are being misled. Spammers also use spoofing to disguise their real identity and to help get their mail past spam filters.
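To make that header-reading rule concrete, here is an added example (not from the post) that walks the Received: lines of the message above the way you would when tracing a bounce. The sample headers are constructed from the ones shown, with a third Received: line added as the kind of fake a sender can type in below the genuine ones; which host names count as trusted is an assumption you would replace with your own servers.

```python
# Added example, not the post's code: find the originating IP in a message's headers.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the headers shown above, plus a third Received: line that the
# sender typed into DATA (a forgery); it sits below the lines our own server wrote.
SAMPLE = """Return-Path: <joeschmoe@emailserver.com>
Received: from ss71.shared.server-system.net (root@localhost)
    by frankdzedzy.com (8.12.11/8.12.11) with ESMTP id jB9IJ4Sd002707
    for <frankdzedzy@frankdzedzy.com>; Fri, 9 Dec 2005 10:19:04 -0800
X-ClientAddr: 12.178.219.195
Received: from xyz.com ([12.178.219.195])
    by ss71.shared.server-system.net (8.12.11/8.12.11) with SMTP id jB9IHJIY001987
    for frankdzedzy@frankdzedzy.com; Fri, 9 Dec 2005 10:18:30 -0800
Received: from mail.bigbank.example ([198.51.100.10]) by xyz.com with ESMTP;
    Fri, 9 Dec 2005 10:15:00 -0800
Date: Fri, 9 Dec 2005 10:17:19 -0800
From: joeschmoe@emailserver.com
Subject: this is a spoofed email
"""
TRUSTED = {"frankdzedzy.com", "ss71.shared.server-system.net"}  # assumption: our own hosts


@dataclass
class Hop:
    helo: Optional[str]  # name the client claimed in HELO: untrusted
    ip: Optional[str]    # address the writing server saw the connection come from
    by: Optional[str]    # server that wrote this Received: line


def unfold(raw: str) -> list:
    """Join RFC 822 continuation lines (leading whitespace) back onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(value: str) -> Hop:
    """Pull the from / [ip] / by parts out of one unfolded Received: value."""
    m_from = re.search(r"\bfrom\s+(\S+)", value)
    m_by = re.search(r"\bby\s+(\S+)", value)
    m_ip = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", value)
    return Hop(m_from and m_from.group(1), m_ip and m_ip.group(1), m_by and m_by.group(1))


def is_internal(hop: Hop, trusted) -> bool:
    """A hop between our own machines: trusted name and either no address or a local one."""
    if not hop.helo or hop.helo.lower() not in trusted:
        return False
    if hop.ip is None:
        return True
    addr = ipaddress.ip_address(hop.ip)
    return addr.is_loopback or addr.is_private


def originating_hop(raw_headers: str, trusted=TRUSTED) -> Optional[Hop]:
    """Walk Received: lines newest-first; return the first hop that came from outside.

    Stops, returning None, at the first line not written by a trusted server: that
    line and everything below it arrived inside the message and may be forged.
    """
    for line in unfold(raw_headers):
        if not line.lower().startswith("received:"):
            continue
        hop = parse_received(line.partition(":")[2])
        if not hop.by or hop.by.lower() not in trusted:
            return None
        if is_internal(hop, trusted):
            continue  # our own relay hop, e.g. the MTA handing the message to itself
        return hop
    return None


if __name__ == "__main__":
    print(originating_hop(SAMPLE))  # Hop(helo='xyz.com', ip='12.178.219.195', by='ss71.shared.server-system.net')
```

The walk never reaches the bigbank line: the hop before it already came in from outside (xyz.com at 12.178.219.195), so that is the answer, and the forged line is just part of the data the spoofer sent. With no trusted hosts at all the function returns None rather than guessing, which is the right answer for a bounce that only quotes the spammer's own headers.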
After looking through the headers of the bounces I was sent, I could tell that most of the original messages were generic spam. The subjects had product names, celebrity names, and phrases like "Your Password" in them, and a lot of them carried viruses. Where a bounce included the original headers I could also find the originating IP address (probably 80% of the bounces did not include any of the original headers, which was irritating). Out of all the bounces I have received, I found about 14 different IP addresses. Most were used only once, but some were used dozens of times. All belong to home broadband ISPs around the US. I have not been able to ping any of them, which made me wonder whether the spammer was spoofing IP addresses. That is unlikely: SMTP runs over TCP, and a TCP connection cannot be completed from a forged source address because the handshake replies go to the real owner of that address, so the IP in a Received: line written by a server you trust is the real connecting host. Home PCs simply tend to sit behind routers or firewalls that drop pings. The better explanation is that the spammer is sending through these unsecured home PCs, which are probably part of a small zombie network (a botnet). I received dozens of bounces over the last weekend but very few in the last few days, so either he is no longer using our addresses, or he is now sending to addresses that exist.
So what can you do if somebody is spoofing your email address? Not much on the sending side: since they enter all the fake information themselves, you cannot stop them from sending. What you can do is give receiving servers a way to tell the forgery apart, by publishing an SPF record in your domain's DNS that lists the hosts allowed to send mail for your domain (one of the comments below explains it); any receiver that checks SPF can then reject or flag mail claiming your domain that comes from anywhere else. (DKIM and DMARC, which came later, do the same job with signatures and a published policy.) If you have a situation like the one I described, first make sure your server is not an open relay. Because of the many open-relay databases out there, there are few open relays left in the United States, and if your server is relaying mail it will not be long before other servers start refusing mail from you. I would also recommend keeping a close eye on your logs, to make sure the messages really are not coming from your server. That would be the case if one of your users was sending spam, or if you had a worm sending mail; you would see the local IP address in the log entries and could easily find the culprit.
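As an added example (not part of the original post) of what an SPF check actually does, here is a small evaluator for v=spf1 records. The DNS data is a constructed in-memory zone so it runs offline, with made-up names and addresses; a real implementation would do live lookups and would also handle macros and the redirect= modifier, which this one skips.

```python
# Added example, not the post's code: a small SPF (v=spf1) evaluator.
import ipaddress

# Constructed in-memory zone standing in for DNS so this runs offline.
# The names and addresses are made up; (name, record type) -> list of records.
ZONE = {
    ("frankdzedzy.com", "TXT"): ["v=spf1 ip4:12.178.219.0/24 mx include:_spf.hoster.example -all"],
    ("frankdzedzy.com", "MX"): ["mail.frankdzedzy.com"],
    ("mail.frankdzedzy.com", "A"): ["203.0.113.25"],
    ("_spf.hoster.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("nospf.example", "TXT"): ["some unrelated txt record"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Stand-in for a DNS query, answered from ZONE."""
    return ZONE.get((name.lower(), rrtype), [])


def check_spf(domain, client_ip, resolve=lookup, _budget=None):
    """SPF result for client_ip claiming to send mail as @domain.

    client_ip must be the address the receiving server saw the connection come
    from (its own Received: line), never anything the sender typed.  Returns one
    of pass, fail, softfail, neutral, none, permerror.
    """
    if _budget is None:
        _budget = [10]  # RFC 7208: at most 10 DNS-querying mechanisms per check
    records = [r for r in resolve(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none" if not records else "permerror"  # no record, or an ambiguous pair
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are not handled here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)  # False if families differ
        elif mech in ("a", "mx", "include"):
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"
            target = arg or domain
            if mech == "include":
                matched = check_spf(target, client_ip, resolve, _budget) == "pass"
            else:
                hosts = resolve(target, "MX") if mech == "mx" else [target]
                matched = any(str(ip) in resolve(h, "A") for h in hosts)
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term


if __name__ == "__main__":
    for who in ("12.178.219.195", "203.0.113.25", "198.51.100.7", "192.0.2.9"):
        print(who, check_spf("frankdzedzy.com", who))
```

The point to notice is what the check consumes: the domain from the envelope sender (MAIL FROM, or the HELO name when that is empty) and the connecting IP from the receiver's own Received: line. It never looks at the From: header the recipient sees, which is why SPF on its own does nothing about a forged display name and why a receiver that does not check it at all gets no protection from your record.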
Now here is how you spoof your email address, if you only want to prank your friends. The easiest way is to change the display name and email address in your mail client. I mostly use Outlook (because we use Exchange), Thunderbird, or Gmail, but you can do similar things in other clients. I have not been able to do it very well with Outlook, but it works well in Thunderbird: go to your account settings and change the display name and email address to whatever you want them to be. Most clients have a separate place for your login information and do not use the email address for it. Just remember that whatever address you set here is where any reply will be sent. After you have sent the message, the only things that identify you are the IP address in the Received: headers and whatever your own outgoing mail server adds, since the client still hands the message to that server. Depending on the client, this can be tricky to find.
You can also use the form on this page to send a basic email with a spoofed address. It sends a simple message that can disguise your name and email address. The script does add a header pointing back to this webpage, but that is only visible if the victim looks at the source. Script downloaded from www.digi-dl.com.
I have provided this information to educate people about SMTP and the methods used by spammers and phishers. It is not intended to be used for phishing. Forging a sender address is not by itself a crime in the US, since no break-in is involved, but what it is usually used for is: the CAN-SPAM Act prohibits materially false header information in commercial email, and phishing is plain fraud. I would recommend using spoofing only for pranks, and even then remember to use your discretion.
Holy crap man that was a good long read… I learned a lot lol… and that's saying a lot cause I didn't know shit about it before I read what you wrote.
Ty
http://www.coffeetornado.com
Coffee
Found your site through digg.
Hm. Sorry, but I think that you spent way too much time writing about something trivial. Anyone smart enough to fire up a telnet client and send some SMTP data already knows how SMTP works :).
Also, to do this in Outlook is easy as well. Tools->Mail Accounts->View or Change Existing Accounts. Select an account to change, and hit “Change”, and then modify the Your Name and Email fields.
Your article does point to one of the many glaring flaws with SMTP, however. It is a wonder that the protocol has not been replaced.
I think many people knew about this already, but still, a good read.
In reply to the second comment, Josh.
Dude you’re lame. The web is all about information. If you find something trivial then good for you, move on and don’t waste your time replying. Which is worse? Taking the time to write something that may be trivial to some, but a good source of knowledge to others… or… replying to something that you find trivial? You sort of contradict yourself my friend.
Yes, telnet and OE both have some rad features to help spoof email. As does php and several other scripting languages, not to mention downloadable tools. In any event, I commend the author for the article. It was well written and will probably benefit several people, which is what the web is all about… Information! Kudos to the author!
Excellent story. So how can you spoof an IP Address?
I’ll have to agree with Josh. This is exceedingly trivial, and is possibly one of the first things that script kiddies learn. This article could have been boiled down to:
telnet mailhost 25
helo domain.com
mail from: anybody@anybody.com
rcpt to: anybody@localdomain.com
data
Subject: w00t!
To: Yo Mama
From: Nobody

j00 sux0r!
.
This is good info Thanks for taking the time to write this
@ #6: You impress NO ONE. Re-read #4. Buffoon.
Thanks for the article - great information to share with PEOPLE WHO MAY NOT KNOW.
(freaking geek snobs…grumble grumble…they didn’t know much once…grumble)
Hi,
Your article is mostly correct, however there is something you can do to try and stop your email address being spoofed. You can add an SPF (Sender Policy Framework) record (which is just a TXT record with a special syntax) to your DNS server that states which hosts etc. are allowed to send mail from your domain.
If the receiving mail server supports SPF it will check to make sure the mail was sent from a valid host and discard it if it wasn't. If the receiving mail server does not support SPF it will just accept the email.
Some big mail providers are getting behind SPF (Hotmail for instance) so hopefully the days of spoofed emails are numbered…
Have a read about SPF at http://www.openspf.org/ and get patches for postfix, qmail and other popular MTAs at http://www.openspf.org/downloads.html
Matt
Very well written. And Zorlak is right. I remember when I was just getting into the internet scene and wanted to know all about it. I was so thankful when Google turned up articles, just like this one, that people had taken the time to write just so they could educate some curious kid like me.
Again, well written, well explained. Good Job
HELO I.second.nobodys.comments
250 frankdzedzy.com
MAIL FROM:
250 Ok
RCPT TO:
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: spoofing? where?
Seconding `nobody’, comments.
SMTP is nothing new, there's no magic in `spoofing' - as it's an authoritative client protocol when it comes to the FROM header. I wouldn't even call it trivial, as it's normal SMTP handling. Flexible MUAs will even let you change e.g. From headers before you send the email, without a need to set up `accounts'.
`Zorlak' - when did a simple interactive TCP connection client become a `feature'? - it's not OE, telnet or whatever you might chuck in there as other sources of `rad featured programs' that's providing the functionality - it's SMTP itself.
however - I’m sure script-kiddies looking to make a quick buck will be quick to pounce on things like this to make our mailboxen even more miserable.
.
Of course - you couldn't safely assume that he'd HTML-handle input - so, headers are off. Gah - stupid.
dude youre on digg…
Jesus man, it’s not called SPOOFING it is called relaying, and that technique has been around as long as email (since 1971: http://www.wbglinks.net/pages/history/ ).
And if you want to see real spoofing:
http://www.wbglinks.net/pages/reads/wbgreads/ipspoof/
This is not relaying. Relaying is sending mail to someone through a different email server than the mail server receiving the email.
Although to someone who is educated in the ways of email this article does seem rather pointless, it is incredibly informative to the 'end users' we all despise. I've worked in support for a couple of ISPs, and trying to explain to a customer that we cannot stop some idiot with a virus spoofing addresses on their domain name is near impossible without explaining some of the shortcomings of the SMTP protocol.
Nowadays one of the tasks in my job is handling abuse reports for a major UK ISP, and email address spoofing is something I encounter every hour of every day, but I do think anyone responsible for administering a high traffic mail server should already know this and be well versed in the protocol to an even greater extent.
Telling people not to configure their mail servers as open relays is a bit like telling someone not to leave their front door wide open when they go on holiday, so fair enough, the article does come across more like an "OMG LOOK WHAT I DISCOVERED!!11" to those of us with experience, but the number of "IT Professionals" with Exchange servers sat there blasting the same email out thousands of times just because they failed to apply a patch I've dealt with is astounding. Personally I think it should be illegal to put a mail server on the internet without some form of license. (OK, maybe that's a little harsh.)
To add to your article though, might I mention it is also possible to spoof the source IP address in the headers by simply adding a pre-written "Received: from" block right after the SMTP DATA command. The real source IP will still exist within the headers, but to the untrained eye the mail will appear to have come from somewhere else.
There are of course ways of getting around some of these flaws, SPF records for example, but they rely on everyone conforming to the standard. I have such a record in the zone file for my personal domain name, meaning any mail servers that implement it will know exactly what IP addresses are allowed to send mail with that address. Another one we actually use on the mail cluster at my work, in which the mail server will look up the MX records of the domain given in the MAIL FROM command to check the domain exists, then it will connect to the MX with the lowest available metric and attempt to deliver an email to the user specified as the sender. It will of course then RSET the transfer before supplying a message body and decide if it should accept the email based on the response from the MX. Of course this only verifies that the address actually exists, not that its owner sent it.
duclicsic and Matt
Thanks for the info. I will have to do some more research!
You should really take down your “script” at http://frankdzedzy.com/email/sendMail.html
Some spammer is going to start using it to send out to every address on the planet and your mail server will end up on a black list.
Frank, wrong. It’s a variant of relaying. You can relay off of your own server, it doesn’t have to be others. You are simply lying to the server (which is set up to relay). You are NOT spoofing ANYTHING.
No problem Frank, I have to agree with Martin though, that script is leaving you out in the open for attack.
Martin
That is a point I had thought about. I have set up Mint, the web stats program I use, to watch the "script" closely. So far, only about 15% of the hits on this page have used the script. If I notice the number growing out of hand, I will pull it. Also it is designed to only handle one email at a time. Plus, there are a whole lot better scripts out there for sending out better spoofed emails.
I also can spoof any blog comment easily, I'll teach u next week dude!
steve jobs
LOL. How did you get my name ?!!!
Anybody want an IPod?
cool post! i always wondered why many web hosts disable telnet access!
I would have to agree with the posters that argue that the knowledge presented in this blog entry is pretty much E-mail 101. I remember how I experimented with the basics of the SMTP protocol through a Telnet client back in '95 and was surprised to learn how easy it was to fake sender information.
However this is all very fine. The net is full of newcomers eager to learn, and any contributions that can make the somewhat arcane RFCs more accessible to people is pure goodness and contributory to the democratisation of technology, which the internet is supposed to represent in the first place anyway.
What befalls me as surprising however is that this blog post is featured among the popular reads on del.icio.us with all of 50 users having found the entry so noteworthy as to merit a place on their list of bookmarks. This seems to me to suggest something about the makeup of del.icio.us users. Up until now I would have thought that del.icio.us users were mostly at the forefront of technology savvy (it is a pretty inaccessible site, which until the acquisition by Yahoo! has led pretty much a niche existence). The fact that a blog entry discussing simple e-mail address spoofing can make it to be among the popular reads in del.icio.us suggest to me that the composition of del.icio.us users is shifting to include more people of less technological aptitude and experience. If that is indeed the case it is an interesting development.
A quick survey seems to support my hypothesis: Of a sample 10 del.icio.us users, who bookmarked this entry 7 joined the service in September 2005 or later. Only the remaining 3 have a longer history with del.icio.us. This would suggest that del.icio.us is indeed gaining momentum and making inroads among more novice users - hooray for that!
I hope that Yahoo! has learned from their earlier acquisitions in social networking (i.e. the former eGroups - now YahooGroups!) that spam is an issue that should be addressed, when one tries to popularise one’s offerings and bring it into the mainstream. It took about four years for Yahoo to learn that after acquiring eGroups - hopefully they will be more proactive with regards to del.icio.us postings.
Kristoffer Nilaus Olsen
Interesting observations on del.icio.us. I had never been on the site until I noticed that people were visiting my post from that site. Perhaps, del.icio.us users have spent so much time gaining experience in newer technologies (AJAX, Ruby, etc.) that they have not learned about much of our older technology that is in use. I know that is the case with me. I find so many links on new stuff, that I never learn the old.
Aww…you lost me at, ‘Part of my job at work…..’
Ok, I’ve been trying to do this thing over DOS (telnet mx*.*.com replace stars w/ appropriate servers, and i also ran a nslookup and found server with lowest pref). After, i followed the format required, but at the end, it says Mail queued for delivery….The test i sent to myself hasn’t reached even after 2 days. Any advice, guyz?
Hi,
I’m having a different kind of problem. I hope this isn’t too “left-field”:
I send an email to a person, an email address I know. I then get returned mail from email address/es I don’t know!
Has someone hacked my system? My ISP?
Thanks,
James Forsyth
Is the returned mail from the same person that you sent the email to? If so, the person may be replying with a different email address. The address you sent the mail to may be forwarded to another address, or it may be an alias.
Hi Frank,
Stopped by your blog while browsing for this topic. It is a nice and simple read for those starting to learn about the topic of SMTP flaws. Keep it up for those tech newbies on the hunt for intro tutorials to internet security.
That is nice
spamm@freemail.gr
I use incredimail.
It has pop mail and imap.
Is it possible to spoof through that one?
salam
Very informative article.
To you geeks that were reading it: it's easy to sit back and criticize. Granted you thought it was nothing new, but what did you learn?
Hey! Great work! What about attachments? I think it would be kind of fun to set something up that looks like a full-fledged email service — for spoofing! (complete with random word generator, file attachment etc.) I suppose it sounds a little evil now, but dude! Think of how cool that would be!
I am receiving email that is not being sent to my address, for example from: "Gilda"
to: vinhnu@yahoo.com
And I will receive several of these during the day in my bulk mail.
Excellent story. So how can you spoof an email
Is there a reason for the 403 forbidden to the script?
Sorry about the 403, but my web host made me take it down. It seems that someone spoofed the Department of Defense Inspector General and the DOD got pissed and called my web host about it. Just like our crappy government to not take a joke. Must have clogged someones tubes. If you want the code to the script so you could run it on your own server, email me and I can help you set it up.
I never receive a 250 after I do the mail from command :(
I don’t even know where to type all that telnet stuff
I get an authentication error… I'm using your mail server as I can't find any other ones without needing an account. I don't understand what "helo" does, so I just shoved google.com in there.
Relaying denied. Proper authentication required.
asd
email
Please, I want to configure Outlook in order to do email spoofing. Can someone help me? By the way, the email required is via internet. Thank you.
An email spoofing program, thats really easy to use and spoofs date and from headers is available on http://pageofrage.net
Thanks man, I learned a lot from this story. I hope you find the culprit.
Yes, spoofing is both 1) concealing the true origin of spam and 2) concealing the true identity of the spammer (using a fake email address). A fake email address is a spoofed email address. Look up the meaning in your dictionary (fits both scenarios).
Good article for explanation.
Also, it IS a major problem for people running mail servers (Josh, Zorlak, nobody, etc.: get a clue—it’s far from a trivial problem when you get thousands of bounced messages each day because of email address spoofing and your mail server is forced to handle this extra workload)
However I wish that you didn’t provide the answer on how to spoof. I know they can get the answer somewhere else, but at least you do not need to be another conduit for helping new spammers to spam this way too. I see a link to a spoofing script (also not a good idea), but the link does not work which suits me fine.
BTW, “you” = “frank”. Should’ve labeled the comment about providing spoofing instruction to frank—clarification.
Still a good article explanation, kudos.
Hi, thanks for the tutorial, but when I connect to the mx().–.com and stuff
I am welcomed, but when I try to enter (for example)
lala@lala.com
or
mail from: lala@lala.com
it says
500 unrecognized command
so can you help, please?
Waiting for any suggestion.
Thanks guys.
I am a novice. The read was confusing for me at first, but I will re-read it. I have become alarmed because I get emails back to me marked as spam with my email address on them; I was really confused. My ISP has advised me with essentially the same information as yours, except you seem to go into more depth. Thank you for posting this. Warm regards, Tom
OK..so I just received an email sent from the same email address that I have. It said “It is so funny that we have the same name and the same email. I guess you can read all my emails as I can read all yours” and my password to my account constantly keeps changing. Nobody else knows my account info. Is somebody just screwing with me or what?
I can't get it to connect for hotmail.co.uk addresses.
It's amazing to me the amount of time geeks have to post going on and on about somebody else's blog instead of writing python scripts, web apps, etc. I wasted a small portion of my life reading this "pretty much email 101" and "no duh, next I'll spoof my comment" sh*t. Pretty fuc*ing lame. Go write your own page if you're so Uber Geek. Geez, self righteous idiots.
Oh yeah, and if you can't send an email using this technique then create your own SMTP server. Postfix, for example, will relay spoofed emails for you. Like stated above though, some like Yahoo will not accept this as is. It's up to you to figure your way around this; read above for clues. And by the way, spam isn't dead, it's just beginning.
Nice call Mike. This helped me as my gmail got spoofed recently. Information is power. Lots of people make lots of money off of trivial information…I bet Josh knows lots of trivial information. He probably has lots of other trivial attributes as well…;>
Nice read. I tried this with Yahoo, and got it to connect the first time, but then my IP got banned…? It won't allow me to connect to it anymore. It sends me to the Spamhaus PBL http://www.spamhaus.org/pbl/
Anyone else get this?