Thursday, September 6, 2007

You've got spoofed mail

Have you ever received mail that claims to be from "Microsoft" or "PayPal" but is actually spoofed?

Do you know that you can send a spoofed email easily, without any special software or application?

For anyone who understands SMTP, sending a spoofed email with a few plain SMTP commands is easy. The steps below show how it is done.

Any mail server or application that sends email first needs the address of the destination mail server.

A DNS query for the MX (Mail Exchange) record of the recipient's domain (e.g. disney.com, shown in the picture) returns the names of that domain's mail servers.

From the command prompt, type nslookup to start an interactive DNS query session. (The screenshot shows that the DNS server I was using belonged to Maxonline.)
To look up an IP address, just type the host name (e.g. www.disney.com); nslookup takes host names, not URLs.
To query MX records instead, type set type=mx to change the query type, then enter the domain (disney.com).

From the MX records of disney.com you can see four mail server names together with their IP addresses:
- mx1.disney.com
- mx2.disney.com
- mx3.disney.com
- mx4.disney.com
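An added example (not part of the original post) that parses the MX answer nslookup prints and orders the hosts the way a sending mail server would, lowest preference number first. The transcript below is constructed to match the shape of nslookup's output, and the 192.0.2.x addresses are documentation placeholders; the real addresses appear only in the post's screenshot.

```python
"""Parse nslookup MX output and order the mail exchangers for delivery.

Added example, not code from the original post. SAMPLE_OUTPUT is a
constructed transcript of "set type=mx" followed by "disney.com"; the
192.0.2.x addresses are placeholders, not Disney's real addresses.
"""
import re

SAMPLE_OUTPUT = """\
Server:  dns.example.net
Address:  192.0.2.53

Non-authoritative answer:
disney.com      MX preference = 20, mail exchanger = mx3.disney.com
disney.com      MX preference = 10, mail exchanger = mx1.disney.com
disney.com      MX preference = 10, mail exchanger = mx2.disney.com
disney.com      MX preference = 20, mail exchanger = mx4.disney.com

mx1.disney.com  internet address = 192.0.2.11
mx2.disney.com  internet address = 192.0.2.12
mx3.disney.com  internet address = 192.0.2.13
mx4.disney.com  internet address = 192.0.2.14
"""

# Windows nslookup prints "MX preference = N, mail exchanger = host";
# the Unix build prints "mail exchanger = N host." (note the trailing dot).
MX_WINDOWS = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)")
MX_UNIX = re.compile(r"mail exchanger = (\d+) (\S+)")
ADDR = re.compile(r"^(\S+)\s+internet address = (\S+)", re.M)


def parse_mx(text):
    """Return [(preference, host)] sorted lowest preference first.

    Lowest preference is tried first; hosts sharing a preference are
    equivalent and a real MTA picks among them at random, so the
    tie-break by name here is only for a stable result.
    """
    records = [(int(p), h.rstrip(".")) for p, h in MX_WINDOWS.findall(text)]
    records += [(int(p), h.rstrip(".")) for p, h in MX_UNIX.findall(text)]
    return sorted(records)


def parse_addresses(text):
    """Map host names from the additional section to their IP addresses."""
    return {h.rstrip("."): ip for h, ip in ADDR.findall(text)}


def delivery_order(text):
    """Hosts in the order a sending MTA would try them, with addresses when known."""
    addrs = parse_addresses(text)
    return [(host, addrs.get(host)) for _, host in parse_mx(text)]


if __name__ == "__main__":
    for host, ip in delivery_order(SAMPLE_OUTPUT):
        print(host, ip)
```

The first host in the result is the one to connect to on port 25; the others are fallbacks that a sending server uses only when the preferred ones are unreachable.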

After getting the mail servers' addresses, you can use a few simple SMTP commands to send a spoofed mail.

Connect to the Disney mail server on port 25:
- telnet mx1.disney.com 25

When connected, you will see the server's greeting banner. Type helo (followed by a host name; many servers reject a bare helo with a syntax error) to start the SMTP session. The reply echoes your IP address (covered in the picture), and that address is logged by Disney's mail server.
The sender address can be anything, including a spoofed one like the example below; the server does not verify it:
- mail from:<hacker@hacker.org>
(Strict servers require the angle brackets and answer a bare address with a syntax error.)
For the recipient, make sure you type a real address at that domain:
- rcpt to:<mickeymouse@disney.com>
To send the subject and message, type the data command, then enter the headers and the message text after the 354 reply. A line containing only a "." ends the email.

Open Relay
Even though you spoofed the sender address, the recipient's mail server has already logged your system's IP address. One way to hide your IP is to send through an open relay, which forwards your email to the actual recipient's mail server; the final server then logs the relay's address instead of yours.

To check whether a mail server is an open relay, try sending to a recipient in another domain (e.g. rcpt to:<openrelay@hacker.org> on the disney.com mail server). A properly configured server refuses the recipient with a relay-denied error; an open relay accepts it.

Make sure your own mail server is configured to relay only for recipients in your domain: if the server is the mail exchanger for disney.com, it should accept mail only for disney.com addresses.
To protect it further, configure it to check your email directory and accept only valid recipients, so mail to made-up addresses is refused instead of queued. This will protect against footprinting. (Bear in mind that the difference between the 250 and 550 replies to rcpt to also tells a probing client which addresses exist, so rate-limit or tarpit clients that hit many unknown recipients.)
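The telnet session from the steps above, together with the relay and recipient checks described in this section, replayed in Python as an added example (not code from the original post). Both sides of the exchange are simulated in memory with a tiny SMTP server, so no real mail server is contacted. The host names, the client address 198.51.100.23 (a documentation address) and the mailbox directory {"mickeymouse"} are assumptions, not values from the post.

```python
"""In-memory replay of the telnet SMTP session and the relay / recipient checks.

Added example, not code from the original post. The server takes the
envelope sender on trust (so "mail from" can be spoofed), records the
connecting IP in a Received: header, refuses to relay for foreign domains
unless configured as an open relay, and optionally validates local
recipients against a directory. Host names, the 198.51.100.23 client
address and the mailbox list are constructed placeholders.
"""
import re
from datetime import datetime, timezone


class MiniSMTPServer:
    """Just enough of the SMTP command set for one client session at a time."""

    def __init__(self, hostname, local_domain, directory=None, open_relay=False):
        self.hostname = hostname
        self.local_domain = local_domain.lower()
        self.directory = directory      # set of valid local mailboxes, or None = accept any
        self.open_relay = open_relay    # True reproduces the misconfiguration discussed above
        self.log = []                   # what the server operator sees afterwards
        self.delivered = []             # (envelope sender, recipients, message text)
        self.client_ip = None
        self._reset()

    def _reset(self):
        self.helo, self.sender, self.rcpts = None, None, []
        self.in_data, self.data_lines = False, []

    def connect(self, client_ip):
        self.client_ip = client_ip
        self._reset()
        self.log.append(f"connect from {client_ip}")
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            if not arg:
                return "501 Syntax: HELO hostname"
            self.helo = arg
            self.log.append(f"{verb} {arg} from {self.client_ip}")
            return f"250 {self.hostname} Hello {arg} [{self.client_ip}]"
        if verb == "MAIL":
            m = re.fullmatch(r"FROM:\s*<([^>]*)>", arg, re.I)  # strict: brackets required
            if not m:
                return "501 Syntax: MAIL FROM:<address>"
            self.sender = m.group(1)    # taken on trust: nothing verifies it
            return "250 OK"
        if verb == "RCPT":
            m = re.fullmatch(r"TO:\s*<([^>@]+@[^>]+)>", arg, re.I)
            if not m:
                return "501 Syntax: RCPT TO:<address>"
            if self.sender is None:
                return "503 Need MAIL command first"
            return self._check_recipient(m.group(1))
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 Command not recognized"

    def _check_recipient(self, addr):
        local, domain = addr.rsplit("@", 1)
        if domain.lower() != self.local_domain:
            if not self.open_relay:     # relay policy: only our own domain
                self.log.append(f"relay attempt to {addr} from {self.client_ip}")
                return f"554 5.7.1 <{addr}>: Relay access denied"
        elif self.directory is not None and local.lower() not in self.directory:
            return f"550 5.1.1 <{addr}>: User unknown"    # directory validation
        self.rcpts.append(addr)
        return "250 OK"

    def _data_line(self, line):
        if line != ".":
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None                 # no reply until the terminating dot
        stamp = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S +0000")
        received = f"Received: from {self.helo} ({self.client_ip}) by {self.hostname}; {stamp}"
        self.delivered.append((self.sender, list(self.rcpts), received + "\n" + "\n".join(self.data_lines)))
        self._reset()
        return "250 OK: queued"


def run_session(server, client_ip, commands):
    """Feed telnet-style lines to the server and return [(sent, reply)] for inspection."""
    transcript = [("", server.connect(client_ip))]
    for line in commands:
        reply = server.handle(line)
        if reply is not None:
            transcript.append((line, reply))
    return transcript


def send_spoofed(server, client_ip="198.51.100.23"):
    """The session from the post: forged envelope sender, real recipient."""
    commands = ["helo attacker.example", "mail from:<hacker@hacker.org>",
                "rcpt to:<mickeymouse@disney.com>", "data",
                "From: hacker@hacker.org", "To: mickeymouse@disney.com",
                "Subject: hello", "", "This sender address is forged.", ".", "quit"]
    return run_session(server, client_ip, commands)


def probe_recipient(server, addr, client_ip="198.51.100.23"):
    """Reply to RCPT TO for addr: the open-relay test when addr is in a foreign domain."""
    commands = ["helo attacker.example", "mail from:<hacker@hacker.org>", f"rcpt to:<{addr}>", "quit"]
    return run_session(server, client_ip, commands)[3][1]


if __name__ == "__main__":
    mx = MiniSMTPServer("mx1.disney.com", "disney.com", directory={"mickeymouse"})
    for sent, reply in send_spoofed(mx):
        if sent:
            print("C:", sent)
        print("S:", reply)
    print(mx.delivered[0][2].splitlines()[0])           # Received: line with the real IP
    print(probe_recipient(mx, "openrelay@hacker.org"))  # 554: relay denied
    print(probe_recipient(mx, "goofy@disney.com"))      # 550: not in the directory
```

Run it and compare the spoofed envelope sender that was accepted with the Received: line the server stamped on the message: the forged address survives, but so does the connecting IP. Constructing the server with open_relay=True makes the foreign-domain probe return 250 OK, which is exactly what the open-relay test in this section looks for.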

2 comments:

Anonymous said...

Why doesn't this work with Google mail? When I connect to aspmx2.l.googlemail.com, after establishing communication using "helo", it gives me a syntax error when I try setting it to mail from:hacker@hacker.org

Anonymous said...

Googlemail (gmail) SMTP gateway is "gmail-smtp-in.l.google.com".

I do not seem to find "aspmx2.l.googlemail.com". Maybe an invalid address. Try nslookup on the MX record of gmail.com to check the SMTP gateway.

If you have more questions, you can email me at: hack[dot]werew01f[at]gmail[dot]com