Request for help with mail spoofing
Nadav Har'El
nyh at math.technion.ac.il
Wed Feb 17 14:50:08 IST 2010
On Wed, Feb 17, 2010, Geoff Shang wrote about "Request for help with mail spoofing":
> Given that I have this script which I am willing to send on, my questions
> are:
> 1. What exactly is being done?
You didn't attach the script, but basically "forging" mail on the Internet
is trivial.
The key point to understand is that SMTP, the "simple mail transfer protocol",
has absolutely no authentication mechanism for the "From" address. If I send
mail from nyh at math.technion.ac.il, my host simply writes the line
MAIL FROM: <nyh at math.technion.ac.il>
as part of the SMTP session with the receiving mail server. It could have
just as easily written president at whitehouse.gov.
Traditionally, on Unix hosts, the mail program such as sendmail automatically
fills this address, and only root can override it (sendmail -f...). But this
is completely irrelevant protection, because somebody can use any other
software, or even manually make a direct SMTP connection ("telnet host 25"),
to send mail pretending to be "from" anyone. When I was a Technion
freshman, circa 18 years ago, I used to amuse my fellow students by sending
them mail from president at whitehouse.gov :-)
Anyway, even though the "From" envelope and "From:" header can be easily
forged this way, something you can't avoid is the "Received:" trail - the
mail will contain a list of IP addresses which relayed this message, including
your host - the host that initiated that SMTP session and pretended to
be president at whitehouse.gov. As you saw, getting around this "annoyance" is
easy - all you need to do is find a host that will agree to take any crap
that you send it and spew it out to your choice of address. SOCKS proxies,
Tor, and so on, let you do exactly that - you can initiate a connection to
some mail server port 25, but the server will get the connection through
some intermediate server(s) which will hide who you are.
Trying to track down the origin of such connections is quite hopeless unless
this guy makes a big mistake. But filtering them is somewhat easier.
Perhaps the most reliable thing you can do is to blacklist email arriving
through any known socks proxies or similar open machines. Numerous blacklists
exist to this effect (e.g., http://www.us.sorbs.net/) and scripts to process
each mail and filter out the suspicious ones.
Nadav.
--
Nadav Har'El | Wednesday, Feb 17 2010, 3 Adar 5770
nyh at math.technion.ac.il |-----------------------------------------
Phone +972-523-790466, ICQ 13349191 |Lottery: A tax on people who are bad at
http://nadav.harel.org.il |math.
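The post's two defensive points, reading the "Received:" trail back to the host that opened the SMTP session and checking that host against a blacklist, can be turned into a small filter. The following is an added example, not code from the post or the Linux-il list: the sample message, the blocklist set and the DNSBL zone name `dnsbl.example.invalid` are all constructed placeholders, and the reversed-octet query name is built the way DNS-based blacklists expect it but no network lookup is performed.

```python
import email
import re
from email import policy
from ipaddress import ip_address

# Constructed sample message. The lowest Received: line was added by the
# first relay, so its "from" address is the host that started the session.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.example.net with ESMTP id abc123; Wed, 17 Feb 2010 14:40:01 +0200
Received: from relay.example.org (unknown [198.51.100.77])
    by mx.example.org with SMTP; Wed, 17 Feb 2010 14:39:58 +0200
From: president@whitehouse.gov
To: someone@example.net
Subject: hello

body
"""

# Constructed blocklist standing in for a published DNSBL's entries.
CONSTRUCTED_BLOCKLIST = {"198.51.100.77"}

# Placeholder zone; a real deployment would use the blacklist operator's zone.
DNSBL_ZONE = "dnsbl.example.invalid"

# First bracketed IPv4 literal, as in "Received: from host (name [1.2.3.4])".
_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_message: str) -> list:
    """Relay IPs taken from the Received: headers, newest relay first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    chain = []
    for header in msg.get_all("Received", []):
        match = _IP_IN_BRACKETS.search(str(header))
        if not match:
            continue
        try:
            chain.append(str(ip_address(match.group(1))))
        except ValueError:
            # Bracketed text that is not a valid address; ignore it.
            continue
    return chain


def originating_ip(raw_message: str):
    """IP from the oldest Received: header, i.e. the session's originator."""
    chain = received_chain(raw_message)
    return chain[-1] if chain else None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone, the form DNSBL lookups use."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_suspicious(raw_message: str, blocklist: set) -> bool:
    """True if any relay in the Received: trail appears in the blocklist."""
    return any(ip in blocklist for ip in received_chain(raw_message))


if __name__ == "__main__":
    origin = originating_ip(SAMPLE_MESSAGE)
    print("relay chain:", received_chain(SAMPLE_MESSAGE))
    print("originating host:", origin)
    print("would query:", dnsbl_query_name(origin, DNSBL_ZONE))
    print("suspicious:", is_suspicious(SAMPLE_MESSAGE, CONSTRUCTED_BLOCKLIST))
```

One caveat when using this on real mail: only the Received: lines added by relays you trust are reliable, since a sender can prepend fabricated ones before handing the message off, so a filter should walk the chain from the top (your own server) downward and stop at the first relay it does not trust.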