Request for help with mail spoofing
Geoff Shang
geoff at QuiteLikely.com
Wed Feb 17 15:32:22 IST 2010
On Wed, 17 Feb 2010, Nadav Har'El wrote:
> You didn't attach the script,
No, because I was concerned that perhaps this might not be wanted here,
since it seems to instruct how to send spam. But since there have been
two requests to send it, here it is:
#!/bin/bash
#spam script mark III
#needed tools: tor, tsocks, screen, and a good socks proxy
#fill the file addresses with lines of the form full name <email at domain>
#make sure tsocks is configured for tor.
#Run this script with screen active. Screen's paste buffer will be filled with the mail.
#example: ./spam.sh gw-info at gwmicro.com "When will WE 8.0 be released" <body.txt
#where body.txt contains the message content. if a file sigs/from_email
#exists it will be appended to the end.
#then run something like
#tsocks socat -d -d readline,history=/dev/null socks4:${s}:mail.gwmicro.com:25,crnl,socksuser=test
#replace ${s} with your proxy's ip, or just set s=ip in your shell.
#When the welcome banner appears (it starts with 220), press control-a ] to
#paste and watch the mail send.
#a good knowledge of the smtp protocol is helpful, because some servers won't
#let you spam multiple commands and you'll have to split into two parts (helo/mail/rcpt and data/spam).
if [ -z "$2" ];then
echo usage: $0 to-addr subject >&2
exit 1
fi
rcpt="$1"
subj="$2"
#we need this as a function for output redirection below
generate() {
#addresses should contain lines in the form Aaron Smith <aaron at gwmicro.com>
from=$(shuf -n 1 addresses)
email=$(perl -ne'print $1 if /<(.*?)>/' <<<"$from")
cat << eof
mail from: <$email>
rcpt to: <$rcpt>
data
From: $from
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
To: $rcpt
Message-ID: <$(date +%Y%m%d%H%M%S).x at y>
Date: $(date -R)
Subject: $subj
eof
cat - #read stdin
#for Raul, Aaron, etc who have a sig
[ -f "sigs/$email" ] && cat "sigs/$email"
echo .
}
generate >/tmp/screen-exchange
screen -r -X readbuf
> but basically "forging" mail on the Internet is trivial.
I know this. This is not what I was asking. I want to know how this
person is sending mail through the affected host.
> Anyway, even though the "From" envelope and "From:" header can be easily
> forged this way, something you can't avoid is the "Received:" trail - the
> mail will contain a list of IP addresses which relayed this message, including
> your host - the host that initiated that SMTP session and pretended to
> be president at whitehouse.gov.
Yes. I used this to identify the compromised hosts. But this only shows
where the SMTP session started, and blocking these will surely be a
cat-and-mouse game. I want to get this guy.
> Trying to track down the origin of such connections is quite hopeless unless
> this guy makes a big mistake. But filtering them is somewhat easier.
> Perhaps the most reliable thing you can do is to blacklist email arriving
> through any known socks proxies or similar open machines. Numerous blacklists
> exist to this effect (e.g., http://www.us.sorbs.net/) and scripts to process
> each mail and filter out the suspicious ones.
I'll look at this, though as I said before, I'm not so concerned about
blocking it, as some of the lists are on Yahoogroups and trying to report
spam there is like pulling teeth. I want to find out how he's doing it so
that hosts can be guarded against it, and I want to try to track this
idiot down.
Geoff.
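A defender-side helper illustrating Nadav's two points, the Received: trail and a blacklist lookup, as an added example that is not code from this thread. It assumes the constructed sample message below, that you know which MTA host names are your own, and a placeholder DNSBL zone to be replaced with the zone of whichever list you query:

```python
import re
from email import message_from_string

# Constructed sample (not from the original thread): two hops, newest header first.
# The bottom Received: line is what the first MTA wrote when the proxy / compromised
# host connected to it; anything below that could have been supplied by the sender.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby lists.example.net (Postfix) with ESMTP id ABC123
\tfor <list@example.net>; Wed, 17 Feb 2010 15:00:00 +0200
Received: from compromised.example.com (unknown [198.51.100.23])
\tby mx.example.org (Postfix) with ESMTP id DEF456;
\tWed, 17 Feb 2010 14:59:58 +0200
From: Aaron Smith <aaron@example.com>
To: list@example.net
Subject: test

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # address the receiving MTA recorded
BY_RE = re.compile(r"\bby\s+([\w.-]+)")                 # the MTA that wrote this header

def received_hops(raw):
    """Received: headers newest-first, with folding whitespace collapsed."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]

def hop_fields(hop):
    """(connecting IP, receiving MTA) for one Received: header; None if absent."""
    ip = IP_RE.search(hop)
    by = BY_RE.search(hop)
    return (ip.group(1) if ip else None, by.group(1) if by else None)

def connecting_ip(raw, trusted_mtas):
    """IP of the host that opened the SMTP session to the outermost trusted MTA.

    Walk newest-first and keep going only while the header was written by one of
    our own MTAs; the 'from' address of the last such header is what our server saw
    on the wire. Headers below it were handed to us by the sender and are not trusted."""
    last = None
    for hop in received_hops(raw):
        ip, by = hop_fields(hop)
        if by not in trusted_mtas:
            break
        last = ip
    return last

def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the list zone, e.g. 23.100.51.198.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

Resolving the name returned by dnsbl_query_name (an A record answer means listed) is the check the filtering scripts Nadav mentions perform per message.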
More information about the Linux-il mailing list