Security Basics mailing list archives

Re: what's this (email question)


From: James Fryman <jfryman.lists () gmail com>
Date: Tue, 03 May 2005 11:11:09 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm pretty sure that by the time that this makes the list, it will be
answered, but my .02 anyway!

It is very easy to forge an address! Check out RFC 821.
http://www.faqs.org/rfcs/rfc821.html

The localhost could be spoofed simply by sending the
'HELO localhost'
before the e-mail. This is why the header showed 'Received: from
localhost'. One could make this header say anything, something stupid
like 'YourMamma.pwn3d', to 'mail1.microsoft.com' or 'smtp.paypal.com'...
designed specifically for phishing attacks.

The only SMTP commands that need to be defined are: (Straight from RFC)

MAIL <SP> FROM:<reverse-path> <CRLF>
RCPT <SP> TO:<forward-path> <CRLF>

After that, telling the SMTP server to begin receiving data for the
actual message, where any of the headers can be changed, including:

From:, To:, Subject:, Reply-To:, etc... the list goes on.

E-Mail is not the most secure medium around. A good place to learn more
about this would be by reading the RFC, as well as delving into some
scripting. I learned quite a bit about SMTP after doing some Perl
scripting using Net::SMTP. There are plenty of books and whitepapers out
there describing how SMTP works, and how open it really is.

Hope that helps!
-James

--
--------------------------------------------
James D. Fryman
A+, Security+, MCSA, MCSE
E-Mail:  jfryman.lists () gmail com
GnuPG:   0x4222017D


Glenn English wrote:
| Email with headers similar to this has begun showing up in my spam box.
| The last (and only) Received: says it came from localhost.
|
| Am I owned? :-)
|
| I didn't think it was possible to forge the last Received:. I've been
| getting bounces for mail never sent from here, but I just assumed it was
| a spammer forging my domain name. Maybe not?? I notice Spamassassin says
| the HELO was forged -- I don't understand how this could happen.
|
| (server.slsware.com is my SMTP server. indra.net is a local ISP, with
| whom I have an account; I have a .forward to myself at slsware in my
| directory at indra.)
|
| --------------------------------------------------------------
| From faygaspar () flowcadillac com  Fri Feb 11 16:54:29 2005
| Received: from localhost by server.slsware.com
|         with SpamAssassin (2.64 2004-01-11);
|         Fri, 11 Feb 2005 16:54:31 -0700
| From: "Alfonso Sprague" <faygaspar () flowcadillac com>
| To: barrett () indra net
| Subject: ***SPAM*** Mortgage New Update
| Date: Sat, 12 Feb 2005 01:50:08 -0300
| Message-Id: <2QBVlvR91d () knowhow com>
| X-Spam-Flag: YES
| X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on
| server.slsware.com
| X-Spam-Pyzor:
| X-Spam-Status: Yes, hits=5.5 required=5.0
| tests=FORGED_RCVD_NET_HELO,NO_COST,
|         RATWARE_EMWAC autolearn=no version=2.64
| X-Spam-Level: *****
| MIME-Version: 1.0
| Content-Type: multipart/mixed; boundary="----------=_420D45B7.2C897397"
| X-Bogosity: Yes, tests=bogofilter, spamicity=0.999777, version=0.13.7.2,
| algorithm=fisher
| Status: RO
| X-Status:
| X-Keywords:
| X-UID: 37323
| --------------------------------------------------------------
|
| My MTA's Received: usually looks something like this:
|
| --------------------------------------------------------------
| Received: from sccrmhc11.comcast.net (sccrmhc11.comcast.net
|         [204.127.202.55]) by mail.slsware.com (Postfix) with ESMTP
|         id 81D13FB9D for <ghe () slsware com>; Fri, 29 Apr 2005
|         16:23:17 -0600 (MDT)
| --------------------------------------------------------------
|
| mail and server.slsware.com are the same machine and IP. Postfix calls
| it mail, and reverse DNS *on that machine* calls it server. Reverse DNS
| from the Internet calls it something having to do with an unused block
| (long story).
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCd5SNuaTBqkIiEH0RAgVFAKCe6DCMPqG88VW5Bz7POoQ0SWoFfQCfaWGb
R2yQPulfpJXaAyzMbovecOY=
=zjtJ
-----END PGP SIGNATURE-----
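The practical consequence of the reply above is that only the Received: line stamped by your own MTA is worth anything: it records the IP the connection actually came from and the reverse DNS of that IP next to whatever name the client claimed in HELO, which is the comparison behind SpamAssassin's FORGED_RCVD_NET_HELO test. The script below, added here as an example and not code from either poster or from SpamAssassin, parses a header block, finds that trusted hop and reports inconsistencies. It assumes the two host names from the thread (server.slsware.com and mail.slsware.com) as "our" MTAs; the first two header samples are constructed from the blocks quoted in the thread, and the third is an invented sample (192.0.2.10 is a documentation address, the queue id is a placeholder) whose HELO names a host the connection did not come from.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hosts we operate (from the thread: Postfix calls the box "mail", reverse DNS
# on the box calls it "server"). Only a Received: line stamped *by* one of these
# is trustworthy; everything the sender handed over in DATA is free text.
OUR_MTAS = {"server.slsware.com", "mail.slsware.com"}

# "Received: from <helo> (<rdns> [<ip>]) by <host> ..." as Postfix writes it.
# <helo> is whatever the client said in HELO/EHLO; <rdns> and <ip> are what the
# receiving server itself observed on the TCP connection.
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[)]+)?\s*(?:\[(?P<ip>[^\]]+)\])?\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


@dataclass
class Hop:
    helo: str            # name claimed by the sending client
    rdns: Optional[str]  # reverse DNS of the connecting address, if recorded
    ip: Optional[str]    # connecting address, if recorded
    by: str              # host that wrote the line


def unfold(headers: str) -> list[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines: list[str] = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_received(headers: str) -> list[Hop]:
    """Received: lines in header order; the topmost is the most recent hop."""
    hops = []
    for line in unfold(headers):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append(Hop(m["helo"], m["rdns"], m["ip"], m["by"]))
    return hops


def trusted_hop(hops: list[Hop]) -> Optional[Hop]:
    """Most recent hop stamped by our own MTA that records the connecting IP."""
    for hop in hops:
        if hop.by.lower() in OUR_MTAS and hop.ip:
            return hop
    return None


def analyze(headers: str) -> list[str]:
    """Findings about the HELO/reverse-DNS consistency of the trusted hop."""
    hop = trusted_hop(parse_received(headers))
    if hop is None:
        return ["no Received: line stamped by our MTA records a connecting IP; "
                "the message origin cannot be established from these headers"]
    findings = []
    helo = hop.helo.lower()
    if helo == "localhost" or "." not in helo:
        findings.append(f"HELO {hop.helo!r} is not a fully qualified host name")
    if hop.rdns and hop.rdns.lower() != helo:
        findings.append(f"HELO {hop.helo!r} does not match reverse DNS {hop.rdns!r}")
    return findings


# Constructed samples: the first two follow the header blocks quoted in the
# thread, the third is invented (192.0.2.10 is a documentation address and the
# queue id is a placeholder).
SPAM_HEADERS = """\
Received: from localhost by server.slsware.com
        with SpamAssassin (2.64 2004-01-11);
        Fri, 11 Feb 2005 16:54:31 -0700
From: "Alfonso Sprague" <faygaspar@flowcadillac.com>
Subject: ***SPAM*** Mortgage New Update
"""

NORMAL_HEADERS = """\
Received: from sccrmhc11.comcast.net (sccrmhc11.comcast.net
        [204.127.202.55]) by mail.slsware.com (Postfix) with ESMTP
        id 81D13FB9D for <ghe@slsware.com>; Fri, 29 Apr 2005
        16:23:17 -0600 (MDT)
Subject: a normal delivery
"""

FORGED_HELO_HEADERS = """\
Received: from mail1.microsoft.com (unknown [192.0.2.10])
        by mail.slsware.com (Postfix) with ESMTP id XXXXXXXXXX
        for <ghe@slsware.com>; Sat, 30 Apr 2005 09:00:00 -0600 (MDT)
Subject: constructed sample with a forged HELO
"""

if __name__ == "__main__":
    for name, hdrs in [("spam", SPAM_HEADERS), ("normal", NORMAL_HEADERS),
                       ("forged helo", FORGED_HELO_HEADERS)]:
        print(name, "->", analyze(hdrs) or ["no findings"])
```

Run against the spam block from the thread it reports that no line stamped by our MTA records a connecting address, which is the honest answer to "Am I owned?": the SpamAssassin line is a local pass, and without the Postfix line underneath it nothing in those headers says where the message came from. The comcast sample yields no findings because HELO and reverse DNS agree, while the invented sample is flagged because the name given in HELO is not what the connection resolved to.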

