Security Basics mailing list archives

Re: Spam question


From: chort <chort () amaunetsgothique com>
Date: 02 Sep 2003 09:26:18 -0700

On Mon, 2003-09-01 at 04:12, Tomas Wolf wrote:
Hello,

I'm reading some sources of spam I've got and I have a question that 
has crossed my mind... Is it possible to malform an e-mail's header?

What I have in mind is that some of the headers come with a different 
header composition in which up to two *Received:* records are from a 
registered range... And also some of these e-mails have *Return-Path:* 
inserted at the bottom of the header, following *Received: from 
bla.bla.com [xxx.xxx.xxx.xxx] by bla.bla.com (MAILSERVER NAME vX) with 
PROTOCOL, DATE*... While the original *Return-Path:* with an e-mail 
address, as it's supposed to be, is one of the top ones...

I have a theory about this... Could there be a program that connects 
directly to the end-user's SMTP server by telnet and sends to 
localhost? I know that would be a lot of traffic and time spent on this, 
but isn't this another possibility? I remember when I was playing with an 
SMTP server at home, I was capable of sending any kind of e-mail to 
anybody@localhost... So then I tried it on several "real" SMTP 
servers where I knew my friends had an account and it worked as well... 
Which means if I know the user and the end server, I'm able to send 
pretty much anything, and by forming the commands well, it is possible to 
try to malform the header so one of the records might trick somebody 
into believing that it is one of the SMTP relay hops.

Thanks for your input...
Tomas

So what you want to do is obfuscate the Received: headers so it appears
that the e-mail is coming from 127.0.0.1?  This will be added to the
header, but when the SMTP host sends it out to the Internet, the next
host will stamp it with the _external_ IP of the SMTP host it was sent
from, so it will be obvious where the message actually came from.  All
you end up doing is adding an extra unnecessary Received: header.

-- 
Brian Keefer
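
The point Brian makes, that only the Received: lines stamped by servers you control are worth anything and that the first one of those records the sender's real external address, is what a receiving site should encode when it traces a message. Below is an added example (not code from the list or either poster) that parses a constructed message carrying a forged "from localhost [127.0.0.1]" line, walks the chain top-down, and stops trusting headers at the first hop recorded by our own MX; the server names, IPs and the sample message are assumptions for the demonstration.

```python
import re
from email import message_from_string

# Constructed sample (not from the list post): the sender prepended a fake
# "Received: from localhost [127.0.0.1] by mail.example.org" line before
# handing the message to a real relay; the upper two lines were written by
# our own MX and mail hub and record the sender's real external address.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [198.51.100.10])
\tby mail.example.org (Postfix) with ESMTP id ABC123; Mon, 1 Sep 2003 04:10:00 -0700
Received: from dialup-77.isp.example.net (dialup-77.isp.example.net [203.0.113.77])
\tby mx1.example.org (Postfix) with SMTP id DEF456; Mon, 1 Sep 2003 04:09:58 -0700
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.org (MAILSERVER NAME vX) with SMTP; Mon, 1 Sep 2003 04:09:00 -0700
Return-Path: <spammer@example.invalid>

"""

# Assumed: names of the servers we operate, and the IPs they use to talk
# to each other. Only Received: lines stamped by these hosts are trusted.
TRUSTED_HOSTS = {"mail.example.org", "mx1.example.org"}
TRUSTED_IPS = {"198.51.100.10"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(msg_text):
    """Return the Received: chain top-down (most recent hop first)."""
    hops = []
    for raw in message_from_string(msg_text).get_all("Received", []):
        value = " ".join(raw.split())          # unfold continuation lines
        m = RECEIVED_RE.search(value)
        ip = IP_RE.search(m.group("paren") or "") if m else None
        hops.append({"helo": m.group("helo") if m else None,
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by") if m else None})
    return hops

def find_origin(hops, trusted_hosts, trusted_ips):
    """Walk down the chain while the stamping ('by') host is ours. The first
    'from' IP that is not one of ours is the real origin; every Received:
    below it was supplied by the sender and is returned as untrusted."""
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_hosts:
            return None, hops[i:]              # chain never reached our servers
        if hop["ip"] not in trusted_ips:
            return hop["ip"], hops[i + 1:]
    return None, []
```

Note that the forged bottom line even claims to have been stamped "by mail.example.org"; it is discarded anyway because the walk already ended at the hop where our MX recorded 203.0.113.77.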

