Security Basics mailing list archives

Re: Re: Sender Spoofing via SMTP


From: Barrie Dempster <barrie () reboot-robot net>
Date: Tue, 08 Nov 2005 08:08:59 +0000

On Mon, 2005-11-07 at 14:59 +0000, brandon.steili () gmail com wrote:
> Unfortunately this has already been done. Windows Server 2003 in its
> default configuration ships with the Telnet Service disabled. Unless
> I'm missing something (like another service? - or executable) it is
> shut off despite the fact that it still works.

telnet mail.example.com 25

This has absolutely nothing to do with the Telnet service! The telnet
*client* is being used to access the *SMTP service*; that's why we have a
port 25 there. The telnet service runs on port 23 by default. You could
shut down Telnet, uninstall it, firewall the port, but it doesn't affect
SMTP. If the SMTP port is open then any client can connect.

There is a common misunderstanding, which you seem to have, that the
Telnet client and Telnet service have some sort of magical binding (pun
intended). Telnet is not much more than a program for opening a
connection to a port; the protocol used after that is irrelevant. Since
many protocols such as FTP/HTTP/SMTP/POP3 etc. can be typed by hand,
you can use any of these from the Telnet client.

The best way to demonstrate this is to install netcat and run that
against port 25. There is not even a netcat service on your system, so
how does this work? Again, a general-purpose client directed at an open
port. You could get your FTP client to connect to port 25 if you wanted to;
the only problem is it probably can't speak SMTP. This is why with
Telnet you, the *user*, speak the SMTP, not the client. Typing EHLO, RCPT
etc. is you talking to the SMTP server using the SMTP protocol.

The spoofing can be done with any mail client; just configure the
addresses in Outlook Express and it'll work. It's just common to use
Telnet to diagnose/demonstrate issues as it shows you all of the
protocol without having to set up a sniffer. It's a simple tool for a
simple job.

Some servers close connections if the protocol isn't followed fast
enough. This isn't usually an attempt to prevent clients other than mail
clients from connecting; it's actually more useful as a performance-enhancing
technique, i.e. hung clients are quickly dropped.

It's also worth noting that spammers don't often use Telnet, Outlook
Express or any other general-purpose mail client. They use a spamming
script/program of some kind, usually.

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3
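An added example (not Barrie's, and not code from this thread) of the point he makes: a plain socket client that does exactly what a person types in `telnet host 25`, talking to a constructed stand-in listener on localhost so the exchange runs offline. No Telnet service is involved anywhere; the hostnames and the `250 SIZE` line are made up.

```python
import socket, threading

BANNER = b"220 mail.example.test ESMTP (constructed stand-in, not a real MTA)\r\n"

def stand_in_smtp_server(sock):
    """Constructed stand-in listener: greets, answers EHLO/QUIT, serves one client."""
    conn, _ = sock.accept()
    with conn:
        conn.sendall(BANNER)
        while True:
            line = conn.recv(1024)
            if not line:
                return
            verb = line.split()[0].upper() if line.split() else b""
            if verb == b"EHLO":
                conn.sendall(b"250-mail.example.test\r\n250 SIZE 10240000\r\n")
            elif verb == b"QUIT":
                conn.sendall(b"221 Bye\r\n")
                return
            else:
                conn.sendall(b"500 Command not recognised\r\n")

def hand_driven_smtp(host, port):
    """What a person does in 'telnet host 25': read the banner, type EHLO,
    read the (multi-line) reply, type QUIT. Returns the reply codes seen."""
    codes = []
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rwb")
        codes.append(f.readline().decode()[:3])        # 220 greeting
        f.write(b"EHLO client.example.test\r\n"); f.flush()
        while True:                                    # "250-" continues, "250 " ends
            line = f.readline().decode()
            if not line or line[3:4] == " ":
                codes.append(line[:3])
                break
        f.write(b"QUIT\r\n"); f.flush()
        codes.append(f.readline().decode()[:3])        # 221
    return codes

def demo():
    """Start the stand-in on an ephemeral localhost port and talk SMTP to it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0)); srv.listen(1)
    port = srv.getsockname()[1]
    t = threading.Thread(target=stand_in_smtp_server, args=(srv,), daemon=True)
    t.start()
    try:
        return hand_driven_smtp("127.0.0.1", port)   # ['220', '250', '221']
    finally:
        t.join(timeout=5); srv.close()
```

Point `hand_driven_smtp` at any host with port 25 open and you get the same banner/EHLO/QUIT dialogue a telnet session shows, which is why the Telnet service being disabled changes nothing.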
