Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "E-mail Spoofing"

From NetSec
Jump to: navigation, search
m
(No difference)

Revision as of 10:43, 16 December 2010

Spoofing is the closest thing that the internet has to theft of electronic identity. Because of the way that TCP/IP works, packets can easily be forged containing false sender addresses. It’s about the same as writing a fake return address on a letter to someone. Of course, like sending a letter with a fake return address, there is a hitch. If one was to order something using an order form and put down a fake return address, how would the delivery ever arrive? In order for packet spoofing to be fully effective, an attacker must be able to somehow sniff, or intercept the data being sent back to the fake IP address, in order to fully leverage the capabilities of lying about his online identity.

Email spoofing is a way to forge an email from one person to another. This can be done several different ways, through PHP, ASP, and other web languages, and also can be done through an open relay. An open relay refers to an SMTP (Simple Mail Transfer Protocol) server (see "Protocols") that isn’t properly configured and allows for an attacker or user to send email from anywhere to anywhere. To forge an email using an open relay, an attacker would have to use the telnet command (see MS-DOS) to open a connection to the open relay on port 25. The attacker wants to send an email from [email protected] to [email protected] so he clicks start, then goes to the run dialogue, and types cmd.exe, pressing enter before typing the following:


 telnet openrelay.net 25
 HELO joe.i.am
 MAIL FROM : [email protected]
 RCPT TO : [email protected]
 data
 Subject : Off Work
 I’ll be off work from Tuesday until Friday but I’ve assigned John Doe to take my place while I’m out of the office.
 Thanks,
 Joe
 .

Commands in more detail can be found in the RFC referenced in protocols, but this is a line-by-line explanation:

Opens a connection to openrelay.net on TCP port 25

 telnet openrelay.net 25

The attacker identifies his machine as joe.i.am using the HELO command, which precedes all SMTP communications

 HELO joe.i.am

Sets the email address in the “From:” field of an email to [email protected]

 MAIL FROM : [email protected]

Sets the recipient to [email protected]

 RCPT TO : [email protected]

This tells the SMTP server that the attacker is ready to enter the subject and body of his or her spoofed email. At the end of the body, the attacker must tell the server that the email is finished by inputting a period by itself on a line.

 data

This tells the SMTP server that the subject of the email is “Off Work”, then the attacker types the body of the email

 Subject : Off Work

Tells the SMTP Server that the end of the email has been reached and it is time to send the email.

 .

As mentioned previously, this technique can also be done with virtually any web language. PHP code is as follows for the same email:

<syntaxhighlight lang="php"> <? $message = "I’ll be off work from Tuesday until Friday but I’ve”; $message .= “ assigned John Doe to take my place while I’m out of”; $message .= “the office.\r\nThanks,\r\nJoe”; $subject = "Off Work"; $toEmail="[email protected]"; $headers = 'From: <[email protected]>'; mail($toEmail, $subject, $message, $headers); ?> </syntaxhighlight>

The above code written to a .php file and accessed over HTTP will send an email. The attacker might save the code in a file called mailspoof.php and upload it to atax.net, then request the URL http://atax.net/mailspoof.php and the email will be sent.

There are a few other problems posed by internet protocol spoofing. Those who can spoof IP addresses and have a 0day exploit may only need to send one packet to take over a machine, and may spoof-exploit their way into a server leaving even the ISP with no real record of who committed the crime. Another problem with spoofing is that during scanning phases an attacker could spoof multiple scans from multiple machines, filling up an IDS’s allowed event space and slipping through the IDS unnoticed. Another flaw is that using spoofing and multi-encapsulated packets an attacker could quite easily jump directly through a firewall by exploiting design flaws in the TCP/IP stack. This would enable an attacker to not only transverse and step through a firewall, but even allow the attacker to use a Cisco PIX device as a proxy (using segmentation/fragmented packets).