
How To Spoof Email

Most people, when looking at who their emails have come from, assume that the name that appears there is in fact the name of the sender. By extension, they also assume that spam mail return addresses actually exist. This tutorial will explain how easy it is to send email with a forged source address to anyone you wish.

Before continuing, there are two definitions which should be explained.

Mail User Agent (MUA): A program which accepts input from an end user, formats that data into a form which mail servers will understand, and sends that data to a mail server.

Mail Transfer Agent (MTA): Any program which will accept mail, either from a Mail User Agent or another Mail Transfer Agent, and forward it one step closer to its destination, either to another MTA or to an MUA for final delivery.

In this tutorial, I am using telnet as my MUA. The first thing you will need is the name of your ISP's mail server, or at least the one you usually use if you are on a large ISP. This can be found by examining the account settings in whatever email program you use. Once you find this, open a telnet session to that mail server on port 25, the standard SMTP port. SMTP, or Simple Mail Transfer Protocol, is the protocol by which mail servers communicate with each other. After opening a connection to the mail server, you will essentially be giving it the same commands that your email program would. If you are using Windows, open a command prompt first, and enter the following command: Code:
telnet <mailserver> 25

You should get a banner telling you that you have indeed connected to the mail server. This banner typically consists of a message type number (usually 220), the name of the mail server, which protocol it is using (this is usually either SMTP or ESMTP; for the purposes of this tutorial we will be using only SMTP), and the software it is using, which usually includes the version number. In my case, I get the following prompt: Code:
Connected to mailserver.
Escape character is '^]'.
220 <mailserver> ESMTP server (InterMail vM.5.01.06.10 201-253-122-130110-20040306) ready Thu, 28 Apr 2005 03:42:03 -0400

At this point you identify to the mail server two things: which protocol (SMTP/ESMTP) you will be using, and your domain name. The protocol is identified with either the HELO command, indicating that you will be using SMTP, or the EHLO command, indicating that you will be using ESMTP. As stated, we will be using SMTP only for this tutorial. At this point you can give a false domain name to the mail server. Beware, however, that many mail servers now verify that the domain you give is in fact a valid domain; you may need to supply an existing domain name. My mail server does not perform this validation. I will use the domain northpole.net. The format of this command is as follows:

[HELO|EHLO] <domain name>

So for example, I identify myself to the mail server as: Code:
HELO northpole.net

You should now see message type 250. Some mail servers will reply with something like "Hello northpole.net". In my case, it simply replies with message type 250 and its name again. Now begins the process of actually writing the mail. To inform the server that you wish to send mail, issue the command

MAIL FROM: "Sender Name" <email address>

including the "<" and ">". I will be spoofing the address "santaclaus@northpole.net". The from field should include both the name of the sender and his/her email address. So the command is: Code:
MAIL FROM: "Santa Claus" <santaclaus@northpole.net>

At this point, the mail server will verify that it is authorized to send from this address for you. If it is, you should see message type 250 again with the message text "Sender <email address> ok". In my case, I see: Code:
250 Sender "Santa Claus" <santaclaus@northpole.net> Ok

The server now requires the address you will be sending this mail to. The destination address should contain only the recipient email address. Multiple destination addresses can be specified at this point, as additional RCPT TO: commands on subsequent lines. The command syntax is:

RCPT TO: <destination address>

So in my case, since I want to send fake email to Bill Gates, I will enter: Code:
RCPT TO: <billgates@microsoft.com>

The mail server now validates that it is permitted to send mail to this address for you. If the recipient is not on its own list of users, this includes a check that it is allowed to relay mail for you. An open mail relay, a common tool of spammers, would at this point not verify that you are a valid sender, instead relaying mail for anyone connecting to it. The message I receive at this point is: Code:
250 Recipient <billgates@microsoft.com> Ok

Since this is my local mail server, it is allowed to relay mail to billgates@microsoft.com for me. Now we begin the actual data that the email will consist of. This will begin with the simple statement DATA. Most mail servers will now inform you that to end the email, you should enter as the last line, a line containing only a period. It should look something like: Code:
354 Ok Send data ending with <CRLF>.<CRLF>

We now enter the email data. However, do not start writing out the text of the email yet. This would be caught by most mail servers as spam, since it does not look like most emails do. You would also have an email with no subject, as the subject heading is sent as part of the message data. At minimum, you should include the sender name and address, the recipient address, as well as a subject line. The sender address in the message data is specified as it was in the MAIL FROM: command, but without the quotes around the sender's name, and with "From: " in front of it. The syntax is as follows:

From: Sender Name <name@domain.name>

So in my case, I enter: Code:
From: Santa Claus <santaclaus@northpole.net>

The destination address is specified in exactly the same manner as it was in the RCPT TO: command, but with "To: " in front of it. The syntax is as follows:

To: <name@domain.name>

So in my case, since I am sending this mail to billgates@microsoft.com, I would enter: Code:
To: billgates@microsoft.com

And I imagine at this point you can guess how the subject line will be specified. The syntax is:

Subject: <enter your subject here>

without the "<" or ">". I will enter: Code:
Subject: Linux is better

This should be enough information to fool most mail servers into thinking that this is a legitimate email. At this point you can begin entering the actual message text. This can obviously be anything you wish. I will enter: Code:
Roses are #FF0000
Violets are #0000FF
All my base
Are belong to you!

To inform the mail server that you are finished entering data, enter as data a single line with only a period. This is what mail servers mean when they send the message "End data with <CRLF>.<CRLF>". You should now see a message, type 250, informing you that the message has been accepted for delivery, and giving you the message ID number for tracking. In my case, I see the following: Code:
250 Message received: 20050428081348.PSBZ1623.<mailserver>@[my ip address]

The message is now ready to be sent, and likely already has. All you must do at this point is enter Code:
QUIT

And the mail server will terminate the connection with you gracefully.

The entire communication, including server responses, looked like this: Code:
striek@localhost:~$ telnet mailserver 25
Trying mailserver...
Connected to mailserver.
Escape character is '^]'.
220 mailserver ESMTP server (InterMail vM.5.01.06.10 201-253-122-130-11020040306) ready Thu, 28 Apr 2005 04:26:56 -0400
HELO
250 mailserver
MAIL FROM: "Santa Claus" <santaclaus@northpole.net>
250 Sender <santaclaus@northpole.net> Ok
RCPT TO: <billgates@microsoft.com>
250 Recipient <billgates@microsoft.com> Ok
DATA
354 Ok Send data ending with <CRLF>.<CRLF>
From: Santa Claus <santaclaus@northpole.net>
To: billgates@microsoft.com
Subject: Linux is better
Roses are #0000FF
Violets are #FF0000
All my base
Are belong to you!
.
250 Message received: 20050428082735.WVIK1597.mailservert@[my IP address]
quit
221 mailserver ESMTP server closing connection
Connection closed by foreign host.

Although this will effectively spoof the email, making it appear that it is from someone it is not, your IP address has still been logged and you are still traceable. Do not assume that this is a form of anonymous email. Your IP address will show up in the message headers when it is received, and this can be cross-referenced with your ISP's DHCP records to determine who sent the email. It will, however, fool Aunt Sally into believing the email really did come from the bank.

More data can be placed at the beginning of the message data, just after the DATA command. Mail User Agents put a variety of information here, such as message ID numbers, date and time stamps, priority, encoding type, which program sent the mail, MIME types, character sets used, etc. Try experimenting to see what works and what doesn't.

I hope this has given a clear example of how easy it is to spoof an email address to appear as if it were from a different sender. The from field is not determined by the mail server. It is given by the user (or the Mail User Agent) connecting to it, and is therefore easily falsified. The email address you see in the from field of spam does not even have to exist to appear there. And if you don't need convincing, maybe dad or Aunt Sally do.

<EDIT> As per SirDice's recommendation, see the following RFCs for more information:

RFC 821 - Simple Mail Transfer Protocol
RFC 2822 - Internet Message Format, which superseded RFC 821 in April 2001. Unfortunately, RFC 2822 does not list commands necessary to SMTP server communication.
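As an added example that is not part of the original tutorial, the following Python script looks at the same message from the recipient's side and checks for the traces described above: the From: line is compared with the envelope sender (Return-Path:), and the HELO name with the reverse DNS and IP that the receiving server recorded in its Received: header. The delivered message, the host names, the 192.0.2.x IPs and the exact Received: wording are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of the tutorial's message as delivered to the recipient's mailbox.
# Host names, the 192.0.2.x documentation IPs and the Received: wording are assumptions.
SAMPLE_MESSAGE = """\
Return-Path: <santaclaus@northpole.net>
Received: from mailserver (mailserver.example-isp.net [192.0.2.25])
        by mx.example.com with ESMTP id 4f2a; Thu, 28 Apr 2005 04:27:10 -0400
Received: from northpole.net (dhcp-10.example-isp.net [192.0.2.10])
        by mailserver (InterMail vM.5.01.06.10) with SMTP id WVIK1597; Thu, 28 Apr 2005 04:26:56 -0400
From: Santa Claus <santaclaus@northpole.net>
To: billgates@microsoft.com
Subject: Linux is better

Roses are #FF0000
"""
# "from <HELO name> (<reverse DNS> [<ip>])" as a receiving server records each hop.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)")

def domain_of(header):
    # Domain part of the address in a From:/Return-Path: header ('' if absent).
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def related(host, domain):
    # True when host is the domain itself or lies under it.
    return bool(domain) and (host == domain or host.endswith("." + domain))

def analyse(raw):
    # Compare what the sender typed (From:, HELO) with what the servers recorded.
    msg = message_from_string(raw)
    report = {"from_domain": domain_of(msg["From"]),
              "return_path_domain": domain_of(msg["Return-Path"]),
              "origin_ip": None, "findings": []}
    # Each hop prepends its Received:, so the last one is the sender's own connection and logged IP.
    hops = msg.get_all("Received", [])
    hop = HOP_RE.search(hops[-1]) if hops else None
    if hop is None:
        report["findings"].append("no parseable Received: header; origin unknown")
        return report
    helo, rdns, ip = [(hop.group(g) or "").lower() for g in ("helo", "rdns", "ip")]
    report["origin_ip"] = ip
    if report["from_domain"] != report["return_path_domain"]:
        report["findings"].append("From: domain differs from envelope sender (Return-Path:)")
    if not related(rdns, helo):
        report["findings"].append(f"HELO name {helo!r} not backed by reverse DNS {rdns!r} of {ip}")
    if not related(rdns, report["from_domain"]):
        report["findings"].append(f"From: domain {report['from_domain']!r} unrelated to sending host {rdns!r}")
    return report
```

Run `analyse(SAMPLE_MESSAGE)` to see the two findings for the sample: the HELO name northpole.net is not backed by the connecting host's reverse DNS, and the From: domain is unrelated to the host that actually submitted the mail, while the origin IP the tutorial warns about is recovered from the first hop.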
