On Wed, Feb 17, 2010, Geoff Shang wrote about "Request for help with mail spoofing":
> Given that I have this script which I am willing to send on, my questions
> are:
> 1. What exactly is being done?
You didn't attach the script, but basically "forging" mail on the Internet is trivial. The key point to understand is that SMTP, the "simple mail transfer protocol", has absolutely no authentication mechanism for the "From" address. If I send mail from n...@math.technion.ac.il, my host simply writes the line

  MAIL FROM: <n...@math.technion.ac.il>

as part of the SMTP session with the receiving mail server. It could just as easily have written presid...@whitehouse.gov. Traditionally, on Unix hosts, the mail program such as sendmail automatically fills in this address, and only root can override it (sendmail -f...). But this is completely irrelevant as protection, because somebody can use any other software, or even manually do a direct SMTP connection ("telnet host 25"), to send mail pretending to be "from" anyone. When I was a Technion freshman, circa 18 years ago, I used to amuse my fellow students by sending them mail from presid...@whitehouse.gov :-)

Anyway, even though the envelope "From" and the "From:" header can be easily forged this way, something you can't avoid is the "Received:" trail - the mail will contain a list of IP addresses which relayed this message, including your host - the host that initiated that SMTP session and pretended to be presid...@whitehouse.gov. As you saw, getting around this "annoyance" is easy - all you need to do is find a host that will agree to take any crap that you send it and spew it out to your choice of address. SOCKS proxies, Tor, and so on, let you do exactly that - you can initiate a connection to some mail server's port 25, but the server will get the connection through some intermediate server(s) which will hide who you are. Trying to track down the origin of such connections is quite hopeless unless this guy makes a big mistake. But filtering them is somewhat easier. Perhaps the most reliable thing you can do is to blacklist email arriving through any known SOCKS proxies or similar open machines.
Numerous blacklists exist to this effect (e.g., http://www.us.sorbs.net/) and scripts to process each mail and filter out the suspicious ones.

Nadav.

-- 
Nadav Har'El                        | Wednesday, Feb 17 2010, 3 Adar 5770
n...@math.technion.ac.il            |-----------------------------------------
Phone +972-523-790466, ICQ 13349191 |Lottery: A tax on people who are bad at
http://nadav.harel.org.il           |math.
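The filtering approach described in the message above (walk the Received: trail to find the host that handed the mail to your own MX, then look that IP up in a DNS blacklist) as an added worked example; this is not code from the original post or from SORBS. The message text is constructed, the IP addresses are from the RFC 5737 documentation ranges, and the DNSBL zone name "dnsbl.sorbs.net" and the 127.0.0.x answer convention are assumptions about how such lists respond; the lookup is injectable so the script runs offline.

```python
"""Trace the Received: trail of a message and check the peer against a DNSBL.

Added example, not part of the original mailing-list message.
"""
import re
import socket
from email import message_from_string

# Constructed sample, not a real capture. Two hops: an open relay at
# 198.51.100.7 handed the mail to "our" MX; the relay itself claims it got
# the message from 203.0.113.42. The envelope/From: is forged.
SAMPLE_MESSAGE = """\
Received: from relay.example.org (relay.example.org [198.51.100.7])
    by mx.example.net (Postfix) with ESMTP id 1A2B3C
    for <someone@example.net>; Wed, 17 Feb 2010 10:00:05 +0200
Received: from somewhere.invalid (unknown [203.0.113.42])
    by relay.example.org (Postfix) with SMTP id 9Z8Y7X;
    Wed, 17 Feb 2010 10:00:01 +0200
From: Forged Sender <forged-sender@example.com>
To: someone@example.net
Subject: hello

This body was sent with a forged envelope sender.
"""

# A Received: header names the connecting client as "name (revname [ip])";
# the first bracketed IPv4 literal is the peer the relay actually saw.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Return the peer IPs from all Received: headers, top (latest hop) first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        m = IPV4_IN_BRACKETS.search(header)
        if m:
            ips.append(m.group(1))
    return ips


def last_trusted_peer(raw_message, trusted_hops=1):
    """IP recorded by the last server we control.

    Each relay prepends its own Received: line, so only the top `trusted_hops`
    headers (written by our MX and any internal relays) are trustworthy; the
    sender can fabricate everything below them. With trusted_hops=1 this is
    simply the host that connected to our MX.
    """
    ips = received_ips(raw_message)
    if len(ips) < trusted_hops:
        return None
    return ips[trusted_hops - 1]


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query: reversed octets under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def _dns_lookup(name):
    """Resolve `name` to an A record, or None if it has no answer (NXDOMAIN)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolve=_dns_lookup):
    """True if the DNSBL answers with a 127.0.0.x code (assumed convention)."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")


def filter_message(raw_message, zone="dnsbl.sorbs.net", resolve=_dns_lookup):
    """Return (verdict, peer_ip); reject mail whose connecting peer is listed."""
    peer = last_trusted_peer(raw_message)
    if peer is None:
        return "accept", None
    verdict = "reject" if is_listed(peer, zone, resolve) else "accept"
    return verdict, peer


if __name__ == "__main__":
    print("Received trail (latest first):", received_ips(SAMPLE_MESSAGE))
    print("Peer seen by our MX:", last_trusted_peer(SAMPLE_MESSAGE))
    print("DNSBL query:", dnsbl_query_name("198.51.100.7", "dnsbl.sorbs.net"))
    # Live lookup; the assumed zone and answer convention are documented above.
    print(filter_message(SAMPLE_MESSAGE))
```

Note that the deeper Received: line (203.0.113.42) is exactly what a sender using an open relay or SOCKS proxy controls, which is why the check is made against the peer your own MX saw rather than the bottom of the trail.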