Re: Request for help with mail spoofing

2010-02-17 Thread Nadav Har'El
On Wed, Feb 17, 2010, Geoff Shang wrote about Request for help with mail
spoofing:
> Given that I have this script which I am willing to send on, my questions
> are:
> 1.  What exactly is being done?

You didn't attach the script, but basically forging mail on the Internet
is trivial.

The key point to understand is that SMTP, the simple mail transfer protocol,
has absolutely no authentication mechanism for the From address. If I send
mail from n...@math.technion.ac.il, my host simply writes the line
MAIL FROM: n...@math.technion.ac.il
as part of the SMTP session with the receiving mail server. It could have
just as easily written presid...@whitehouse.gov.

Traditionally, on Unix hosts, the mail program such as sendmail automatically
fills this address, and only root can override it (sendmail -f...). But this
is completely irrelevant protection, because somebody can use any other
software, or even manually do a direct SMTP connection (telnet host 25),
to send mail pretending to be from anyone. When I was a Technion
freshman, circa 18 years ago, I used to amuse my fellow students by sending
them mail from presid...@whitehouse.gov :-)

Anyway, even though the From envelope and From: header can be easily
forged this way, something you can't avoid is the Received: trail - the
mail will contain a list of IP addresses which relayed this message, including
your host - the host that initiated that SMTP session and pretended to
be presid...@whitehouse.gov. As you saw, getting around this annoyance is
easy - all you need to do is find a host that will agree to take any crap
that you send it and spew it out to your choice of address. SOCKS proxies,
Tor, and so on, let you do exactly that - you can initiate a connection to
some mail server's port 25, but the server will get the connection through
some intermediate server(s) which will hide who you are.

Trying to track down the origin of such connections is quite hopeless unless
this guy makes a big mistake. But filtering them is somewhat easier.
Perhaps the most reliable thing you can do is to blacklist email arriving
through any known socks proxies or similar open machines. Numerous blacklists
exist to this effect (e.g., http://www.us.sorbs.net/) and scripts to process
each mail and filter out the suspicious ones.

Nadav.

-- 
Nadav Har'El|  Wednesday, Feb 17 2010, 3 Adar 5770
n...@math.technion.ac.il |-
Phone +972-523-790466, ICQ 13349191 |Lottery: A tax on people who are bad at
http://nadav.harel.org.il   |math.

___
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
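The filtering idea in the message above, as an added example that is not part of the thread: read the Received: trail of a message, take the originating host from the earliest (bottom-most) Received: line, and check it against a blocklist. The sample message, the 203.0.113.7 / 198.51.100.2 addresses (documentation ranges), the dnsbl.example zone and the in-memory blocklist are all constructed here; no DNS lookup is performed.

```python
import re
from email import message_from_string
from typing import List, Optional

# Constructed sample message: the From: header claims whitehouse.gov, but the
# Received: trail shows the SMTP session started at 203.0.113.7.
SAMPLE_MAIL = """Received: from mx.example.net (mx.example.net [198.51.100.2])
  by inbox.example.org with ESMTP; Wed, 17 Feb 2010 10:00:00 +0200
Received: from unknown (HELO relay) [203.0.113.7]
  by mx.example.net with SMTP; Wed, 17 Feb 2010 09:59:58 +0200
From: President <president@whitehouse.gov>
To: victim@example.org
Subject: hello

body
"""

# Constructed stand-in for a DNSBL zone: the set of listed addresses.
LOCAL_BLOCKLIST = {"203.0.113.7"}

# Bracketed IPv4 literal as MTAs write it in "from host (name [ip])".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw: str) -> List[str]:
    """Bracketed IPs from every Received: header, newest hop first."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def origin_ip(raw: str) -> Optional[str]:
    """Each relay prepends its Received: line, so the last one names the
    originating host. Only lines added by MTAs you trust are reliable; a
    sender can prepend fake Received: lines below the trusted ones."""
    ips = received_ips(raw)
    return ips[-1] if ips else None


def dnsbl_query_name(ip: str, zone: str = "dnsbl.example") -> str:
    """Reversed-octet name a DNSBL lookup would resolve, e.g. 7.113.0.203.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_suspicious(raw: str) -> bool:
    """True when the originating host is on the (constructed) blocklist."""
    ip = origin_ip(raw)
    return ip is not None and ip in LOCAL_BLOCKLIST
```

In a real filter, `dnsbl_query_name` would be resolved against the zone of a list such as SORBS and a returned A record treated as a listing.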


Re: Request for help with mail spoofing

2010-02-17 Thread Shachar Shemesh

Nadav Har'El wrote:

> On Wed, Feb 17, 2010, Geoff Shang wrote about Request for help with mail
> spoofing:
>> Given that I have this script which I am willing to send on, my questions
>> are:
>> 1.  What exactly is being done?
>
> You didn't attach the script, but basically forging mail on the Internet
> is trivial.

Here it is. Open your mail agent (say, Thunderbird), go to the account
configuration, change the "my name" and "my email" settings, send the
mail. No scripting necessary.

> The key point to understand is that SMTP, the simple mail transfer protocol,
> has absolutely no authentication mechanism for the From address. If I send
> mail from n...@math.technion.ac.il, my host simply writes the line
> MAIL FROM: n...@math.technion.ac.il
> as part of the SMTP session with the receiving mail server. It could have
> just as easily wrote presid...@whitehouse.gov.

Just to make things worse, what you just specified is the envelope
sender - what the mail servers will use in order to bounce the message.
Most servers will discard this information the moment the mail gets
successfully delivered.


The sender's address and name, as appears in mail user agents, is 
actually taken from the message's BODY - even easier to spoof than that.


Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
