2

I mean, if I would have my own SMTP (also, is it just about money or are there some limitations to running my own SMTP server?) and would just completely make up the mail (headers, spoofed IPs and everything) and then send the mail, would there be something to stop me?

Julian
ShinobiUltra
  • 1
    If you run any Linux or *BSD distro you already have a running SMTP server. 90% of today's distros come with an SMTP server running by default. – grochmal Sep 24 '16 at 23:07
  • I think that most people who answer questions here are more interested in helping with security not helping undermine it. – Julian Knight Sep 24 '16 at 23:10
  • 2
    The question received a downvote, probably because you don't show *any* effort on your part. I chose to answer with an elaborate answer because I couldn't find another generic question like this. There is a generic question like this for TLS and a few other topics, so why not for email spoofing? It's a fair question that many will probably ask. – Luc Sep 24 '16 at 23:30
  • Luckily, I like your answer but I'm certain we have a complete dupe. Will try and find it later – Rory Alsop Sep 25 '16 at 08:13
  • You don't even need an SMTP server to spoof email. – Esa Jokinen May 18 '19 at 17:15

3 Answers

7

The simple answer is yes, you can spoof mail. You can spoof the FROM email address and the sending domain, however you will not be able to spoof the originating IP address. (Your IP address is used in the process of establishing a connection to the receiving mail server, so if you spoof your IP address you will not be able to establish a connection as packets won't make it back to you.)

So let's say you send a message with a spoofed FROM address and domain, but with your real IP address. What happens next is unfortunately difficult to say, as it depends on the configuration of both the domain you are spoofing as well as the configuration of the receiving mailserver. If both are configured correctly, your message will end up in SPAM or be rejected outright. But otherwise, your message may make it to the recipient's mailbox.

Why might your message end up in spam? Over the years, a number of mechanisms have been developed to combat email spoofing and help mail servers identify spoofed messages. There is a simple one known as SPF (Sender Policy Framework), and a more robust one known as DKIM (DomainKeys Identified Mail).

SPF

If you are a domain owner (meaning you have access to your domain's DNS records), you can add a special record that essentially lists all of the IP addresses that are permitted to send emails on behalf of your domain name. When a receiving mail server gets a message, it can compare the IP address that the message was received from against the list of authorized addresses published by the domain owner. If the IP is not authorized, the receiving mail server can choose to reject or flag the message.

DKIM

DKIM also leverages DNS, but is substantially more robust because it relies on public-key cryptography rather than simple IP address lists. If you are a domain owner, you generate a public-private key pair and publish the public key as a DNS record. You install the private key on all of your legitimate sending mail servers, which use the private key to cryptographically sign every outgoing message. Receiving mail servers can verify that the signatures are valid by retrieving the public key via DNS. If you attempt to spoof email from a DKIM-protected domain, you will not be able to add the cryptographic signature because you do not possess the private key.

DMARC

In addition to SPF and DKIM, domain owners can also publish in DNS something called a DMARC policy, which tells receiving mail servers what to do if they encounter a message that does not pass SPF or DKIM checks. This policy can be lax or strict depending on how strongly the domain owner wants to combat forged messages from his domain.

In summary

If the domain you are spoofing has published SPF and DKIM records with a strict DMARC policy, and you are sending the message to a mailserver with a properly-configured spam filter, your message will most likely end up in spam. If you are spoofing a message from a domain that has not configured SPF/DKIM/DMARC properly, and/or the receiving mailserver has a lax filter, your message might make it through.

tlng05
  • Providing an attacker is capable of forging UDP (and hence DNS) packets at the right time, what do you suppose the effect of forging an `NXDOMAIN` packet in response to a DKIM resource request would be? – autistic May 19 '19 at 02:55
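
The receiver-side decision that the first answer describes (SPF, then DKIM, then the DMARC policy) can be sketched as follows. This is an added example, not code from any of the posters: the DNS records and domains are constructed, only the `ip4`/`ip6`/`all` SPF mechanisms are evaluated, DKIM verification is assumed to have happened already, and alignment is simplified to an exact domain match.

```python
import ipaddress

# Constructed DNS TXT data for documentation domains; a real receiver queries DNS.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "example.net": "v=spf1 ip4:203.0.113.7 -all",  # a different domain's own SPF
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of domain's SPF record for client_ip."""
    terms = DNS_TXT.get(domain, "").split()
    if terms[:1] != ["v=spf1"]:
        return "none"  # no SPF record published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" mechanism


def dmarc_policy(from_domain):
    """Return the p= tag of the From domain's DMARC record, or "none"."""
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none") if tags.get("v") == "DMARC1" else "none"


def disposition(from_domain, envelope_domain, client_ip, dkim_domain=None):
    """DMARC outcome. dkim_domain is the d= of a signature already verified."""
    # Simplification: strict alignment (exact match with the From domain).
    spf_ok = (envelope_domain == from_domain
              and spf_check(envelope_domain, client_ip) == "pass")
    dkim_ok = dkim_domain == from_domain
    if spf_ok or dkim_ok:
        return "deliver"
    actions = {"reject": "reject", "quarantine": "spam"}
    return actions.get(dmarc_policy(from_domain), "deliver")
```

With these records, `disposition("example.com", "example.net", "203.0.113.7")` returns `"reject"` even though SPF passes for `example.net`, because the passing domain does not match the From domain; the same message claiming to be from a domain with no records at all is delivered.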
4

You ask a simple question in the title. The simple answer is yes, you can spoof email. There is very little to stop you.

is it just about money or are there some limitations to running my own SMTP server?

If you mean "why doesn't everyone run their own smtp server", the answer is: people don't know how to; people are fine with whatever services are offered online; people don't want to spend the effort in setup and maintenance; or indeed someone doesn't have their own server and getting one is at least $5 a month or so, which is probably not worth it.

Depending on how much you care about fixing other people's shit, it can be a lot of work to set one up as well. Basically sending an email is extremely easy, but many people choose to employ spam filters (or have spam filters chosen for them) which block you. If you care about that, you have to go around and fix everything for other people's mail servers: some want you to retry a message (greylisting), some want you to add SPF, some require DKIM, some use blacklists like spamhaus so you have to delist your IP address there if the previous owner made the IP address get on that list, and you probably have to deal with some Gmail specific issue. I don't know what, there's just always trouble with the monopolist. Especially since people assume Google is less likely to make a mistake than you, they think it's your fault, so go and have fun trying to get yourself whitelisted on Gmail.

Would a completely made-up mail (headers...

Headers are just text you can write. Spoof them all you want.

... spoofed IPs...

Hold on there, how will you spoof your IP address? You can send a packet with a spoofed IP address to the Internet, and if you are lucky your ISP doesn't block it (even though that's the Best Current Practice®), but any replies will go back to the spoofed source so you can't receive what the server is sending back. You are basically sending in the dark and hope it all goes OK.

On top of that, SMTP runs over TCP. You can spoof a TCP connection (contrary to popular belief), though it is hard, especially if you have to send a lot of data. An email requires at the very least a HELO x, MAIL FROM:valid@address, RCPT TO:valid@address, and finally your email data (e.g. ATTACK AT DAWN). Since it takes a few billion attempts to spoof a TCP connection, that's a lot of data which might not go unnoticed on the recipient's side.

Technically possible, but practically close to infeasible. On the upside, connections always get faster so it gets more and more in reach all the time.

... and everything

Not everything! Cryptographic systems like DKIM, which are designed to prove that you have permission to send email for the domain you are claiming you're from, cannot be spoofed.

Usually only missing a DKIM header will not completely stop the email from going through though. I've not set up DKIM for my domain and run into trouble maybe once every two years. After building reputation on the IP address, it works quite fine.

would there be someone to stop me?

The authorities might want to have a word with you. Spoofing might or might not be illegal depending on the country you're from or sending to, but fraud and spam are.

Luc
  • Perhaps DKIM's encryption would present a difficult obstacle... but I wonder how the mailserver would respond to a forged `NXDOMAIN` packet in response to a request for the DKIM resource records... at least you acknowledge that TCP connections can at times be forged or hijacked. – autistic May 19 '19 at 03:01
0

is it just about money or are there some limitations to running my own SMTP server?

Assuming you have enough money for the utilities required to run your server, and your ISP doesn't filter incoming connections on TCP port 25, you should be fine.

Interesting that you mention money. We basically rely a whole lot on trust... from the moment a packet leaves your server, it passes through a series of routers owned by other people. SMTP happens to be unencrypted, which means it's really easy for those routers to tamper with connections.

By using telnet you can send malformed requests. These requests can contain any email address.

The issues mentioned above, SPF, DKIM and DMARC are all VERY helpful protection though unfortunately they have the same flaw: they use DNS, which uses UDP, which is just as easy to forge. In fact, the server receiving the forged email will fire off those numerous requests, but not before it receives the forged email.

The attackers benefit from a huge timing-related attack, here: they know they can beat the legitimate DNS response with their own forged ones (en masse, brute force style to increase odds of success, typically).

The major setback is the attackers can only guess at the unique packet identifiers required to match. If it works the first time, great, the attackers have successfully hijacked all SPF, DKIM and DMARC traffic using DNS cache pollution... for years, if they choose to do so...

Once this is accomplished, the attacker has established denial of service of the authentication services, and AFAIK if these services don't exist then the mail gets relayed rather than dropped.

Otherwise the attackers need but wait for the cache entry to expire and try again (and they can even retrieve a TTL that'll help them)... there have been serious documented attacks that allow an attacker to hijack DNS traffic for an entire zone; these are based on tricking the upstream nameservers into caching forged nameserver entries for the domain(s) in question.

Protection against this comes in the form of DNSSEC (and possibly IPSEC?) in addition to SPF/DKIM/DMARC. Unfortunately, the internet has not unanimously accepted these so we need a fall-back, which is to just deliver the mail after SPF/DKIM/DMARC checks have failed.

... spoofed IPs ...

Forged TCP connections are very difficult to establish. You need to be able to accurately guess packet identifiers for every packet. Possible, but impractical. Attackers might be more likely to use a public wifi network to conduct their attacks... not to mention sunglasses.

... would there be something to stop me?

I suppose it depends upon where you live. There are countries that don't treat these kinds of attacks as criminal incidents, and then there are countries that'll try to claim the attackers are tourists!

Additionally, authority won't generally conduct an investigation unless a crime is committed. Once you successfully infiltrate a system, you're in... Your authorities might not like it, but they'll be (months) too late.

autistic