1

I'm trying to understand how email spoofing works. After studying the technical process, I have finally understood that:

  1. The spoofer will try to scan every port of an SMTP server to catch the MX

  2. Connect with telnet to the MX server

  3. Send the SMTP packet changing the FROM and TO in the envelope

However, as it is explained in this post, it is not that easy. You have for example to look for an SMTP server that will not reject the telnet connection attempt considering that I don't even know how you can find the smtp servers (they must be protected from port scanning I guess). And there are other issues.

Therefore, I'm wondering how websites such as "emkei" can so easily propose to spoof an email.

Does it try all the SMTP server really fast?

Or does it host its own SMTP server that will relay the packet? In that case, if for example, it tries to send a mail from xxx@gmail.com, it will have to route it to a Gmail SMTP server, and this one could reject any Gmail address that does not come from another Gmail SMTP server. And if they used an Open-Relay server, the server would have been blacklisted, right? I really don't see how it can work.

schroeder
  • 123,438
  • 55
  • 284
  • 319
KB303
  • 423
  • 2
  • 5
  • 15

3 Answers3

4

The spoofer will try to scan every ports of a smtp server to catch the mx

The MX is detected by doing a DNS lookup and the MTA is then using port 25 on the server(s) returned by this DNS lookup. No port scanning is involved.

However, as it is explained in this post (Spoofing email From address), it is not that easy.

This post shows several ways, some easier and some harder. And it shows that the easiest way is to just find out the MX for the recipient domain (DNS lookup) and connect with your SMTP client (or telnet) to this domain - the same way as a SMTP MTA would do when delivering a non-spoofed mail to this domain. There might be problems if the acclaimed sender domain uses SPF or DKIM and the recipients SMTP server checks for this - but most domains still don't use such protection and many servers don't check for this.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Thank you for your answer. So if I understood well, you just have to find the MX for the recipient domain and then connect to itsee port 25 (telnet ...) in order to send your message. So you think that this is the process executed automatically by sites such as emkei ? – KB303 Aug 04 '17 at 07:05
  • @KB303: correct. Or in other words: you need to behave like a regular MTA which is delivering a mail. – Steffen Ullrich Aug 04 '17 at 07:07
  • 1
    @KB303: telnet here is a tool that allow TCP conversation to an arbitrary port (in fact netcat is the most appropriate tool). It has nothing to do with the telnet protocol - even if most telnet client support both. – Serge Ballesta Aug 04 '17 at 08:57
1

You can find plenty of open MXs with shodan ( http://shodanhq.io ). You will not have any problems in that department. A simple 'spoof' (it will still have X-Originating-IP in the header:

nc example.com 25

...

helo blabbabla

mail from: boogaloo@notyourdomain.com

rcpt to: yourexwife@evil.com

data

I LOVE YOU <3 ... NOT!

.

There are some other finesse things I never used. It has been a while, though I doubt SMTP has changed very much. The only positive thing about scripting this up to send many emails is that you could crash outlook with binary data. And it would crash again when reopened.

schroeder
  • 123,438
  • 55
  • 284
  • 319
user2497
  • 580
  • 2
  • 7
1

You don't need to connect to a domain's mailserver to spoof mail from that domain. Thats just not right at all. That particular attack is called 'open-relaying'... which is where you connect to an exposed mail-server and tell it to send mail. It can be used to send mail internally (which is unlikely to be spotted by spam filtering systems), to send external mail (spam), or to spoof mail from that mail-server's domain with a good chance of internal and external systems not recognising the spoof. This is possibly illegal in some countries, and not what emkei's mailer does.

I verified this by telling the site to spoof a message from a domain I own and monitoring connection attempts on all ports. Nothing happened.

What emkei's script does, is simply sends the mail using a local binary like sendmail/postfix with a spoofed FROM value. Since emkei has the option to support attachments and external SMTP servers, its likely that the site uses a framework like PHPMailer under the hood... as manually constructing emails can be a bit of an RFC minefield.

This version of the attack is on its way out, since its becoming ineffective. Most spam systems will see that the email is likely not transmitted via TLS, not passed DKIM validation, and the headers are probably weird (for example, simply having an 'X-Mailer' header)... all of which will award a message spam-liklihood points in systems like Spam-Assassin. That said it will be a number of years before this method is altogether dead, email just wasn't created with security in mind and the retrofit is SLOW.

hiburn8
  • 441
  • 2
  • 11