fooling MTAs.
On Tue, 26 Aug 1997, Peter wrote:
>
> I don't know what kind of script would fool sendmail into accepting such
> a flagrant spoofing but I want to know it just in case it happens to me.
>
> I did look up (and find) the IP of the sender in the headers. Not that it
> helped me much. What I don't get is how do you send email to SMTP and get
> the From: header to show To: when you *HAVE* to use the MAIL FROM:<..>
> SMTP command ?!
Body and envelope are two separate things. You have already got the fake
letter I sent you, where I invented every single header. Here's the
session's text:
[ira@off ~]$ tn actcom.co.il 25
Trying 192.114.47.1...
Connected to actcom.co.il.
Escape character is '^]'.
220 actcom.co.il ESMTP Sendmail 8.8.6/actcom-0.2 ready at Wed, 27 Aug 1997 01:06:58 +0300 (EET DST)
helo liklik.liklok.nz
250 actcom.co.il Hello [204.141.46.66] (may be forged), pleased to meet you
mail from: <hotblack.desiato@restaurant.end.universe.uni>
250 <hotblack.desiato@restaurant.end.universe.uni>... Sender ok
rcpt to: <plp@actcom.co.il>
250 <plp@actcom.co.il>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Date: Tue, 26 Aug 1997 19:11:19 +0000 (GMT)
From: Yosef! <really@not.kidding>
To: Asher Frenkel <asher@ibm.net.il>
Cc: linux-il@linux.org.il
Subject: the unholy Email faker strikes again...
Message-Id: <Pine.LNX.3.91.970826185700.94A-100000@plp2>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: yosi <thats@right>
Reply-To: Peter <plp@actcom.co.il>
Hi peter. This is Ira faking a message. you can immediately see how the
headers and the envelope are two totally different things.
you may also want to look at the "return-path" and be surprised again.
the only thing you can trust here is the last Recieved line, I could have
faked a few more...
Ira.
.
250 BAA01800 Message accepted for delivery
quit
221 actcom.co.il closing connection
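
Added example, not part of the original post: a recipient-side check that compares the envelope sender with the header addresses and pulls the connecting IP from the topmost Received line. The stored-message sample is constructed from the session above; the exact Return-Path and Received formatting is an assumption, and `domain` and `audit` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the message from the session above as the receiving
# server might store it. The Return-Path and Received lines are assumed
# renderings of the envelope data; their exact format varies by MTA.
SAMPLE = """\
Return-Path: <hotblack.desiato@restaurant.end.universe.uni>
Received: from liklik.liklok.nz ([204.141.46.66])
\tby actcom.co.il (8.8.6/actcom-0.2) with SMTP id BAA01800
\tfor <plp@actcom.co.il>; Wed, 27 Aug 1997 01:06:58 +0300 (EET DST)
Date: Tue, 26 Aug 1997 19:11:19 +0000 (GMT)
From: Yosef! <really@not.kidding>
To: Asher Frenkel <asher@ibm.net.il>
Sender: yosi <thats@right>
Reply-To: Peter <plp@actcom.co.il>
Subject: the unholy Email faker strikes again...

Hi peter. This is Ira faking a message.
"""

def domain(header_value):
    """Lower-cased domain of the first address in a header ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def audit(raw):
    """Compare envelope and header senders; report the connecting peer IP."""
    msg = message_from_string(raw)
    envelope = domain(msg["Return-Path"])  # copied from MAIL FROM, sender-chosen
    received = msg.get_all("Received") or []
    # Only the topmost Received line was written by our own MTA; any lines
    # below it arrived inside DATA and are sender-supplied.
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    findings = []
    for name in ("From", "Sender", "Reply-To"):
        d = domain(msg[name])
        if d and d != envelope:
            findings.append(f"{name} domain {d!r} != envelope domain {envelope!r}")
    return {"envelope_domain": envelope, "peer_ip": m.group(1) if m else None,
            "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A mismatch is a signal rather than proof, since mailing lists and bounce handling also produce different envelope and header domains; the peer IP recorded by the receiving server is the only field here the sender did not type.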