Exercise 9: Email Spoofing
Overview
- What is Email Spoofing
- Types of Spoofing
- Identifying Spoofed Emails
- Understanding Email Headers
- Conclusion
What is Email Spoofing
Because the email transport protocol, SMTP (Simple Mail Transfer Protocol), has no built-in sender authentication, attackers and spammers can easily obfuscate the origin of their email. Attackers use spoofed email messages to propagate viruses, Trojans, and worms. Criminals use them for phishing schemes.
Types of Email Spoofing
- Open Mail Relay (misconfigured server)
- Self-Owned Mail Servers
- Compromised Machines
- Hijacked Email Accounts
- Temporary Accounts
Exercise: Spoofing Email
Type the following into the command line:
  startx
Then hit ‘enter’.
Exercise: Spoofing Emails
Click the Terminal at the bottom left of the screen and type the following:
  cd /etc/init.d/
  ./sendmail start
Exercise: Spoofing Emails
Open a second Terminal, keeping the first open, and type:
  sendmail
Exercise: Email Spoofing
Open a third Terminal, keeping the other two open, and type:
  telnet 127.0.0.1 25
Exercise: Email Spoofing
In the same terminal as before, type (a blank line separates the headers from the body, and a line holding only a period ends the message):
  helo 127.0.0.1
  mail from: <professor@auburn.edu>
  rcpt to: <youremailaddress@yourprovider.com>
  data
  date: thu 13 Sept 2012
  subject: Class Cancelled

  Class has been cancelled tomorrow.
  .
Exercise: Email Spoofing
Go to the Start Menu in the bottom-left, click on Internet, then Firefox. Go to your email provider, type in your credentials, and the email should be there, provided port 25 isn’t blocked.
Identifying Spoofed Email
There are a number of telltale signs that may indicate an email is not legitimate. All of them involve interpreting a message’s headers.
Understanding Email Headers
Headers are added when the email is handled by different parties. Understanding headers is necessary to identifying and tracing spoofed email.

  Return-Path: <alice.price@alphanet.com>
  Received: from smtp.alphanet.com (smtp.alphanet.com [192.168.0.100])
      by mailhost.betanet.com with smtp (Exim 4.44)
      id 1DtsVC-0001I2-O2; Mon, 25 Jul 2005 11:40:06 -0400
  Received: from alice.alphanet.com (alice.alphanet.com [192.168.0.5])
      by smtp.alphanet.com (8.12.10/8.12.10) with ESMTP id j6PFdtHm024126
      for <bob.doe@betanet.com>; Mon, 25 Jul 2005 11:39:55 -0400
  Message-ID: <42E507CC.2080100@alphanet.com>
  Date: Mon, 25 Jul 2005 11:39:55 -0400
  From: Alice Price <alice.price@alphanet.com>
  User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
  X-Accept-Language: en-us, en
  MIME-Version: 1.0
  To: Bob Doe <bob.doe@betanet.com>
  Subject: Lunch
  Content-Type: text/plain; charset=ISO-8859-1
  Content-Transfer-Encoding: 7bit

The useful information is in the "Received:" lines. Each of these lines represents a hop between two mail servers on the path from the sender to the recipient. These can also be forged, but there is a catch: a malicious mail server can forge the current headers, but at the end it will have to hand the mail to legitimate mail servers. The legitimate mail servers WILL RECORD the IP address of the sending e-mail server, and this information will ALWAYS BE TRUE. So, the malicious sender has no control over the Received lines added by those servers.
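As an added example (not part of these slides), the following Python script applies the rule just stated to the headers above: it parses the Received lines into hops, walks back from the recipient's own server to find the connecting IP that server recorded, and flags breaks in the hop chain. The trusted-server list, the second (forged) message with its documentation-range addresses 203.0.113.7 and 192.0.2.10, and the message bodies are constructed for this example; the first message's headers are the ones on the slide.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Legitimate message: the headers from the slide above (the slide's own
# illustrative hosts and addresses); the body line is constructed.
LEGIT_MESSAGE = """\
Return-Path: <alice.price@alphanet.com>
Received: from smtp.alphanet.com (smtp.alphanet.com [192.168.0.100])
    by mailhost.betanet.com with smtp (Exim 4.44)
    id 1DtsVC-0001I2-O2; Mon, 25 Jul 2005 11:40:06 -0400
Received: from alice.alphanet.com (alice.alphanet.com [192.168.0.5])
    by smtp.alphanet.com (8.12.10/8.12.10) with ESMTP id j6PFdtHm024126
    for <bob.doe@betanet.com>; Mon, 25 Jul 2005 11:39:55 -0400
Message-ID: <42E507CC.2080100@alphanet.com>
Date: Mon, 25 Jul 2005 11:39:55 -0400
From: Alice Price <alice.price@alphanet.com>
To: Bob Doe <bob.doe@betanet.com>
Subject: Lunch

See you at noon.
"""

# Constructed spoof: an unknown host (documentation IP 203.0.113.7) connected to
# mailhost.betanet.com directly, but the message carries a fabricated lower
# Received line claiming it passed through the From: domain's own mail server.
SPOOFED_MESSAGE = """\
Return-Path: <professor@auburn.edu>
Received: from mail.example.org (unknown [203.0.113.7])
    by mailhost.betanet.com with smtp (Exim 4.44)
    id 1DtsVC-0009ZZ-AA; Thu, 13 Sep 2012 09:00:01 -0400
Received: from smtp.auburn.edu (smtp.auburn.edu [192.0.2.10])
    by mail.auburn.edu with ESMTP id FORGED001; Thu, 13 Sep 2012 08:59:00 -0400
From: professor@auburn.edu
To: student@betanet.com
Subject: Class Cancelled

Class has been cancelled tomorrow.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"           # name the connecting server announced in HELO/EHLO
    r"(?:\s+\((?P<from_info>[^)]*)\))?"    # "(rdns-name [ip])" as recorded by the receiving server
    r"\s+by\s+(?P<by_host>\S+)",           # the server that wrote this line
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")


def parse_received(msg):
    """Return the Received hops in transit order (sender side first).

    Each server prepends its own line, so the topmost header is the final
    hop; reversing the header order yields the sender-to-recipient path.
    """
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(raw.split())        # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue                         # unparseable line: ignore, never trust
        info = m.group("from_info") or ""
        ip = IP_RE.search(info)
        hops.append({
            "from_host": m.group("from_host"),
            "rdns": info.split("[")[0].strip() or None,
            "ip": ip.group("ip") if ip else None,
            "by_host": m.group("by_host"),
        })
    hops.reverse()
    return hops


def analyze(raw_message, trusted_servers):
    """Apply the slide's rule: only lines written by servers you control are
    reliable, and the earliest such line records the true connecting IP."""
    msg = message_from_string(raw_message)
    hops = parse_received(msg)
    findings = []

    # 1. Trust boundary: walk backwards from the final hop while the line was
    #    written by one of our own servers; the last one reached saw the sender.
    origin = None
    for hop in reversed(hops):
        if hop["by_host"].lower() not in trusted_servers:
            break
        origin = hop
    if origin is None:
        findings.append("no Received line written by a trusted server")

    # 2. Chain continuity: the host a server says it received from should be
    #    the host that wrote the line just below it. A break means the lower
    #    line was inserted by someone else (heuristic: HELO names can differ).
    for lower, upper in zip(hops, hops[1:]):
        if lower["by_host"].lower() != upper["from_host"].lower():
            findings.append(
                f"chain break: {upper['by_host']} received from {upper['from_host']}, "
                f"but the line below was written by {lower['by_host']}"
            )

    # 3. The reverse DNS of the trusted connecting IP should sit in the From:
    #    domain (heuristic: legitimate third-party senders will trip this too).
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if origin and from_domain:
        rdns = (origin["rdns"] or "unknown").lower()
        if rdns != from_domain and not rdns.endswith("." + from_domain):
            findings.append(
                f"connecting server {origin['ip']} ({rdns}) is not in From: domain {from_domain}"
            )

    return {"origin_ip": origin["ip"] if origin else None, "findings": findings}


if __name__ == "__main__":
    for name, text in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(name, analyze(text, {"mailhost.betanet.com"}))
```

The trusted-server set is the only input a recipient has to supply: it names the servers whose Received lines it knows are honest. Everything below the first untrusted line is treated as a claim rather than evidence, which is exactly the distinction the slide draws.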
Conclusion
- Threat of Email Spoofing
- Types
- Detecting and Identifying
Questions?