1
Exercise 9: Email Spoofing
2
Overview
What is Email Spoofing
Types of Spoofing
Identifying Spoofed Emails
Understanding Email Headers
Conclusion
3
What is Spoofing? Because the Simple Mail Transfer Protocol (SMTP) has no built-in authentication, attackers and spammers can easily obfuscate the origin of their email. Attackers use spoofed messages to propagate viruses, Trojans, and worms. Criminals use them for phishing schemes.
4
Types of Email Spoofing
Open Mail Relay (misconfigured server)
Self-Owned Mail Servers
Compromised Machines
Hijacked Accounts
Temporary Accounts
5
Exercise: Spoofing Email
Type the following into the command line and then hit 'enter':
startx
6
Exercise: Spoofing Emails
Click the Terminal at the bottom left of the screen and type the following:
cd /etc/init.d/
sendmail start
7
Exercise: Spoofing Emails
Open a second Terminal, keeping the first open, and type:
sendmail
8
Exercise: Email Spoofing
Open a third Terminal, keeping the other two open, and type:
telnet
9
Exercise: Email Spoofing
In the same terminal as before, type the SMTP commands one line at a time (the message body ends with a line containing only a single period):
helo
mail from:
rcpt to:
data
date: thu 13 Sept 2012
subject: Class Cancelled

Class has been cancelled tomorrow.
.
10
Exercise: Email Spoofing
Go to the Start Menu in the bottom-left, click on Internet, then Firefox. Go to your email provider, type in your credentials, and the email should be there, provided port 25 isn't blocked.
11
Identifying Spoofed Email
There are a number of telltale signs that may indicate an email is not legitimate. All of them involve interpreting the message's headers.
12
Understanding Email Headers
Headers are added each time the email is handled by a different party. Understanding headers is necessary for identifying and tracing spoofed email. The example below is the slide's sample header; the numbers 3, 2 and 1 are the slide's callouts on the header groups.

(3) Return-Path:
    Received: from smtp.alphanet.com (smtp.alphanet.com [ ]) by mailhost.betanet.com with smtp (Exim 4.44) id 1DtsVC-0001I2-O2; Mon, 25 Jul :40:
(2) Received: from alice.alphanet.com (alice.alphanet.com [ ]) by smtp.alphanet.com ( / ) with ESMTP id j6PFdtHm024126 for ; Mon, 25 Jul :39:
    Message-ID:
(1) Date: Mon, 25 Jul :39:
    From: Alice Price
    User-Agent: Mozilla Thunderbird (Windows/ )
    X-Accept-Language: en-us, en
    MIME-Version: 1.0
    To: Bob Doe
    Subject: Lunch
    Content-Type: text/plain; charset=ISO
    Content-Transfer-Encoding: 7bit

The useful information is in the "Received:" lines. Each of these lines represents a hop between two mail servers on the path from the sender to the recipient. These can also be forged, but there is a catch: a malicious mail server can forge the headers that exist when the message leaves it, but in the end it has to hand the mail to legitimate mail servers. The legitimate mail servers WILL RECORD the IP address of the sending server, and this information will ALWAYS BE TRUE. So the malicious sender has no control over the Received: lines that the legitimate servers on the path add.
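The following is an added example, not part of the original slides, that turns the header analysis described above into a small checker. It reads the Received: lines, puts them in chronological order (they are prepended, so the bottom one is the first hop), and reports three telltale signs: a HELO name that does not match the reverse DNS the receiving server recorded, a sender domain that is not backed by the server that first accepted the message, and a break in the chain where one server's "by" name does not reappear as the next hop's "from" name. Both sample messages are constructed: the hostnames, Exim and sendmail ids and subjects come from the slides, while the addresses, IP addresses (RFC 5737 documentation ranges), years, times, Message-IDs and the sendmail version are placeholders filled in so the samples parse.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed sample modelled on the slide's legitimate example (placeholders
# for the values the slide leaves blank: addresses, IPs, year, times, ids).
LEGIT_HEADERS = """\
Return-Path: <alice@alphanet.com>
Received: from smtp.alphanet.com (smtp.alphanet.com [192.0.2.10])
    by mailhost.betanet.com with smtp (Exim 4.44)
    id 1DtsVC-0001I2-O2; Mon, 25 Jul 2005 15:40:02 +0000
Received: from alice.alphanet.com (alice.alphanet.com [192.0.2.20])
    by smtp.alphanet.com (8.13.1/8.13.1) with ESMTP id j6PFdtHm024126
    for <bob@betanet.com>; Mon, 25 Jul 2005 15:39:55 +0000
Message-ID: <placeholder-1@alphanet.com>
Date: Mon, 25 Jul 2005 15:39:30 +0000
From: Alice Price <alice@alphanet.com>
To: Bob Doe <bob@betanet.com>
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1

Lunch at noon?
"""

# Constructed spoofed sample: the From: claims alice@alphanet.com, but the only
# Received: line was written by the recipient's own server and records the real
# connecting host, which announced an alphanet.com name it does not own.
SPOOFED_HEADERS = """\
Return-Path: <alice@alphanet.com>
Received: from mail.alphanet.com (unknown [198.51.100.7])
    by mailhost.betanet.com with smtp (Exim 4.44)
    id PLACEHOLDER-ID; Thu, 13 Sep 2012 09:00:00 +0000
Message-ID: <placeholder-2@alphanet.com>
Date: Thu, 13 Sep 2012 08:59:00 +0000
From: Alice Price <alice@alphanet.com>
To: Bob Doe <bob@betanet.com>
Subject: Class Cancelled

Class has been cancelled tomorrow.
"""


@dataclass
class Hop:
    helo: str  # name the sending server announced in HELO/EHLO (sender-controlled)
    rdns: str  # reverse-DNS name the receiving server resolved for the connecting IP
    ip: str    # connecting IP as recorded by the receiving server (receiver-controlled)
    by: str    # the receiving server that wrote this Received: line


# "from <helo> (<rdns> [<ip>]) ... by <server>"; the parenthesised part is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*(?:\[(?P<ip>[0-9a-fA-F.:]+)\])?\))?"
    r".*?\bby\s+(?P<by>[^\s;]+)",
    re.DOTALL,
)


def parse_received(raw_message: str) -> List[Hop]:
    """Return the hops in chronological order (first hop first)."""
    msg = message_from_string(raw_message)
    hops: List[Hop] = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append(Hop(m["helo"].lower(), (m["rdns"] or "").lower(),
                            m["ip"] or "", m["by"].lower()))
    hops.reverse()  # each server prepends its line, so the last one is the origin
    return hops


def analyze(raw_message: str) -> List[str]:
    """Return the telltale signs found in the headers; an empty list means none."""
    msg = message_from_string(raw_message)
    hops = parse_received(raw_message)
    findings: List[str] = []
    if not hops:
        return ["no Received: lines; the message never passed through a mail server"]
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    origin = hops[0]
    # Sign 1: HELO is chosen by the sender, rDNS and IP are recorded by the receiver.
    if origin.helo != origin.rdns:
        findings.append(f"first hop announced itself as {origin.helo!r} but reverse DNS "
                        f"for {origin.ip or '?'} is {origin.rdns or '(none)'!r}")
    # Sign 2 (heuristic): mail really from alice@alphanet.com normally enters the
    # chain at an alphanet.com server; here the first recorder is someone else's.
    if sender_domain and origin.by != sender_domain and not origin.by.endswith("." + sender_domain):
        findings.append(f"From: claims {sender_domain!r} but the first server to record "
                        f"the message was {origin.by!r}")
    # Sign 3: each server's "by" name should reappear as the next hop's "from" name;
    # a break suggests the lower Received: lines were fabricated by the sender.
    for prev, nxt in zip(hops, hops[1:]):
        if prev.by not in (nxt.helo, nxt.rdns):
            findings.append(f"chain break: {prev.by!r} handed off, but next hop came from "
                            f"{nxt.helo!r} ({nxt.rdns or 'no rDNS'})")
    return findings


if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT_HEADERS), ("spoofed", SPOOFED_HEADERS)):
        print(f"== {label} ==")
        for hop in parse_received(raw):
            print(f"  {hop.helo} ({hop.rdns or '?'} [{hop.ip or '?'}]) -> {hop.by}")
        for finding in analyze(raw):
            print("  !", finding)
```

The second check is deliberately a heuristic: users who send through a provider's relay will legitimately enter the chain at a server outside their address domain, so treat it as a prompt to look closer rather than a verdict. The first hop's recorded IP is the one thing the slides say the sender cannot control, which is why the checker anchors everything on it.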
13
Conclusion
Threat of Spoofing
Types
Detecting and Identifying
14
Questions?