Social Engineering Class

Topics covered:

Spoofing Email

Email servers run on port 25. To figure out what machine handles email for a domain, you can use the dig program to ask for the mx (mail exchanger) record:

$ dig -t mx yopmail.com

This will print out a lot of junk; you only care about the line with “MX” in it:

yopmail.com.            86400   IN      MX      1 smtp.yopmail.com.

This tells us that the machine smtp.yopmail.com handles mail for the yopmail.com domain.

Now, let’s spoof some email! We use “telnet” to connect to port 25 of smtp.yopmail.com, the mail exchanger we just found. If you’re running Windows, you need to install a telnet client. PuTTY is a good choice.

The parts you type are the lines that do not begin with a three-digit server reply code; the first line is just the Unix command to open a connection to port 25. If you’re using PuTTY, you’ll do this through a dialog box.

```
$ telnet smtp.yopmail.com 25
Trying 87.98.164.155...
Connected to smtp.yopmail.com.
Escape character is '^]'.
220 mx.yopmail.com ESMTP ***
EHLO bub
250 SIZE 150000
MAIL FROM: <spammer@evil.com>
250 OK
RCPT TO: <sittingduck@yopmail.com>
250 OK
DATA
354 Start mail input; end with .
From: Santa Claus <santa@north.pole>
To: Sitting Duck <sittingduck@yopmail.com>
Subject: naughty

You have been very naughty this year!
.
250 mail saved
```

Now you can open up <http://yopmail.com/>, check the `sittingduck`
account, and see the email.  Notice how there doesn't seem to be any way
to look up who actually sent it (spammer@evil.com); all you get is that
it came from Santa Claus.
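The reason the recipient only sees Santa Claus is that SMTP carries two senders: the envelope sender given in MAIL FROM (which a receiving server records in a Return-Path header) and the From header inside the DATA section, which is what mail clients display. The following is an added example, not part of the class notes, that parses the client side of the session above (embedded as a constructed sample) and applies a simplified DMARC-style alignment check comparing the two sender domains, the kind of check a receiving mail server uses to flag a message like this one.

```python
import re
# Constructed sample: the client side of the SMTP dialog from the notes,
# with the CRLF line endings a real client sends.
SESSION = (
    "EHLO bub\r\n"
    "MAIL FROM: <spammer@evil.com>\r\n"
    "RCPT TO: <sittingduck@yopmail.com>\r\n"
    "DATA\r\n"
    "From: Santa Claus <santa@north.pole>\r\n"
    "To: Sitting Duck <sittingduck@yopmail.com>\r\n"
    "Subject: naughty\r\n"
    "\r\n"
    "You have been very naughty this year!\r\n"
    ".\r\n"
)
ADDR = re.compile(r"<([^>]+)>")

def parse_session(text):
    """Split a client-side SMTP transcript into (envelope_from, header_from, body)."""
    lines = text.split("\r\n")
    envelope_from, i = None, 0
    # Envelope phase: commands up to DATA. MAIL FROM is the envelope sender,
    # the address a receiving MTA records in the Return-Path header.
    while i < len(lines) and lines[i].upper() != "DATA":
        if lines[i].upper().startswith("MAIL FROM:"):
            m = ADDR.search(lines[i])
            envelope_from = m.group(1) if m else lines[i].split(":", 1)[1].strip()
        i += 1
    i += 1  # skip the DATA line itself
    # Message phase: header lines, a blank line, then the body up to a lone ".".
    headers = {}
    while i < len(lines) and lines[i] != "":
        name, _, value = lines[i].partition(":")
        headers[name.strip().lower()] = value.strip()
        i += 1
    i += 1  # skip the blank separator
    body = []
    while i < len(lines) and lines[i] != ".":
        # Undo dot-stuffing: a body line beginning ".." was originally ".".
        body.append(lines[i][1:] if lines[i].startswith("..") else lines[i])
        i += 1
    m = ADDR.search(headers.get("from", ""))
    return envelope_from, m.group(1) if m else headers.get("from"), "\n".join(body)

def domain(addr):
    return addr.rsplit("@", 1)[1].lower() if addr and "@" in addr else ""

def sender_aligned(envelope_from, header_from):
    """Simplified DMARC-style alignment: envelope and header From domains must match."""
    return domain(envelope_from) == domain(header_from)
```

For the session above this yields envelope sender spammer@evil.com and header sender santa@north.pole, so the alignment check fails; real deployments combine it with SPF and DKIM results rather than relying on domain comparison alone.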