Offline flowjob

Shadow Mails
« on: May 14, 2012, 08:11:39 pm »
SMTP, short for Simple Mail Transfer Protocol, is one of the most commonly used protocols for sending emails. But how secure is it?

An SMTP mail usually consists of
  • Sender
  • Receiver
  • Subject
  • Date
  • Content
Usually in the format:
Code:
From: mail@example.com
To: mail2@example.com
Subject: TheSubject
Date: Thu, 03 Oct 2012 11:11:11 +0200

TheContent

So we can see that the important information (sender, receiver, subject) is stored in the header of the mail. Also, the protocols for reading mails (IMAP, POP3) show the sender/receiver/subject stored in the header. This is definitely one of the most important security leaks of SMTP, as someone who writes a mail by hand (e.g. with a command line or script) can manipulate this data to show a different sender/receiver.
These manipulated mails are called Shadow Mails.

To create a Shadow Mail you will have to write it by hand with a telnet connection to an SMTP server or by using a scripting language.

So here is an example of how you could create a mail with a fake sender in Python:
Code:
# Python 2.7.2
from email.message import Message
import smtplib

msg = Message()
msg['From'] = 'notme@example.com'        # header sender shown to the reader
msg['To'] = 'receiver@example.com'
msg['Subject'] = 'Shadow Mail'
msg['Date'] = 'Mon, 14 Apr 2012 20:00:41 +0200'
msg.set_payload('This is a Shadow Mail...') # <-- Content of the mail
text = msg.as_string() # <-- Serializes the message into the header/body format shown above

smtp = smtplib.SMTP('smtp.example.com')
smtp.login('mymail@example.com','mypasswd')
# Envelope sender and recipient: the account the mail is really sent from
smtp.sendmail('mymail@example.com','receiver@example.com',text) # <-- Real mail!
smtp.quit()

Now imagine spam bots would use this too...
You wouldn't be able to know if it's the real sender or a fake sender...
But this protocol is still in use, but it has to be said that there are already more secure ways, where this trick can't be used anymore (e.g. PGP or SPF).

BTW, if you are too lazy to write the code above again and again, I'm working on a ShadowMail SMTP client right now ^^

Download Executable for Windows, or
Download Python-Compiled for Linux
« Last Edit: May 29, 2012, 01:35:20 pm by Area_13 »
Quote
<phil> I'm gonna DDOS the washing machine with clothes packets.
<deviant_sheep> dont use too much soap or youll cause a bubble overflow
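
Seen from the receiving side, the split between the From header and the real (envelope) sender described in the post above can be checked mechanically. The following is an added example, not part of the original thread: it compares the From header domain with the envelope sender recorded in Return-Path and reads the receiving server's Authentication-Results header. The sample message, host names and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread): the visible From header and the
# envelope sender recorded by the receiving server in Return-Path disagree.
RAW = """\
Return-Path: <mymail@example.com>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=mymail@example.com; dkim=none; dmarc=fail header.from=example.org
From: notme@example.org
To: receiver@example.com
Subject: Shadow Mail
Date: Mon, 14 May 2012 20:00:41 +0200

This is a Shadow Mail...
"""

def domain(addr):
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts, e.g. {'spf': 'pass', 'dmarc': 'fail'}.
    Only trust this header when it was added by your own receiving server."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def spoof_indicators(raw):
    """Return a list of reasons to distrust the From header of a raw message."""
    msg = message_from_string(raw)
    from_dom, env_dom = domain(msg["From"]), domain(msg["Return-Path"])
    verdicts = auth_results(msg)
    findings = []
    if env_dom and from_dom != env_dom:
        findings.append("From domain %s != envelope domain %s" % (from_dom, env_dom))
    if verdicts.get("dmarc") != "pass":
        findings.append("dmarc=%s" % verdicts.get("dmarc", "missing"))
    return findings

if __name__ == "__main__":
    for finding in spoof_indicators(RAW):
        print(finding)
```

Note that spf=pass in the sample only covers the envelope domain; it is the domain mismatch and the DMARC verdict that expose the forged From header.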

Offline ca0s

Re: Shadow Mails
« Reply #1 on: May 14, 2012, 08:22:39 pm »
Those emails will most likely get marked as spam (if not just dropped) when received in any decent email service. They have ways to detect source spoof (for example, just check the domain's IP against real address).
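
One standardized form of the check described in this reply is SPF, which the first post mentions: the sender's domain publishes which IP addresses may send for it, and the receiver compares the connecting IP against that list. The following is an added example, not part of the original thread: it evaluates the ip4/ip6/all mechanisms of an SPF record against a client IP. The records, addresses and function names are constructed, and a dict stands in for the DNS TXT lookup.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record; in production this comes from a DNS TXT lookup.
TXT = {"example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"}

def spf_check(record, client_ip):
    """Evaluate an SPF record left to right; the first matching mechanism wins.
    Mechanisms that need further DNS lookups are reported as 'needs-dns'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                          # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    redirect = False
    for term in terms[1:]:
        qual = "+"                             # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if "=" in name:                        # modifier (redirect=, exp=)
            redirect = redirect or name.startswith("redirect=")
            continue
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        return "needs-dns"                     # a, mx, include, exists, ptr
    return "needs-dns" if redirect else "neutral"

def check_envelope(mail_from, client_ip, txt=TXT):
    """SPF is evaluated for the envelope sender's domain, not the From header."""
    dom = mail_from.rpartition("@")[2].lower()
    return spf_check(txt.get(dom, ""), client_ip)

if __name__ == "__main__":
    print(check_envelope("mymail@example.com", "192.0.2.25"))    # listed range
    print(check_envelope("mymail@example.com", "198.51.100.7"))  # unlisted host
```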

Offline flowjob

Re: Shadow Mails
« Reply #2 on: May 14, 2012, 08:33:18 pm »
Quote from: ca0s
Those emails will most likely get marked as spam (if not just dropped) when received in any decent email service. They have ways to detect source spoof (for example, just check the domain's IP against real address).

Neither GMX nor Gmail marks them as spam!
There possibly is such software that detects this, but neither GMX nor Gmail told me that there is something wrong...

Offline Stackprotector

Re: Shadow Mails
« Reply #3 on: May 14, 2012, 09:33:52 pm »
Gmail marks them as spam when the sender name and domain name are not equal, though almost everything else does let it through, like Hotmail, etc.

When you are sending mails yourself, Gmail is less likely to detect it, but I will not try it when doing serious audits.
Always use a phishing-like domain, like facebuuk.com (of course it is already bought), but it is about the idea :)
~Factionwars

Offline flowjob

Re: Shadow Mails
« Reply #4 on: May 14, 2012, 09:52:45 pm »
Weird...
When I tried it with Gmail the mail didn't get marked...

And about phishing: sending a mail back doesn't work, but it's still enough for fake mails or if you want to hide the sender, even though an expert would find out the real mail address...
« Last Edit: May 14, 2012, 09:54:19 pm by Area_13 »

Offline p_2001

Re: Shadow Mails
« Reply #5 on: May 15, 2012, 12:15:58 pm »
Could someone reading tell me how to do the same in C/C++?

I don't know Python...

or maybe point out someplace

Quote from: flowjob
  • Sender
  • Receiver
  • Subject
  • Date
  • Content

oO you forgot "QUIT" as the last string to be sent... just read the protocol and found yours incomplete, dunno if it matters to send "quit" though...

Never mind, got it from Stack Overflow... here is the code:

Code:
#include <iostream>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
using namespace std;

#define HELO "HELO 192.168.1.1\r\n"
#define DATA "DATA\r\n"
#define QUIT "QUIT\r\n"

int sock;
struct sockaddr_in server;
struct hostent *hp;
char buf[BUFSIZ+1];
int len;
const char *host_id = "192.168.1.10";
const char *from_id = "rameshgoli@domain.com";
const char *to_id = "rameshgoli@domain.com";
const char *sub = "testmail\r\n";
char wkstr[100] = "hello how r u\r\n";

/*=====Send a string to the socket and echo it to stdout=====*/
void send_socket(const char *s)
{
    write(sock, s, strlen(s));
    write(1, s, strlen(s));
}

/*=====Read a reply from the socket and echo it to stdout=====*/
void read_socket()
{
    len = read(sock, buf, BUFSIZ);
    if (len > 0)
        write(1, buf, len);
}

/*=====MAIN=====*/
int main(int argc, char* argv[])
{
    /*=====Create Socket=====*/
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1)
    {
        perror("opening stream socket");
        exit(1);
    }
    else
        cout << "socket created\n";

    /*=====Verify host=====*/
    server.sin_family = AF_INET;
    hp = gethostbyname(host_id);
    if (hp == NULL)
    {
        fprintf(stderr, "%s: unknown host\n", host_id);
        exit(2);
    }

    /*=====Connect to port 25 on remote host=====*/
    memcpy(&server.sin_addr, hp->h_addr_list[0], hp->h_length);
    server.sin_port = htons(25); /* SMTP PORT */
    if (connect(sock, (struct sockaddr *) &server, sizeof server) == -1)
    {
        perror("connecting stream socket");
        exit(1);
    }
    else
        cout << "Connected\n";

    /*=====SMTP dialogue: send a command, then read the reply=====*/
    read_socket();              /* SMTP server greeting */
    send_socket(HELO);          /* introduce ourselves */
    read_socket();              /* read reply */
    send_socket("MAIL FROM:<"); /* envelope sender */
    send_socket(from_id);
    send_socket(">\r\n");
    read_socket();              /* sender OK */
    send_socket("VRFY ");
    send_socket(from_id);
    send_socket("\r\n");
    read_socket();              /* VRFY reply */
    send_socket("RCPT TO:<");   /* envelope recipient */
    send_socket(to_id);
    send_socket(">\r\n");
    read_socket();              /* recipient OK */
    send_socket(DATA);          /* headers and body to follow */
    read_socket();              /* wait for the server's go-ahead (354) */
    send_socket("Subject: ");
    send_socket(sub);
    send_socket("\r\n");        /* blank line separates headers from body */
    send_socket(wkstr);
    send_socket(".\r\n");       /* a line with a single dot ends the message */
    read_socket();              /* message accepted */
    send_socket(QUIT);          /* quit */
    read_socket();              /* log off */

    /*=====Close socket and finish=====*/
    close(sock);
    exit(0);
}

Staff edit: Dafuq bro? use CODE tags!
« Last Edit: May 15, 2012, 05:05:04 pm by Kulverstukas »
"Always have a plan"

Offline flowjob

Re: Shadow Mails
« Reply #6 on: May 15, 2012, 05:03:46 pm »
Quote from: p_2001
oO you forgot "QUIT" as the last string to be sent... just read the protocol and found yours incomplete, dunno if it matters to send "quit" though...

Where did I forget it?
I wrote it at the end:
Code:
smtp = smtplib.SMTP('smtp.example.com')
smtp.login('mymail@example.com','mypasswd')
smtp.sendmail('mymail@example.com','receiver@example.com',text) # <-- Real mail!
smtp.quit()
The 'smtp.quit()' sends the 'QUIT' command to the server....

Offline p_2001

Re: Shadow Mails
« Reply #7 on: May 15, 2012, 10:00:03 pm »
^^^^^^^^^

I was talking about the protocol. Your code, of which I read half, was in Python and had a library imported, so I did not read the rest of it... sorry about that...

what you wrote >>>

An SMTP mail usually consists of
  • Sender
  • Receiver
  • Subject
  • Date
  • Content
should be accompanied by
          QUIT

It's easier to write code from the algo rather than from other code lol...
« Last Edit: May 15, 2012, 10:01:37 pm by p_2001 »

Offline flowjob

Re: Shadow Mails
« Reply #8 on: May 29, 2012, 01:40:02 pm »
I looked for the original commands sent via telnet to the server, but I had problems finding the right syntax when logging in with a password; I just found examples without passwords...

BTW, I uploaded the SMTP client now (look at the first post). I kept it simple, as I only publish it on Evilzone, and so only a few people may download it...