http://www.kuai.se/%7Epanik/archive/fakemail.faq

From: John Bambenek (bambenek@alecto.physics.uiuc.edu)
Date: 12/10/96


Reply to: bambenek@alecto.physics.uiuc.edu

Food for thought, Eduardo.  And anyone else that thinks I don't know jack
about what I have been doing for the past 2 years.



> I just threw the following together. Anyone have any suggestions/comments?
> 
> T H E  "F A K E  M A I L"  F A Q
> Version 0.2 950309
> Written by Rourke McNamara
> (rourkem@pobox.com)
> 
> A good number of people have asked me questions about how possible it is
> to "Fake Mail" on the internet. People have asked both because they wanted to
> know if someone could do it to them or because they wanted to do it to someone
> else. I decided that I'd write a small FAQ on the subject and add to it as I
> have time.
> 
> (1) Can people send "fake" mail on the Internet?
> 
> Yes. People can send mail that looks like it came from someone else. People can
> send mail that looks like it was received by more people than actually received
> it. HOWEVER, only very rarely is this mail truly indistinguishable from mail
> that really DID come from the person in question.
> 
> In any case the ONLY real way to be completely sure a message is from a
> particular person is to have that person digitally "sign" the message with
> something like PGP.
> 
> (2) How do you know if a message you have is "fake"?
> 
> You can't always tell for sure. If the person was sloppy the message will have a
> line in the header block (the text above the message with date and subject,
> etc. information) that says something like "Apparently-To:". You can also
> compare the full headers of the message to the full set of headers on another
> message that you have received from that person. If they don't come close to
> matching then ONE OF THEM is probably "fake". Also look for computer names in
> the headers that have nothing to do with your information provider or his
> information provider.
> 
> In order to be better able to spot fake mail you need to understand how it is
> sent. To do that see the section on sending fake mail below.
> 
> The above don't always work. If the person sending the "fake" message is
> particularly crafty he can make the headers look so similar it is nearly
> impossible to catch. In this case you would have to ask the person who 'sent'
> you the message whether or not it was really him.
> 
> (3) Why is it possible to "fake" mail?
> 
> It is possible to fake mail because all computers on the internet send mail
> around using something called SMTP - Simple Mail Transfer Protocol - and it is
> possible for a human to connect to a computer and pretend that it is another
> computer by speaking SMTP. This problem will not go away. Mail programs (both
> clients and SendMail servers) will probably learn to better recognize when
> someone is trying to send fake mail, but they will most likely never be able to
> detect EVERYTHING.
> 
> (4) How can I "fake" mail?
> 
> That is perhaps the question that is hardest to answer and will take the
> longest, so I will start with the basic and most detectable technique and work
> up to the most complicated and hard to detect technique. Of course, faking mail
> REALLY well is not such an easy and mechanical process. It requires some amount
> of creativity in the techniques you apply. So, let's start with the basics....
> 
> (a) The Basics
> 
> To send fake mail you need to pretend that you are a computer transferring mail
> legitimately. You start by telnetting to the SMTP socket (25) on the remote
> computer. For example, if I wanted to telnet to Cornell's SMTP port I would type
> the following from a UNIX prompt:
> -> telnet cornell.edu 25
> 
> Once you have connected you usually have to issue a "helo" command. You
> basically are saying hello to the other computer and telling it who you are. For
> now let's just claim to be the computer that we are sending mail "from". For
> this example let's pretend to be rf34+@andrew.cmu.edu. Let's send this message
> to "jmk17@cornell.edu" (he loves getting junk mail):
> < helo andrew.cmu.edu
> 
> Sometimes there is an error entering that command. Enter it again and it will
> work. After that we have to move on to starting the message and announcing who
> it is from. We do this with the "mail" command. The syntax is "mail from:
> <noone@nowhere.com>" where the <>'s are optional on most systems. In our
> example we would type:
> < mail from: rf34+@andrew.cmu.edu
> 
> After specifying who the mail is from we must specify who the mail is to. We do
> this by using the "rcpt" command. The syntax of this command is "rcpt to:
> <bob@nowhere.com>" where the <>'s are once again optional. This has nothing to
> do with who it APPEARS to get the message. The addresses specified with this
> command will actually receive the message. In our example we would issue the
> command like so:
> < rcpt to: jmk17@cornell.edu
> 
> Next comes the actual message. You then specify that the text of the message is
> to follow by using the "data" command to begin, and end with a "." on a line by
> itself. In our example we would do the following:
> < data
> > (answerback garbage)
> < You suck. I hate you.
> < .
> 
> Now we're almost done. All we have to do now is quit. We do this by typing
> "quit".
> < quit
> 
> (b) What about the headers?
> 
> The above message will be easy to spot as "fake". Instead of saying "To:
> jmk17@cornell.edu" it will say "Apparently To: jmk17@cornell.edu". The same
> will happen with From:, and there will be no subject. To fix these problems we
> must manually enter headers for the message. Here I will just talk about the
> most important headers - To:, From:, Cc:, and Subject:.
> 
> The "To:" header will be who the recipient sees that the message is "To:". If
> the recipient "group replies" he will reply to all people listed after "To:"
> and "Cc:" other than himself.
> 
> The "From:" header specifies who the message is from. You should always have the
> address that you used in the "mail from:" command somewhere here. It looks more
> real if you include the person's real name when issuing this command. One way
> to do that is to have the email address and then the real name in parentheses.
> 
> The "Subject:" line is what appears to the recipient as the subject. End of
> story.
> 
> You enter the headers when entering the message. Let's alter our above example
> so that we want it to look like bob@nowhere.net gets a carbon copy. We don't
> want him to get a copy - we just want jmk17@cornell.edu to think so. All we
> would do is change the second to last step so it looks like this:
> < data
> > (answerback garbage)
> < To: jmk17@cornell.edu
> < From: rf34+@andrew.cmu.edu (Randy Fields)
> < Subject: I hate you!
> < Cc: bob@nowhere.net
> <
> < You suck. I hate you.
> < .
> 
> Note the space between the headers and the message. That is very important.
> 
> Now when jmk17@cornell.edu gets our message it will look like a normal message
> from his friend Randy. If he had extensive knowledge regarding the way mail
> worked he'd be able to figure out that it came from your computer and not
> andrew.cmu.edu by looking at the extended headers. Since jmk17@cornell.edu is
> just your average computer user he can look at the message all day and not see a
> problem with it.
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> This FAQ will be updated periodically. It can be found on Rourke's Home Page at
> URL http://matrix.resnet.upenn.edu/rourke/ _or_
> http://www.seas.upenn.edu/~rourkem
> 
> If you have any questions, suggestions, corrections, or comments please email
> Rourke at rourkem@pobox.com.
> 
> --
> Rourke McNamara
> School of Engineering and Applied Science
> University of Pennsylvania
> rourkem@seas.upenn.edu
> http://matrix.resnet.upenn.edu/rourke/home.html

+-----------------------------------------------------------+
| Ensure that you have read the CircleMUD Mailing List FAQ: |
|   http://cspo.queensu.ca/~fletcher/Circle/list_faq.html   |
+-----------------------------------------------------------+
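Section (2) of the quoted FAQ tells a recipient to look for an "Apparently-To:" header and for computer names in the headers that belong to neither party's provider. The following is an added example, not code from the FAQ or from the mailing list, that applies those two checks to constructed header sets built from the FAQ's own example addresses; the hostnames in parentheses, the IP addresses and the "last two labels" rule for deciding which provider a host belongs to are assumptions of this example.

```python
import re
from email import message_from_string
# Constructed sample headers (not from the FAQ). The receiving MTA records, in parentheses,
# the host that really connected, beside the name that host gave in HELO.
FORGED = """\
Received: from andrew.cmu.edu (dialup42.example-isp.net [192.0.2.42])
 by mail.cornell.edu with SMTP id AA12345; Sat, 9 Mar 1996 12:00:00 -0500
From: rf34+@andrew.cmu.edu (Randy Fields)
Apparently-To: jmk17@cornell.edu
"""
# Constructed sample of a message that took the expected path, for contrast.
GENUINE = """\
Received: from andrew.cmu.edu (po3.andrew.cmu.edu [192.0.2.7])
 by mail.cornell.edu with SMTP id AA12346; Sat, 9 Mar 1996 12:05:00 -0500
From: rf34+@andrew.cmu.edu (Randy Fields)
To: jmk17@cornell.edu
"""
HOST = r'[\w-]+(?:\.[\w-]+)+'   # a dotted hostname

def domain_of(addr):
    """Domain of the first user@host in a header value ('' if there is none)."""
    m = re.search(r'[\w.+-]+@(' + HOST + ')', addr)
    return m.group(1).lower() if m else ''

def org(host):
    """Crude 'provider' key, an assumption of this example: the last two labels
    (andrew.cmu.edu -> cmu.edu). It misjudges names such as example.co.uk."""
    return '.'.join(host.lower().split('.')[-2:])

def received_hosts(msg):
    """Every hostname in the 'from X (Y [ip]) by Z' clauses of the Received: trail."""
    hosts = []
    for rcv in msg.get_all('Received', []):
        rcv = ' '.join(rcv.split())                           # unfold continuation lines
        hosts += re.findall(r'\b(?:from|by)\s+(' + HOST + ')', rcv)
        hosts += re.findall(r'\((' + HOST + r')\s+\[', rcv)   # the host the MTA actually saw
    return [h.lower() for h in hosts]

def suspicious_signs(raw, recipient):
    """The FAQ's two checks: an Apparently-To: header, and hosts in the Received:
    trail that belong to neither the claimed sender's provider nor the recipient's."""
    msg = message_from_string(raw)
    signs = []
    if msg['Apparently-To'] is not None:
        signs.append('Apparently-To: present, so no To: header was supplied in DATA')
    known = {org(domain_of(msg.get('From', ''))), org(domain_of(recipient))}
    for host in received_hosts(msg):
        if org(host) not in known:
            signs.append('Received: trail names %s, unrelated to sender or recipient' % host)
    return signs
```

Run `suspicious_signs(FORGED, 'jmk17@cornell.edu')` to see both signs reported, and the same call on `GENUINE` to see an empty list; as the FAQ warns, a careful forger who connects from a host inside the claimed sender's provider defeats the second check.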



This archive was generated by hypermail 2b30 : 12/18/00 PST