Email spoofing: The story of “Congratulations you have won a lottery” like spam emails


Mail vs E-mail
Back in the old days, when the internet was not so common, we had to rely only on postal/courier services. The only thing that bugs me about traditional mail is its speed. This is where email comes in. It offers numerous benefits: it’s blazing fast; most of the time it’s free; you can attach anything from pictures to videos; from a management point of view you don’t have to maintain a hard folder; and, last but not least, it’s environment friendly. In short, email is one of the greatest inventions of all time.

What is a spam?
I’m not that old, but back in those dial-up connection days there was no such thing as Gmail; most people used either Hotmail or Yahoo Mail for email. The problem with these two email service providers is spam. Spam emails are irrelevant emails sent to you, mostly used for marketing a product or service, but there are cases where spam emails have been used to hack a person through a social engineering attack or session hijacking. Phishing is also associated with spoofed emails; phishing is “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers”.

If you only use Gmail, you are a lucky person, because Google has a very intelligent and sophisticated spam filtering mechanism. Frankly speaking, I don’t get spam at all in my Gmail, but in the case of Ymail or Hotmail … let’s just not talk about it.

What is e-mail spoofing?
In today’s article I will focus on email spoofing. So, the first question you may ask is: what is spoofing? Spoofing, in simple terms, is when Alice pretends to be Bob. Email spoofing is when Alice sends an email to Eve but presents her identity as Bob. When Eve receives the email she thinks that Bob sent it, but he did not.

*PLEASE NOTE THIS TUTORIAL IS FOR EDUCATIONAL PURPOSES ONLY. GENERATING SPOOFED EMAILS OR SPAM IS ILLEGAL AND PUNISHABLE UNDER THE LAW. YOU WILL BE RESPONSIBLE FOR YOUR ACTIONS.*

Platform: Windows 7 (also works on Mac and Linux)

How to spoof an e-mail?
There are different ways of spoofing an email, but I am going to use the “sendmail” program for it. Sendmail is a simple command-line program used to send emails via the SMTP protocol.

1. Go to Google and type “sendmail google code”. Open the page highlighted below.

Searching mailsend googlecode

2. This is what sendmail on google code looks like.

mailsend on googlecode

3. Go to the download section and download the appropriate file. As I am on Windows, I will be downloading the “.exe” file.

downloading the program

4. Open the command line and call the program “mailsend”. As soon as you type mailsend, the first thing it will ask for is the SMTP server. This is a very critical part: if you don’t provide the right SMTP server, your email will not be sent. You have to choose an SMTP server that doesn’t require authentication. I will be using PTCL’s SMTP server, i.e. “smtp.ptcl.com.pk”; this server runs on port 25.

specifying the SMTP server

5. Next, in “from”, enter the email ID of the person you want to spoof. In this case I am making a spoofed email of Bill Gates, i.e. “billgates@microsoft.com”.

from

6. Provide the email ID of the receiver. I am giving my own email ID.

to

7. Enter subject and then write your message, after you have completed your message.

sub + message

8. Press Enter, then press the dot button and press Enter again; a message will pop up saying that your email has been sent.

mail sent

9. Here you can see my inbox has got that spoofed email.

received

10. Inbox overview.

final

You can download the Wireshark file of this session from here:
https://docs.google.com/file/d/0BzXG746ounrhV0VzR0tERXF5M0E/edit

Also, I have made a video of this tutorial over here:
https://vimeo.com/81287459

This is all. I hope this tutorial makes you security conscious. Next time you receive an email asking for your credentials, just think for a moment whether it’s legitimate or not. If you have any suggestions or questions, feel free to ask me.
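
As an added example (not code from the original post), the Python sketch below shows one way a recipient could check the headers of a message like the one received above: it reads the SPF, DKIM and DMARC verdicts that the receiving mail server records in the Authentication-Results header and compares the Return-Path domain with the From domain. The two sample messages, the receiving host name mx.example.org and every verdict in them are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples; hosts and verdicts are illustrative, not captured mail.
SPOOFED = """\
Return-Path: <billgates@microsoft.com>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=microsoft.com;
 dkim=none; dmarc=fail header.from=microsoft.com
From: Bill Gates <billgates@microsoft.com>
Subject: Congratulations

You have won a lottery.
"""
LEGIT = """\
Return-Path: <bounce@example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Alice <alice@example.com>
Subject: Minutes

See attachment.
"""

def domain(value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def spoof_indicators(raw, trusted_authserv="mx.example.org"):
    """List reasons not to trust the From address of a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    # Count only verdicts stamped by our own server (assumed name); senders can add their own.
    auth = " ".join(h for h in msg.get_all("Authentication-Results", [])
                    if h.split(";")[0].strip().lower() == trusted_authserv)
    if not auth:
        findings.append("no Authentication-Results from " + trusted_authserv)
    else:
        for method in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{method}=(\w+)", auth)
            verdict = m.group(1).lower() if m else "missing"
            if verdict != "pass":
                findings.append(f"{method}={verdict}")
    if domain(msg["Return-Path"]) != domain(msg["From"]):
        findings.append("Return-Path domain differs from From domain")
    return findings

if __name__ == "__main__":
    print(spoof_indicators(SPOOFED), spoof_indicators(LEGIT))
```

An empty list means the receiving server vouched for the sender's domain; it says nothing about whether the content of the message is honest.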


8 thoughts on “Email spoofing: The story of “Congratulations you have won a lottery” like spam emails”

    wokattack said:
    December 8, 2013 at 11:16 am

    Reblogged this on SciTechEnergy and commented:
    Very interesting run through of email spoofing:

    Ahmed Usman said:
    December 15, 2013 at 3:05 pm

    pretty smart eh :) !

    Rahat Masood said:
    January 3, 2014 at 7:47 am

    This is an excellent way of describing spam emails…. Thanks for sharing…
    However, can you please provide the mechanisms or ways to prevent spamming? It would be of great interest too…!!

    Keep sharing :)

    satria said:
    March 2, 2014 at 5:41 am

    Type. in a new line and press Enter to end the message, CTRL + C to abort

    but when in a long time why the enter key to send email

      Fowz Masood responded:
      May 6, 2014 at 9:04 am

      try watching the video. it works.

    job offer!!! said:
    September 3, 2014 at 3:25 am

    Spot on with this write-up, I honestly believe this site needs a great
    deal more attention. I’ll probably be back again to read more, thanks for the advice!
