FakeMail

Internet e-mail uses the Simple Mail Transfer Protocol (RFC 821), and it really is simple. Indeed, it's trivial to (superficially) forge an e-mail from someone else on the Internet. All you need to do is telnet to port 25 of the addressee's mail server, do a magic chicken dance (see below), and you've forged e-mail. Many providers are attempting to upgrade to SMTP authentication (RFC 2554).

Fakemail is useful for some purposes, like sending an e-mail notification to yourself from a script, but, as you might have guessed, it is mostly abused. Sometimes the results are funny, such as April Fools' jokes on mailing lists. The Linux kernel mailing list has an off-and-on [tradition] [of] [this]. Probably the most famous fakemail April Fools' joke was JargonFile:KremVax, although it was actually a UseNet posting.

A more ingenious usage is outright parody, as in the [Case of Danny Hellman], who sent an e-mail as if from Ted Rall, a political cartoonist who had at that time recently written a hatchet-job attack on Maus creator Art Spiegelman. That resulted in drawn-out and costly litigation. Fortunately, this type of parody is protected speech under the First Amendment. Most people who have spent a considerable amount of time on the 'Net have witnessed at least one malicious fakemail to a mailing list. [CategoryCase]

Nonetheless, it's rare that you will see fakemail used in a personal attack on someone else. While the cryptonauts will demand everyone switch to PGP, we DefendAgainstParanoia and simply compare the mail headers. They usually are enough to distinguish reality from fiction.

Most people receive several pieces of fakemail a day. We like to call it spam.

Magic chicken dance

Telnet to port 25 of the recipient's mail server and type the following (the server's numbered replies are omitted here).

 HELO example.com
 MAIL FROM:<fakemail@fakedomain.com>
 RCPT TO:<yourself@yourdomain.com>
 DATA
 Date: Sat, 1 Apr 2000 12:34:56 -0500 (EST)
 From: fakemail@fakedomain.com (Joe Q. Fakemail)
 To: yourself@yourdomain.com
 Subject: Hi, I'm fake mail!
 Reply-To: devnul@nowhere.com

 The universe is a figment of its own imagination.
 .
 QUIT

That's about it. The header lines (Date, From, To, Subject, Reply-To) are normally optional, though some mail clients will bounce messages without them; they do serve to make the e-mail look more authentic.

On systems that have an Authentication Server (RFC 931), spoofing your "MAIL FROM:" line will not work. Send yourself fakemail first to check.

See IdentityTheft

Discussion

Nearly all mail servers record the IP address from which the spoof originated in the e-mail itself (in the Received: headers), making it fairly easy to track down the perpetrator. Some will perform a reverse DNS (rDNS) lookup. Some have varying levels of authentication built in, and will alert the recipient to inconsistencies in the headers. A few servers now require EHLO. An increasing number of ISPs, including Earthlink, perform egress filtering on port 25 for dialup users.
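The header comparison recommended earlier on this page, and the Received: stamping described just above, written out as an added example (this is not code from the wiki page): it takes the Received: line the receiving server added, pulls out the peer IP, its reverse DNS name and the HELO name, and compares them with the From: and Reply-To: headers. Every hostname, IP address and queue id in the two sample messages is constructed (reserved documentation ranges and the .example domain), and the Received: layout assumed is the common `from HELO (rDNS [IP])` shape that Postfix and similar MTAs write.

```python
"""Header-consistency check for suspected fakemail.
Added example, not part of the wiki page; all hosts and addresses are made up."""
import re
from email import message_from_string

# Constructed: the page's forged message as it might look once the receiving
# server has stamped a Received: line on it. 203.0.113.0/24 and .example are
# reserved documentation names, so nothing here points at a real host.
SAMPLE = (
    "Received: from example.com (dialup-45.isp.example [203.0.113.45])\n"
    "\tby mail.yourdomain.com (Postfix) with SMTP id 3F1A2B\n"
    "\tfor <yourself@yourdomain.com>; Sat, 1 Apr 2000 12:40:02 -0500 (EST)\n"
    "Date: Sat, 1 Apr 2000 12:34:56 -0500 (EST)\n"
    "From: fakemail@fakedomain.com (Joe Q. Fakemail)\n"
    "To: yourself@yourdomain.com\n"
    "Subject: Hi, I'm fake mail!\n"
    "Reply-To: devnul@nowhere.com\n"
    "\n"
    "The universe is a figment of its own imagination.\n"
)

# Constructed: a comparable message sent through fakedomain.com's own server.
LEGIT = (
    "Received: from mail.fakedomain.com (mail.fakedomain.com [198.51.100.7])\n"
    "\tby mail.yourdomain.com (Postfix) with ESMTP id 3F1A2C\n"
    "\tfor <yourself@yourdomain.com>; Sat, 1 Apr 2000 12:40:02 -0500 (EST)\n"
    "Date: Sat, 1 Apr 2000 12:34:56 -0500 (EST)\n"
    "From: joe@fakedomain.com (Joe Q. Fakemail)\n"
    "To: yourself@yourdomain.com\n"
    "Subject: Hi, I'm real mail!\n"
    "\n"
    "The universe is a figment of its own imagination.\n"
)

# "from <HELO name> (<reverse DNS> [<peer IP>])" as most MTAs write it;
# Postfix writes "unknown" for the reverse-DNS part when the IP has no PTR.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def parse_received(value: str) -> dict:
    """Pull HELO name, reverse-DNS name and peer IP out of one Received: header."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return {}
    rdns = (m["rdns"] or "").lower()
    return {"helo": m["helo"].lower(), "rdns": "" if rdns == "unknown" else rdns, "ip": m["ip"]}


def origin_of(raw: str) -> dict:
    """Each relay prepends its own Received: line, so the last one in the message
    is the hop nearest the sender: the connection the sender actually made."""
    hops = message_from_string(raw).get_all("Received") or []
    return parse_received(hops[-1]) if hops else {}


def domain_of(header_value) -> str:
    """Domain part of the first address in a header value, or '' if none."""
    m = ADDR_RE.search(header_value or "")
    return m.group(0).split("@", 1)[1].lower() if m else ""


def under(name: str, domain: str) -> bool:
    """True when name equals domain or is a host inside it."""
    return bool(name) and (name == domain or name.endswith("." + domain))


def check_headers(raw: str) -> list:
    """Return the disagreements a recipient would otherwise compare by eye;
    an empty list means the headers are consistent with each other."""
    msg = message_from_string(raw)
    hop = origin_of(raw)
    if not hop:
        return ["no parseable Received: header, origin unknown"]
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # The HELO name is whatever the sender typed, so it is only ever checked
    # against the server-side reverse DNS, never trusted on its own.
    if hop["rdns"] and not (under(hop["rdns"], hop["helo"]) or under(hop["helo"], hop["rdns"])):
        findings.append(f"HELO name {hop['helo']} does not match reverse DNS {hop['rdns']}")
    if not hop["rdns"]:
        findings.append(f"peer {hop['ip']} has no reverse DNS")
    if not under(hop["rdns"], from_dom):
        findings.append(f"From: claims {from_dom} but the mail arrived from {hop['ip']} ({hop['rdns'] or 'no rDNS'})")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To: goes to {reply_dom}, not the From: domain {from_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("forged", SAMPLE), ("legit", LEGIT)):
        print(label, check_headers(raw) or ["headers consistent"])
```

Run as a script, the forged sample reports three disagreements (HELO versus reverse DNS, From: domain versus the connecting host, and a Reply-To: pointing elsewhere) while the legitimate sample reports none. The peer IP and reverse DNS come from the receiving server and are the part a sender cannot rewrite, which is why this is usually enough to tell reality from fiction without anyone switching to PGP.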

CategoryHacking
