Section 3.3. Forging Your Own Headers



There are good reasons why you might want to forge the headers of your own messages. I have several scripts that run as root and send out notification emails whenever certain events take place. I don't want people replying to root, so I forge the From address to either my address or that of the recipient. This is a useful technique that illustrates just how easy it is to generate spam.

You can try this for yourself using sendmail on a Unix system. Regular mail clients like Outlook and Thunderbird are not set up to do this. Start by writing a simple message to yourself in a file using an editor. Put your address in the To line and set the From line to whatever you like. In this example, I am going to impersonate someone at O'Reilly. Add a Reply-To header and even make up your own Message-Id. For example:

     To: XYZ@craic.com
     From: ABC@oreilly.com
     Reply-To: ABC@oreilly.com
     Message-Id: <12345678@oreilly.com>
     Subject: Test

     Hello World

Give sendmail the -t flag so that it takes the recipient addresses from the To header in the file rather than from the command line:

     % /usr/lib/sendmail -t < test_message 

The message as received should look similar to this:

     Return-Path: <root@biotech.craic.com>
     Received: from biotech.craic.com (biotech.craic.com [208.12.16.3])
             by gateway.craic.com (8.11.6/8.11.6)
             with ESMTP id j21NSQ721278
             for <XYZ@craic.com>; Tue, 1 Mar 2005 15:28:26 -0800
     Date: Tue, 1 Mar 2005 15:28:21 -0800
     Reply-To: ABC@oreilly.com
     Message-Id: <12345678@oreilly.com>
     To: XYZ@craic.com
     From: ABC@oreilly.com
     Subject: Test

     Hello World

While this looks totally convincing when viewed in a mail client, the headers still show the correct Return-Path and hostname for the sender. You can fix the first of these problems by giving sendmail the From address with the -f option, which sets the envelope sender that the receiving system records as the Return-Path:

     % /usr/lib/sendmail -t -fABC@oreilly.com < test_message 

To change the hostname, you need to edit the line in the /etc/hosts file that contains the sender's IP address, because that lookup is where sendmail gets the name it announces to the receiving mail server. The fake hostname should precede the real one, like this:

     208.12.16.3   bogus.oreilly.com   biotech.craic.com 

With both of these in place, the headers of the received message are close to what you want:

     Return-Path: <ABC@oreilly.com>
     Received: from bogus.oreilly.com (biotech.craic.com [208.12.16.3])
             by gateway.craic.com (8.11.6/8.11.6)
             with ESMTP id j21Mui721208
             for <XYZ@craic.com>; Tue, 1 Mar 2005 14:56:44 -0800
     Date: Tue, 1 Mar 2005 14:56:44 -0800
     Reply-To: ABC@oreilly.com
     Message-Id: <12345678@oreilly.com>
     To: XYZ@craic.com
     From: ABC@oreilly.com
     Subject: Test

All I would need to do to make this a near perfect forgery is remove the reverse DNS table entry for biotech. It's that easy.
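The traces the text points at (a Return-Path that disagrees with From, and a Received line whose announced HELO name disagrees with, or lacks, the reverse DNS name the gateway recorded) are exactly what an investigator checks first. The following Python script is an added example, not from the book, that runs those checks over the first received message above; it assumes sendmail's "from HELO (RDNS [IP])" trace clause as shown in the headers, and the sample message is constructed from them.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the first forged message above, as the gateway delivered it.
SAMPLE_MSG = """\
Return-Path: <root@biotech.craic.com>
Received: from biotech.craic.com (biotech.craic.com [208.12.16.3])
        by gateway.craic.com (8.11.6/8.11.6)
        with ESMTP id j21NSQ721278
        for <XYZ@craic.com>; Tue, 1 Mar 2005 15:28:26 -0800
Date: Tue, 1 Mar 2005 15:28:21 -0800
Reply-To: ABC@oreilly.com
Message-Id: <12345678@oreilly.com>
To: XYZ@craic.com
From: ABC@oreilly.com
Subject: Test

Hello World
"""

# sendmail trace clause "from HELO (RDNS [IP])"; RDNS is absent when the IP has no reverse entry.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9.]+)\]\)")

def domain_of(addr):
    """Lower-cased domain part of an address header value ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def in_domain(host, dom):
    """True when host is dom itself or a host underneath it."""
    return bool(dom) and (host == dom or host.endswith("." + dom))

def header_inconsistencies(raw):
    """List the ways the claimed sender disagrees with the trace headers."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    findings = []
    if rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    for rcv in msg.get_all("Received", []):
        m = RECEIVED_RE.search(rcv)
        if not m:
            continue
        helo, rdns, ip = m.group(1).lower(), (m.group(2) or "").lower(), m.group(3)
        if not rdns:
            findings.append(f"no reverse DNS for {ip} (HELO name {helo})")
        elif helo != rdns:
            findings.append(f"HELO name {helo} differs from reverse DNS {rdns} for {ip}")
        if rdns and not in_domain(rdns, from_dom):
            findings.append(f"sending host {rdns} is not in From domain {from_dom}")
    return findings
```

Running header_inconsistencies(SAMPLE_MSG) reports both the Return-Path mismatch and that biotech.craic.com is not an oreilly.com host; after the -f and /etc/hosts changes only the HELO versus reverse DNS disagreement and the host's real domain remain, and once reverse DNS is gone the missing name itself is the finding.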



Internet Forensics
ISBN: 059610006X
Year: 2003
Pages: 121
