3.3. Forging Your Own Headers

There are good reasons why you might want to forge the headers of your own messages. I have several scripts that run as root and send out notification emails whenever certain events take place. I don't want people replying to root, so I forge the From address to either my address or that of the recipient.

This is a useful technique that illustrates just how easy it is to generate spam. You can try this for yourself using sendmail on a Unix system. Regular mail clients like Outlook and Thunderbird are not set up to do this.

Start by writing a simple message to yourself in a file using an editor. Put your address in the To line and set the From line to whatever you like. In this example, I am going to impersonate someone at O'Reilly. Add a Reply-To header and even make up your own Message-Id. For example:

    To: XYZ@craic.com
    From: ABC@oreilly.com
    Reply-To: ABC@oreilly.com
    Message-Id: <12345678@oreilly.com>
    Subject: Test

    Hello World

Tell sendmail to read those headers from the file rather than the command line by giving it the -t flag.

    % /usr/lib/sendmail -t < test_message

The message as received should look similar to this:

    Return-Path: <root@biotech.craic.com>
    Received: from biotech.craic.com (biotech.craic.com [208.12.16.3])
        by gateway.craic.com (8.11.6/8.11.6) with ESMTP id j21NSQ721278
        for <XYZ@craic.com>; Tue, 1 Mar 2005 15:28:26 -0800
    Date: Tue, 1 Mar 2005 15:28:21 -0800
    Reply-To: ABC@oreilly.com
    Message-Id: <12345678@oreilly.com>
    To: XYZ@craic.com
    From: ABC@oreilly.com
    Subject: Test

    Hello World

While this looks totally convincing when viewed in a mail client, the headers still show the correct Return-Path and hostname for the sender. You can fix the first of these problems by specifying the From address as a command-line option, thus:

    % /usr/lib/sendmail -t -fABC@oreilly.com < test_message

To change the hostname, you need to edit the line in the /etc/hosts file that contains the sender's IP address. The fake hostname should precede the real one, like this:

    208.12.16.3 bogus.oreilly.com biotech.craic.com

With both of these in place, the headers of the received message are close to what you want:

    Return-Path: <ABC@oreilly.com>
    Received: from bogus.oreilly.com (biotech.craic.com [208.12.16.3])
        by gateway.craic.com (8.11.6/8.11.6) with ESMTP id j21Mui721208
        for <XYZ@craic.com>; Tue, 1 Mar 2005 14:56:44 -0800
    Date: Tue, 1 Mar 2005 14:56:44 -0800
    Reply-To: ABC@oreilly.com
    Message-Id: <12345678@oreilly.com>
    To: XYZ@craic.com
    From: ABC@oreilly.com
    Subject: Test

All I would need to do to make this a near perfect forgery is remove the reverse DNS table entry for biotech. It's that easy.
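The receiving side of this story is what matters to an investigator: even the "near perfect" version above leaves the reverse DNS name and IP address in the Received header, and those can be checked against the other headers. The following script is an added example, not code from the book; it parses the two received messages shown above (embedded here verbatim as constructed samples) and reports the inconsistencies a mail gateway or analyst would look for: a HELO name that differs from the reverse DNS name the gateway recorded, and From, Message-Id and Return-Path domains that do not agree with that reverse DNS name or with each other. The finding codes and the `base_domain` heuristic are this example's own conventions, not something the text defines.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: the first received message from the text (correct Return-Path and hostname).
FIRST_ATTEMPT = """\
Return-Path: <root@biotech.craic.com>
Received: from biotech.craic.com (biotech.craic.com [208.12.16.3]) by gateway.craic.com (8.11.6/8.11.6) with ESMTP id j21NSQ721278 for <XYZ@craic.com>; Tue, 1 Mar 2005 15:28:26 -0800
Date: Tue, 1 Mar 2005 15:28:21 -0800
Reply-To: ABC@oreilly.com
Message-Id: <12345678@oreilly.com>
To: XYZ@craic.com
From: ABC@oreilly.com
Subject: Test

Hello World
"""

# Constructed sample 2: the message after the -f option and the /etc/hosts change.
FORGED_MESSAGE = """\
Return-Path: <ABC@oreilly.com>
Received: from bogus.oreilly.com (biotech.craic.com [208.12.16.3]) by gateway.craic.com (8.11.6/8.11.6) with ESMTP id j21Mui721208 for <XYZ@craic.com>; Tue, 1 Mar 2005 14:56:44 -0800
Date: Tue, 1 Mar 2005 14:56:44 -0800
Reply-To: ABC@oreilly.com
Message-Id: <12345678@oreilly.com>
To: XYZ@craic.com
From: ABC@oreilly.com
Subject: Test

Hello World
"""

# sendmail-style Received clause: "from <HELO name> (<reverse DNS name> [<IP>])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[^\]]+)\]\)", re.IGNORECASE
)


def parse_received(value):
    """Extract HELO name, reverse DNS name and IP from one Received header, or None."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {"helo": m.group("helo").lower(), "rdns": m.group("rdns").lower(), "ip": m.group("ip")}


def addr_domain(value):
    """Domain part of an address-like header value such as '<ABC@oreilly.com>'."""
    return parseaddr(value or "")[1].partition("@")[2].lower()


def base_domain(host):
    """Crude registrable-domain heuristic (last two labels); assumption of this example."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_headers(raw_message):
    """Return {finding_code: explanation} for header inconsistencies in a raw message."""
    msg = message_from_string(raw_message)
    findings = {}
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    if not hops:
        findings["no_received"] = "no parseable Received header"
        return findings
    # Headers are prepended by each relay, so the last Received line is the earliest hop:
    # the one written by the first server that accepted the message.
    origin = hops[-1]
    rdns_base = base_domain(origin["rdns"])
    from_dom = addr_domain(msg.get("From"))
    rp_dom = addr_domain(msg.get("Return-Path"))
    msgid_dom = addr_domain(msg.get("Message-Id"))

    if origin["helo"] != origin["rdns"]:
        findings["helo_rdns_mismatch"] = (
            f"sender announced itself as {origin['helo']} but {origin['ip']} resolves to {origin['rdns']}"
        )
    if from_dom and base_domain(from_dom) != rdns_base:
        findings["from_rdns_mismatch"] = f"From domain {from_dom} differs from origin host {origin['rdns']}"
    if msgid_dom and base_domain(msgid_dom) != rdns_base:
        findings["msgid_rdns_mismatch"] = f"Message-Id domain {msgid_dom} differs from origin host {origin['rdns']}"
    if rp_dom and from_dom and base_domain(rp_dom) != base_domain(from_dom):
        findings["returnpath_from_mismatch"] = f"Return-Path domain {rp_dom} differs from From domain {from_dom}"
    return findings


if __name__ == "__main__":
    for label, sample in (("first attempt", FIRST_ATTEMPT), ("forged", FORGED_MESSAGE)):
        print(label)
        for code, detail in audit_headers(sample).items():
            print(f"  {code}: {detail}")
```

Run stand-alone, the first message is flagged on the From, Message-Id and Return-Path domains, and the second loses the Return-Path finding (the -f option fixed it) but gains the HELO/reverse-DNS mismatch that the /etc/hosts trick introduces. Only the final step the author mentions, removing the reverse DNS entry, would silence that last check, which is why an analyst treats the IP address in the earliest Received header as the one fact that cannot be edited away by the sender.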