Google Spoof Mail fun

So, you want to spoof mail? It may or may not be as difficult as you think it is. There are many ways of spoofing mail. We shall discuss the two most often used methods.

The easy one:

Google Homepage is introducing a lot of widgets; one of them is the mini mail service, which requires no configuration. This can be exploited to send fake mails. Simply log on to your Google account, go to http://www.google.com/ig, click the “add content” button in the top left corner and search for the mini mail widget. Else visit this url to get it directly. The rest is easy: enter the email ids, enter the text and have fun.

The only drawback is that you can’t edit the name of the sender, which means the victim will receive a mail where the sender name is the email id. This is not desirable, since the victim may figure out it’s a spoof mail. Further, you can’t edit the “reply-to” field either. This is where the harder method comes into play.

The harder method:

If you have basic computer knowledge and some idea of networking (esp. telnet) this guide will be simple for you and you can skip most of this tutorial. If you don’t, read through this whole tutorial.


Mail can be sent over telnet on port 25; this is SMTP (Simple Mail Transfer Protocol). Basically, you set up a connection and execute several commands to send your mail. But if you have a basic e-mail account, have gotten a few letters from Yahoo users and looked at the headers, you probably know that they come from very different servers: “mta135.mail.yahoo.com”, “sbt854.mail.yahoo.com” etc.

So when mail is sent, how does it know which server to go to? There are literally thousands. Well, the answer is MX (Mail Exchange) records; these keep a record of which servers accept mail for which domain (no, you don’t need to access this illegally). Ok, so just like a real mail server we need to inquire about some things.

First let’s figure out who we’re sending the spoof mail to, say “ganeshapp@mail.example.com”. Now memorize the entire domain (everything after the “@”); for this example it is “mail.example.com”, although usually it will not have a sub-domain (“yahoo.com”, “hotmail.com”, etc.).

Now, I hope you’re using Microsoft Windows. Start a command prompt; if you don’t know how to do that, press the Windows key + R, a Run window should come up, type “cmd” and press enter. Okies, now you’re in the command prompt, and your primary objective is to find the MX server. Who can help you?

Nslookup! Type in “nslookup” and press enter; this should bring up a “>” prompt. If it works, type in “set type=mx” and press enter. Guess what that does? Yes, now nslookup will look for MX servers associated with whatever you type in. Now recall what I asked you to memorize earlier (everything after the “@”); this is your recipient’s domain. Type it in and press enter. You should get a couple of lines of response info; look for “Non authoritative answer:”. Below that you should see a list of servers (possibly only one) and their “MX preference”.

What does this mean? Well, when mail is sent to these servers, first the one with the lowest MX preference (1) takes it. If there are multiple servers with the same MX preference, mail is distributed evenly among them. Each server with an MX preference above one is a “backup server”: in the case of a DoS, DDoS or DRDoS attack the first MX server will consume all of the malicious traffic, and the backup servers will get to work on their real mail.

So now we understand that the server with the highest number for MX preference will most likely NOT be in use. So let’s write it down; pretend that for our “mail.example.com” query we got:

Non authoritative answer:
mail.example.com MX preference = 3, mail exchanger = server3.mx.mail.example.com
mail.example.com MX preference = 2, mail exchanger = server2.mx.mail.example.com
mail.example.com MX preference = 1, mail exchanger = server1.mx.mail.example.com

So we pick “server3.mx.mail.example.com”, since it has the highest number for MX preference and therefore will be used the least. Now we know where to connect to! YAY! Let’s exit nslookup by typing “exit” and pressing enter.
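As an added illustration (my code, not part of the original post), here is a small Python script that parses nslookup-style MX output like the listing above and orders the exchangers the way a sending mail server actually does: the lowest preference value is tried first, equal values form one group of interchangeable hosts, and higher values are the backups that only see traffic when every host in the groups before them fails. The sample output is constructed to match the made-up server names above, and the function names are mine. For a mail administrator the point is that backup MX hosts accept connections directly from the internet, so they need exactly the same relay and sender policy as the primary.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed nslookup output in the shape of the listing in the post
NSLOOKUP_OUTPUT = """\
Non authoritative answer:
mail.example.com        MX preference = 3, mail exchanger = server3.mx.mail.example.com
mail.example.com        MX preference = 2, mail exchanger = server2.mx.mail.example.com
mail.example.com        MX preference = 1, mail exchanger = server1.mx.mail.example.com
"""

# One nslookup MX line: "<domain> MX preference = <n>, mail exchanger = <host>"
_MX_RE = re.compile(r"^\s*(\S+)\s+MX preference = (\d+),\s*mail exchanger = (\S+)\s*$")

MxRecord = Tuple[int, str]  # (preference, exchanger host)


def parse_mx(text: str) -> List[MxRecord]:
    """Pick the MX lines out of nslookup output; any other line is ignored."""
    records: List[MxRecord] = []
    for line in text.splitlines():
        m = _MX_RE.match(line)
        if m:
            # normalise the host: drop a trailing dot, lower-case
            records.append((int(m.group(2)), m.group(3).rstrip(".").lower()))
    return records


def delivery_order(records: List[MxRecord]) -> List[List[str]]:
    """Group exchangers by preference, lowest value first.

    A sending server works through the groups in this order and only moves
    to the next group when every host in the current one fails; hosts within
    a group are equal alternatives, so they are returned as a group rather
    than as a strict ordering.
    """
    groups: Dict[int, List[str]] = defaultdict(list)
    for pref, host in records:
        groups[pref].append(host)
    return [sorted(groups[p]) for p in sorted(groups)]


def primary_exchangers(records: List[MxRecord]) -> List[str]:
    """Hosts that receive mail under normal conditions (lowest preference)."""
    order = delivery_order(records)
    return order[0] if order else []


def backup_exchangers(records: List[MxRecord]) -> List[str]:
    """Every host after the first group: these normally see little legitimate
    traffic, which is why they must enforce the same relay/sender policy."""
    return [host for group in delivery_order(records)[1:] for host in group]


if __name__ == "__main__":
    recs = parse_mx(NSLOOKUP_OUTPUT)
    print("primary:", primary_exchangers(recs))
    print("backup :", backup_exchangers(recs))
```

Run it as a script to see the split for the sample, or feed `parse_mx` the pasted output of your own `nslookup -type=mx` query.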

Now we need to connect to “server3.mx.mail.example.com” (remember, I made this up; there is no “server3.mx.mail.example.com”). Type in:

“telnet server3.mx.mail.example.com 25”

The format for telnet is “telnet [server] [port]”, so the previous should be self-explanatory. Now there are various response codes you need to know:

220 is a greeting on connection

221 is a goodbye on a proper connection close

250 is your new favorite number, the ok code

354 means “Start data input” (main message)

421 is service not available

451 is a connection drop

501 is a syntax error

502 means you entered a non-existent command

550 is no such user (sending to a non-existent address)

There might be others which I am forgetting. Immediately you should get a 220; whatever it says after the code does not matter. If it says “Gotcha hacker, the cops are on their way to your house NOW!” don’t be scared off; this can be configured to say anything.
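As an added example (my code, not the post’s), the following Python parses SMTP replies like the ones listed above, including multi-line replies, where a hyphen right after the code means more lines follow and a space marks the last line, and the optional enhanced status code (the RFC 3463 “5.7.1” style) that modern servers add after the three-digit code. The sample replies are constructed; the 550 one has the shape of the relay refusal quoted in the comments below, with a documentation IP substituted. Reading these replies correctly is what tells you whether a server accepted, deferred or rejected a transaction, and a 5.7.x status specifically signals a policy rejection rather than a bad address.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Meaning of the reply codes the post lists (RFC 5321 wording)
REPLY_MEANING = {
    220: "service ready (greeting)",
    221: "closing connection",
    250: "requested action OK",
    354: "start mail input; end with <CRLF>.<CRLF>",
    421: "service not available",
    451: "requested action aborted: local error",
    501: "syntax error in parameters",
    502: "command not implemented",
    550: "mailbox unavailable / action not taken",
}

# Constructed sample replies (192.0.2.10 is a documentation address)
GREETING = "220 mx.example.test ESMTP ready\r\n"
REFUSAL = (
    "550-5.7.1 [192.0.2.10] The IP you're using to send email is not authorized\r\n"
    "550-5.7.1 to send email directly to our servers. Please use\r\n"
    "550 5.7.1 the SMTP relay at your service provider instead.\r\n"
)

# code, separator ('-' = more lines follow, ' ' = last line), an optional
# enhanced status code such as 5.7.1, then free text
_LINE_RE = re.compile(r"^(\d{3})([ -])(?:(\d\.\d{1,3}\.\d{1,3}) )?(.*)$")


@dataclass
class SmtpReply:
    code: int
    enhanced: Optional[str] = None          # e.g. "5.7.1", None if absent
    lines: List[str] = field(default_factory=list)

    @property
    def category(self) -> str:
        """First digit: 2xx ok, 3xx more input wanted, 4xx retry later, 5xx give up."""
        return {2: "success", 3: "intermediate",
                4: "transient failure", 5: "permanent failure"}.get(self.code // 100, "unknown")

    @property
    def meaning(self) -> str:
        return REPLY_MEANING.get(self.code, "code not in the list above")


def parse_reply(raw: str) -> SmtpReply:
    """Parse one complete reply (one or more lines). Raises ValueError when a
    line is malformed, the code changes mid-reply, or the continuation
    markers do not add up to exactly one final line."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l]
    if not lines:
        raise ValueError("empty reply")
    reply: Optional[SmtpReply] = None
    for idx, line in enumerate(lines):
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        code, sep, enhanced, text = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        if reply is None:
            reply = SmtpReply(code=code, enhanced=enhanced)
        elif code != reply.code:
            raise ValueError("reply code changed in the middle of a reply")
        reply.lines.append(text)
        is_last = idx == len(lines) - 1
        # '-' must appear on every line except the last; ' ' only on the last
        if (sep == "-") == is_last:
            raise ValueError("continuation marker does not match line position")
    return reply


def parse_or_none(raw: str) -> Optional[SmtpReply]:
    """Convenience wrapper that swallows parse errors."""
    try:
        return parse_reply(raw)
    except ValueError:
        return None


def is_policy_rejection(reply: SmtpReply) -> bool:
    """5.7.x enhanced codes are the 'security or policy status' class."""
    return reply.code // 100 == 5 and (reply.enhanced or "").startswith("5.7.")


if __name__ == "__main__":
    for sample in (GREETING, REFUSAL):
        r = parse_reply(sample)
        print(r.code, r.category, r.meaning, "policy rejection" if is_policy_rejection(r) else "")
```

The regex deliberately refuses anything that is not `ddd` followed by a space or hyphen, so a line of banner text that has lost its code is reported instead of being silently treated as a reply.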

Now, the first thing you need to do so that the server won’t get pissed is say hi. Type in “HELO” and press enter (it doesn’t have to be all caps, that’s just my habit). If you can’t see what you are typing, type in “QUIT” and you’ll exit out; then type in “telnet”, at the “Microsoft Telnet>” prompt type in “set LOCAL_ECHO” and then “quit”, and re-connect. If “HELO” does not return a 250, the admins have gotten a little fake-mail-defensive, so try “EHLO”. You MUST get a 250 for at least one of the two commands before you continue.

Now let’s figure out what we want the from address to be. Let’s pretend that “ganeshapp@mail.example.com” is an immigrant, and we want to scare the crap out of him by sending a fake e-mail from “principal@college.com” saying that he is getting suspended. So, now that we greeted the server, let’s run the “MAIL” command (remember, if you don’t do anything for too long you’ll get a connection close, so type fast). For our example we type in “MAIL FROM: <principal@college.com>” and press enter. Got a 250? Good. Now let’s make sure it gets to the right recipient, with the “RCPT” command: “RCPT TO: <ganeshapp@mail.example.com>”; again you should get a 250. You can put down multiple “RCPT”s to send it to several addresses. Now, time for the main course: type in “DATA” and press enter, and you should get a 354, meaning “Start typing”. First come headers! Headers are important! The format is “[header]: Text of header”; make note of the colon and the space. There are many headers:

Subject: This is the subject.

To: You can put the Name and address of the recipient here, you’ll see the syntax later in the example.

From: Your Name can be as long as you want, but must be followed by an address.

Reply-To: This is the Reply-To address; make note of the hyphen and the capital letters. You can put a name here too, but it’s optional.

MIME-Version: If your letter is plain text, never mind this header; make note of the hyphen and the capital letters.

Content-type: If your letter is plain text, never mind this header; make note of the hyphen and the capital letter.

You may be confused now. Well, to make things simpler, for our example we don’t need “MIME-Version” or “Content-type”, and you won’t need them for most of your life. Maybe later if you are making a cookie-stealer or trying to SE someone’s password, you’ll need “MIME-Version: 1.0” and “Content-type: text/html; charset=iso-8859-1” to send HTML e-mails.

Newbies: Forget what you just read, it will only confuse you more! For now let’s see what we would type in for our example:

Subject: This is your principal, U R D-suspended!
To: Ganesh APP <ganeshapp@mail.example.com>
From: Principal <principal@college.com>
Reply-To: <principal@college.com>

Now, to separate the headers from the main text of our letter, just press enter; leaving an empty line will notify the SMTP interpreter that the headers have ended. After that you can type as much as you want, on as many lines as you want. So how do you end the message? On a separate line type “.” (the period is an SMTP termination character) and your e-mail will be sent. You should get another 250. Then just type “QUIT” to close the connection. You should get a 221. So let’s see what we would type for the example:

Get out of my college, or I’ll send the FBI and CIA after you! They’re vicious I tells ya, VICIOUS! Part this land at once. OR ELSE!
.
QUIT

That should make some sense… I know it really doesn’t. So I’ll just recap with the entire example (comments are after “//”):

// Start by running command prompt.

Message: nslookup // Run nslookup so we can find our server.

Message: set type=mx

Message: mail.example.com

Response: Non authoritative answer:

Response: mail.example.com MX preference = 3, mail exchanger = server3.mx.mail.example.com // Okies, this is the server we need!

Response: mail.example.com MX preference = 2, mail exchanger = server2.mx.mail.example.com

Response: mail.example.com MX preference = 1, mail exchanger = server1.mx.mail.example.com

Message: exit // Exit nslookup.

Message: telnet

Message: set LOCAL_ECHO // Turning on LOCAL_ECHO so we can see what we type.

Message: quit

Message: telnet server3.mx.mail.example.com 25 // Setting up a connection.

Response: 220 Some Message // The greeting on connection.

Message: HELO

Response: 250 Some Message

Message: EHLO // Just in case.

Response: 250 Some Message

Message: MAIL FROM: <principal@college.com>

Response: 250 Some Message

Message: RCPT TO: <ganeshapp@mail.example.com>

Response: 250 Some Message // Remember, you can have multiple “RCPT TO”s

Message: DATA

Response: 354 Some Message

Message: Subject: This is your principal, U R Suspended!

Message: To: Ganesh APP <ganeshapp@mail.example.com>

Message: From: Principal <principal@college.com>

Message: Reply-To: Principal <principal@college.com>

Message: Get out of my college, or I’ll send the FBI and CIA after you!

Message: They’re vicious I tells ya, VICIOUS!

Message: Part this land at once. OR ELSE!

Message: .

Response: 250 Some message

Message: QUIT

Response: 221 Closing Connection…

Good luck with that. Practise before you go for the kill, and never type something wrong: one typo and you will have to start over. Will soon post on how to spoof emails with *nix and Mac.

Disclaimer: The tutorial is only for educational purposes. Bot-Hack doesn’t take responsibility for whatever damage you cause using these techniques. You are on your own to try them.


23 Responses

  1. Good Info. Here I will use only the easier one

  2. thanks da… but spoof again nslookup is not working in my comp :(

  3. This is very informative and you have explained everything so neatly :)
    Although I already knew how to spoof using Telnet long before I read your how-to, I bookmarked this page :)
    Have a great day !

  4. Thank you Nithanth…

  5. Great post. Can’t wait for the Mac version.
    I tried the hack on PC and did not get any response after the telnet server port entry. All I got was a blank prompt screen. Any suggestions?

  6. This is what I was looking for, glad I found it.

  7. I’m defo doing this right, I get 250s all the way but the emails never come through even though it says they have been queued for delivery. It’s hotmail, can they block spoofs or will I be doing something wrong?

  8. Hello, this is a test

  9. hello, this is a…

  10. very good information
    i was able to do everything but after giving “.” to end my message it’s showing the following message

    550-5.7.1 [117.195.163.16] The IP you’re using to send email is not authorized
    550-5.7.1 to send email directly to our servers. Please use
    550 5.7.1 the SMTP relay at your service provider instead. c5si386405nfi.2

    any suggestions

  11. why are you teaching this you moron, do something productive!!

  12. It won’t connect to the server

  13. Does anyone know any good server to spoof? Hotmail says I have a dynamic IP and immediately shuts me down, Yahoo doesn’t work and I’ve also tried some national servers (I’m from Portugal) but the one I use tests the email on the MAIL FROM command :S

  14. Actually this is productive. SMTP is essential. I was taught this in university.

  15. thanks for the tutorial.

    it is always interesting to see, and know, what the nasties are doing and how they do it… helps understand how you can (or can’t, as the case may be) protect against them.

  16. This tutorial is ancient. It’s been on the internet for ages.
    Not only is it plagiarism, it’s outdated information. This won’t work on any major mail services.

