227 lines
8.4 KiB
Plaintext
227 lines
8.4 KiB
Plaintext
How to Send Fake Mail Using SMTP Servers
|
|
|
|
By Hunter
|
|
hunter@wicked.gt.ed.net
|
|
---------------------------------------------------------------------------
|
|
Overview
|
|
SMTP (Simple Mail Transfer Protocol) is the protocol by which Internet mail
|
|
is sent. SMTP servers use this protocol to communicate with other servers
|
|
or mail clients. However, by telneting directly to a mail server and
|
|
manually speaking SMTP, one can easily send mail from any address specified
|
|
- meaning that mail can be sent from fake addresses while the sender's real
|
|
address is untraceable.
|
|
|
|
What is Needed?
|
|
All that you need is a generic telnet client. Local echo should be turned
|
|
on so you can see what you type. Also, it is important to note that SMTP
|
|
servers do not handle backspaces, so you must type everything correctly.
|
|
|
|
How do I Start?
|
|
Telnet to port 25 of your target SMTP server (more on SMTP servers
|
|
selection below). The server should respond with a generic welcome message.
|
|
You will type HELO domain.name. Use any domain name you wish as most
|
|
servers do not check the name against the IP you are telneting from. Type
|
|
MAIL FROM: <from@wherever.com>. This is where the message will appear to be
|
|
from. Next, type RCPT TO: <to@wherever.com>. This specifies who will
|
|
receive the message. Type DATA and type the body of your message. To send
|
|
the message, enter a line with only a period. Type QUIT to disconnect.
|
|
|
|
Sample Session
|
|
|
|
220 hq.af.mil Sendmail 4.1/Mork-1.0 ready at Thu, 14 Mar 96 00:26:46 EST
|
|
HELO prometheus.com
|
|
250 hq.af.mil Hello prometheus.com (prometheus.com), pleased to meet you
|
|
MAIL FROM:<satan@hell.net>
|
|
250 <satan@hell.net>... Sender ok
|
|
RCPT TO:<OJ@simpson.com>
|
|
250 <OJ@simpson.com>... Recipient ok
|
|
DATA
|
|
354 Enter mail, end with "." on a line by itself
|
|
This is the body of my message.
|
|
.
|
|
250 Mail accepted
|
|
QUIT
|
|
221 hq.af.mil delivering mail
|
|
|
|
What about message subjects?
|
|
The subject, date, to, etc. are part of the DATA area. After the DATA
|
|
command, start with date and continue is the fashion illustrated by the
|
|
example code below. Make sure there are no mistakes, because the first
|
|
mistake will cause the data to appear in the body of the message, not
|
|
header. It is interesting, because these fields take precedence over the
|
|
MAIL FROM: and RCPT TO: when displaying. A message can be routed to a
|
|
person even though the message itself appears to be addressed to someone
|
|
else. The key is to type VERY carefully.
|
|
|
|
Example:
|
|
DATA
|
|
Date: 23 Oct 81 11:22:33
|
|
From: SMTP@HOSTY.ARPA
|
|
To: JOE@HOSTW.ARPA
|
|
Subject: Mail System Problem
|
|
|
|
Sorry JOE, your message to SAM@HOSTZ.ARPA lost.
|
|
HOSTZ.ARPA said this:
|
|
.
|
|
End Example
|
|
|
|
Can my mail be traced?
|
|
Yes, the IP address you mailed from can be traced if you are not careful.
|
|
All mail will show a line in the header listing the IP address that you
|
|
originally telneted from. If the person you are sending mail to doesn't
|
|
know much about IP's and the like, you shouldn't worry too much.
|
|
Furthermore, depending on your the nature of your connection, there are
|
|
different implications. For instance, if you have a direct connection, you
|
|
can be easily traced by your IP address. On the other hand, if you have a
|
|
dial-in connection or service such as AOL, you will not have a defined IP
|
|
address. You will be assigned a temporary one. The only way your mail can
|
|
be traced with this type of connection is to check against the dial in
|
|
service's system logs. The take-home message is that you are safe with this
|
|
type of connection unless you do something really stupid. Finally, the best
|
|
case scenario is a public access terminal with no logging. This type
|
|
connection is untraceable.
|
|
Author's Note: I have found some servers that don't log IP. Read No IP SMTP
|
|
Server
|
|
|
|
What SMTP servers can I use?
|
|
An easy (but hit-or-miss) way to find random SMTP servers is to look at web
|
|
addresses on Yahoo! or another search engine. Universities and government
|
|
agencies are always good choices. Find a URL and telnet to port 25. If you
|
|
get a response, you have located an available server. 95% of servers will
|
|
accept your mail. The others will not allow external mail forwarding for
|
|
security reasons. Always test the server first.
|
|
|
|
OR
|
|
|
|
Check Hunter's List of Usable SMTP Servers. All servers on this list have
|
|
been tested and will work. A hyptertext interface makes it easy to use the
|
|
servers.
|
|
---------------------------------------------------------------------------
|
|
|
|
Apocalypse 95
|
|
|
|
Last revision: 3.15.96
|
|
Mail to: hunter@wicked.gt.ed.net
|
|
Hunter's List of SMTP Servers
|
|
|
|
By Hunter
|
|
hunter@wicked.gt.ed.net
|
|
---------------------------------------------------------------------------
|
|
Note: There is no guarantee that the administrators of these servers will
|
|
be happy if you use the servers. I am only acknowledging the existence of
|
|
these servers. For a server that doesn't stamp your IP on the message
|
|
header, read No IP SMTP Server
|
|
|
|
If you have a telnet client set up as a helper app to your web browser,
|
|
simply click on the name of a server to use the server for direct mail.
|
|
Some links may be slow.
|
|
|
|
centerof.thesphere.com
|
|
misl.mcp.com
|
|
jeflin.tju.edu
|
|
arl-mail-svc-1.compuserve.com
|
|
alcor.unm.edu
|
|
mail-server.dk-online.dk
|
|
lonepeak.vii.com
|
|
burger.letters.com
|
|
aldus.northnet.org
|
|
netspace.org
|
|
mcl.ucsb.edu
|
|
wam.umd.edu
|
|
atlanta.com
|
|
elmer.anders.com
|
|
venus.earthlink.net
|
|
urvax.urich.edu
|
|
vax1.acs.jmu.edu
|
|
loyola.edu
|
|
cornell.edu
|
|
brassie.golf.com
|
|
quartz.ebay.gnn.com
|
|
acad.bryant.edu
|
|
palette.wcupa.edu
|
|
utrcgw.utc.com
|
|
umassd.edu
|
|
trilogy.usa.com
|
|
mit.edu
|
|
corp-bbn.infoseek.com
|
|
vaxa.stevens-tech.edu
|
|
ativan.tiac.net
|
|
miami.linkstar.com
|
|
wheel.dcn.davis.ca.us
|
|
kroner.ucdavis.edu
|
|
ccshst01.cs.uoguelph.ca
|
|
server.iadfw.net
|
|
valley.net
|
|
grove.ufl.edu
|
|
cps1.starwell.com
|
|
unix.newnorth.net
|
|
mail2.sas.upenn.edu
|
|
nss2.cc.lehigh.edu
|
|
pentagon.mil
|
|
blackbird.afit.af.mil
|
|
denise.dyess.af.mil
|
|
cs1.langley.af.mil
|
|
wpgate.hqpacaf.af.mil
|
|
www.hickam.af.mil
|
|
wpgate.misawa.af.mil
|
|
guam.andersen.af.mil
|
|
dgis.dtic.dla.mil
|
|
www.acc.af.mil
|
|
redstone.army.mil
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
Apocalypse 95
|
|
|
|
Last revison: 3.30.96
|
|
Mail to: hunter@wicked.gt.ed.net
|
|
Mail Servers with No IP Logging
|
|
|
|
Number of Servers that have updated Sendmail versions due to my list
|
|
[Image]
|
|
|
|
---------------------------------------------------------------------------
|
|
When I wrote How to Send Fake Mail Using SMTP Servers, I said that your
|
|
messages are traceable by your IP address (it will always be stamped in the
|
|
header). Well, slowly, I am finding systems that don't append your IP to
|
|
the message. You can send messages through this servers, using the
|
|
techniques I described in my SMTP fakemail tutorial, and they are totally
|
|
untraceable. If you have a telnet client set as a helper app to your
|
|
broweser, all you have to do is click on the link below, and you will be
|
|
connected to the respective SMTP server.
|
|
|
|
DO NOT DO ANYTHING REALLY STUPID WITH THESE SERVERS. If a server was posted
|
|
on this list, but isn't now, don't use it! Don't say that I didn't warn
|
|
you.
|
|
|
|
cvo.oneworld.com
|
|
www.marist.chi.il.us
|
|
bi-node.zerberus.de
|
|
underground.net
|
|
alcor.unm.edu
|
|
venus.earthlink.net
|
|
mail.airmail.net
|
|
---------------------------------------------------------------------------
|
|
|
|
Apocalypse 95
|
|
|
|
---------------------------------------------------------------------------
|
|
How to find your own IP-Less Severs:
|
|
Finding your own servers that do not append IP to message headers is a
|
|
relatively easy process if you know what to look for. There are many SMTP
|
|
server programs out there. Sometimes you will hit an odd system with an
|
|
unusual server program that you can test by hand. However, the easiest way
|
|
it to look for the more common ones. By far, the easiest to look for is a
|
|
certain older Sendmail version that many systems still use. To find it,
|
|
connect with a server as usual. Examine the welcome text. You are looking
|
|
for a line that looks like the following:
|
|
220 xxxx.xxxx.xxx Smail3.1.29.1 #15 ready at Mon, 10 Jan 96 12:34 EDT
|
|
|
|
The important part is the Smail3.1.29.1. If you find a server with this
|
|
number, 3.1.29.1, or another 3.x.x.x number, you have what you are looking
|
|
for.
|
|
|
|
---------------------------------------------------------------------------
|
|
Last Revision: 4.21.96
|
|
hunter@wicked.gt.ed.net
|