Phishing and the mail delivery process

By Lance James
23 Mar 2006 | SearchDomino.com
The following is tip #2 from "Phishing exposed -- 10 tips in 10 minutes," excerpted from Chapter 3 of the book Phishing Exposed, published by Syngress Publishing.
Every email carries headers recording the servers and clients that handled it on its way from sender to recipient. Many people who use email clients have probably heard of SMTP servers and POP3 servers: within your email client you are asked to enter your email settings for these servers, as shown in Figure 3.
Figure 3 E-Mail Settings
Phishers take advantage of these settings to perform social engineering against the average email user. To understand this concept a bit more, let's quickly review the email protocol.
In a typical email setup, two ports are used: port 25 and port 110. Port 25 carries the Simple Mail Transfer Protocol (SMTP), whose job is to transmit and receive mail; the program doing that is called a Mail Transfer Agent, or MTA. An MTA is comparable to the mail carrier who picks up the mail and sends it off to where it needs to go. Just as the mail carrier drops off and picks up mail, so does the MTA.
Port 110 carries the Post Office Protocol, version 3 (POP3), which is essentially the mailbox from which users pick up their mail. POP3 has an authentication step that lets users log in and retrieve their email, and in most cases, depending on your settings, the client deletes the mail from the server once it has completely retrieved it.
Two practical notes: modern clients usually submit mail on port 587 with authentication rather than on port 25, and both protocols are plaintext unless wrapped in TLS (ports 465 or 587 for SMTP, 995 for POP3), so credentials and message content are readable by anyone on the path.
Raw SMTP Communication
A quick way to comprehend the operations of SMTP is to send an email by hand using Telnet. Telnet is a plain TCP client: it connects to a port on a host and lets you type the protocol line by line in a terminal and read the server's replies. In this case, we will Telnet to port 25 of mail.sendingemail.com:
me@unixshell~$ telnet mail.sendingemail.com 25
Trying 127.0.0.1...
Connected to mail.sendingemail.com.
Escape character is '^]'.
220 mail.sendingemail.com ESMTP
We have successfully established a session with the SMTP or ESMTP (Extended SMTP) server, and it has answered with return code 220. We can now send it commands. The commands typically used to send email are HELO, MAIL FROM, RCPT TO, DATA, and QUIT; these five primary commands control the majority of the protocol. (A client that opens with EHLO instead of HELO gets a multi-line 250 reply listing the extensions the server supports, such as STARTTLS and AUTH.)
To start, we have to identify ourselves
by simply saying HELO:
220 mail.sendingemail.com ESMTP Postfix
HELO sender.sendingemail.com
250 mail.sendingemail.com Hello
sender.sendingemail.com [xx.7.239.24],
pleased to meet you
As you can see, the server greeted us back, echoing the name we gave and the IP address it actually saw us connect from. Technically, we could claim anything in HELO; most SMTP servers will accept it, because the one fact they can verify is our IP address, and they record that IP alongside the claimed name in the Received header they add. A HELO name that does not match the connecting IP (or its reverse DNS) is therefore one of the first things to look for when reading a suspect message's headers.
To send email after the meet and greet,
we want to tell the mail server who the email is from and where it is going:
MAIL FROM: me@sendingemail.com
250 me@sendingemail.com... Sender ok
RCPT TO: you@receivingemail.com
250 you@receivingemail.com... Recipient ok
This code states that the inputs we've entered are okay. In the real world, a properly configured server would reject our RCPT TO: from Telnet, since it is not responsible for receivingemail.com and relaying to another network should be denied. It is allowed here only because we are on our own network and run our own mail server locally. Note that this is a quick and easy way to forge the envelope right at the MAIL FROM: and RCPT TO: fields: from our local network, we can put anything we want in both fields and the server will accept it, with no check that the sender address belongs to us. (The MAIL FROM: address is what the final server writes into the Return-Path: header; the From: line the recipient sees is supplied separately inside DATA and is just as unverified.) This is one basis for some forgery; the other is open relays, which we will get to shortly.
To send our message, we will use the DATA command:
DATA
354 Enter mail, end with "." on a line by itself
Subject: Test E-mail
Here is my data that I would like to send
to you@receivingemail.com. This is essentially the
body of the message and we will close by skipping
a line and entering "."
-me
.
250 I6A2341RR Message accepted for delivery
QUIT
221 mail.sendingemail.com closing connection
Note that the 250 return code revealed an ID for our message. This is the server's queue ID, and it is what we see in the Received header that server adds on the way out (it is not the Message-ID: header, which the sending client normally generates). The message was accepted and queued the moment the server answered 250 to the closing "."; QUIT only closes the session, after which the server delivers from its queue. This is the protocol that SMTP works with. As you can see, it's simple and flexible, which is the exact reason the technology enables so many problems while also offering convenience.
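The dialogue above, as an added example that is not the book's own code: a Python script that runs a tiny SMTP responder on loopback and a client that issues the five commands, recording both sides of the exchange the way a telnet session shows them. The hostnames, the addresses and the queue id are constructed; the server's relay policy is a callable (an assumption for illustration), so the same dialogue can be run once from a client the server trusts and once from one it does not, which is where a real server answers RCPT TO: with a relay-denied error instead of 250.

```python
import socket
import threading

# Added example (not the book's code): an in-process SMTP responder and a client that
# walk HELO / MAIL FROM / RCPT TO / DATA / QUIT as in the telnet session. Hostnames,
# addresses and the queue id are constructed; everything stays on loopback.
LOCAL_DOMAIN = "sendingemail.com"   # the domain the toy server accepts mail for


class TinySmtpServer:   # serves one SMTP session on 127.0.0.1 in a background thread
    def __init__(self, hostname, trusted):
        self.hostname, self.trusted = hostname, trusted   # trusted(peer_ip) -> may relay?
        self.received = []                                # (mail_from, rcpts, data) accepted
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._serve_one, daemon=True)
        self.thread.start()

    def _serve_one(self):
        conn, (peer_ip, _) = self.sock.accept()
        rfile, send = conn.makefile("rb"), lambda s: conn.sendall((s + "\r\n").encode())
        send(f"220 {self.hostname} ESMTP")
        mail_from, rcpts = None, []
        while raw := rfile.readline():
            verb, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
            if verb.upper() in ("HELO", "EHLO"):
                # The HELO name is taken on faith; only peer_ip is known to be true.
                send(f"250 {self.hostname} Hello {arg} [{peer_ip}], pleased to meet you")
            elif verb.upper() == "MAIL":
                mail_from = arg.partition(":")[2].strip().strip("<>")   # envelope sender, unverified
                send(f"250 {mail_from}... Sender ok")
            elif verb.upper() == "RCPT":
                rcpt = arg.partition(":")[2].strip().strip("<>")
                # Relay control: our own domain from anyone, other domains only for trusted clients.
                if rcpt.rpartition("@")[2].lower() != LOCAL_DOMAIN and not self.trusted(peer_ip):
                    send(f"554 5.7.1 <{rcpt}>: Relay access denied")
                else:
                    rcpts.append(rcpt)
                    send(f"250 {rcpt}... Recipient ok")
            elif verb.upper() == "DATA":
                send('354 Enter mail, end with "." on a line by itself')
                body = []
                while (raw := rfile.readline()) and (line := raw.decode(errors="replace").rstrip("\r\n")) != ".":
                    body.append(line[1:] if line.startswith("..") else line)   # undo dot-stuffing
                self.received.append((mail_from, list(rcpts), "\n".join(body)))
                send("250 Ok: queued as 2B3C4D5E6F")   # constructed queue id
            elif verb.upper() == "QUIT":
                send(f"221 {self.hostname} closing connection")
                break
        conn.close()
        self.sock.close()


class SmtpSession:   # client side: send one line and, where a reply is due, check its code
    def __init__(self, port):
        self.sock = socket.create_connection(("127.0.0.1", port))
        self.rfile = self.sock.makefile("rb")
        self.transcript = []   # ("S"/"C", line) in the order a telnet user sees them
        self._expect(220)

    def _expect(self, want):
        line = self.rfile.readline().decode(errors="replace").rstrip("\r\n")
        self.transcript.append(("S", line))
        if line[:3] != str(want):
            raise RuntimeError(line)

    def cmd(self, line, want=None):
        self.transcript.append(("C", line))
        self.sock.sendall((line + "\r\n").encode())
        if want:   # message lines inside DATA get no reply
            self._expect(want)


MESSAGE = "From: me@sendingemail.com\nSubject: Test E-mail\n\nHere is my data.\n-me"


def send_via(server, mail_from, rcpt_to, text):
    """Run the five-command dialogue against `server`; return (accepted, transcript)."""
    s = SmtpSession(server.port)
    try:
        s.cmd("HELO sender.sendingemail.com", 250)
        s.cmd(f"MAIL FROM:<{mail_from}>", 250)
        s.cmd(f"RCPT TO:<{rcpt_to}>", 250)
        s.cmd("DATA", 354)
        for line in text.splitlines():
            s.cmd("." + line if line.startswith(".") else line)   # dot-stuffing
        s.cmd(".", 250)
        accepted = True
    except RuntimeError:
        accepted = False
    s.cmd("QUIT", 221)
    server.thread.join(timeout=2)
    return accepted, s.transcript


def run_demo(trusted):
    """Send MESSAGE through a toy mail.sendingemail.com whose relay policy is `trusted`."""
    srv = TinySmtpServer("mail.sendingemail.com", trusted)
    accepted, transcript = send_via(srv, "me@sendingemail.com", "you@receivingemail.com", MESSAGE)
    return accepted, transcript, srv.received


if __name__ == "__main__":   # once from our own network (loopback), once with relaying denied
    for policy in (lambda ip: ip == "127.0.0.1", lambda ip: False):
        accepted, transcript, _ = run_demo(policy)
        print(f"--- accepted={accepted}\n" + "\n".join(f"{w}: {l}" for w, l in transcript))
```

Run it and compare the two transcripts: the only difference is the reply to RCPT TO:, and in neither case does the server question the MAIL FROM: address or the From: line inside DATA.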
Even this simple delivery involves more machines than the ones we named. Counting the DNS servers consulted at each step, at least eight servers took part in delivering our e-mail, not four: in the process of sending e-mail we query multiple DNS servers to find out where the mail servers are on the Internet. Here is an example of the complete process for sending an e-mail (see Figure 4):
Figure 4 Standard E-Mail Infrastructure
- Create the email, specifying the From, To, Subject, and content.
- After you click Send, the mail client asks your ISP's DNS server for the address of your local mail server (the SMTP server configured in the client) and hands the message to it over port 25.
- The local mail server (mail.sendingemail.com in our example) receives your email and uses the local DNS to do a reverse lookup of the sending client's IP address, recording what it finds.
- After that check, the local mail server adds its headers and relays the mail to mail.receivingemail.com. To find that server, mail.sendingemail.com looks up the mail exchange, or MX, record for receivingemail.com in DNS. The MX record says, in effect, "Hello mail.sendingemail.com, mail.receivingemail.com is handling mail for receivingemail.com." Once our mail server has that answer, it can relay to the proper mail server.
- Once mail.receivingemail.com receives the e-mail, it adds more header information, including routing data and the time received; asks its DNS server for a reverse lookup of mail.sendingemail.com's IP address; and looks up the user you in the domain it handles mail for.
- The email user Receiver contacts mail.receivingemail.com (again via local DNS), connects to the POP3 port (110), logs in, and asks to retrieve the mail. The email is delivered to the email client, and Receiver happily reads it.
Notice that nothing in this chain checks that me@sendingemail.com is genuine: the reverse lookups record which host connected, not whether the sender address belongs to it. Later mechanisms such as SPF, DKIM and DMARC close that gap, but only where the receiving server enforces them.
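The Received: headers that the relaying and receiving servers add in the steps above are the record of this path, and reading them from the bottom up reconstructs it. The following is an added example, not code from the book: it parses a constructed Postfix-style header set (hosts in the RFC 5737 documentation ranges 192.0.2.0/24 and 198.51.100.0/24, made-up queue ids) into one hop per header, puts the hops in travel order, and flags any hop whose HELO name is not backed by the reverse DNS of the connecting address, the mismatch discussed in the HELO section earlier.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Added example (not the book's code). Constructed message in Postfix style: two
# Received: headers, hosts in the RFC 5737 documentation ranges, made-up queue ids.
# Continuation lines are folded with leading whitespace, as in a real header.
SAMPLE = """\
Received: from mail.sendingemail.com (mail.sendingemail.com [192.0.2.25])
    by mail.receivingemail.com (Postfix) with ESMTP id 7C2F1A0B3
    for <you@receivingemail.com>; Tue, 21 Mar 2006 10:15:02 -0500
Received: from sender.sendingemail.com (unknown [198.51.100.7])
    by mail.sendingemail.com (Postfix) with SMTP id I6A2341RR
    for <you@receivingemail.com>; Tue, 21 Mar 2006 10:14:58 -0500
From: me@sendingemail.com
To: you@receivingemail.com
Subject: Test E-mail

Here is my data that I would like to send to you@receivingemail.com.
-me
"""


def parse_received(value):
    """Pull the fields a header reader cares about out of one Received: value."""
    v = " ".join(value.split())                               # unfold the header
    m_from = re.match(r"from (\S+)", v)                       # name the client gave in HELO
    m_addr = re.search(r"\((?:(\S+) )?\[([^\]]+)\]\)", v)     # (rdns [ip]) as the MTA saw it
    m_by = re.search(r"\bby (\S+)", v)                        # the MTA that wrote this header
    m_id = re.search(r"\bid (\S+)", v)                        # that MTA's queue id
    date = v.rpartition(";")[2].strip()                       # timestamp after the final ';'
    return {
        "helo": m_from.group(1) if m_from else None,
        "rdns": m_addr.group(1) if m_addr else None,
        "ip": m_addr.group(2) if m_addr else None,
        "by": m_by.group(1) if m_by else None,
        "id": m_id.group(1) if m_id else None,
        "date": parsedate_to_datetime(date) if date else None,
    }


def trace_path(raw_message):
    """Hops in the order the message travelled: each MTA prepends, so read bottom-up."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def suspicious_hops(hops):
    """Hops where the HELO name is not confirmed by reverse DNS of the connecting IP."""
    return [h for h in hops
            if h["rdns"] in (None, "unknown") or h["rdns"].lower() != (h["helo"] or "").lower()]


if __name__ == "__main__":
    hops = trace_path(SAMPLE)
    for n, h in enumerate(hops, 1):
        print(f"hop {n}: {h['helo']} ({h['rdns']} [{h['ip']}]) -> {h['by']} id {h['id']} at {h['date']}")
    for h in suspicious_hops(hops):
        print(f"check: HELO {h['helo']!r} from {h['ip']} is not backed by reverse DNS ({h['rdns']})")
```

In the sample the first hop is the one to look at: the client announced itself as sender.sendingemail.com, but mail.sendingemail.com could not resolve 198.51.100.7 back to any name, so the only trustworthy fact about that hop is the IP address. The queue id I6A2341RR in that header is the same identifier the server returned in its 250 reply.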

Phishing exposed -- 10 tips in 10 minutes

Home: Introduction
Tip 1: Phishing and email basics
Tip 2: Phishing and the mail delivery process
Tip 3: Anonymous email and phishing
Tip 4: Forging headers and phishing
Tip 5: Open relays, proxy servers and phishing
Tip 6: Proxy chaining, onion routing, mixnets and phishing
Tip 7: Harvesting email addresses and phishing
Tip 8: Phishers, hackers and insiders
Tip 9: Sending spam and phishing
Tip 10: Fighting phishing with spam filters
This chapter excerpt from Phishing Exposed, Lance James, is printed with permission from Syngress Publishing, Copyright 2005.