Forging headers is trivial, but the more appropriate question is, how is it possible? The MTA that we contact via Telnet can demonstrate how easy it is to forge headers. We will be adding Header-1: xxx and Header-2: yyy, which do not indicate anything special but make a great example:
$ telnet mail.sendingemail.com 25 Trying 127.0.0.1... Connected to mail.sendingemail.com. Escape character is '^]'. 220 mail.sendingemail.com ESMTP Postfix HELO hostname 250 mail.sendingemail.com Hello sender.sendingemail.com [xx.7.239.24], pleased to meet you MAIL FROM: firstname.lastname@example.org 250 Ok RCPT TO: email@example.com 250 Ok DATA 354 End data with <CR><LF>.<CR><LF> Header-1: xxx Header-2: yyy Message body. . 250 Ok: queued as 73F50EDD2B QUIT 221 Bye
Now we check our email and find the following e-mail content and header information:
Return-Path: <firstname.lastname@example.org> X-Original-To: email@example.com Delivered-To: firstname.lastname@example.org Received: by mail.sendingemail.com (Postfix, from userid 1999) id D3750EDD2B; Tue, 5 Apr 2005 21:33:55 -0700 (PDT) Received: from hostname (xx.7.239.24) by mail.sendingemail.com (Postfix) with SMTP id 73F50EDD2B for
; Tue, 5 Apr 2005 21:33:37 -0700 (PDT) Header-1: xxx Header-2: yyy Message-Id: <20050406023337.73F50EDD2B@mail.sendingemail.com> Date: Tue, 5 Apr 2005 21:33:37 -0700 (PDT) From: email@example.com To: firstname.lastname@example.org X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on mail.sendingemail.com X-Spam-Status: No, hits=2.3 required=5.0 tests=BAYES_90,NO_REAL_NAME autolearn=no version=2.63 Message body.
We can see that our email has come in from email@example.com and was delivered. Our added headers made it into the email, and those could easily be replaced by fake Received headers, X-headers, and any other content someone wanted to place in there. The flexibility of SMTP struts its stuff when it comes to what can go into an email. At this stage it is up to the email clients to judge whether the email is valid or not.
Phishing exposed -- 10 tips in 10 minutes
Tip 1: Phishing and email basics
Tip 2: Phishing and the mail delivery process
Tip 3: Anonymous email and phishing
Tip 4: Forging headers and phishing
Tip 5: Open relays, proxy servers and phishing
Tip 6: Proxy chaining, onion routing, mixnets and phishing
Tip 7: Harvesting email addresses and phishing
Tip 8: Phishers, hackers and insiders
Tip 9: Sending spam and phishing
Tip 10: Fighting phishing with spam filters
This chapter excerpt from Phishing Exposed, Lance James, is printed with permission from Syngress Publishing, Copyright 2005. Click here for the chapter download.