Anonymous Email
From Hak5
In this article I'll begin showing you how to communicate with SMTP servers directly and how to use that to keep yourself anonymous.
This is pretty much the same way virus writers and spammers are able to send spam and viruses from so many bogus addresses and not get caught.
Let's start by trying to get as much information as we can from the address we are trying to send the mail to.
"Someidiot@hotmail.com"
One of the easiest ways to send forged mail is to use the same mail server the recipient uses.
How do we find it? We'll use the nslookup command that ships with Windows XP. It looks up the domain name using your ISP's DNS servers and returns the mail server's address.
Bring up the command prompt (Start -> Run -> cmd.exe) and give the command nslookup.
C:\Documents and Settings\Cyberspike>nslookup
Default Server:  nsctor1.bellnexxia.net
Address:  209.226.175.223
Now that the tool is running, let's set the query type to mail exchanger (MX) records and look up the domain, in this case "hotmail.com".
> set q=mx
> hotmail.com
Server:  nsctor1.bellnexxia.net
Address:  209.226.175.223

Non-authoritative answer:
hotmail.com     MX preference = 5, mail exchanger = mx2.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx3.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx4.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx1.hotmail.com

hotmail.com     nameserver = ns1.msft.net
hotmail.com     nameserver = ns2.msft.net
hotmail.com     nameserver = ns3.msft.net
hotmail.com     nameserver = ns4.msft.net
hotmail.com     nameserver = ns5.msft.net
mx2.hotmail.com internet address = 65.54.244.40
mx2.hotmail.com internet address = 65.54.190.50
mx2.hotmail.com internet address = 65.54.245.40
mx2.hotmail.com internet address = 65.54.244.168
mx3.hotmail.com internet address = 65.54.244.200
mx3.hotmail.com internet address = 64.4.50.179
mx3.hotmail.com internet address = 65.54.244.72
mx3.hotmail.com internet address = 65.54.245.72
mx4.hotmail.com internet address = 65.54.244.232
mx4.hotmail.com internet address = 65.54.245.104
mx4.hotmail.com internet address = 65.54.190.179
mx4.hotmail.com internet address = 65.54.244.104
mx1.hotmail.com internet address = 65.54.244.136
mx1.hotmail.com internet address = 65.54.244.8
mx1.hotmail.com internet address = 64.4.50.50
mx1.hotmail.com internet address = 65.54.245.8
ns1.msft.net    internet address = 207.46.245.230
ns2.msft.net    internet address = 64.4.25.30
ns3.msft.net    internet address = 213.199.144.151
So what the hell does all this mean? Those are all the DNS results for the domain, but the ones we are really interested in are the "MX preference =" lines. These are the servers the domain wants its mail delivered to, and the lower the number after the equals sign, the more preferred the server. If the server you pick is busy, just move on to the next one.
So let's move on and connect to the server. Exit nslookup and return to your command prompt.
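As an added example (not part of the original article), here is a small Python parser for the nslookup output shown above that applies the rule just described: it pulls out the MX lines and orders the exchangers by preference, lowest number first, keeping tied entries in the order the resolver returned them (RFC 2821, linked at the end of the article, tells a sender to pick among equal-preference hosts at random). The second sample domain, example.com, and its exchanger names are constructed for illustration.

```python
import re
from typing import List, Tuple

# The article's nslookup output for hotmail.com, one record per line as the
# tool prints it (only the lines relevant to MX are reproduced here).
ARTICLE_OUTPUT = """\
Non-authoritative answer:
hotmail.com     MX preference = 5, mail exchanger = mx2.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx3.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx4.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx1.hotmail.com
hotmail.com     nameserver = ns1.msft.net
mx2.hotmail.com internet address = 65.54.244.40
"""

# Constructed sample: a domain with one primary and two backup exchangers,
# listed out of preference order the way a resolver may return them.
CONSTRUCTED_OUTPUT = """\
Non-authoritative answer:
example.com     MX preference = 20, mail exchanger = mail2.example.com
example.com     MX preference = 10, mail exchanger = mail1.example.com
example.com     MX preference = 20, mail exchanger = mail3.example.com
"""

# Matches the Windows nslookup rendering of a single MX record.
MX_LINE = re.compile(
    r"^(?P<domain>\S+)\s+MX preference = (?P<pref>\d+),\s*"
    r"mail exchanger = (?P<host>\S+)$"
)


def parse_mx(output: str) -> List[Tuple[int, str]]:
    """Extract (preference, exchanger) pairs from 'set q=mx' output, ordered
    lowest preference first. sorted() is stable, so hosts sharing a
    preference keep the order the resolver returned them in."""
    records = []
    for line in output.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group("pref")), m.group("host").rstrip(".")))
    return sorted(records, key=lambda rec: rec[0])


def delivery_order(output: str) -> List[str]:
    """Just the hostnames, in the order a sending MTA should try them."""
    return [host for _, host in parse_mx(output)]


if __name__ == "__main__":
    print(delivery_order(ARTICLE_OUTPUT))   # all four share preference 5
    print(parse_mx(CONSTRUCTED_OUTPUT))     # mail1 first, then the two backups
```

Lines that are not MX records (the nameserver and address lines) are ignored, which is why the article's full output can be pasted in unchanged.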
> exit
C:\Documents and Settings\CyberSpike>
The tool we'll be using to connect to the server is telnet. For those of you unaware, telnet is a command-line communication tool that was the mainstay before the days of web GUIs.
We'll telnet to the first mail server on our list on port 25, the SMTP or Sendmail port. Sendmail is the service/daemon that all our email is sent through. Why do we rarely see it? Mail programs like Outlook and Mozilla Thunderbird connect to sendmail in the background; they provide a GUI that makes sendmail easier for the common user to use.
Note: stop the PGP service if it is running on your system, otherwise the mail server will use it for the sending operations. <amjad yahya>
C:\Documents and Settings\CyberSpike>telnet mx2.hotmail.com 25
Connecting to mx2.hotmail.com...
220 bay0-mc1-f12.bay0.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.msn.com/Anti-spam/. Violations will result in use of equipment located in California and other states. Tue, 3 Jan 2006 17:13:49 -0800
There, we have a nice little message welcoming us onto the server. As you can see, they also have a little disclaimer to warn off virus writers, mail bombers and spammers.
So let's say hello to this machine with the command helo.
helo
250 bay0-mc1-f13.bay0.hotmail.com (3.1.0.17) Hello [xxx.xxx.xx.xxx]
See, it greeted us back. A lot of people get scared off here since it greeted us with an IP address (I have mine x'd out :P), but right now it has no other way of knowing who we are.
That's the exact reason we can exploit sendmail to send forged emails: it has no verification system that restricts users to one address or keeps them from using someone else's!
Now it's time to start working on that email. Choose the address you wish to appear as.
Some of my favorite test choices are "santa@northpole.com", "jesus@heaven.net" and "IAm@Yourhouse.com".
mail from:santa@northpole.com
250 Requested mail action okay, completed
As you can see, you use the "mail from:" command followed by your desired address to start the email. Make sure you type carefully; the backspace key doesn't work with sendmail :P
Now let's address the email using the "rcpt to:" (recipient) command followed by the recipient's email address.
rcpt to:someidiot@hotmail.com
250 Requested mail action okay, completed
So now we have the email addressed; what are we going to put in it?
First we have to put in the header information such as the date, subject, time and the From field. This is what shows up in GUI mail programs and webmail. Oddly, the header information is included in the message body, and all of it can be forged or spoofed :P After that we can start on the message.
We start the message body with the "data" command.
data
from:santa@northpole.com
Date: Sun, 25 Dec 1865 9:11:11 -0500
Subject: Merry Chirstmas Dickhead!
So now that's our header. Notice I once again spoofed my address, as well as the date: I made it look like it was mailed in 1865 at the 9th hour, 11th minute and 11th second. The -0500 is just a random timezone I picked.
Now that's done, let's get down to the message. You can start it on the line directly under the header information. To end the message, create a blank line by hitting Enter, type a period "." on its own, and hit Enter again.
All your getting this year is coal!
.
250 Requested mail action okay, completed
So now your email is done. How do you send it? Just exit the server!
quit
221 Closing connection. Good bye.
Connection to host lost.
C:\Documents and Settings\CyberSpike>
That's all there was to it! Easy, huh? Why not be lazy like me and write a program to automate the process for you? I lost the code during my last HD format, but I'm soon going to write a new one.
I'd also like to warn you that the mail server records your IP address and even hides it in the sent email's source! So to be truly anonymous you might want to use a proxy or two first.
Also check out RFC 2821 for the full command set: http://www.ietf.org/rfc/rfc2821.txt
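The two things the article points out, that the MX does no checking of the "mail from:" address and that it records the connecting IP in the message, are exactly what the receiving side has to work with when deciding whether to trust a message. As an added example (not part of the original article), the Python below takes a constructed raw message modelled on the session above, finds the IP the MX recorded in the earliest Received header, evaluates the envelope sender domain's SPF record (RFC 7208, the later-standardised sender-domain check the article says sendmail lacks) against that IP, checks that the From header agrees with the Return-Path, and sanity-checks the Date header against the first hop's timestamp. The 203.0.113.45 address, the SPF record, the hostname santa-pc and the inbox.example.net relay are all constructed; a real evaluator would fetch the SPF record from DNS instead of the SPF_RECORDS table.

```python
import email
import ipaddress
import re
from email.utils import parseaddr, parsedate_to_datetime
from typing import Dict, Optional

# Constructed raw message modelled on the article's session. 203.0.113.45 is
# a documentation address standing in for the telnet client; the MX wrote it
# into the first Received header, which is what the warning above refers to.
SAMPLE_MESSAGE = """\
Return-Path: <santa@northpole.com>
Received: from bay0-mc1-f13.bay0.hotmail.com ([65.54.244.40])
 by inbox.example.net with SMTP; Tue, 3 Jan 2006 17:15:02 -0800
Received: from santa-pc ([203.0.113.45])
 by bay0-mc1-f13.bay0.hotmail.com with SMTP; Tue, 3 Jan 2006 17:14:58 -0800
From: santa@northpole.com
To: someidiot@hotmail.com
Date: Sun, 25 Dec 1865 9:11:11 -0500
Subject: Merry Christmas

All you're getting this year is coal!
"""

# Constructed stand-in for a DNS TXT lookup: domain -> published SPF record.
SPF_RECORDS: Dict[str, Optional[str]] = {
    "northpole.com": "v=spf1 ip4:192.0.2.0/24 -all",  # constructed record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def evaluate_spf(record: Optional[str], client_ip: str) -> str:
    """Minimal SPF check: ip4/ip6/all mechanisms with qualifiers only.
    Mechanisms that need DNS (include, a, mx, ptr, exists) are out of scope."""
    if not record:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                # A v4 address is never "in" a v6 network and vice versa.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qual]
            except ValueError:
                continue  # malformed network; a full evaluator returns permerror
        elif mech == "all":
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term


def originating_hop(msg) -> Optional[dict]:
    """Each MTA prepends its own Received header, so the last one listed is
    the earliest hop: the client that connected to the first MX."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    first = " ".join(received[-1].split())  # unfold continuation lines
    m = IP_IN_BRACKETS.search(first)
    _, sep, stamp = first.rpartition(";")  # the hop's timestamp follows ';'
    when = None
    if sep:
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None
    return {"ip": m.group(1) if m else None, "time": when}


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyse(raw: str, spf_records: Dict[str, Optional[str]] = SPF_RECORDS) -> dict:
    """Injecting IP, SPF for the envelope domain against it, From/Return-Path
    agreement, and whether Date is plausible next to the first hop's time."""
    msg = email.message_from_string(raw)
    hop = originating_hop(msg) or {"ip": None, "time": None}
    env_domain = domain_of(msg.get("Return-Path", ""))
    hdr_domain = domain_of(msg.get("From", ""))
    findings = {
        "originating_ip": hop["ip"],
        "envelope_domain": env_domain,
        "spf": evaluate_spf(spf_records.get(env_domain), hop["ip"]) if hop["ip"] else "none",
        "from_matches_envelope": env_domain == hdr_domain,
        "date_plausible": True,
    }
    date_hdr = msg.get("Date")
    if date_hdr and hop["time"]:
        skew = hop["time"] - parsedate_to_datetime(date_hdr)
        # Allow a day of clock drift either way; 140 years is not drift.
        findings["date_plausible"] = abs(skew.total_seconds()) < 86400
    return findings
```

Run against the sample, analyse() reports the injecting IP as 203.0.113.45, an SPF result of "fail" (the constructed northpole.com record only authorises 192.0.2.0/24 and ends in -all), a matching From and Return-Path, and an implausible Date. The first Received header is the one the article's warning is about: the MX writes the connecting address there, and it stays in the message all the way to the recipient's inbox.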
--CyberSpike 13:18, 6 January 2007 (PST)