( Latest revision
02/01/2005
)
Understanding How Computers Transmit E-Mail
CS 3000 -- Lab Assignment #3
This lab will show you how to send mail by connecting directly to the mail
transmission port on a host computer.
Generally, software that transports mail uses a client/server protocol. This
lab will familiarize you with such a protocol: Simple Mail Transfer Protocol
(SMTP).
You will also find out that it can be easy to pretend you are somebody else
when you send e-mail.
Try the steps illustrated below, except send the mail to yourself at some
host, not to me at alcyone.
Step One. Send mail with the ordinary "mail" command, but using the -v
option. This causes verbose output, revealing the nature of the interaction
between the mail transmission (sendmail) process running on the sending host
(the client) and the mail transmission process running on the receiving host
(the server). The following example illustrates how to send the mail with the
-v option:
--------------------------- start session one ---------------------------
john@regulus: mail -v john@alcyone.csustan.edu
Subject: Test
Cc:
This is a test.
.
EOT
john@regulus: john@alcyone.csustan.edu... Connecting to localhost via relay...
220 regulus.csustan.edu ESMTP Sendmail 8.12.10+Sun/8.12.2; Mon, 24 Jan 2005 00:06:46 -0800 (PST)
>>> EHLO regulus.csustan.edu
250-regulus.csustan.edu Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> MAIL From:<john@regulus.csustan.edu> SIZE=79
250 2.1.0 <john@regulus.csustan.edu>... Sender ok
>>> RCPT To:<john@alcyone.csustan.edu>
>>> DATA
250 2.1.5 <john@alcyone.csustan.edu>... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 j0O86kpL009580 Message accepted for delivery
john@alcyone.csustan.edu... Sent (j0O86kpL009580 Message accepted for delivery)
Closing connection to localhost
>>> QUIT
221 2.0.0 regulus.csustan.edu closing connection
--------------------------- stop session one ---------------------------
(You may need to press the enter key now to get your prompt back
from the shell.)
Step Two. Telnet to port 25 on the receiving host and use the same
protocol to send a message "by hand." Note that you may be able to "get away"
with saying the mail is from someone else. Try it! It's OK if you are
sending the mail to yourself! Use the example below as a guide. The things
in boldface are the things that I typed. Computers typed everything
else.
--------------------------- start session two ---------------------------
john@regulus: telnet alcyone.csustan.edu 25
Trying 130.17.70.165...
Connected to alcyone.csustan.edu.
Escape character is '^]'.
220 alcyone.csustan.edu ESMTP Sendmail 8.12.10+Sun/8.12.8; Mon, 24 Jan 2005 00:09:03 -0800 (PST)
HELO foobar.yech.com
250 alcyone.csustan.edu Hello regulus.csustan.edu [130.17.70.16], pleased to meet you
MAIL From:<mmouse@disney.com>
250 2.1.0 <mmouse@disney.com>... Sender ok
RCPT To:<john@alcyone.csustan.edu>
250 2.1.5 <john@alcyone.csustan.edu>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: This is a bogus message
Hi John,
Rocky says that Bullwinkle is a dope.
-- Mickey
.
250 2.0.0 j0O893wM016306 Message accepted for delivery
QUIT
221 2.0.0 alcyone.csustan.edu closing connection
Connection to alcyone.csustan.edu closed by foreign host.
john@regulus:
--------------------------- stop session two ---------------------------
Step Three. Read the e-mail message you sent yourself when you did step
two. How much does the message reveal about the true identity or location of
the sender? When an e-mail message is transmitted, some information about the
sender goes into the message header and some information goes into one or more
log files on the receiving host. The exact nature of the
information varies with the software and the way that it is configured.
Generally speaking, it's not too hard to send mail that appears to come from
someone else. Here is the e-mail message I get when I configure my e-mail
reader to show me "long headers."
--------------------------- start session three ---------------------------
From: mmouse@disney.com
Subject: This is a bogus message
Date: January 24, 2005 00:09:03 PST
Return-Path: <mmouse@disney.com>
Received: from foobar.yech.com (regulus.csustan.edu [130.17.70.16]) by alcyone.csustan.edu (8.12.10+Sun/8.12.8) with SMTP id j0O893wM016306 for <john@alcyone.csustan.edu>; Mon, 24 Jan 2005 00:10:19 -0800 (PST)
Message-Id: <200501240810.j0O893wM016306@alcyone.csustan.edu>
X-Spam-Status: No, hits=0.8 required=5.0 tests=AWL,BAYES_30,NO_REAL_NAME,RCVD_IN_ORBS, RCVD_IN_OSIRUSOFT_COM version=2.50
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp)
Hi John,
Rocky says that Bullwinkle is a dope.
-- Mickey
--------------------------- stop session three ---------------------------
Step Four. If possible check the log entry that the receiving
host made when your message arrived. (In the example, alcyone is the
receiving host.) If the receiving host is a Sun Ultra then if you don't wait
too long you can probably see the log entry by entering this command:
tail /var/log/syslog
Different computing systems have different names and locations for their log
files. If the receiving host is not a Sun Ultra you may need help finding the
log file. Also, depending on how file permissions are set, ordinary users may
not be allowed to access log files. In any case, the log entries here show no
recognition of who actually sent the message:
--------------------------- start session four ---------------------------
Jan 24 00:10:51 alcyone sendmail[16306]: [ID 801593 mail.info] j0O893wM016306: from=<mmouse@disney.com>, size=93, class=0, nrcpts=1, msgid=<200501240810.j0O893wM016306@alcyone.csustan.edu>, proto=SMTP, daemon=MTA-v4, relay=regulus.csustan.edu [130.17.70.16]
Jan 24 00:10:51 alcyone.csustan.edu spamd[8417]: connection from localhost [127.0.0.1] at port 51708
Jan 24 00:10:51 alcyone.csustan.edu spamd[16313]: info: setuid to john succeeded
Jan 24 00:10:51 alcyone.csustan.edu spamd[16313]: processing message <200501240810.j0O893wM016306@alcyone.csustan.edu> for john:1003.
Jan 24 00:10:52 alcyone.csustan.edu spamd[16313]: razor2 check skipped: No such file or directory Can't locate Razor2/Client/Agent.pm in @INC (@INC contains: ../lib /usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris /usr/local/lib/perl5/site_perl/5.6.1 /usr/local/lib/perl5/5.6.1/sun4-solaris /usr/local/lib/perl5/5.6.1 /usr/local/lib/perl5/site_perl .) at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Dns.pm line 377, <GEN522> line 20.\n
Jan 24 00:11:22 alcyone.csustan.edu spamd[16313]: clean message (0.8/5.0) for john:1003 in 31.0 seconds, 519 bytes.
Jan 24 00:11:22 alcyone sendmail[16309]: [ID 801593 mail.info] j0O893wM016306: to=<john@alcyone.csustan.edu>, delay=00:01:03, xdelay=00:00:31, mailer=local, pri=30451, dsn=2.0.0, stat=Sent
--------------------------- stop session four ---------------------------
Food for thought: Is there any reliable way to figure out where an
e-mail message really came from? Is there a way to figure out if it came from
where it claims to have come from?
Related Links for Further Reading:
AOL Signs Off From Sender ID
Reading Email Headers
Law Barring Junk E-Mail Allows a Flood Instead
IP-spoofing Demystified
Spamming Issues and Topics