( Latest revision 03/30/2007 )

Understanding How Computers Transmit E-Mail

CS 3000 -- Lab Assignment #3

This lab will show you how to send mail by connecting directly to the mail transmission port on a host computer.

Generally, software that transports mail uses a client/server protocol. This lab will familiarize you with such a protocol: Simple Mail Transfer Protocol (SMTP).

You will also find out that it can be easy to pretend you are somebody else when you send e-mail.

Try the steps illustrated below, except send the mail to yourself at some host, not to me at alcyone.

Step One. Send mail with the ordinary "mail" command, but using the -v option. This causes verbose output, revealing the nature of the interaction between the mail transmission (sendmail) process running on the sending host (the client) and the mail transmission process running on the receiving host (the server). In the example the mail command hands the message to the sendmail daemon on the local host (note "Connecting to localhost via relay" and the 220 banner, which comes from regulus itself); that daemon then forwards it to alcyone. Lines marked ">>>" are what the client sent; the lines beginning with a three-digit code are the server's replies. Because the server advertises PIPELINING, the client sends RCPT To and DATA without waiting for a reply to each, which is why ">>> DATA" appears before the "250 ... Recipient ok" line. The following example illustrates how to send the mail with the -v option:
--------------------------- start session one ---------------------------
john@regulus: mail -v john@alcyone.csustan.edu
Subject: Test
Cc: 
This is a test.
.
EOT
john@regulus: john@alcyone.csustan.edu... Connecting to localhost via relay...
220 regulus.csustan.edu ESMTP Sendmail 8.12.10+Sun/8.12.2; Mon, 24 Jan 2005 00:06:46 -0800 (PST)
>>> EHLO regulus.csustan.edu
250-regulus.csustan.edu Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> MAIL From:<john@regulus.csustan.edu> SIZE=79
250 2.1.0 <john@regulus.csustan.edu>... Sender ok
>>> RCPT To:<john@alcyone.csustan.edu>
>>> DATA
250 2.1.5 <john@alcyone.csustan.edu>... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 j0O86kpL009580 Message accepted for delivery
john@alcyone.csustan.edu... Sent (j0O86kpL009580 Message accepted for delivery)
Closing connection to localhost
>>> QUIT
221 2.0.0 regulus.csustan.edu closing connection
--------------------------- stop session one ---------------------------
(You may need to press the enter key now to get your prompt back from the shell.)

Step Two. Telnet to port 25 on the receiving host and use the same protocol to send a message "by hand." Note that you may be able to "get away" with saying the mail is from someone else. Try it! It's OK if you are sending the mail to yourself! Use the example below as a guide. The lines I typed are the telnet command, HELO, MAIL From, RCPT To, DATA, the message text ending with the line containing only ".", and QUIT; the computers typed everything else (the telnet status lines and every reply beginning with a three-digit code).
--------------------------- start session two ---------------------------
john@regulus: telnet alcyone.csustan.edu 25
Trying 130.17.70.165...
Connected to alcyone.csustan.edu.
Escape character is '^]'.
220 alcyone.csustan.edu ESMTP Sendmail 8.12.10+Sun/8.12.8; Mon, 24 Jan 2005 00:09:03 -0800 (PST)
HELO foobar.yech.com
250 alcyone.csustan.edu Hello regulus.csustan.edu [130.17.70.16], pleased to meet you
MAIL From:<mmouse@disney.com>
250 2.1.0 <mmouse@disney.com>... Sender ok
RCPT To:<john@alcyone.csustan.edu>
250 2.1.5 <john@alcyone.csustan.edu>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: This is a bogus message
Hi John, 

Rocky says that Bullwinkle is a dope.

-- Mickey
.
250 2.0.0 j0O893wM016306 Message accepted for delivery
QUIT
221 2.0.0 alcyone.csustan.edu closing connection
Connection to alcyone.csustan.edu closed by foreign host.
john@regulus: 
--------------------------- stop session two ---------------------------
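To see the two sides of the exchange in one place, here is session two replayed against a small SMTP receiver written for this page. It is an added example and not code from the lab or from sendmail: the receiver is a state machine fed one line at a time, with no network I/O, so it runs offline. The host names, the address and the timestamp are the lab's own values, and the Received: line it builds follows the shape of the one in session three. The point it makes is that the receiving side can verify only the TCP peer it is talking to (the name and address it learned from the socket), and that is exactly what it writes into Received:; HELO, MAIL From and the From: line are taken on faith.

```python
"""Added example, not part of the lab page: session two replayed against a toy SMTP
receiver that answers the way alcyone did.  No sockets are used, so it runs offline.
Host names, the address and the timestamp are the values shown in the lab; the
receiver's own reply texts are modelled on the sendmail replies in the transcript.
"""
import re


class ToySMTPReceiver:
    def __init__(self, hostname, peer_name, peer_ip, timestamp):
        self.hostname = hostname
        self.peer_name = peer_name    # reverse DNS of the connecting address (from the socket)
        self.peer_ip = peer_ip        # actual TCP source address (from the socket)
        self.timestamp = timestamp    # fixed so the output is reproducible
        self.helo = self.mail_from = None
        self.rcpts, self.lines, self.in_data = [], [], False
        self.delivered = []           # (headers, body) for every accepted message

    def handle(self, line):
        """Return the reply to one client line, or None while message text is collected."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append(self._stamp())
                return "250 2.0.0 Message accepted for delivery"
            # RFC 5321 dot-stuffing: a line beginning ".." carried a literal "."
            self.lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()   # taken on faith; nothing compares it with peer_name
            return f"250 {self.hostname} Hello {self.peer_name} [{self.peer_ip}], pleased to meet you"
        if self.helo is None:
            return "503 5.5.1 Please say HELO first"
        if verb == "MAIL":
            m = re.match(r"(?i)from:\s*<?([^>\s]*)>?", arg)
            if not m:
                return "501 5.5.4 Syntax error in MAIL command"
            self.mail_from, self.rcpts = m.group(1), []   # also taken on faith
            return f"250 2.1.0 <{self.mail_from}>... Sender ok"
        if verb == "RCPT":
            m = re.match(r"(?i)to:\s*<?([^>\s]*)>?", arg)
            if self.mail_from is None or not m:
                return "503 5.5.1 Need MAIL command first"
            self.rcpts.append(m.group(1))
            return f"250 2.1.5 <{m.group(1)}>... Recipient ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT (recipient) first"
            self.in_data, self.lines = True, []
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 2.0.0 {self.hostname} closing connection"
        return "500 5.5.1 Command unrecognized"

    def _stamp(self):
        """Prepend the trace headers the receiver adds; only peer_name/peer_ip are verified."""
        received = (f"Received: from {self.helo} ({self.peer_name} [{self.peer_ip}]) "
                    f"by {self.hostname} with SMTP for <{self.rcpts[0]}>; {self.timestamp}")
        # Client header lines run until the first blank or non-header line (session two
        # has no blank line after Subject:, and sendmail treated "Hi John," as body too).
        n = 0
        while n < len(self.lines) and re.match(r"^[!-9;-~]+:", self.lines[n]):
            n += 1
        body_start = n + 1 if n < len(self.lines) and self.lines[n] == "" else n
        return [f"Return-Path: <{self.mail_from}>", received] + self.lines[:n], self.lines[body_start:]


def replay(client_lines, receiver):
    """Feed the client's lines through the receiver; return the interleaved transcript."""
    transcript = [f"220 {receiver.hostname} ESMTP ToyReceiver"]
    for line in client_lines:
        transcript.append(line)
        reply = receiver.handle(line)
        if reply is not None:
            transcript.append(reply)
    return transcript


# Constructed input: what was typed after "telnet alcyone.csustan.edu 25" in session two.
SESSION_TWO = """\
HELO foobar.yech.com
MAIL From:<mmouse@disney.com>
RCPT To:<john@alcyone.csustan.edu>
DATA
Subject: This is a bogus message
Hi John,

Rocky says that Bullwinkle is a dope.

-- Mickey
.
QUIT""".splitlines()


def deliver_session_two():
    rx = ToySMTPReceiver("alcyone.csustan.edu", "regulus.csustan.edu", "130.17.70.16",
                         "Mon, 24 Jan 2005 00:10:19 -0800 (PST)")
    return replay(SESSION_TWO, rx), rx.delivered[0]


if __name__ == "__main__":
    transcript, (headers, body) = deliver_session_two()
    print("\n".join(transcript), "\n".join(headers), "\n".join(body), sep="\n\n")
```

Run it and compare the printed transcript with session two and the printed headers with session three: the "Hello regulus.csustan.edu [130.17.70.16]" greeting and the Received: line both come from the receiver's view of the connection, while Return-Path: and the HELO name inside Received: are simply what the client said. Commands given out of order are refused with a 503, as sendmail would do.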
Step Three. Read the e-mail message you sent yourself when you did step two. How much does the message reveal about the true identity or location of the sender? When an e-mail message is transmitted, some information about the sender goes into the message header and some information goes into one or more log files on the receiving host. The exact nature of the information varies with the software and the way that it is configured. Generally speaking, it's not too hard to send mail that appears to come from someone else. Notice, though, that the Received: line is written by the receiving host, not by the sender: it records the name the client gave in HELO (foobar.yech.com) right next to the name and address of the host that actually made the connection, as alcyone saw it (regulus.csustan.edu [130.17.70.16]). So that one line exposes the lie in HELO and shows that the forged From: and Return-Path: did not come from disney.com, although it still says nothing about which user on regulus typed the message. Here is the e-mail message I get when I configure my e-mail reader to show me "long headers."
--------------------------- start session three ---------------------------
From:   mmouse@disney.com
Subject: This is a bogus message
Date: January 24, 2005 00:09:03 PST
Return-Path: <mmouse@disney.com>
Received: from foobar.yech.com (regulus.csustan.edu [130.17.70.16]) by alcyone.csustan.edu (8.12.10+Sun/8.12.8) with SMTP id j0O893wM016306 for <john@alcyone.csustan.edu>; Mon, 24 Jan 2005 00:10:19 -0800 (PST)
Message-Id: <200501240810.j0O893wM016306@alcyone.csustan.edu>
X-Spam-Status: No, hits=0.8 required=5.0 tests=AWL,BAYES_30,NO_REAL_NAME,RCVD_IN_ORBS, RCVD_IN_OSIRUSOFT_COM version=2.50
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp)

Hi John, 

Rocky says that Bullwinkle is a dope.

-- Mickey
--------------------------- stop session three ---------------------------
Step Four. If possible, check the log entry that the receiving host made when your message arrived. (In the example, alcyone is the receiving host.) If the receiving host is a Sun Ultra and you don't wait too long, you can probably see the log entry by entering this command:

tail /var/log/syslog

You can also "pattern match" for the entry by doing

grep mmouse /var/log/syslog

(Of course, this assumes the forged sender address you gave in MAIL From contains "mmouse"; grep for whatever address you actually used.)

Different computing systems have different names and locations for their log files. If the receiving host is not a Sun Ultra you may need help finding the log file. Also, depending on how file permissions are set, ordinary users may not be allowed to access log files. In any case, the log entries here identify only the relaying host, regulus.csustan.edu [130.17.70.16], which sendmail took from the TCP connection; they record the claimed envelope sender (from=<mmouse@disney.com>) but nothing about which user on regulus actually sent the message:
--------------------------- start session four ---------------------------
Jan 24 00:10:51 alcyone sendmail[16306]: [ID 801593 mail.info] j0O893wM016306: from=<mmouse@disney.com>, size=93, class=0, nrcpts=1, msgid=<200501240810.j0O893wM016306@alcyone.csustan.edu>, proto=SMTP, daemon=MTA-v4, relay=regulus.csustan.edu [130.17.70.16]
Jan 24 00:10:51 alcyone.csustan.edu spamd[8417]: connection from localhost [127.0.0.1] at port 51708
Jan 24 00:10:51 alcyone.csustan.edu spamd[16313]: info: setuid to john succeeded
Jan 24 00:10:51 alcyone.csustan.edu spamd[16313]: processing message <200501240810.j0O893wM016306@alcyone.csustan.edu> for john:1003.
Jan 24 00:10:52 alcyone.csustan.edu spamd[16313]: razor2 check skipped: No such file or directory Can't locate Razor2/Client/Agent.pm in @INC (@INC contains: ../lib /usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris /usr/local/lib/perl5/site_perl/5.6.1 /usr/local/lib/perl5/5.6.1/sun4-solaris /usr/local/lib/perl5/5.6.1 /usr/local/lib/perl5/site_perl .) at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Dns.pm line 377, <GEN522> line 20.\n
Jan 24 00:11:22 alcyone.csustan.edu spamd[16313]: clean message (0.8/5.0) for john:1003 in 31.0 seconds, 519 bytes.
Jan 24 00:11:22 alcyone sendmail[16309]: [ID 801593 mail.info] j0O893wM016306: to=<john@alcyone.csustan.edu>, delay=00:01:03, xdelay=00:00:31, mailer=local, pri=30451, dsn=2.0.0, stat=Sent
--------------------------- stop session four ---------------------------
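The header from step three and the log lines from step four can be checked against each other, because sendmail puts the same queue id (j0O893wM016306 here) into the Received: line, the Message-Id and every log entry for that message. The following is an added example written for this page, not part of the lab: it parses the Received: header and the sendmail log lines, ties them together by queue id, and reports which claims the receiving host could verify and which it merely repeated. Both inputs are constructed here from the values shown in sessions three and four (the long Received: line is kept on one line, and the SpamAssassin headers and spamd lines are left out because they say nothing about origin).

```python
"""Added example, not part of the lab page: cross-check the message headers from
session three against the sendmail log lines from session four.  Both inputs are
constructed from the values shown in the lab.  The receiving MTA wrote both the
Received: header and the relay= field, so those identify the connecting host;
the HELO name and the sender address are whatever the client chose to say.
"""
import email
import re

MESSAGE = """\
Return-Path: <mmouse@disney.com>
Received: from foobar.yech.com (regulus.csustan.edu [130.17.70.16]) by alcyone.csustan.edu (8.12.10+Sun/8.12.8) with SMTP id j0O893wM016306 for <john@alcyone.csustan.edu>; Mon, 24 Jan 2005 00:10:19 -0800 (PST)
Message-Id: <200501240810.j0O893wM016306@alcyone.csustan.edu>
From: mmouse@disney.com
Subject: This is a bogus message

Hi John,
"""

SYSLOG = """\
Jan 24 00:10:51 alcyone sendmail[16306]: [ID 801593 mail.info] j0O893wM016306: from=<mmouse@disney.com>, size=93, class=0, nrcpts=1, msgid=<200501240810.j0O893wM016306@alcyone.csustan.edu>, proto=SMTP, daemon=MTA-v4, relay=regulus.csustan.edu [130.17.70.16]
Jan 24 00:11:22 alcyone sendmail[16309]: [ID 801593 mail.info] j0O893wM016306: to=<john@alcyone.csustan.edu>, delay=00:01:03, xdelay=00:00:31, mailer=local, pri=30451, dsn=2.0.0, stat=Sent
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <host> ... id <queue id>" as sendmail writes it
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
    r".*?\bid\s+(?P<qid>\S+)", re.S)
# Solaris syslog prefixes sendmail's text with "[ID <n> mail.info]"; other syslogs do not.
LOG_RE = re.compile(r"sendmail\[\d+\]:\s+(?:\[ID \d+ \S+\]\s+)?(?P<qid>\w+):\s+(?P<fields>.*)$")


def parse_received(msg_text):
    """Return one dict per Received: header, topmost (most recent hop) first."""
    msg = email.message_from_string(msg_text)
    hops = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(raw.split()))   # fold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops


def parse_sendmail_log(log_text):
    """Group sendmail's key=value fields by queue id (one message yields several lines)."""
    by_qid = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = by_qid.setdefault(m.group("qid"), {})
        for field in m.group("fields").split(", "):
            key, _, value = field.partition("=")
            rec[key] = value
    return by_qid


def analyze(msg_text, log_text):
    """Compare what the sender claimed with what the receiving MTA observed."""
    msg = email.message_from_string(msg_text)
    hops = parse_received(msg_text)
    if not hops:
        raise ValueError("no parseable Received: header")
    hop = hops[0]                                        # the hop into the receiving host
    log = parse_sendmail_log(log_text).get(hop["qid"], {})
    relay = re.match(r"(?P<name>\S+)\s+\[(?P<ip>[^\]]+)\]", log.get("relay", ""))
    claimed_domain = msg["From"].rsplit("@", 1)[-1].strip("> ")
    return {
        "claimed_sender": msg["From"].strip(),
        "helo_name": hop["helo"],
        "actual_relay": f'{hop["rdns"]} [{hop["ip"]}]',
        "helo_matches_relay": hop["helo"] == hop["rdns"],
        "sender_domain_matches_relay": hop["rdns"].endswith(claimed_domain),
        "log_agrees_with_header": bool(relay) and relay.group("ip") == hop["ip"],
        "log_envelope_sender": log.get("from"),
    }


if __name__ == "__main__":
    for key, value in analyze(MESSAGE, SYSLOG).items():
        print(f"{key:28} {value}")
```

For the lab's message this reports that the HELO name does not match the relaying host, that the claimed sender domain (disney.com) has nothing to do with the relaying host (regulus.csustan.edu), and that the log's relay= field agrees with the Received: header, which is as far back as the receiving host's own records can take you. Going further means asking whoever runs regulus to look in its logs for that time and connection.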
Food for thought: Is there any reliable way to figure out where an e-mail message really came from? Is there a way to figure out if it came from where it claims to have come from?

Related Links for Further Reading:

AOL Signs Off From Sender ID

Reading Email Headers

Law Barring Junk E-Mail Allows a Flood Instead

IP-spoofing Demystified

Spamming Issues and Topics