(rev. 01/12/2010)

Understanding How Computers Transmit E-Mail

CS 3000 -- Lab Assignment

This lab will show you how to send mail by connecting directly to the mail transmission port on a host computer.

Generally, software that transports mail uses a client/server protocol. This lab will familiarize you with such a protocol: Simple Mail Transfer Protocol (SMTP).

You will also find out that it can be easy to pretend you are somebody else when you send e-mail.

Try the steps illustrated below, except send the mail to yourself at some host, not to me at alcyone.

Step One

Log on to one of the following Sun hosts:

Send mail to yourself. Use an address like jsmith@deneb.csustan.edu; in other words, use

"your login name" "at" "one of the Sun machines named above"

Use the ordinary "mailx" command (/usr/bin/mailx), but with the -v option. This causes verbose output, revealing the nature of the interaction between the mail transmission process running on the sending host (the client) and the mail transmission process running on the receiving host (the server). The following example illustrates how to send the mail with the -v option. The material in boldface is what the user typed. The computer program typed the rest.
--------------------------- start session one ---------------------------
john@castor: /usr/bin/mailx -v john@alcyone.csustan.edu
Subject: Test
Cc: 
This is a test.
.
EOT
john@castor: john@alcyone.csustan.edu... Connecting to [127.0.0.1] via relay...
220 castor.csustan.edu ESMTP Sendmail 8.13.6+Sun/8.13.6; Tue, 25 Dec 2007 21:39:47 -0800 (PST)
>>> EHLO castor.csustan.edu
250-castor.csustan.edu Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From:<john@castor.csustan.edu> SIZE=79
250 2.1.0 <john@castor.csustan.edu>... Sender ok
>>> RCPT To:<john@alcyone.csustan.edu>
>>> DATA
250 2.1.5 <john@alcyone.csustan.edu>... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
050 <john@alcyone.csustan.edu>... Connecting to cs.csustan.edu. via relay...
050 220 cs.csustan.edu ESMTP Postfix
050 >>> EHLO castor.csustan.edu
050 250-cs.csustan.edu
050 250-PIPELINING
050 250-SIZE
050 250-ETRN
050 250-STARTTLS
050 250-AUTH LOGIN CRAM-MD5
050 250 8BITMIME
050 >>> STARTTLS
050 220 Ready to start TLS
050 >>> EHLO castor.csustan.edu
050 250-cs.csustan.edu
050 250-PIPELINING
050 250-SIZE
050 250-ETRN
050 250-AUTH LOGIN CRAM-MD5
050 250 8BITMIME
050 >>> MAIL From:<john@cs.csustan.edu> SIZE=381
050 250 Ok
050 >>> RCPT To:<john@alcyone.csustan.edu>
050 >>> DATA
050 250 Ok
050 354 End data with <CR><LF>.<CR><LF>
050 >>> .
050 250 Ok: queued as 4E4FD126DE42
050 <john@alcyone.csustan.edu>... Sent (Ok: queued as 4E4FD126DE42)
250 2.0.0 lBQ5dloJ011866 Message accepted for delivery
john@alcyone.csustan.edu... Sent (lBQ5dloJ011866 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 castor.csustan.edu closing connection

--------------------------- stop session one ---------------------------
(You may need to press the enter key now to get your prompt back from the shell.)

Step Two. Telnet to port 25 on the receiving host and use the same protocol to send a message "by hand." Note that you may be able to "get away" with saying the mail is from someone else. Try it! It's OK if you are sending the mail to yourself! Use the example below as a guide. The things in boldface are the things that I typed. Computers typed everything else.
--------------------------- start session two ---------------------------
john@castor: telnet alcyone.csustan.edu 25 
Trying 130.17.70.165...
Connected to alcyone.csustan.edu.
Escape character is '^]'.
220 alcyone.csustan.edu ESMTP Sendmail 8.13.8/8.13.8; Tue, 25 Dec 2007 22:56:41 -0800 (PST)
HELO foobar.yech.com 
250 alcyone.csustan.edu Hello castor.csustan.edu [130.17.70.9], pleased to meet you
MAIL From:<mmouse@disney.com> 
250 2.1.0 <mmouse@disney.com>... Sender ok
RCPT To:<john@alcyone.csustan.edu> 
250 2.1.5 <john@alcyone.csustan.edu>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: This is a bogus message
Hi John,

Rocky says that Bullwinkle is a dope.

-- Mickey
.
250 2.0.0 lBQ6ufiJ004401 Message accepted for delivery
QUIT
221 2.0.0 alcyone.csustan.edu closing connection
Connection to alcyone.csustan.edu closed by foreign host.
john@castor: 
--------------------------- stop session two ---------------------------
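To make explicit which parts of the dialog above the client dictates and which parts the server records for itself, here is an added example; it is my code, not anything from the lab page, Sendmail or Postfix. It is a hypothetical, socket-free SMTP receiver that replays the session-two commands: the HELO name and MAIL From are accepted exactly as typed, while the peer's reverse-DNS name and address (alcyone's "Hello castor.csustan.edu [130.17.70.9]" reply) come from the connection and are written into the Received: header. The class and function names, reply texts and Received: format are assumptions modelled on the transcript.

```python
import re
from datetime import datetime, timezone, timedelta

# Added example, not code from the lab page, Sendmail or Postfix: a
# hypothetical, socket-free SMTP receiver modelled on the server side of
# session two. It delivers nothing; it only plays the dialog.
SERVER_NAME = "alcyone.csustan.edu"   # the receiving host in session two


class SmtpSession:
    def __init__(self, peer_name, peer_ip, now=None):
        # peer_name/peer_ip come from reverse DNS and the socket address of
        # the connection; a client cannot type them the way it types HELO.
        self.peer_name, self.peer_ip = peer_name, peer_ip
        self.now = now or datetime.now(timezone.utc)
        self.helo = self.mail_from = None
        self.rcpt_to, self.body = [], []
        self.in_data = False
        self.accepted = []   # (received_header, envelope_from, recipients, body)

    def greeting(self):
        return f"220 {SERVER_NAME} ESMTP ready"

    def handle(self, line):
        """Process one client line; return the reply (None while message
        text is being collected)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return self._accept()
            # dot-stuffing: a line starting with ".." carries a literal "."
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()            # taken on trust, never verified
            return (f"250 {SERVER_NAME} Hello {self.peer_name} "
                    f"[{self.peer_ip}], pleased to meet you")
        if verb == "MAIL":
            m = re.match(r"(?i)from:\s*<([^>]*)>", arg)
            if self.helo is None:
                return "503 5.5.1 Need HELO/EHLO first"
            if not m:
                return "501 5.5.2 Syntax: MAIL From:<address>"
            self.mail_from = m.group(1)        # envelope sender, also unverified
            return f"250 2.1.0 <{self.mail_from}>... Sender ok"
        if verb == "RCPT":
            m = re.match(r"(?i)to:\s*<([^>]*)>", arg)
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            if not m:
                return "501 5.5.2 Syntax: RCPT To:<address>"
            self.rcpt_to.append(m.group(1))
            return f"250 2.1.5 <{m.group(1)}>... Recipient ok"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 5.5.1 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 2.0.0 {SERVER_NAME} closing connection"
        return "500 5.5.1 Command unrecognized"

    def _accept(self):
        # The Received: line records what the server actually observed: the
        # claimed HELO name beside the real peer name and address.
        stamp = self.now.strftime("%a, %d %b %Y %H:%M:%S %z")
        received = (f"Received: from {self.helo} ({self.peer_name} [{self.peer_ip}]) "
                    f"by {SERVER_NAME} with SMTP for <{self.rcpt_to[0]}>; {stamp}")
        self.accepted.append((received, self.mail_from, list(self.rcpt_to), list(self.body)))
        self.mail_from, self.rcpt_to, self.body = None, [], []
        return "250 2.0.0 Message accepted for delivery"


# Constructed client input: the lines typed in session two.
SESSION_TWO_CLIENT = [
    "HELO foobar.yech.com", "MAIL From:<mmouse@disney.com>",
    "RCPT To:<john@alcyone.csustan.edu>", "DATA",
    "Subject: This is a bogus message", "Hi John,", "",
    "Rocky says that Bullwinkle is a dope.", "", "-- Mickey", ".", "QUIT",
]


def replay(client_lines, peer_name="castor.csustan.edu", peer_ip="130.17.70.9"):
    """Feed client lines to a fresh session; return (session, transcript).
    The default peer is what alcyone saw for castor in session two."""
    pst = timezone(timedelta(hours=-8))
    s = SmtpSession(peer_name, peer_ip, now=datetime(2007, 12, 25, 22, 57, 59, tzinfo=pst))
    transcript = ["S: " + s.greeting()]
    for line in client_lines:
        transcript.append("C: " + line)
        reply = s.handle(line)
        if reply is not None:
            transcript.append("S: " + reply)
    return s, transcript


if __name__ == "__main__":
    session, log = replay(SESSION_TWO_CLIENT)
    print("\n".join(log + [session.accepted[0][0]]))
```

Running it prints the two-sided dialog followed by the Received: line the server would add; note that "mmouse@disney.com" survives untouched as the envelope sender, while the header pairs "foobar.yech.com" with the name and address the server itself resolved.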
Step Three. Read the e-mail message you sent yourself when you did step two. How much does the message reveal about the true identity or location of the sender? When an e-mail message is transmitted, some information about the sender goes into the message header and some information goes into one or more log files on the receiving host. The exact nature of the information varies with the software and the way that it is configured. Generally speaking, it's not too hard to send mail that appears to come from someone else. Here is the e-mail message I get when I configure my e-mail reader to show me "long headers."
--------------------------- start session three ---------------------------
           From: mmouse@disney.com
        Subject: This is a bogus message
           Date: December 25, 2007 22:56:41 PST
             To: undisclosed-recipients: ;
    Return-Path: <mmouse@disney.com>
       Received: from murder ([unix socket]) by cs.csustan.edu (Cyrus v2.2.12-OS X 10.4.0) with LMTPA; Tue, 25 Dec 2007 22:59:09 -0800
       Received: from localhost (localhost [127.0.0.1]) by cs.csustan.edu (Postfix) with ESMTP id 4FD93126E1FE for <john@cs.csustan.edu>; Tue, 25 Dec 2007 22:59:09 -0800 (PST)
       Received: from cs.csustan.edu ([127.0.0.1]) by localhost (cs.csustan.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ESZj31Q6fNd for <john@cs.csustan.edu>; Tue, 25 Dec 2007 22:58:12 -0800 (PST)
       Received: from alcyone.csustan.edu (alcyone.csustan.edu [130.17.70.165]) by cs.csustan.edu (Postfix) with ESMTP id 97EAA126E1F4 for <john@cs.csustan.edu>; Tue, 25 Dec 2007 22:58:12 -0800 (PST)
       Received: from foobar.yech.com (castor.csustan.edu [130.17.70.9]) by alcyone.csustan.edu (8.13.8/8.13.8) with SMTP id lBQ6ufiJ004401 for <john@alcyone.csustan.edu>; Tue, 25 Dec 2007 22:57:59 -0800 (PST)
        X-Sieve: CMU Sieve 2.2
X-Virus-Scanned: by amavisd-new using ClamAV at csustan.edu
    X-Spam-Flag: NO
   X-Spam-Score: 1.693
   X-Spam-Level: *
  X-Spam-Status: No, score=1.693 tagged_above=-999 required=4 tests=[BAYES_60=1, SPF_FAIL=0.693]
     Message-Id: <200712260657.lBQ6ufiJ004401@alcyone.csustan.edu>

Hi John,

Rocky says that Bullwinkle is a dope.

-- Mickey

--------------------------- stop session three ---------------------------
Step Four. If possible, check the log entry that the receiving host made when your message arrived. (In the example, alcyone is the receiving host.) If the receiving host is a Sun Ultra and you don't wait too long, you can probably see the log entry by entering this command:

tail /var/log/syslog

You can also "pattern match" for the entry by doing

grep mmouse /var/log/syslog

(Of course, this assumes the string "mmouse" appears in the entry for your message, e.g. because you used "mmouse" in the sender address as in the example above.)

Different computing systems have different names and locations for their log files. If the receiving host is not a Sun Ultra you may need help finding the log file. Also, depending on how file permissions are set, ordinary users may not be allowed to access log files. In any case, the log entries here show no recognition of who actually sent the message:
--------------------------- start session four ---------------------------
Dec 25 22:58:45 alcyone sendmail[4401]: [ID 801593 mail.info] lBQ6ufiJ004401: from=<mmouse@disney.com>, size=92, class=0, nrcpts=1, msgid=<200712260657.lBQ6ufiJ004401@alcyone.csustan.edu>, proto=SMTP, daemon=MTA-v4, relay=castor.csustan.edu [130.17.70.9]
Dec 25 22:58:45 alcyone sendmail[4405]: [ID 801593 mail.info] lBQ6ufiJ004401: to=<john@alcyone.csustan.edu>, delay=00:00:46, xdelay=00:00:00, mailer=relay, pri=120092, relay=cs.csustan.edu. [130.17.70.80], dsn=2.0.0, stat=Sent (Ok: queued as 97EAA126E1F4)
--------------------------- stop session four ---------------------------
Food for thought: Is there any reliable way to figure out where an e-mail message really came from? Is there a way to figure out if it came from where it claims to have come from?
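One concrete way to work on that question is to read the Received: chain from the bottom up and compare it with the receiving host's log. The following is an added example, my code rather than anything from the lab page or the mail software it shows; it takes constructed copies of the session-three headers (each unfolded onto one line) and the session-four syslog line, pulls out the earliest hop, and reports where the claimed identity (HELO name, From:) and the observed identity (reverse DNS, IP address, log relay= field, SPF result) disagree. The function names and the returned dictionary keys are my own choices.

```python
import re

# Added example, not the lab's or any MTA's code. Constructed copies of the
# session-three headers (unfolded) and the session-four sendmail log line.
HEADERS = """\
From: mmouse@disney.com
Subject: This is a bogus message
Return-Path: <mmouse@disney.com>
Received: from murder ([unix socket]) by cs.csustan.edu (Cyrus v2.2.12-OS X 10.4.0) with LMTPA; Tue, 25 Dec 2007 22:59:09 -0800
Received: from localhost (localhost [127.0.0.1]) by cs.csustan.edu (Postfix) with ESMTP id 4FD93126E1FE for <john@cs.csustan.edu>; Tue, 25 Dec 2007 22:59:09 -0800 (PST)
Received: from cs.csustan.edu ([127.0.0.1]) by localhost (cs.csustan.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ESZj31Q6fNd for <john@cs.csustan.edu>; Tue, 25 Dec 2007 22:58:12 -0800 (PST)
Received: from alcyone.csustan.edu (alcyone.csustan.edu [130.17.70.165]) by cs.csustan.edu (Postfix) with ESMTP id 97EAA126E1F4 for <john@cs.csustan.edu>; Tue, 25 Dec 2007 22:58:12 -0800 (PST)
Received: from foobar.yech.com (castor.csustan.edu [130.17.70.9]) by alcyone.csustan.edu (8.13.8/8.13.8) with SMTP id lBQ6ufiJ004401 for <john@alcyone.csustan.edu>; Tue, 25 Dec 2007 22:57:59 -0800 (PST)
X-Spam-Status: No, score=1.693 tagged_above=-999 required=4 tests=[BAYES_60=1, SPF_FAIL=0.693]
Message-Id: <200712260657.lBQ6ufiJ004401@alcyone.csustan.edu>
"""

SYSLOG = ("Dec 25 22:58:45 alcyone sendmail[4401]: [ID 801593 mail.info] lBQ6ufiJ004401: "
          "from=<mmouse@disney.com>, size=92, class=0, nrcpts=1, "
          "msgid=<200712260657.lBQ6ufiJ004401@alcyone.csustan.edu>, proto=SMTP, "
          "daemon=MTA-v4, relay=castor.csustan.edu [130.17.70.9]")

# "from HELO (rdns [ip]) ... by HOST": helo is what the client claimed,
# rdns/ip are what the receiving server observed on the connection.
RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+)"
    r"(?: \((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*? by (?P<by>\S+)")
ID_RE = re.compile(r"\bid (?P<id>\S+)")
LOG_RE = re.compile(r"(?P<qid>\w+): from=<(?P<env_from>[^>]*)>"
                    r".*?relay=(?P<relay>\S+) \[(?P<relay_ip>[^\]]+)\]")


def parse_received(headers):
    """One dict per Received: line, in header order (newest hop first)."""
    hops = []
    for line in headers.splitlines():
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        hop = m.groupdict()
        idm = ID_RE.search(line)
        hop["id"] = idm.group("id") if idm else None
        hops.append(hop)
    return hops


def origin_hop(hops):
    """Each server prepends its Received: line, so the last one is the hop
    added by the first server on the recipient's side: the nearest thing
    to a trustworthy record of where the message entered the mail system."""
    return hops[-1]


def parse_log(line):
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def trace(headers, syslog_line):
    """Compare claimed identity with observed identity for the origin hop."""
    origin = origin_hop(parse_received(headers))
    log = parse_log(syslog_line)
    header_from = re.search(r"^From: (.+)$", headers, re.M).group(1).strip()
    return {
        "header_from": header_from,             # typed by the sender
        "envelope_from": log["env_from"],       # typed by the sender (MAIL From)
        "helo": origin["helo"],                 # typed by the sender (HELO)
        "rdns": origin["rdns"],                 # resolved by the server
        "ip": origin["ip"],                     # seen on the socket by the server
        "queue_id": origin["id"],
        # A HELO name that does not match the connection's reverse DNS is the
        # first visible sign that the sender's claims cannot be taken at face value.
        "helo_matches_rdns": origin["helo"] == origin["rdns"],
        # The log's relay= field and queue id should agree with the header;
        # if they do, the header was not rewritten after the server stamped it.
        "log_relay_matches_origin": (log["relay"] == origin["rdns"]
                                     and log["relay_ip"] == origin["ip"]
                                     and log["qid"] == origin["id"]),
        # SPF_FAIL: the connecting address is not one the envelope sender's
        # domain lists as permitted to send its mail.
        "spf_fail": "SPF_FAIL" in headers,
    }


if __name__ == "__main__":
    for key, value in trace(HEADERS, SYSLOG).items():
        print(f"{key:>26}: {value}")
```

The answer this gives for the lab's message is the one the log already hints at: the From: line, the envelope sender and the HELO name are all chosen by whoever typed them, but the origin hop's reverse DNS, its IP address and the sendmail log agree that the connection came from castor.csustan.edu [130.17.70.9], and the SPF_FAIL test flags that address as not authorised for disney.com. Only the Received: line added by a server you trust, and that server's own log, tell you anything reliable; every earlier Received: line could itself have been typed into the DATA section.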

Related Links for Further Reading:

AOL Signs Off From Sender ID

Reading Email Headers

Law Barring Junk E-Mail Allows a Flood Instead

IP-spoofing Demystified

Spamming Issues and Topics