Basic Email Forgery (Taken from Technotronic)

It's all too simple to create a new email identity--or assume someone else's. Try this: Go to the preferences section of your browser or email software. In Netscape Navigator, for example, select Options/Mail And News Preferences. Once there, simply reset the header information in your email preferences, establishing a false address at a nonexistent domain. For example, try forger@forgery.com. Now send yourself an email to your real address. Check your mail. You should have received a message from forger@forgery.com.

How can you recognize a forged email message? If you've received a piece of nasty, obscene, or otherwise annoying email, look at it closely. If the sender's address is familiar, but the message sounds out of character, check the message header to make sure that all of the information--the sender's name, Internet service provider (ISP) address, and domain name--agree. If they don't, it's an indication that you may be the recipient of a forgery.

The first step in trying to find the person actually responsible is to send an email inquiry to the purported sender. Don't use the Reply button to do this. Inexperienced forgers will often neglect to change the Reply To field when composing a false message, meaning that your reply will go directly to the forger rather than to the person whose email was forged. Type in the mail address of the supposed sender, asking in the message field whether he or she sent you a message.

Basic Email Forgery using Telnet and older versions of sendmail

You need a telnet program like NETTERM or a UNIX shell account. Replace www.somedomain.com with the ISP of your choice. Replace forger@forgery.com with any email address you would like. Send the email to your actual email address as a test. Check the header information. Results will vary depending on the Send Mail Program.

    telnet www.somedomain.com 25

You should get something like this:

    Trying 129.24.96.10...
    Connected to www.somedomain.com.
    Escape character is '^]'.
    220 www.somedomain.com Smail3.1.28.1 #41 ready at Fri, 12 Jul 96 12:17 MDT

Port 25 moves email from one node to the next across the Internet. It automatically takes incoming email and, if the email doesn't belong to someone with an email address on that computer, sends it on to the next computer on the net, eventually to wind its way to the person to whom this email belongs.

    helo forger@forgery.com
    250 www.somedomain.com Hello forger@forgery.com
    mail from:forger@forgery.com
    250 ... Sender Okay
    rcpt to:youractualemailaddress@yourisp.com
    250 <youractualemailaddress@yourisp.com> ... Recipient Okay
    data
    354 Enter mail, end with "." on a line by itself
    It works!!!
    .
    250 Mail accepted

Basic Usenet Post Forgery Using Telnet

The Usenet port usually is open only to those with accounts on that system. So you will need to telnet from your ISP shell account back into your own ISP as follows:

    telnet news.myISP.com 119

where you substitute the part of your email address that follows the @ for "myISP.com." With my ISP I get this result:

    Trying 198.59.115.25 ...
    Connected to myISP.com.
    Escape character is '^]'.
    200 myISP.com InterNetNews NNRP server INN 1.4unoff4 05-Mar-96 ready (posting)

Now when we are suddenly in a program that we don't know too well, we ask for:

    help

And we get:

    100 Legal commands
      authinfo user Name|pass Password|generic <prog> <args>
      article [MessageID|Number]
      body [MessageID|Number]
      date
      group newsgroup
      head [MessageID|Number]
      help
      ihave
      last
      list [active|newsgroups|distributions|schema]
      listgroup newsgroup
      mode reader
      newgroups yymmdd hhmmss ["GMT"] [<distributions>]
      newnews newsgroups yymmdd hhmmss ["GMT"] []
      next
      post
      slave
      stat [MessageID|Number]
      xgtitle [group_pattern]
      xhdr header [range|MessageID]
      xover [range]
      xpat header range|MessageID pat [morepat...]
      xpath MessageID
    Report problems to <usenet@myISP.com>

To detect forgeries, take a look at the header information. The header is something that shows the route that email or Usenet post took to get into your computer. It gives the names of Internet host computers that have been used in the creation and transmission of a message. When something has been forged, however, the computer names may be fake. Alternatively, the skilled forger may use the names of real hosts. But the skilled hacker can tell whether a host listed in the header was really used.

Start with the Posting Host line. Perform a whois on the Posting Host Name. whois can be executed from a utility like NetScan, the UNIX Shell Prompt, or http://www.internic.net

    whois forgery.com
    No match for "FORGERY.COM"

If you happen to get a match and still suspect a forgery, finger can be executed from a utility like NetScan or the UNIX Shell Prompt:

    finger forger@forgery.com

We get:

    [forger.com]
    finger: forger.com: Connection timed out

There are several possible reasons for this. One is that the systems administrator for forger.com has disabled the finger port. Another is that forger.com is inactive. It could be on a host computer that is turned off, or maybe just an orphan. To see if the system is currently on the internet, ping can be executed from a utility like NetScan, the UNIX Shell Prompt, or the Windows Command Prompt:

    ping forger.com

If you get a response, the system is currently on the internet. If your ping "times out", the system is not currently connected or was forged. If you get a response, try telnetting to the machine to see if you get a logon screen. Through trial and error you may be able to determine the origin of the forgery: work your way through the header information, telnetting to port 119 (news) and port 23 (login). By determining which addresses are valid news servers and which are invalid, you can determine from which news server the forged post originated.

This last updated on Thursday, 30-Apr-98 10:41:12 CDT
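The two detection passages above (checking that sender name, ISP address and domain agree, and reading the header chain hop by hop) can be turned into a mechanical first pass before any whois, finger or ping work. The following Python script is an added example and is not part of the Technotronic text. It parses a message, walks the Received: lines from the bottom (the hop that first accepted the message) upward, and reports the three tells the text describes: a Reply-To that points somewhere other than From, a HELO name that is not a host name (the telnet session above gives an email address as the HELO), and a claimed sender domain that never appears on the originating hop. The "from HELO (rDNS [IP]) by host" layout it parses is the common MTA convention, not something the page states, and both sample messages, their host names and the 192.0.2.x and 198.51.100.x addresses are constructed for the example (the 129.24.96.10 address and Smail banner are taken from the page). No network lookups are made, so the originating IP is returned for the manual whois/ping steps.

```python
"""Header-consistency check for a suspected forged email (added example).

Walks the Received: chain bottom-up and flags the inconsistencies a defender
looks for first. The parts an MTA records itself (reverse DNS and IP in
parentheses) are trusted more than the HELO name, which the sender supplies.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# "from <helo> (<rdns> [<ip>]) by <host>" as written by most MTAs (assumed
# layout; adjust the pattern for MTAs that format the line differently).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def parse_received(value):
    """Split one Received: header into its helo / rdns / ip / by parts."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    return m.groupdict() if m else {"helo": None, "rdns": None, "ip": None, "by": None}


def domain_of(addr):
    """Domain part of a header address, lower-cased ('' if none)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def on_domain(host, domain):
    """True if host is the domain itself or a name inside it."""
    host = (host or "").lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def check_headers(raw):
    """Return hop count, originating IP/rDNS and a list of warning flags."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = hops[-1] if hops else parse_received("")  # last header = first hop
    from_dom = domain_of(msg.get("From"))
    flags = []

    # 1. An inexperienced forger often leaves Reply-To pointing at themselves.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")

    # 2. The HELO name is sender-supplied; an address or junk there is a tell.
    helo = origin["helo"] or ""
    helo_is_host = bool(HOSTNAME_RE.fullmatch(helo))
    if helo and not helo_is_host:
        flags.append("helo-not-hostname")

    # 3. The claimed From domain should show up on the hop that injected the
    #    message, either in the observed rDNS or in a plausible HELO.
    if from_dom and not (on_domain(origin["rdns"], from_dom)
                         or (helo_is_host and on_domain(helo, from_dom))):
        flags.append("sender-domain-not-on-origin")

    return {"hops": len(hops), "origin_ip": origin["ip"],
            "origin_rdns": origin["rdns"], "flags": flags}


# Constructed sample modelled on the telnet session in the text: HELO given as
# an address, From at a nonexistent domain, Reply-To leaking the real account.
FORGED = """\
Received: from www.somedomain.com (www.somedomain.com [129.24.96.10])
\tby mx.yourisp.com with SMTP; Fri, 12 Jul 96 12:18:02 MDT
Received: from forger@forgery.com (dialup-17.someisp.example [192.0.2.17])
\tby www.somedomain.com (Smail3.1.28.1) with SMTP; Fri, 12 Jul 96 12:17:40 MDT
From: forger@forgery.com
Reply-To: realperson@someisp.example
To: youractualemailaddress@yourisp.com
Subject: test

It works!!!
"""

# Constructed legitimate message: every hop agrees with the claimed sender.
CLEAN = """\
Received: from mail.someisp.example (mail.someisp.example [198.51.100.25])
\tby mx.yourisp.com with SMTP; Fri, 12 Jul 96 12:18:02 MDT
Received: from dialup-17.someisp.example (dialup-17.someisp.example [192.0.2.17])
\tby mail.someisp.example with SMTP; Fri, 12 Jul 96 12:17:40 MDT
From: alice@someisp.example
To: youractualemailaddress@yourisp.com
Subject: hello

Hi.
"""

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("clean", CLEAN)):
        print(name, check_headers(raw))
```

For the forged sample the script reports all three flags and returns 192.0.2.17 as the originating address, which is the value to hand to whois and ping rather than the forgery.com name in the From line; the clean sample produces no flags. The flags are hints, not proof: a legitimate mailing list or a user sending through a different provider can trip the domain check, so the manual steps in the text remain the way to confirm.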