
Basic Email Forgery (Taken from Technotronic)

It's all too simple to create a new email identity--or assume
someone else's. Try this:

Go to the preferences section of your browser or email software. In
Netscape Navigator, for example, select Options/Mail And News
Preferences. Once there, simply reset the header information in your
email preferences, establishing a false address at a nonexistent
domain. For example, try forger@forgery.com. Now send yourself an
email to your real address. Check your mail. You should have
received a message from forger@forgery.com.

How can you recognize a forged email message? If you've received a
piece of nasty, obscene, or otherwise annoying email, look at it
closely. If the sender's address is familiar, but the message sounds
out of character, check the message header to make sure that all of
the information--the sender's name, Internet service provider (ISP)
address, and domain name--agree. If they don't, it's an indication
that you may be the recipient of a forgery.

The first step in trying to find the person actually responsible is
to send an email inquiry to the purported sender. Don't use the
Reply button to do this. Inexperienced forgers will often neglect to
change the Reply To field when composing a false message, meaning
that your reply will go directly to the forger rather than to the
person whose email was forged. Type in the mail address of the
supposed sender, asking in the message field whether he or she sent
you a message.

Basic Email Forgery using Telnet and older versions of sendmail

You need a telnet program like NETTERM or a UNIX shell account.

Replace www.somedomain.com with the ISP of your choice.
Replace forger@forgery.com with any email address you would like.
Send the email to your actual email address as a test.
Check the header information. Results will vary depending on the
Send Mail Program.

telnet www.somedomain.com 25
You should get something like this:
Trying 129.24.96.10...
Connected to www.somedomain.com.
Escape character is '^]'.
220 www.somedomain.com Smail3.1.28.1 #41 ready at Fri, 12 Jul 96
12:17 MDT

Port 25 moves email from one node to the next across the Internet.
It automatically takes incoming email and, if the email doesn't
belong to someone with an email address on that computer, sends
it on to the next computer on the net, eventually to wind its way to
the person to whom this email belongs.

helo forger@forgery.com
250 www.somedomain.com Hello forger@forgery.com
mail from:forger@forgery.com
250 ... Sender Okay
rcpt to:youractualemailaddress@yourisp.com
250 <youractualemailaddress@yourisp.com> ... Recipient Okay
data
354 Enter mail, end with "." on a line by itself
It works!!!
.
250 Mail accepted

Basic Usenet Post Forgery Using Telnet:

The Usenet port usually is open only to those with accounts on that
system. So you will need to telnet from your ISP shell account back
into your own ISP as follows:

telnet news.myISP.com 119

where you substitute the part of your email address that follows the
@ for "myISP.com."

With my ISP I get this result:

Trying 198.59.115.25 ...
Connected to myISP.com.
Escape character is '^]'.
200 myISP.com InterNetNews NNRP server INN 1.4unoff4 05-Mar-96 ready
(posting)

Now when we are suddenly in a program that we don't know too well,
we ask for:

help
And we get:
100 Legal commands
authinfo user Name|pass Password|generic <prog> <args>
article [MessageID|Number]
body [MessageID|Number]
date
group newsgroup
head [MessageID|Number]
help
ihave
last
list [active|newsgroups|distributions|schema]
listgroup newsgroup
mode reader
newgroups yymmdd hhmmss ["GMT"] [<distributions>]
newnews newsgroups yymmdd hhmmss ["GMT"]
next
post
slave
stat [MessageID|Number]
xgtitle [group_pattern]
xhdr header [range|MessageID]
xover [range]
xpat header range|MessageID pat [morepat...]
xpath MessageID
Report problems to <usenet@myISP.com>

To detect forgeries, take a look at the header information.

The header is something that shows the route that email or Usenet
post took to get into your computer. It gives the names of Internet
host computers that have been used in the creation and transmission
of a message. When something has been forged, however, the computer
names may be fake. Alternatively, the skilled forger may use the
names of real hosts. But the skilled hacker can tell whether a host
listed in the header was really used.
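The header checks described above, as an added example that is not part of the original article: the script below parses a message's headers with Python's standard email module and flags the disagreements the text points to, the envelope sender (Return-Path) versus From, Reply-To versus From, and, for each Received: hop, the name the connecting machine announced in HELO versus the name the receiving server looked up for it. It assumes the common sendmail-style Received: layout "from HELO-name (reverse-DNS-name [ip]) by server"; the two sample messages, every host name and address in them, and the finding labels are constructed for the example.

```python
"""Flag the header disagreements that give away a forged email.

Added example, not part of the original article. Assumes sendmail-style
Received: lines of the form
  from <HELO name> (<reverse-DNS name> [<ip>]) by <server> ...
All addresses, host names and IPs below are constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: claims alice@example.net, but the envelope sender,
# Reply-To and the earliest Received: hop all point at a different site.
FORGED_MESSAGE = (
    "Return-Path: <forger@forgery.example>\n"
    "Received: from mail.yourisp.example (mail.yourisp.example [192.0.2.10])\n"
    "\tby mx.yourisp.example with ESMTP id abc123; Fri, 12 Jul 1996 12:18:00 -0600\n"
    "Received: from forgery.example (dialup-42.otherisp.example [198.51.100.42])\n"
    "\tby mail.yourisp.example with SMTP id xyz789; Fri, 12 Jul 1996 12:17:30 -0600\n"
    "From: Alice <alice@example.net>\n"
    "Reply-To: forger@forgery.example\n"
    "To: you@yourisp.example\n"
    "Subject: test\n"
    "\n"
    "It works!!!\n"
)

# Constructed sample whose headers all agree.
CLEAN_MESSAGE = (
    "Return-Path: <alice@example.net>\n"
    "Received: from mail.example.net (mail.example.net [192.0.2.20])\n"
    "\tby mx.yourisp.example with ESMTP id def456; Fri, 12 Jul 1996 12:18:00 -0600\n"
    "From: Alice <alice@example.net>\n"
    "To: you@yourisp.example\n"
    "Subject: hello\n"
    "\n"
    "Hi.\n"
)

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def same_site(host, domain):
    """True when host is the domain itself or a name inside it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def received_hops(msg):
    """Parse each Received: header into its fields, nearest server first."""
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if match:
            hops.append(match.groupdict())
    return hops


def analyze(raw_message):
    """Return the list of disagreements found; an empty list means the headers agree."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg["From"])
    return_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])

    # The envelope sender given in MAIL FROM should belong to the same site as From:.
    if return_dom and return_dom != from_dom:
        findings.append("envelope-sender-mismatch")
    # A Reply-To: pointing elsewhere is the slip the text says careless forgers make.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")

    hops = received_hops(msg)
    for hop in hops:
        # The HELO name is chosen by the connecting client; the name in parentheses
        # was looked up by the receiving server, so a difference means the client lied.
        if hop["helo"].lower() != hop["rdns"].lower():
            findings.append("helo-mismatch:" + hop["helo"])
    if hops:
        # The last Received: line is the earliest hop: the machine that handed the
        # message into the mail system. It should sit inside the From: domain.
        origin = hops[-1]["rdns"].lower()
        if not same_site(origin, from_dom):
            findings.append("origin-host-mismatch:" + origin)
    return findings


if __name__ == "__main__":
    for name, raw in (("forged", FORGED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, analyze(raw) or "headers agree")
```

Only the Received: lines added by servers you trust (your own ISP's) are reliable; everything below them, including earlier Received: lines, can be typed in by the sender, which is why the text warns that a skilled forger may list real host names. Servers of the era shown on this page (Smail, older sendmail) may format Received: differently from the layout assumed here, so the regular expression is an assumption, not a universal parser.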

Start with the Posting Host line.

Perform a whois on the Posting Host Name.
whois can be executed from a utility like NetScan, the UNIX Shell
Prompt, or http://www.internic.net

whois forgery.com
No match for "FORGERY.COM"

If you happen to get a match and still suspect a forgery, finger can
be executed from a utility like NetScan or the UNIX Shell Prompt

finger forger@forgery.com
We get:
[forger.com]
finger: forger.com: Connection timed out

There are several possible reasons for this. One is that the systems
administrator for forger.com has disabled the finger port. Another
is that forger.com is inactive. It could be on a host computer that
is turned off, or maybe just an orphan.

To see if the system is currently on the internet, ping can be
executed from a utility like NetScan, the UNIX Shell Prompt, or the
Windows Command Prompt

ping forger.com
If you get a response, the system is currently on the internet. If
your ping "times out" the system is not currently connected or was
forged.

If you get a response, try telnetting to the machine to see if you
get a logon screen. Through trial and error you may be able to
determine the origin of the forgery.

Work your way through the header information, telnetting to port
119 (news) and port 23 (login) on each host. By determining which addresses are
valid news servers and which are invalid, you can determine from
which news server the forged post originated.
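The Usenet side of the procedure above (start with the posting host, then work through the header) as an added example that is not part of the original article: the script reads a Usenet article's Path:, NNTP-Posting-Host:, From: and Message-ID: headers, produces the ordered list of host names to look up with whois and ping, and flags the disagreements that point to the injecting news server rather than the site named in From:. It assumes the Path: convention "nearest-server!...!injecting-server!user" and that servers in the path are named by fully qualified names; the sample article and every host name in it are constructed.

```python
"""Pull the hosts to verify out of a Usenet article header.

Added example, not part of the original article. Assumes the Path: header
convention 'nearest-server!...!injecting-server!user' and an
NNTP-Posting-Host: header recorded by the injecting server; all host names
are constructed for the example.
"""
import re
from email import message_from_string

# Constructed sample: From: and Message-ID: claim example.net, but Path: shows
# the article entered Usenet at news.forgery.example, from a dial-up host at
# a third site.
FORGED_ARTICLE = (
    "Path: news.yourisp.example!feed.transit.example!news.forgery.example!not-for-mail\n"
    "From: victim@example.net (Victim)\n"
    "Newsgroups: alt.test\n"
    "Subject: test\n"
    "Message-ID: <abc123@example.net>\n"
    "NNTP-Posting-Host: dialup-42.otherisp.example\n"
    "\n"
    "body\n"
)

# A fully qualified host name: two or more labels of letters, digits and hyphens.
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
FQDN_RE = re.compile(r"^(?:%s\.)+%s$" % (LABEL, LABEL), re.I)
# Domain part of the first address in a From: or Message-ID: header.
ADDR_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def same_site(host, domain):
    """True when host is the domain itself or a name inside it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def addr_domain(header_value):
    """Lower-cased domain after the first '@' in a header, or '' if none."""
    match = ADDR_DOMAIN_RE.search(header_value or "")
    return match.group(1).lower() if match else ""


def path_hosts(raw_article):
    """Hosts in Path:, nearest server first, injecting server last.

    Trailing tokens that are not FQDNs (the user slot, usually 'not-for-mail')
    are dropped; this assumes every server in the path is named by a FQDN.
    """
    msg = message_from_string(raw_article)
    tokens = [t.strip() for t in (msg["Path"] or "").split("!") if t.strip()]
    while tokens and not FQDN_RE.match(tokens[-1]):
        tokens.pop()
    return tokens


def injection_host(raw_article):
    """The rightmost Path: host is the news server that accepted the post."""
    hosts = path_hosts(raw_article)
    return hosts[-1] if hosts else ""


def hosts_to_verify(raw_article):
    """Names to look up, in order: posting host, then the Path: from origin outward."""
    msg = message_from_string(raw_article)
    ordered = []
    posting = (msg["NNTP-Posting-Host"] or "").strip()
    if posting:
        ordered.append(posting)
    for host in reversed(path_hosts(raw_article)):
        if host not in ordered:
            ordered.append(host)
    return ordered


def findings(raw_article):
    """Header disagreements worth following up with whois, ping and port 119."""
    msg = message_from_string(raw_article)
    out = []
    origin = injection_host(raw_article).lower()
    posting = (msg["NNTP-Posting-Host"] or "").strip().lower()
    from_dom = addr_domain(msg["From"])
    msgid_dom = addr_domain(msg["Message-ID"])

    # The injecting server normally generates the Message-ID, so its domain should match.
    if msgid_dom and not same_site(origin, msgid_dom):
        out.append("message-id-domain-mismatch:" + msgid_dom)
    # A poster normally injects through a news server at the site in their From: address.
    if from_dom and not same_site(origin, from_dom):
        out.append("injection-host-outside-from-domain:" + origin)
    # The posting host was recorded by the server; note when it is outside the From: site too.
    if posting and from_dom and not same_site(posting, from_dom):
        out.append("posting-host-outside-from-domain:" + posting)
    return out


if __name__ == "__main__":
    print(hosts_to_verify(FORGED_ARTICLE))
    print(findings(FORGED_ARTICLE))
```

The list returned by hosts_to_verify is the order the text recommends: the posting host first, then each server in Path: from the injecting server outward, and the servers nearest your own ISP last, since those are the ones whose entries you can trust. Path: entries to the right of a trusted server can be written by the forger, so a name appearing there proves nothing until whois and a connection to port 119 confirm it is a real news server.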

This was last updated on Thursday, 30-Apr-98 10:41:12 CDT