_________________________________________________________
Guide to (mostly) Harmless Hacking
Vol. 1 No. 7
How to Forge Email Using Eudora Pro
_________________________________________________________

One of the most popular hacking tricks is forging email. People love to fake out their friends by sending them email that looks like it is from Bill_Gates@microsoft.com, santa@north.pole.org, or beelzebub@heck.mil. Unfortunately, spammers and other undesirables also love to fake email, so it's easy for them to get away with flooding our email accounts with junk.

Thanks to these problems, most email programs are good Internet citizens. Pegasus, which runs on Windows, and Pine, which runs on Unix, are fastidious in keeping people from misusing them. Have you ever tried to forge email using Compuserve or AOL? I'm afraid to ever say something is impossible to hack, but those email programs have all resisted my attempts. I will admit that the screen name feature of America OnLine allows one to hide behind all sorts of handles.

But for industrial strength email forging there is Eudora Pro for Windows 95, Qualcomm's gift to the Internet and the meanest, baddest email program around.

*******************************************************
In this Guide you will learn how to use Eudora Pro to fake email. This will include how to forge:
· Who sent the mail
· Extra headers to fake the route it took through the Internet
· Even the message ID!
· And anything else you can imagine
· Plus, how to use Eudora for sending your email from other people's computers -- whether they like it or not.
· Plus -- is it possible to use Eudora for mail bombing?
*****************************************************************

Some Super Duper haxors will see this chapter and immediately start making fun of it. They will assume I am just going to teach the obvious stuff, like how to put a fake sender on your email. No way. This is serious stuff.
For example, check out the full headers of this email:

Return-Path:
Received: from kizmiaz.fu.org (root@kizmiaz.fu.org [206.14.78.160]) by Foo66.com (8.8.6/8.8.6) with ESMTP id VAA09915 for ; Sat, 13 Sep 1997 21:54:34 -0600 (MDT)
Received: from Anteros (pmd08.foo66.com [198.59.176.41]) by kizmiaz.fu.org (8.8.5/8.8.5) with SMTP id UAA29704 for ; Sat, 13 Sep 1997 20:54:20 -0700 (PDT)
Date: Sat, 13 Sep 1997 20:54:20 -0700 (PDT)
Message-Id: <2.2.16.19970913214737.530f0502@ayatollah.ir>
received: from emout09.mail.ayatollah.ir (emout09.mx.aol.com [198.81.11.24])by Foo66.com (8.8.6/8.8.6) with ESMTP id MAA29967 for ; Mon, 8 Sep 1997 12:06:09 -0600 (MDT)
Favorite-color:turquoise
X-Sender: meinel@ayatollah.ir (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: cpm@foo66.com
From: Carolyn Meinel
Subject: Test of forged everything

I actually sent this email through a PPP connection with my account cpm@foo66.com to myself at that same address. Yes, this email began and ended up at the same computer. However, if you read the headers, this email looks like it was sent by a computer named Anteros, then went to kizmiaz.fu.org, then ayatollah.ir. Sender, it reports, is unverified but appears to be meinel@ayatollah.ir.

What is of particular interest is the message ID. Many people, even experienced sysadmins and hackers, assume that even with forged email, the computer name at the end of the message ID is the computer on which the email was written, and the computer that holds the record of who the guy was who forged it. But you can quickly prove with Eudora Pro that you can forge a message ID that references almost any computer, including nonexistent computers.

Some of this Guide is clearly amateurish. For hundreds of dollars you can buy an email program from a spammer company that will forge email better and pump it out faster.
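Here is an added example, written for this edition of the Guide rather than taken from it or from Qualcomm, showing how a recipient or a mail admin can read a header block like the one above programmatically instead of trusting it. It rests on one property of SMTP relaying: every relay prepends its own Received line, so anything the sending client put into the message (the sender's own headers, and any "extra headers" the client was configured to add) ends up below the relay-written lines. The script flags Received lines that sit below the client's own headers, announced host names that do not match what the relay recorded, breaks in the from/by chain, timestamps that run backwards, and a Message-Id domain that no trusted relay ever handled. The sample header block is constructed from the one shown above, with the bracketed addresses filled in from those the text names; ORIGINATOR_HEADERS, the finding codes and the "last two labels" domain comparison are my own choices, not any standard.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Headers the originating mail client writes itself. Every relay *prepends*
# its own Received line, so a Received line found below any of these was
# already in the message when the client submitted it. (Assumed list.)
ORIGINATOR_HEADERS = {"message-id", "from", "to", "date", "subject",
                      "x-mailer", "x-sender", "mime-version", "content-type"}
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)

# Constructed sample, modeled on the header block discussed in the text.
SAMPLE_HEADERS = """\
Received: from kizmiaz.fu.org (root@kizmiaz.fu.org [206.14.78.160])
    by Foo66.com (8.8.6/8.8.6) with ESMTP id VAA09915
    for <cpm@foo66.com>; Sat, 13 Sep 1997 21:54:34 -0600 (MDT)
Received: from Anteros (pmd08.foo66.com [198.59.176.41])
    by kizmiaz.fu.org (8.8.5/8.8.5) with SMTP id UAA29704
    for <cpm@foo66.com>; Sat, 13 Sep 1997 20:54:20 -0700 (PDT)
Date: Sat, 13 Sep 1997 20:54:20 -0700 (PDT)
Message-Id: <2.2.16.19970913214737.530f0502@ayatollah.ir>
received: from emout09.mail.ayatollah.ir (emout09.mx.aol.com [198.81.11.24])
    by Foo66.com (8.8.6/8.8.6) with ESMTP id MAA29967
    for <cpm@foo66.com>; Mon, 8 Sep 1997 12:06:09 -0600 (MDT)
Favorite-color: turquoise
X-Sender: meinel@ayatollah.ir (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
From: Carolyn Meinel <cmeinel@techbroker.com>
"""


@dataclass
class Hop:
    helo: str                 # name the connecting host announced ("from ...")
    reverse: str              # name the receiving relay recorded in parentheses
    by: str                   # the relay that wrote this line
    when: Optional[datetime]
    trusted: bool             # False if the line sat below originator headers


def _base_domain(name: str) -> str:
    """Crude registrable-domain approximation: last two labels, lowercased."""
    name = name.split("@")[-1].strip("[]").lower()
    return ".".join(name.split(".")[-2:])


def parse_hops(raw_headers: str) -> List[Hop]:
    hops, seen_originator = [], False
    for name, value in message_from_string(raw_headers).items():  # source order
        lname = name.lower()
        seen_originator |= lname in ORIGINATOR_HEADERS
        if lname != "received":
            continue
        value = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        helo, paren, by = m.group(1), m.group(2) or "", m.group(3)
        when = None
        try:                                     # the date follows the last ';'
            when = parsedate_to_datetime(value.rsplit(";", 1)[1])
            when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
        except (IndexError, TypeError, ValueError):
            pass
        hops.append(Hop(helo, paren.split()[0] if paren else helo, by, when, not seen_originator))
    return hops


def analyze(raw_headers: str) -> List[str]:
    """Return findings as 'CODE ...' strings; an empty list means nothing looked off."""
    hops, findings = parse_hops(raw_headers), []
    for i, hop in enumerate(hops, 1):
        if not hop.trusted:
            findings.append(f"CLIENT_SUPPLIED hop {i}: Received line sits below the "
                            "originator's own headers, so the sender wrote it, not a relay")
        if _base_domain(hop.helo) != _base_domain(hop.reverse):
            findings.append(f"HELO_MISMATCH hop {i}: announced {hop.helo!r}, "
                            f"relay saw {hop.reverse!r}")
    # Newest hop first: each line's "from" host should be the "by" host of the
    # next older line, and the older line must not carry a later timestamp.
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        if older.by.lower() not in (newer.helo.lower(), newer.reverse.lower()):
            findings.append(f"CHAIN_BREAK hops {i + 1}->{i + 2}: {newer.by} took the mail "
                            f"from {newer.helo}, yet the next line says {older.by} handled it")
        if newer.when and older.when and older.when > newer.when:
            findings.append(f"TIME_REVERSED hops {i + 1}->{i + 2}: older hop is dated later")
    # The Message-Id domain is whatever the client chose; compare it with relays
    # that verifiably handled the mail.
    msgid = message_from_string(raw_headers).get("Message-Id", "")
    domain = msgid.rsplit("@", 1)[-1].strip("> ").lower() if "@" in msgid else ""
    seen = {n.lower() for h in hops if h.trusted for n in (h.by, h.reverse.split("@")[-1])}
    if domain and domain not in seen:
        findings.append(f"MSGID_UNVERIFIED: Message-Id domain {domain!r} matches no relay "
                        "that handled the mail; the sending client chose it")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_HEADERS):
        print(line)
```

On the sample this yields five findings: a HELO_MISMATCH on the dialup hop (a home PC announcing itself as "Anteros" is ordinary, so that one is a weak signal by itself), then CLIENT_SUPPLIED, HELO_MISMATCH and CHAIN_BREAK on the lowercase received: line, and MSGID_UNVERIFIED for ayatollah.ir. The only hops you can rely on are the ones written by relays you trust, and the Message-Id domain is whatever the sender typed into the client; none of this identifies the sender, it only tells you which lines to discount.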
Still, learning to forge email on Eudora illustrates many basic principles of email forgery.

Let's start with the sender's email address. I managed to give myself three different addresses in this email:

meinel@ayatollah.ir
cmeinel@techbroker.com
cpm@foo66.com

Only the last of these, cpm@foo66.com, was "real." The other two I inserted myself. There is a legitimate use for this power. In my case, I have several ISPs but like to have everything returned to my email address at my own domain, techbroker.com. But that ayatollah address is purely a joke.

Here's how I put in those names.

1) In Eudora, click "tools" then "options." This will pull down a menu.

2) Click "Personal Information." For forging email, you can make every one of these entries fake.

3) The address you put under "Pop account" is where you tell Eudora where to look to pick up your email. But guess what? When you send email you can put a phony host in there. I put "ayatollah.ir." This generated the line in the header, "Message-Id: <2.2.16.19970913214737.530f0502@ayatollah.ir>." Some people think the message ID is the best way to track down forged email. Just mail the sysadmin at ayatollah.ir, right? Wrong!

4) "Real name" and "Return address" are what showed up in the header lines "From: Carolyn Meinel " and "Return-Path: ." I could have made them fake. If they are fake, people can't reply to you by giving the "reply" command in their email program.

5) Next, while still on the options pulldown, scroll down to "sending mail." Guess what, under "SMTP Server," you don't have to put in the one your ISP offers you to send your email out on. With a little experimentation you can find hundreds -- thousands -- millions -- of other computers that you can use to send email on. However, this must be a real computer that will really send out your email. I picked kizmiaz.fu.org for this one.
That accounts for the header lines:

Received: from kizmiaz.fu.org (root@kizmiaz.fu.org [206.14.78.160]) by Foo66.com (8.8.6/8.8.6) with ESMTP id VAA09915 for ; Sat, 13 Sep 1997 21:54:34 -0600 (MDT)
Received: from Anteros (pmd08.foo66.com [198.59.176.41]) by kizmiaz.fu.org (8.8.5/8.8.5) with SMTP id UAA29704 for ; Sat, 13 Sep 1997 20:54:20 -0700 (PDT)

How to Make Extra Headers and Fake the Path through the Internet

But maybe this doesn't make a weird enough header for you. Want to make your email even phonier? Even really experienced Eudora users rarely know how to make extra headers, so it's a great way to show off.

1) Open Windows Explorer by clicking "start," then "programs," then "Windows Explorer".

2) On the left hand side is a list of directories. Click on Eudora.

3) On the right hand side will be all the directories and files in Eudora. Scroll down them to the files. Click on "eudora.ini."

4) Eudora.ini is now in Notepad and ready to edit.

5) Fix it up by going to the line entitled "extra headers=" under [Dialup]. After the "=" type in something like this:

extraheaders=received:from emout09.mail.ayatollah.ir (emout09.mx.aol.com [198.81.11.24])by Foo66.com (8.8.6/8.8.6) with ESMTP id MAA29967 for ; Mon, 8 Sep 1997 12:06:09 -0600 (MDT)

With this set up, all your email going out from Eudora will include that line in the headers. You can add as many extra headers to your email as you want by adding new lines that also start with "extra headers=". For example, in this case I also added "Favorite-color:turquoise."

******************************************************
You can go to jail warning: There still are ways for experts to tell where you sent this email from. So if someone were to use forged email to defraud, threaten or mail bomb people, watch out for that cellmate named Spike.
*****************************************************************

Is it Possible to Mail Bomb Using Eudora?
The obvious way to mail bomb with Eudora doesn't work. The obvious way is to put the address of your victim into the address list a few thousand times and then attach a really big file. But the result will be only one message going to that address. This is no thanks to Eudora itself. The mail daemons in common use on the Internet such as sendmail, smail and qmail only allow one message to be sent to each address per email.

Of course there are better ways to forge email with Eudora. Also, there is a totally trivial way to use Eudora to send hundreds of gigantic attached files to one recipient, crashing the mail server of the victim's ISP. But I'm not telling you how because this is, after all, a Guide to (mostly) Harmless Hacking.

But next time those Global kOS dudes try to snooker you into using one of their mail bomber programs (they claim these programs will keep you safely anonymous but in fact you will get caught) just remember all they are doing is packaging up stuff that anyone who knows two simple tricks could do much better with Eudora. (If you are a legitimate computer security professional, and you want to join us at Infowar in solving the problem, contact me for details and we'll think about whether to trust you.)

************************************************
Evil Genius Tip: This deadly mailbomber thingy is a feature, yes, honest-to-gosh intended FEATURE, of sendmail. Get out your manuals and study.
************************************************

The ease with which one may forge perfect mail and commit mail bombings which crash entire ISP mail servers and even shut down Internet backbone providers such as has recently happened to AGIS may well be the greatest threat the Internet faces today. I'm not happy about revealing this much. Unfortunately, the mail forgery problem is a deeply ingrained flaw in the Internet's basic structure.
So it is almost impossible to explain the basics of hacking without revealing the pieces to the puzzle of the perfect forgery and perfect mailbombing. If you figure it out, be a good guy and don't abuse it, OK? Become one of us insiders who see the problem -- and want to fix it rather than exploit it for greed or hatred.

_______________________________________________________________
To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.

Copyright 1997 Carolyn P. Meinel. You may forward or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_________________________________________________________