Hey guys, i was reading this tut on hackersthreads.com about how u can telnet your SMTP server, like smth.domain.com and get a basic greeting from a server. And then u can send a letter or smth through that if the server allows...
Does it work nowadays cuz i was not able to connect to anything. I type in windows "telnet smth.yahoo.com 25" and it says it cant connect. I was able to connect to old telnet sessions so i think i am doing the syntax right?
telneting the SMTP server
SMTP
That is an old one, many SMTP servers are blocked to prevent spammers from spoofing off of them.
I still find a few though, usually they are small to large business networks. I used to spoof off this small computer company in a small town.
You'd telnet to port 25, the SMTP server would greet you with:
220 gnr.u2me3.com ESMTP Sendmail 8.9.3/8.9.3; Mon, 31 Jan 2006 01:45:38 -0500
Now you know the brand and version of the SMTP server, thats good for exploiting..
A good sysadmin will remove this banner..
Just like any protocol, you have to follow strict procedure:
You must type it correctly and you cannot backspace to correct errors.
Type in:
MAIL FROM: President@whitehouse.gov, hit enter
you might see :
250 President@Whitehouse.gov... Sender ok
Then type :
RCPT TO: DNR@gmail.com, hit enter
you might see:
250 DNR@gmail.com... Recipient ok
MANY SMTP servers will deny you at this point, why?
1. you are not a user of the network the SMTP serves, so you'll get
"Relaying denied" this is a simple filter. If you want to send spoofed email to a authorized user, it will work. This is why there are advanced filters to prevent spammers from getting on the network and spamming the users/employee'e email boxes.
IF you get "Recipient ok" then lets proceed.
Type :
DATA, hit enter
you might see:
354 Enter mail, end with "." on a line by itself
You can now compose your text email, in this case it will look like it came from President@whitehouse.gov and be sent to DNR@gmail.com.
After you write your message, on a line by itself, type a "."
You should see:
250 BAA07042 Message accepted for delivery
then type "Quit" so you show the sysadmin you know what you're doing
Keep the SMTP servers a secret, I lost the one in the small town because I gave it out to other friends
DNR
I still find a few though, usually they are small to large business networks. I used to spoof off this small computer company in a small town.
You'd telnet to port 25, the SMTP server would greet you with:
220 gnr.u2me3.com ESMTP Sendmail 8.9.3/8.9.3; Mon, 31 Jan 2006 01:45:38 -0500
Now you know the brand and version of the SMTP server, thats good for exploiting..
A good sysadmin will remove this banner..
Just like any protocol, you have to follow strict procedure:
You must type it correctly and you cannot backspace to correct errors.
Type in:
MAIL FROM: President@whitehouse.gov, hit enter
you might see :
250 President@Whitehouse.gov... Sender ok
Then type :
RCPT TO: DNR@gmail.com, hit enter
you might see:
250 DNR@gmail.com... Recipient ok
MANY SMTP servers will deny you at this point, why?
1. you are not a user of the network the SMTP serves, so you'll get
"Relaying denied" this is a simple filter. If you want to send spoofed email to a authorized user, it will work. This is why there are advanced filters to prevent spammers from getting on the network and spamming the users/employee'e email boxes.
IF you get "Recipient ok" then lets proceed.
Type :
DATA, hit enter
you might see:
354 Enter mail, end with "." on a line by itself
You can now compose your text email, in this case it will look like it came from President@whitehouse.gov and be sent to DNR@gmail.com.
After you write your message, on a line by itself, type a "."
You should see:
250 BAA07042 Message accepted for delivery
then type "Quit" so you show the sysadmin you know what you're doing
Keep the SMTP servers a secret, I lost the one in the small town because I gave it out to other friends
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
SMTP links, reading headers, sam spade
http://www.stern.nyu.edu/it/guides/smtp ... udora.html
http://www.ostrosoft.com/smtp_component/faq.asp
http://www.softheap.com/localsrv-localsrv-faq/
http://www.e-marketingassociates.com/ho ... q/smtp.asp
http://www.emailarms.com/faq/smtp_faq.html
http://c0vertl.tripod.com/digital.htm
Some junk to read on SMTP, lil POP, and no IMAP..
check out Samspade.org for their email parser.
Forged or suspicious email might have a warning in the _full_ email headers about 'maybe forged' , but some are false alarms. Most people do not view the full email headers, thus are fooled by the simple FROM: address.
In the case of Gmail.com, you will select "more options" link next to the sender's simple email address. Then you will select the link for "show Original" it will display the email in the SMTP version:
X-Gmail-Received: 91324be7b2455a95bef97317a57ec678943f69bb
Delivered-To: DNR@gmail.com
Received: by 10.64.179.16 with SMTP id b16cs46119qbf;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
Received: by 10.54.153.16 with SMTP id a16mr2683614wre;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
Return-Path: <Online.University+DNR=gmail.com@ajijj.com>
Received: from mail1.ajijj.com (i44-251.alfgl.com [200.62.44.251])
by mx.gmail.com with ESMTP id 15si464870wrl.2006.07.14.12.01.57;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
Received-SPF: pass (gmail.com: domain of Online.University+DNR=gmail.com@ajijj.com designates 200.62.44.251 as permitted sender)
Message-Id: <44b7ea2c.4ebc1de7.1271.ffff8a27SMTPIN_ADDED@mx.gmail.com>
From: OnlineUniversity <Online.University+DNR=gmail.com@ajijj.com>
To: DNR@gmail.com
Subject: do you know which is the best online university?
Date: Fri, 14 Jul 2006 16:01:48 -0300
MIME-Version: 1.0
Content-Type: text/html
Viewing suspicious email in text form, like this is a good way to determine if the email is active script, like having HTML. Content-Type: tells you the content of the email, 'text-html'. This email contained advertisement, junk pictures that clog my bandwidth (all which contact a server and leak your IP/browser/other nfo).
Samspade's tools, like the email parser will do a lot of work for you, adding helpful comments, running DNS checks, warnings. Check out the same email header run through SamSpade's email parser:
07/15/06 10:38:00 Input
The Received: headers are the important ones to read
My comments are just hints, and should be considered only
an opinion. I may have guessed wrong, or things may have
changed since I was written
X-Gmail-Received: 91324be7b2455a95bef97317a57ec678943f69bb
Delivered-To: dnr@gmail.com
Received: by 10.64.179.16 with SMTP id b16cs46119qbf;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
This received header was added by your mailserver
10.64.179.16 received this, but doesn't tell us
where from.
(Without a from parameter it's hard to verify later
received headers. Treat with caution)
Received: by 10.54.153.16 with SMTP id a16mr2683614wre;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
10.54.153.16 received this, but doesn't tell us
where from.
(Without a from parameter it's hard to verify later
received headers. Treat with caution)
Return-Path:
<Online.University+dnr=gmail.com@ajijj.com>
Received: from mail1.ajijj.com (i44-251.alfgl.com
[200.62.44.251]) by mx.gmail.com with ESMTP id
15si464870wrl.2006.07.14.12.01.57; Fri, 14 Jul 2006
12:02:04 -0700 (PDT)
mx.gmail.com received this from someone claiming
to be mail1.ajijj.com
but really from 200.62.44.251(i44-251.alfgl.com)
All headers below may be forged
Received-SPF: pass (gmail.com: domain of
Online.University+dnr=gmail.com@ajijj.com
designates 200.62.44.251 as permitted sender)
Hmmm received-spf: isn't a header I recognise
Message-Id:
<44b7ea2c.4ebc1de7.1271.ffff8a27SMTPIN_ADDED@mx.gmail.com>
From: OnlineUniversity
<Online.University+dnr=gmail.com@ajijj.com>
To: dnr@gmail.com
Subject: do you know which is the best online university?
Date: Fri, 14 Jul 2006 16:01:48 -0300
MIME-Version: 1.0
Content-Type: text/html
All the above added comments are Steve Atkins, the creator of the app.
So not only was it easy to spoof email , but its easy to determine a suspicious one.
Set your email to text only.
DNR
http://www.ostrosoft.com/smtp_component/faq.asp
http://www.softheap.com/localsrv-localsrv-faq/
http://www.e-marketingassociates.com/ho ... q/smtp.asp
http://www.emailarms.com/faq/smtp_faq.html
http://c0vertl.tripod.com/digital.htm
Some junk to read on SMTP, lil POP, and no IMAP..
check out Samspade.org for their email parser.
Forged or suspicious email might have a warning in the _full_ email headers about 'maybe forged' , but some are false alarms. Most people do not view the full email headers, thus are fooled by the simple FROM: address.
In the case of Gmail.com, you will select "more options" link next to the sender's simple email address. Then you will select the link for "show Original" it will display the email in the SMTP version:
X-Gmail-Received: 91324be7b2455a95bef97317a57ec678943f69bb
Delivered-To: DNR@gmail.com
Received: by 10.64.179.16 with SMTP id b16cs46119qbf;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
Received: by 10.54.153.16 with SMTP id a16mr2683614wre;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
Return-Path: <Online.University+DNR=gmail.com@ajijj.com>
Received: from mail1.ajijj.com (i44-251.alfgl.com [200.62.44.251])
by mx.gmail.com with ESMTP id 15si464870wrl.2006.07.14.12.01.57;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
Received-SPF: pass (gmail.com: domain of Online.University+DNR=gmail.com@ajijj.com designates 200.62.44.251 as permitted sender)
Message-Id: <44b7ea2c.4ebc1de7.1271.ffff8a27SMTPIN_ADDED@mx.gmail.com>
From: OnlineUniversity <Online.University+DNR=gmail.com@ajijj.com>
To: DNR@gmail.com
Subject: do you know which is the best online university?
Date: Fri, 14 Jul 2006 16:01:48 -0300
MIME-Version: 1.0
Content-Type: text/html
Viewing suspicious email in text form, like this is a good way to determine if the email is active script, like having HTML. Content-Type: tells you the content of the email, 'text-html'. This email contained advertisement, junk pictures that clog my bandwidth (all which contact a server and leak your IP/browser/other nfo).
Samspade's tools, like the email parser will do a lot of work for you, adding helpful comments, running DNS checks, warnings. Check out the same email header run through SamSpade's email parser:
07/15/06 10:38:00 Input
The Received: headers are the important ones to read
My comments are just hints, and should be considered only
an opinion. I may have guessed wrong, or things may have
changed since I was written
X-Gmail-Received: 91324be7b2455a95bef97317a57ec678943f69bb
Delivered-To: dnr@gmail.com
Received: by 10.64.179.16 with SMTP id b16cs46119qbf;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
This received header was added by your mailserver
10.64.179.16 received this, but doesn't tell us
where from.
(Without a from parameter it's hard to verify later
received headers. Treat with caution)
Received: by 10.54.153.16 with SMTP id a16mr2683614wre;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
10.54.153.16 received this, but doesn't tell us
where from.
(Without a from parameter it's hard to verify later
received headers. Treat with caution)
Return-Path:
<Online.University+dnr=gmail.com@ajijj.com>
Received: from mail1.ajijj.com (i44-251.alfgl.com
[200.62.44.251]) by mx.gmail.com with ESMTP id
15si464870wrl.2006.07.14.12.01.57; Fri, 14 Jul 2006
12:02:04 -0700 (PDT)
mx.gmail.com received this from someone claiming
to be mail1.ajijj.com
but really from 200.62.44.251(i44-251.alfgl.com)
All headers below may be forged
Received-SPF: pass (gmail.com: domain of
Online.University+dnr=gmail.com@ajijj.com
designates 200.62.44.251 as permitted sender)
Hmmm received-spf: isn't a header I recognise
Message-Id:
<44b7ea2c.4ebc1de7.1271.ffff8a27SMTPIN_ADDED@mx.gmail.com>
From: OnlineUniversity
<Online.University+dnr=gmail.com@ajijj.com>
To: dnr@gmail.com
Subject: do you know which is the best online university?
Date: Fri, 14 Jul 2006 16:01:48 -0300
MIME-Version: 1.0
Content-Type: text/html
All the above added comments are Steve Atkins, the creator of the app.
So not only was it easy to spoof email , but its easy to determine a suspicious one.
Set your email to text only.
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.