Email Spoofing
Frank Costello
Lesley Linne’
We were told in lecture that the Simple Mail Transfer Protocol (SMTP) was designed to
serve a small group of academics and military personnel who were all trusted “friends”. That
history implies security holes at best. However, we did not realize how seriously email security was
lacking until we actually went through the steps of sending forged email. The crux of the issue is
that an SMTP mail server reached directly (for example via Telnet) will believe anything you say:
the protocol itself has no way to authenticate the connecting client or the sender address it supplies.
Since this document is meant to be publicly posted online, we will not provide step-by-step
instructions on how to spoof andrew webmail. If you would like us to provide such instructions,
please contact us, and we can do so.
The idea, though, is simple: open a connection to the smtp.andrew.cmu.edu mail server
on port 25, the designated SMTP port. After you announce yourself with the SMTP
HELO command (as in “helo localhost”) the target server treats your machine as a trusted
party. If you then tell the server, via SMTP commands, to send an email addressed to and
from arbitrary addresses, it will comply: neither the envelope sender given in MAIL FROM nor
the From: header inside the message is checked against anything.
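The exchange described above, replayed offline as an added example (this is not code from the original write-up, and smtp.example.test, the addresses and the message text are constructed placeholders): a toy server modelled on the RFC 5321 commands involved accepts whatever HELO name, envelope sender and From: header the client supplies, exactly as the real server did.

```python
"""Simulated SMTP exchange showing why a server reached directly on port 25
accepts a forged sender.  Constructed example; no network access needed."""
import re
from typing import List, Optional, Tuple


class FakeSmtpServer:
    """Toy server modelled on the RFC 5321 commands named in the write-up
    (HELO, MAIL FROM, RCPT TO, DATA, QUIT).  Like a real unauthenticated
    relay it verifies nothing about the client or the sender address."""

    def __init__(self, hostname: str = "smtp.example.test") -> None:
        self.hostname = hostname            # assumed name, not a real host
        self.helo: Optional[str] = None
        self.mail_from: Optional[str] = None
        self.rcpt_to: List[str] = []
        self.in_data = False
        self.data_lines: List[str] = []
        # accepted messages as (helo name, envelope sender, recipients, raw text)
        self.mailbox: List[Tuple[str, str, List[str], str]] = []

    def greeting(self) -> str:
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line: str) -> Optional[str]:
        """Process one client line; return the reply, or None while in DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.mailbox.append((self.helo, self.mail_from, self.rcpt_to,
                                     "\n".join(self.data_lines)))
                self.mail_from, self.rcpt_to, self.data_lines = None, [], []
                return "250 OK: queued"
            # RFC 5321 dot-stuffing: a leading ".." stands for "."
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg                 # any name is believed
            return f"250 {self.hostname} Hello {arg}"
        if self.helo is None:
            return "503 bad sequence of commands"
        if verb == "MAIL":
            m = re.fullmatch(r"FROM:\s*<([^>]*)>", arg, re.I)
            if not m:
                return "501 syntax error in parameters"
            self.mail_from = m.group(1)     # accepted unchecked: the whole problem
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 need MAIL first"
            m = re.fullmatch(r"TO:\s*<([^>]+)>", arg, re.I)
            if not m:
                return "501 syntax error in parameters"
            self.rcpt_to.append(m.group(1))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 command not recognized"


def send_spoofed(server: FakeSmtpServer, envelope_from: str, header_from_value: str,
                 rcpt: str, subject: str, body: str) -> List[Tuple[str, str]]:
    """Replay the exchange a person typing into Telnet would have, using
    attacker-chosen addresses.  Returns the transcript as (side, line) pairs,
    'C' for the client and 'S' for the server."""
    transcript: List[Tuple[str, str]] = [("S", server.greeting())]

    def send(line: str) -> None:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))

    send("HELO localhost")                       # as in the write-up
    send(f"MAIL FROM:<{envelope_from}>")         # envelope sender: unverified
    send(f"RCPT TO:<{rcpt}>")
    send("DATA")
    headers = [f"From: {header_from_value}", f"To: {rcpt}", f"Subject: {subject}", ""]
    for line in headers + body.splitlines():
        send("." + line if line.startswith(".") else line)   # dot-stuff body lines
    send(".")
    send("QUIT")
    return transcript


def header_from(raw_message: str) -> Optional[str]:
    """Pull the From: header that the recipient's mail client will display."""
    for line in raw_message.split("\n"):
        if line == "":
            break
        if line.lower().startswith("from:"):
            return line[5:].strip()
    return None


def all_accepted(transcript: List[Tuple[str, str]]) -> bool:
    """True if the server rejected nothing (every reply is 2xx or 3xx)."""
    return all(reply[0] in "23" for side, reply in transcript if side == "S")


if __name__ == "__main__":
    srv = FakeSmtpServer()
    log = send_spoofed(srv, "president@example.test", "President <president@example.test>",
                       "victim@example.test", "Urgent", "Please follow this link.")
    for side, line in log:
        print(f"{side}: {line}")
    helo, env_from, rcpts, raw = srv.mailbox[0]
    print("HELO:", helo, "| envelope sender:", env_from, "| header From:", header_from(raw))
```

The three identities in play, the HELO name, the MAIL FROM envelope sender and the From: header, are all separate attacker-chosen strings, and the transcript shows the server answering 2xx to every one of them; a real server that enforces no sender verification behaves the same way.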
This is a dangerous phishing tool, because it allows an attacker to assume the identity of someone
the target trusts. Many people would probably expect that in order to send email on behalf of
someone else, the attacker must control that person’s machine, or at least have cracked
their account; neither is needed. It also provides a way to spread malicious programs, since people
are more likely to casually follow web links that appear to come from a trusted source.
Unfortunately, SMTP is firmly entrenched in the Internet, and replacing it with a
secure mail transfer protocol is infeasible, even though the acronym would not have to change.
While it is impossible to make an insecurely designed system completely secure after the fact, it
is surprising how little verification has been added to what should no longer be a trust-based
system. The later SPF, DKIM and DMARC mechanisms retrofit exactly such checks (a published list of
hosts allowed to send mail for a domain, a domain signature over the message, and a policy for what a
receiver should do when neither check passes), but they are optional add-ons that the receiving
side must choose to enforce, not part of SMTP itself; a server that does not check them still
accepts the forgery described above.