#1
Old 04-29-2004, 03:14 PM
Guest
Join Date: Mar 2002
Location: Sykesville, MD
Posts: 1,617
"Ghost" email addresses

How is it that emails are sent out from a particular E-mail Post Office that never are? In other words, how can an address, for example [email protected], that doesn't exist actually send an e-mail to someone and attach files to that email? Can anyone explain, even technically, how ghost emails are able to be created?
#2
Old 04-29-2004, 03:25 PM
Robot Mod in Beta Testing
Moderator
Join Date: Mar 2001
Location: Pennsylvania
Posts: 19,921
Your e-mail program creates a "header" which has information in it like the destination address, source address, subject, where to send the reply to, etc. Because of the way e-mail is sent, your program has complete control over everything in the header except for the path that the e-mail takes to get from one place to another (that gets filled in along the way).

While common programs like Outlook don't give you control over the headers, there are plenty of programs that do. It's fairly trivial to put fake information anywhere in the header. If you don't want someone to be able to automatically reply to an e-mail you send out (because, for example, you are a spammer and don't want them to really know who you are) then all you do is forge the "from" field and the "reply to" field.

If you look at the header, you'll find that the mail server that originated the message was not crack.net at all. Just look at the path portion of the header. You can trace the e-mail back through every machine it passed through. The last one on the list is the one it came from.
__________________
Electrical engineer, computer geek (er, programmer), and no talent bum musician
#3
Old 04-29-2004, 03:27 PM
Charter Member
Join Date: Jan 2003
Location: Richmond, VA
Posts: 22,536
It's ridiculously easy using SMTP, actually. All they do is alter the From field in the email header to whatever they want. This will be the address you see on the top of the email, and the address to which a Reply will be sent. If you look at the email headers, however, you'll also see the actual originating server domain name, which may or may not be the same as the one in the From field.
__________________
SnUgGLypuPpY -- TakE BaCk tHe PiT!
#4
Old 04-29-2004, 04:02 PM
Guest
Join Date: Nov 2002
Location: Where I'm At
Posts: 57
In a sense, "ghosting" or "spoofing" the reply address in an email is the same as putting the wrong return address on a regular USPS letter, and not any more difficult.

The effect is similar.
#5
Old 04-29-2004, 04:29 PM
ftg
Guest
Join Date: Feb 2001
Location: Not the PNW :-(
Posts: 15,833
Re: last paragraph of engineer_comp_geek's post.

Note that since so much of a header can be forged, spammers tack on fake routing info so that the last mail server in the header is probably not the originator. The real source is most likely buried somewhere in the list. It takes significant brain power to figure out which server is the real source, and thus cannot be automated as much as we'd like.

Years ago, when I first learned about email header spoofing, I went around convincing people how easy it was to do. I sat down the dept. chair and showed her how I could send an email from "her" to her. (The old fashioned way too: telnetting into the server and typing commands directly.) People then realized that they couldn't take an email seriously without some other confirmation.
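Added example, not part of any post in this thread: a header check that treats only the Received lines stamped by the recipient's own mail server as evidence, and flags everything below them as unverifiable, which is the problem with forged routing info described in the posts above. The message, the host names, the `trusted_hosts` parameter and the chain-continuity heuristic are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message; every host and address is a documentation placeholder.
SAMPLE = (
    "Received: from mail.isp.example (mail.isp.example [203.0.113.25])\n"
    "\tby mx.recipient.example with ESMTP; Thu, 29 Apr 2004 15:10:02 -0400\n"
    "Received: from pc17 (dialup-44.isp.example [198.51.100.44])\n"
    "\tby mail.isp.example with SMTP; Thu, 29 Apr 2004 15:09:40 -0400\n"
    "Received: from mail.bank.example (mail.bank.example [192.0.2.10])\n"
    "\tby relay.bank.example with SMTP; Thu, 29 Apr 2004 15:01:00 -0400\n"
    'From: "Bank Security" <security@bank.example>\n'
    "Reply-To: collect@other.example\n"
    "Subject: Account notice\n"
    "\n"
    "Please confirm your details.\n"
)

HOP = re.compile(r"from (\S+) \((?:(\S+) )?\[([0-9A-Fa-f.:]+)\]\) by (\S+)")

def analyze(raw, trusted_hosts):
    """Split the Received chain at the last hop our own servers wrote."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):       # topmost = most recent
        m = HOP.search(re.sub(r"\s+", " ", value))  # unfold continuation lines
        if m:
            hops.append({"helo": m[1], "rdns": m[2], "ip": m[3], "by": m[4]})
    # Only headers stamped by hosts we run are evidence; count them from the top.
    n = 0
    while n < len(hops) and hops[n]["by"] in trusted_hosts:
        n += 1
    # Heuristic: a header should be written "by" the host that the header above
    # it saw as its peer. A mismatch hints at where pasted-in routing begins.
    breaks = [i + 1 for i in range(len(hops) - 1)
              if hops[i + 1]["by"] not in (hops[i]["helo"], hops[i]["rdns"])]
    def dom(h):
        return parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    return {
        "peer_ip": hops[n - 1]["ip"] if n else None,  # recorded by our server
        "unverified_hops": len(hops) - n,
        "chain_breaks": breaks,                       # hop index, 0 = topmost
        "from_domain": dom("From"),
        "reply_to_differs": bool(dom("Reply-To")) and dom("Reply-To") != dom("From"),
    }
```

For the constructed message, the only address the recipient's server vouches for is 203.0.113.25; the two lower hops, including the one naming bank.example, are text the sender could have supplied.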
#6
Old 04-29-2004, 10:21 PM
Guest
Join Date: Mar 2004
Posts: 131
Quote:
Originally Posted by SlickRoenick
In other words, how can an address, for example [email protected], that doesn't exist actually send an e-mail to someone and attach files to that email?
This may be redundant by now, but I just thought I'd try another angle based on how you worded your question.

The key is that the address doesn't send any messages. The mail server (such as SMTP server) sends the message. Mail servers typically are pretty dumb (SMTP stands for "Simple Mail Transport Protocol"), and something else tells them how to fill out the headers. All the server does, then, is spit the information out into the web. The only thing that has to be "legit" (in order to reach anyone) is the recipient's address, and the mail server doesn't even care about that - it will send anything, even though no one might receive it.

Typically, you would use Outlook, for example. Outlook would contact a mail server and tell it you want to send some mail. The information it supplies is what you supplied when you set up your email service on Outlook (which, if you're at work, an IT person has already done for you). In other words, before you start sending email in the first place, you tell Outlook what your address is, and Outlook sends that to the mail server every time you send an email.

As others have said, there are other ways to interact with a mail server. Microsoft has what is called the "MAPI" interface, a simple tool that allows you to write a program to send email. With that, you can make up from-addresses, reply-to addresses, etc.

Unbeknownst to many, you can "fool" Outlook. When you set up a service, you can put anything you want in the "user information" section, which Outlook uses to return-address your email. In the "login information" section you have to put the real login ID and password that your ISP expects. Often, that will be your "real" email address.

But, lo, Outlook will package the email using whatever you entered in "user information". And the ISP uses "login information" exclusively for verifying that you are a paying customer. The mail server never sees "login information". So the mail server just sends the email with the return address Outlook gave it, and you're merrily on your way...

(I do this all the time, using Outlook to send email that looks like it came from my webmail account, not my ISP-supplied account.)

#7
Old 04-29-2004, 10:55 PM
BANNED
Join Date: Nov 2002
Location: Foxbase Alpha
Posts: 999
An even simpler explanation would be for you to copy down all your account info in your current email program, then create a new account within that program using the display name "George W. Bush" and "[email protected]" as the email address - or whatever you'd like, really. Send an email using this account to yourself... Play around with it. As others have noted, the email will appear to come from the President - unless you bother to open up the headers, which most people don't do.

Lately I've been getting emails from "Citibank" that have an originating address of [email protected] but a return address of [email protected]. Heh - like I'd fall for that one!
#8
Old 04-30-2004, 12:01 AM
Guest
Join Date: Mar 2004
Posts: 131
Quote:
Originally Posted by Rex Fenestrarum
As others have noted, the email will appear to come from the President - unless you bother to open up the headers, which most people don't do.
Actually, I have done this and looked at the headers. Outlook doesn't appear to send anything identifying me. My ISP server address is there, but, hey, the Prez could be using my ISP. It does have my computer's "network name", which in my case is nondescript, and it has my (temporarily assigned) IP address which no one can interpret without WHOIS.

Anyway, to the casual user, it would be impossible to determine who this came from. Which ISP, yes. Which sender, no.

If they could pry the info from the ISP, they could find out who had that IP address assigned at that moment in time. But how likely is that?
#9
Old 04-30-2004, 01:42 AM
Robot Mod in Beta Testing
Moderator
Join Date: Mar 2001
Location: Pennsylvania
Posts: 19,921
Quote:
Originally Posted by LivingInThePast
If they could pry the info from the ISP, they could find out who had that IP address assigned at that moment in time. But how likely is that?
I believe you have to get a court order to do this sort of thing, so it's probably not done very often.

Some mail servers will stick extra info in the header so that they can track down abuse. Sometimes it's the IP address of the machine that actually initiated the message. Then again, those spammer folks are tricky. Sometimes they'll relay through another system so that all the mail server sees is the IP address of some poor shmuck who doesn't have the world's greatest security on his system.
__________________
Electrical engineer, computer geek (er, programmer), and no talent bum musician
#10
Old 04-30-2004, 11:44 AM
Member
Join Date: Aug 2002
Location: Deep Space
Posts: 41,651
Quote:
Originally Posted by Rex Fenestrarum

Lately I've been getting emails from "Citibank" that have an originating address of [email protected] but a return address of [email protected]. Heh - like I'd fall for that one!
Which is probably forged also. I looked at the headers of one of these, and it went through a ".au" address, probably a captured machine. The first one of these I opened the link to fill in some choice words in the fields - I saw the link was associated with a url in Romania. The Citibank home page has something about this - it seems they are getting a lot of them. The latest I got was from "citibank security" and hopefully opened the page with the warning. The phishers still can't spell right.

So the moral is - even the machines in the headers may not be the ones owned by the spammers.