Despite these huge numbers, email is still the same as it was 40 years ago, and security remains a major problem affecting our privacy day after day.
Most email users have no idea how email works, and no idea that an email claiming to be from AAA@BB.COM can easily be sent by anyone with a simple internet connection. To name a few ways to send fake emails, there is Telnet or the Linux mail command.
To start, let’s consider the following email:
Note that Gmail may warn you that the email might not be from the sender it claims to be from, but in almost all cases it does not, so don’t rely on it.
To reveal the real identity of the email, we have to check the email headers. In Gmail, select the arrow at the right corner and then choose Show Original Message.
Delivered-To: ********@gmail.com
Received: by 10.223.117.195 with SMTP id s3cs462739faq;
Mon, 13 Jul 2009 06:24:52 -0700 (PDT)
Received: by 10.211.166.2 with SMTP id t2mr4gdcvf553ebo.26.1247491492708;
Mon, 13 Jul 2009 06:24:52 -0700 (PDT)
Received: from mail-bw0-f225.google.com (mail-bw0-f225.google.com [209.85.218.225])
by mx.kundenserver.de (node=mxeu8) with ESMTP (Nemesis)
id 0MKt1w-1McvbcWV0fL6-000RBi for contact@******.info; Mon, 13 Jul 2009 15:24:51 +0200
Received: by bwz25 with SMTP id 25socxvbcv5363bwz.1
for <contact@*******.info>; Mon, 13 Jul 2009 06:24:50 -0700 (PDT)
This is the path the message followed to reach the destination. If the email was really sent from Google servers, the IP address that appears in the last Received section would be from Google, but even this cannot be trusted, and the email header could be forged easily too [LINK].
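The header walk described above can be done in code. This is an added example, not part of the original post: it parses the Received chain copied from this page (addresses masked as on the page) and picks out the hop where a receiving server logged the public IP of the machine that connected to it. The function names are hypothetical, and it assumes that the newest hop with a public peer IP was written by the recipient's own mail infrastructure.

```python
import ipaddress
import re
from email import message_from_string

# Sample input: the Received chain shown on this page, masked as on the
# page. The body line is a constructed placeholder.
RAW = """\
Delivered-To: ********@gmail.com
Received: by 10.223.117.195 with SMTP id s3cs462739faq;
 Mon, 13 Jul 2009 06:24:52 -0700 (PDT)
Received: by 10.211.166.2 with SMTP id t2mr4gdcvf553ebo.26.1247491492708;
 Mon, 13 Jul 2009 06:24:52 -0700 (PDT)
Received: from mail-bw0-f225.google.com (mail-bw0-f225.google.com [209.85.218.225])
 by mx.kundenserver.de (node=mxeu8) with ESMTP (Nemesis)
 id 0MKt1w-1McvbcWV0fL6-000RBi for contact@******.info; Mon, 13 Jul 2009 15:24:51 +0200
Received: by bwz25 with SMTP id 25socxvbcv5363bwz.1
 for <contact@*******.info>; Mon, 13 Jul 2009 06:24:50 -0700 (PDT)

(body omitted)
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\((?:\S+\s+)?\[([0-9a-fA-F.:]+)\]\))?")
BY_RE = re.compile(r"\bby\s+(\S+)")

def received_hops(raw):
    """Parse Received headers, newest first (each relay prepends its own)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        trace, sep, date = flat.rpartition(";")
        if not sep:  # no timestamp part: treat the whole value as trace
            trace, date = flat, ""
        frm, by = FROM_RE.search(trace), BY_RE.search(trace)
        hops.append({"from": frm.group(1) if frm else None,
                     "ip": frm.group(2) if frm else None,
                     "by": by.group(1) if by else None,
                     "date": date.strip()})
    return hops

def handoff_hop(hops):
    """Newest hop that logged a public peer IP. Everything older than it
    was supplied by the sending side and proves nothing on its own."""
    for hop in hops:
        try:
            if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
                return hop
        except ValueError:  # bracketed text that is not an IP address
            continue
    return None
```

The IP returned by `handoff_hop` is the one worth looking up with a whois service; the hops listed after it in the result are only as reliable as the sender.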
A proof of concept :
If you can’t find an open delivery server to use with telnet (actually, if you are a student, you can easily use the university’s SMTP server to send emails), you can use the many web services out there that provide anonymous email sending.
For test purposes, I will use http://deadfake.com/Send.aspx to send sophisticated emails; they provide a WYSIWYG interface as well as free access to their mail server using telnet. Here are the sent message and the one received in the victim’s email.
Hold on!!!
If you think this service is heaven for your email crimes, then think again: if you show the headers of the faked message, you will find that the source IP is set to your own IP address, so be careful with that. Maybe a little proxy can give you some privacy, but nothing is guaranteed; think twice before doing anything.
Still, there is maybe the option of using signed emails and certificates, but I’m not sure how practically this will help when we deal with hundreds of millions of people who don’t give a damn about privacy; further explanation of why this won’t save you either can be found here [LINK].
Oh, and not to forget: if you don't sign your emails, anyone on the route of your email can simply read it. Also, mails take months before they get deleted from the server’s cache, so don’t be happy with deleting mail from your inbox :D.
How this can be used :
- You can for example trick your friends by sending them emails with your teacher’s email telling them there is an exam tomorrow or any funny trick like this, it is impossible for them to tell if it is a faked email especially when you send it from the mail servers at your university (this is Ramy’s plan for the 1st April XD).
- You can get passwords from your community, a simple email with the address of the forum’s administrator and a faked link to reset their passwords…
- You can trick almost whoever you want, your boss for instance, by sending him an email with his boss’ email from within the same domain; it cannot get funnier than that.
- And anything you can imagine, because no one actually checks the source of the email.
Conclusion :
Never trust *email*. As long as you don’t give a damn either, it is ok to use it the way you are doing now, but once serious things happen, email won’t help you, and if someone wants to track you… then email is the easiest and the most insecure way to get you down. Watch the headers as much as you can, and don’t forget to check IPs using “whois” services. So, do you still trust email?