How is it that emails are sent out from a particular E-mail Post Office that never are? In other words, how can an address, for example Slick@crack.net, that doesn’t exist actually send an e-mail to someone and attach files to that email? Can anyone explain, even technically, how ghost emails are able to be created?
Your e-mail program creates a “header” which has information in it like the destination address, source address, subject, where to send the reply to, etc. Because of the way e-mail is sent, your program has complete control over everything in the header except for the path that the e-mail takes to get from one place to another (that gets filled in along the way).
While common programs like Outlook don’t give you control over the headers, there are plenty of programs that do. It’s fairly trivial to put fake information anywhere in the header. If you don’t want someone to be able to automatically reply to an e-mail you send out (because, for example, you are a spammer and don’t want them to really know who you are) then all you do is forge the “from” field and the “reply to” field.
If you look at the header, you’ll find that the mail server that originated the message was not crack.net at all. Just look at the path portion of the header. You can trace the e-mail back through every machine it passed through. The last one on the list is the one it came from.
It’s ridiculously easy using SMTP, actually. All they do is alter the From field in the email header to whatever they want. This will be the address you see on the top of the email, and the address to which a Reply will be sent. If you look at the email headers, however, you’ll also see the actual originating server domain name, which may or may not be the same as the one in the From field.
In a sense, “ghosting” or “spoofing” the reply address in an email is the same as putting the wrong return address on a regular USPS letter, and not any more difficult.
The effect is similar.
Re: last paragraph of engineer_comp_geek’s post.
Note that since so much of a header can be forged, spammers tack on fake routing info so that the last mail server in the header is probably not the originator. The real source is most likely buried somewhere in the list. It takes significant brain power to figure out which server is the real source, and thus cannot be automated as much as we’d like.
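As an added illustration of the two posts above (this is example code, not something from the thread), the script below reads the Received: chain the way a mail admin would: top-down, trusting only the hops written by servers you actually control, and stopping at the first hop written by anyone else, since everything below it could have been tacked on by the sender. The message, host names and the trusted-server set are all constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread): the From: line claims
# crack.net, but only the top Received: line was written by our own server.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [203.0.113.10])
    by mail.recipient.example with ESMTP id ABC123
    for <victim@recipient.example>; Mon, 1 Jan 2001 10:00:03 +0000
Received: from isp-relay.example.net (isp-relay.example.net [198.51.100.7])
    by mx1.example.org with ESMTP; Mon, 1 Jan 2001 10:00:02 +0000
Received: from crack.net (unknown [192.0.2.42])
    by isp-relay.example.net with SMTP; Mon, 1 Jan 2001 10:00:01 +0000
From: Slick@crack.net
To: victim@recipient.example
Subject: hello

body
"""

# "from <helo> (<rdns> [<ip>]) by <server> ..." is the common Received: shape.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_hops(raw):
    """Return the Received: hops newest-first (the order they appear in)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header
        if not m:
            continue
        ip = IP_RE.search(m["paren"] or "")
        hops.append({"helo": m["helo"], "ip": ip.group(1) if ip else None, "by": m["by"]})
    return hops


def trace_origin(raw, trusted):
    """Walk hops from the top; a hop is verifiable only if the server that
    wrote it ('by') is ours. Stop at the first untrusted writer: anything
    below it, including a forged 'by our-server' line, is just sender text."""
    hops = parse_hops(raw)
    verified, unverified = None, len(hops)
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted:
            unverified = len(hops) - i
            break
        verified = hop  # the 'from' IP here is the real TCP peer we saw
    return {"from_header": message_from_string(raw)["From"],
            "verified_origin_ip": verified["ip"] if verified else None,
            "verified_origin_host": verified["helo"] if verified else None,
            "claimed_origin": hops[-1]["helo"] if hops else None,
            "unverified_hops": unverified}
```

With only our own server trusted, the furthest we can verify is 203.0.113.10; the "crack.net" at the bottom is just a claim, exactly the point the two posts make.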
Years ago, when I first learned about email header spoofing, I went around convincing people how easy it was to do. I sat down the dept. chair and showed her how I could send an email from “her” to her. (The old fashioned way too: telnetting into the server and typing commands directly.) People then realized that they couldn’t take an email seriously without some other confirmation.
This may be redundant by now, but I just thought I’d try another angle based on how you worded your question.
The key is that the address doesn’t send any messages. The mail server (such as SMTP server) sends the message. Mail servers typically are pretty dumb (SMTP stands for “Simple Mail Transport Protocol”), and something else tells them how to fill out the headers. All the server does, then, is spit the information out into the web. The only thing that has to be “legit” (in order to reach anyone) is the recipient’s address, and the mail server doesn’t even care about that - it will send anything, even though no one might receive it.
Typically, you would use Outlook, for example. Outlook would contact a mail server and tell it you want to send some mail. The information it supplies is what you supplied when you set up your email service on Outlook (which, if you’re at work, an IT person has already done for you). In other words, before you start sending email in the first place, you tell Outlook what your address is, and Outlook sends that to the mail server every time you send an email.
As others have said, there are other ways to interact with a mail server. Microsoft has what is called the “MAPI” interface, a simple tool that allows you to write a program to send email. With that, you can make up from-addresses, reply-to addresses, etc.
Unbeknownst to many, you can “fool” Outlook. When you set up a service, you can put anything you want in the “user information” section, which Outlook uses to return-address your email. In the “login information” section you have to put the real login ID and password that your ISP expects. Often, that will be your “real” email address.
But, lo, Outlook will package the email using whatever you entered in “user information”. And the ISP uses “login information” exclusively for verifying that you are a paying customer. The mail server never sees “login information”. So the mail server just sends the email with the return address Outlook gave it, and you’re merrily on your way…
(I do this all the time, using Outlook to send email that looks like it came from my webmail account, not my ISP-supplied account.)
An even simpler explanation would be for you to copy down all your account info in your current email program, then create a new account within that program using the display name “George W. Bush” and “prez@whitehouse.gov” as the email address - or whatever you’d like, really. Send an email using this account to yourself… Play around with it. As others have noted, the email will appear to come from the President - unless you bother to open up the headers, which most people don’t do.
Lately I’ve been getting emails from “Citibank” that have an originating address of cservice@citibank.com but a return address of jll@pormexico.net. Heh - like I’d fall for that one!
Actually, I have done this and looked at the headers. Outlook doesn’t appear to send anything identifying me. My ISP server address is there, but, hey, the Prez could be using my ISP. It does have my computer’s “network name”, which in my case is nondescript, and it has my (temporarily assigned) IP address which no one can interpret without WHOIS.
Anyway, to the casual user, it would be impossible to determine who this came from. Which ISP, yes. Which sender, no.
If they could pry the info from the ISP, they could find out who had that IP address assigned at that moment in time. But how likely is that?
I believe you have to get a court order to do this sort of thing, so it’s probably not done very often.
Some mail servers will stick extra info in the header so that they can track down abuse. Sometimes it’s the IP address of the machine that actually initiated the message. Then again, those spammer folks are tricky. Sometimes they’ll relay through another system so that all the mail server sees is the IP address of some poor shmuck who doesn’t have the world’s greatest security on his system.
Which is probably forged also. I looked at the headers of one of these, and it went through a “.au” address, probably a captured machine. The first one of these I opened the link to fill in some choice words in the fields - I saw the link was associated with a url in Romania. The Citibank home page has something about this - it seems they are getting a lot of them. The latest I got was from “citibank security” and hopefully opened the page with the warning. The phishers still can’t spell right.
So the moral is - even the machines in the headers may not be the ones owned by the spammers.