Doug Vitale Tech Blog

Send spoofed emails with telnet

You can send spoofed emails (i.e., emails with a fake source address) if you can establish a telnet session with an email server. (Before continuing, go here if you need to brush up on your telnet knowledge).

If you don’t know the host name of an email server, you’ll have to find one using a utility like dig or nslookup.

For dig, the command to find email servers for a domain (e.g., hotmail.com) is:

dig @[DNS_server_name_or_IP] hotmail.com MX

The output of this command is as follows:

; <<>> DiG 9.3.2 <<>> @208.67.222.222 hotmail.com MX
 ; (1 server found)
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17095
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;hotmail.com.			IN	MX

 ;; ANSWER SECTION:
 hotmail.com.		3600	IN	MX	5 mx3.hotmail.com.
 hotmail.com.		3600	IN	MX	5 mx4.hotmail.com.
 hotmail.com.		3600	IN	MX	5 mx1.hotmail.com.
 hotmail.com.		3600	IN	MX	5 mx2.hotmail.com.

 ;; Query time: 157 msec
 ;; SERVER: 208.67.222.222#53(208.67.222.222)
 ;; WHEN: Sat Dec 31 19:28:50 2011
 ;; MSG SIZE  rcvd: 109

.
As you can see, the four email servers for the domain hotmail.com are mx1.hotmail.com, mx2, etc.

To use the deprecated nslookup command, a few additional steps are required.

1. Open a command prompt, type nslookup, hit Enter.
2. Type set query=mx, hit Enter.
3. Type the name of the domain, hotmail.com, hit Enter.
4. You should see the following output:

> set q=mx
> hotmail.com
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
hotmail.com     MX preference = 5, mail exchanger = mx4.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx1.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx2.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx3.hotmail.com

mx1.hotmail.com internet address = 65.55.92.168
mx1.hotmail.com internet address = 65.54.188.94
mx1.hotmail.com internet address = 65.54.188.110
mx1.hotmail.com internet address = 65.54.188.126
mx1.hotmail.com internet address = 65.54.188.72
mx1.hotmail.com internet address = 65.55.37.104
mx1.hotmail.com internet address = 65.55.37.88
mx1.hotmail.com internet address = 65.55.37.72
mx1.hotmail.com internet address = 65.55.92.184
mx1.hotmail.com internet address = 65.55.37.120
mx1.hotmail.com internet address = 65.55.92.136
mx1.hotmail.com internet address = 65.55.92.152
mx2.hotmail.com internet address = 65.55.92.152
mx2.hotmail.com internet address = 65.55.37.88
mx2.hotmail.com internet address = 65.55.37.120
mx2.hotmail.com internet address = 65.55.37.72
mx2.hotmail.com internet address = 65.55.37.104
mx2.hotmail.com internet address = 65.55.92.136
mx2.hotmail.com internet address = 65.55.92.168
mx2.hotmail.com internet address = 65.55.92.184
mx2.hotmail.com internet address = 65.54.188.94
mx2.hotmail.com internet address = 65.54.188.110
mx2.hotmail.com internet address = 65.54.188.126
mx2.hotmail.com internet address = 65.54.188.72
mx3.hotmail.com internet address = 65.55.37.104

Let’s choose mx4.hotmail.com.

1. Open your command prompt and type: telnet mx4.hotmail.com 25 (if you don’t know what the ’25’ stands for, you should definitely read this). Alternatively you can start by typing telnet, hit Enter, and then open mx4.hotmail.com 25.

2. You should see the following output:

Trying 65.54.188.126...
Connected to mx4.hotmail.com.
Escape character is '^]'.
220 BAY0-MC4-F1.Bay0.hotmail.com Sending unsolicited commercial or bulk e-mail
to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.microsoft.com/en-us/anti-spam.mspx.

3. Type helo and hit Enter. You should see the following output:

250 BAY0-MC3-F20.Bay0.hotmail.com (3.14.0.48) Hello [79.134.202.86]

4. Next type MAIL FROM: you@fakeemailaddress.com, hit Enter. You should get the message, ‘Sender ok’.

5. Next type RCPT TO: you@realemailaddress.com, hit Enter. You should get the message, ‘Recipient ok’.

6. You can optionally include an email subject with: SUBJECT: Testing spoofed email with telnet.

7. Now type DATA <email body contents>.

8. Lastly you type . (a single period) and then hit Enter. You should get the message, ‘250 Mail accepted’. Now type QUIT and hit Enter.

9. Check your inbox for the spoofed email you just sent.

Recommended reading

If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!

SSH: The Secure Shell on Amazon SSH, The Secure Shell Next Generation SSH2 Implementation: Securing Data in Motion on Amazon Next Generation SSH2 Implementation

Guide to TCP/IP on Amazon Guide to TCP/IP Teach Yourself TCP/IP in 24 Hours on Amazon Teach Yourself TCP/IP

TCP/IP Network Administration on Amazon TCP/IP Network Administration TCP/IP Guide on Amazon TCP/IP Guide

Written by Doug Vitale

December 31, 2011 at 2:29 PM

%d bloggers like this: