    [root@linuxbox ~]# telnet relay-server.com 25
    Trying 123.123.123.123...
    Connected to relay-server.com (123.123.123.123).
    Escape character is '^]'.
    220 mail.relay-server.com ESMTP Postfix (2.2.5)
    ehlo localhost
    250-mail.relay-server.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250 8BITMIME
    mail from: sender@domain-A.com
    250 Ok
    rcpt to: recipient@domain-B.com
    250 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    Subject: This is a spoofed email
    From: spoofed-sender@domain-X.com
    To: recipient@domain-B.com

    this is a spoofed email ;)
    .
    250 Ok: queued as 4568223D16
    ^]
    telnet> q
    Connection closed.
    [root@linuxbox ~]#

Let's break this apart...
In this example we have 3 domains.
domain-A.com - This is a domain that "relay-server.com" will relay for.
domain-B.com - This is a real recipient domain.
domain-X.com - This is the spoofed domain. We can choose anything here.
First, telnet to a mail server that will relay for domain-A.com.

    telnet relay-server.com 25
    Trying 123.123.123.123...
    Connected to relay-server.com (123.123.123.123).
    Escape character is '^]'.
    220 mail.relay-server.com ESMTP Postfix (2.2.5)

Next, identify yourself to the SMTP server.

    ehlo localhost
    250-mail.relay-server.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250 8BITMIME

Now set the sender and receiver on the envelope. The envelope is what the MTA sees. Mail clients normally ignore the message envelope.

    mail from: sender@domain-A.com
    250 Ok
    rcpt to: recipient@domain-B.com
    250 Ok

Now for the data. This is where we set the headers and the body of the email. Mail clients read the headers and not the envelope. This is how we fake the sender: by making the headers different from the envelope.

    data
    354 End data with <CR><LF>.<CR><LF>
    Subject: This is a spoofed email
    From: spoofed-sender@domain-X.com
    To: recipient@domain-B.com

    hahahahaha this is a spoofed email ;)
    .
    250 Ok: queued as 4568223D16

The mail has been queued, so we can now quit.

    ^]
    telnet> q
    Connection closed.
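
The envelope/header difference walked through above is also what a receiving side can check for. The following is an added example, not part of the original walkthrough: it compares the envelope sender, which the delivering MTA records in the Return-Path header, with the domain in the From header. The function names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return address.rpartition("@")[2].strip().lower() if "@" in address else ""


def check_alignment(raw_message):
    """Compare the envelope sender domain with the header From domain(s).

    Returns (verdict, envelope_domain, header_domains); verdict is 'aligned',
    'mismatch', or 'unknown' when either side is missing (e.g. a bounce
    with the null sender <>).
    """
    msg = message_from_string(raw_message)
    # Return-Path is written at final delivery from the MAIL FROM command.
    _, envelope_addr = parseaddr(msg.get("Return-Path", ""))
    envelope_domain = domain_of(envelope_addr)
    # From is typed by the sender inside DATA and may list several mailboxes.
    header_addrs = getaddresses(msg.get_all("From", []))
    header_domains = sorted({domain_of(a) for _, a in header_addrs} - {""})
    if not envelope_domain or not header_domains:
        return "unknown", envelope_domain, header_domains
    if header_domains == [envelope_domain]:
        return "aligned", envelope_domain, header_domains
    return "mismatch", envelope_domain, header_domains


# Constructed sample: the message from the session above as stored on delivery.
SPOOFED = (
    "Return-Path: <sender@domain-A.com>\n"
    "Subject: This is a spoofed email\n"
    "From: spoofed-sender@domain-X.com\n"
    "To: recipient@domain-B.com\n"
    "\n"
    "this is a spoofed email ;)\n"
)
# Constructed sample: envelope and header From agree.
ALIGNED = SPOOFED.replace("spoofed-sender@domain-X.com", "Sender <sender@domain-A.com>")
# Constructed sample: bounce-style message with the null envelope sender.
BOUNCE = SPOOFED.replace("<sender@domain-A.com>", "<>")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("aligned", ALIGNED), ("bounce", BOUNCE)):
        print(name, check_alignment(raw))
```

A mismatch is a signal rather than proof, since mailing lists and bulk mail services legitimately use a different envelope sender.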