Posted by fuzy on December 16, 2002, 16:16:27
64.219.195.58

It's unlikely that the IP Address in the header of that e-mail was really spoofed, since most smtp servers use several methods to keep it from happening (although it isn't impossible). It's just that most people that know how to do that wouldn't waste the time just to try to send an anonymous e-mail (since there are easier ways to send anonymous e-mails). My guess is that the IP Address wasn't spoofed, but the hostname was modified using the smtp command HELO, making it look like a spoofed address. That or the person used a vhost. To answer your question, using winject to spoof your ip to send an anonymous e-mail, you can't. If you tried establishing a connection to the smtp server using a spoofed source address you would have a problem. Here's how a normal tcp connection is established:

1) You send a syn packet with a random sequence number (x) to the smtp server.
2) The smtp server replies with a syn packet with a random sequence number (y), and an ack packet (ack = x + 1).
3) You respond with an ack packet (ack = y + 1).

So if you try to establish the connection using a spoofed source address, the server would respond to the spoofed source address with the syn/ack packets that you should get. This would cause either a timeout (if the spoofed source address doesn't exist), or if it does exist it would send a rst packet since it never tried to establish the connection. This is why I say you can't use winject to do this (at least not without using a packet sniffer to get the sequence numbers needed to complete the three way handshake). If you have any more questions or you want to correct any mistakes I might have made in this post, feel free to contact me via fuzy@fuzy.net, fuzy on efnet, or fuz on ircsnet.
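The three outcomes described in the post, modelled as an added example that is not part of the original post: a small in-memory simulation of the listener's handshake state, with no network traffic. The class and function names are hypothetical, and the addresses are constructed values from the documentation ranges.

```python
import secrets

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


class Listener:
    """Server side of the handshake, tracking half-open connections."""

    def __init__(self):
        self.half_open = {}  # claimed source address -> server sequence number y

    def on_syn(self, claimed_src, x):
        y = secrets.randbits(32)
        self.half_open[claimed_src] = y
        # Step 2: the SYN/ACK is addressed to the claimed source,
        # whoever actually put the SYN on the wire.
        return {"to": claimed_src, "seq": y, "ack": (x + 1) % MOD}

    def on_ack(self, claimed_src, ack):
        # Step 3 only succeeds when the sender proves it saw y.
        y = self.half_open.get(claimed_src)
        if y is not None and ack == (y + 1) % MOD:
            del self.half_open[claimed_src]
            return "ESTABLISHED"
        return "REJECTED"

    def on_rst(self, claimed_src):
        self.half_open.pop(claimed_src, None)
        return "RST"


def handshake(real_addr, claimed_addr, live_hosts):
    """Return how a connection attempt ends for a given claimed source."""
    server = Listener()
    x = secrets.randbits(32)              # step 1: SYN with sequence x
    synack = server.on_syn(claimed_addr, x)
    if synack["to"] == real_addr:
        # The sender receives y and can acknowledge y + 1.
        return server.on_ack(claimed_addr, (synack["seq"] + 1) % MOD)
    if synack["to"] in live_hosts:
        # The real owner of the address never sent a SYN, so it resets.
        return server.on_rst(claimed_addr)
    # Nobody answers; the half-open entry expires on the server.
    return "TIMEOUT"
```

In every spoofed case the sender never learns y, which is why the SMTP session that would carry the mail is never opened.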