Trying (and Failing) to Spoof Hotmail

Suppose one day you were bored and began to examine emails in the raw packet form. You would see something like

Received: from mail-qr1-x642.google.com (mail-qr1-x642.google.com [IPv6:2607:f8b0:4864:20::642])
        by mxa.mail.yahoo.com with SMTPS id 5fb88148210cz.64.2019.07.11.16.33.39
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 11 Jul 2019 16:33:39 +0000 (UTC)
Received-SPF: pass (domain of google.com designates 2607:f8b0:4864:20::642 as permitted sender) client-ip=2607:f8b0:4864:20::642; 
Authentication-Results: mxa.mail.yahoo.com; dkim=pass header.i=@google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; 
	s=20161025; h=mime-version📅message-id:subject:from:to;
	bh=dZZ/1uN7EMoYbtIRVtP6loc8vk6vg2vW23aa5iTM0HU=;
	b=SpbOlScW2KZD1wL30zfL...
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:date:message-id:subject:from:to;
        bh=dZZ/1uN7EMoYbtIRVtP6loc8vk6vg2vW23aa5iTM0HU=;
        b=SpbOlScW2KZD1wL30zfLFIVm5aHFKBL7im6Akld...
X-Gm-Message-State: APjAAAW3uW9BbY790kSoB5xjqVw2R86toGL2L3Qp3eeB7zyF
	SOfWvvFwHvaCxxWGQetyW5CufS0=
X-Google-Smtp-Source: APXvYqz50V3msWKCH7PLCN4yknYSQEmLVakb1zYUCr5iJw05xKRZFspGxvWSCw4V801tB2P0yKLDyA==
X-Received: by 2002:a05:6a10:222b:b029:192:7bb7:f36 with SMTP id x43-20020a056a10222b00b0291927bb7f36mr12647285wru.47.1562805201911;
        Thu, 11 Jul 2019 16:33:39 -0700 (PDT)
MIME-Version: 1.0
Date: Thu, 11 Jul 2019 16:33:38 -0700
Message-ID: <CAGXj1cZsP2FZkQo3wwY7WzneOcWLhwZHw_W64qTHHVdNZwK6sQ@mail.gmail.com>
Subject: Test email
From: John Doe <johndoe@gmail.com>
To: Jane Doe <janedoe@yahoo.com>
Content-Type: text/plain; charset=UTF-8

Hi Jane,

Please don't take the mustard from the refrigerator.

Regards,
John```

Intercept a normal email packet and you will see that every single field has been signed. If you look at a hotmail[^1] email packet, as my friend Aayush did, you'd find that the "To" field is unsigned. This means that it is theoretically possible to forward an email, changing the 'To' field. This makes it possible to make it appear that, the Amazon invoice for pink doilies was meant for manly_mike@gmail.com rather than jane@gmail.com.

But normal email clients don't let you send the raw packets. Instead, we had to find either an email service that allowed us to customize the email packets (apparently Amazon SES allows this) or else host our own emailing server.

Attempt 1: Amazon SES

This failed quickly. Although SES allows some level of email packet editing, it requires identity authentication and automatically signs the 'From' field. This means that we couldn't forward an intercepted email from someone else.

Attempt 2: Custom email server 1

Next, we considered running our own SMTP server using Postfix on an Amazon EC2 instance. That would provide us the freedom to manipulate email headers. Setting up Postfix was relatively straightforward, but we hit a roadblock - port 25, the default port for SMTP (Simple Mail Transfer Protocol - default email protocol), was blocked.

Attempt 3: Running our own SMTP server

We then installed Postfix on our Raspberry Pi to see if we could send customized packets using our own email server. As it turns out, Port 25 is blocked not just by AWS, but by the Internet Service Provider itself. Ports 465 and 587, which are sometimes also used for emails, were also blocked. Spoof failed.

In hindsight, it seemed pretty unlikely that we would succeed, even if hotmail was using a protocol that was somewhat out of date. sxqqdqxvsfuxd evlcuqmqfuuxf mfwhszwawiussvss cwgv.