Thursday, December 18, 2008

Email, How Reliable is it?

Email is one of the most important applications on the Internet today, besides the Web. However, it has become a channel that hackers use to steal confidential information, such as login details, from users. One of the most popular tricks is to masquerade as a trusted sender and send a fake email saying that the user's account is going to expire, asking the user to log in through a fake hyperlink that leads to a fake page designed to look like the real login page.

From a technical point of view, how easy is it to send a fake email? The answer to this question is: 'It's very simple'.

You do not need to write a C program, or use BackTrack 3 or any hacker tool. You can easily do it with a high-level language such as Java. It depends on how your email provider secures its SMTP server, but in my case, most of the companies that I have worked with have an SMTP server through which you can easily send a fake mail.

At a very basic level, these few lines of Java code using the Spring Framework can masquerade as 'Your Boss' and send out an email to your colleague saying that he is fired:

// No username or password is set, so this relies on the relay accepting unauthenticated mail.
JavaMailSenderImpl mailSender = new JavaMailSenderImpl();
mailSender.setHost("mail.yourcompany.com");
MimeMessage mimeMessage = mailSender.createMimeMessage();
MimeMessageHelper helper = new MimeMessageHelper(mimeMessage, true);
// The From header is whatever the client supplies; nothing here ties it to the real sender.
helper.setFrom("Boss <yourboss@yourcompany.com>");
helper.setTo("your_colleague@yourcompany.com");
helper.setSubject("You're Fired!");
helper.setText("I am very unhappy with your face, you're fired!!!");


You will still be able to find out which machine the email was sent from if you examine the email's properties. We played this joke on one of our colleagues years ago. She was stunned, and we quickly clarified it with her before anything bad happened next; it is a sin. However, this shows that most people 'TRUST' email, and they believe it.
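The check mentioned above, finding which machine a message was really sent from, can be done by reading the Received headers that each relay adds. This is an added example, not code from the original post; the sample message, the host names, the TRUSTED set and the usual_ips mapping are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; all hosts and addresses are placeholders.
RAW = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mbox.example.com with ESMTP id A1; Thu, 18 Dec 2008 10:02:11 +0800
Received: from dev-pc-17 (dev-pc-17.corp.example.com [10.1.4.17])
\tby mail.example.com with SMTP id B2; Thu, 18 Dec 2008 10:02:10 +0800
From: Boss <yourboss@example.com>
To: your_colleague@example.com
Subject: You're Fired!

(body)
"""
TRUSTED = {"mbox.example.com", "mail.example.com"}  # relays we operate (assumed)

# "from <helo> (<rdns> [<ip>]) by <server>", the layout common MTAs write.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*"
                 r"\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")

def submitting_host(raw, trusted_relays):
    """Return the client seen by our outermost relay, or None.

    Each relay prepends its own Received line, so walk newest-first and stop
    at the first line not written by a relay we operate: anything older was
    supplied by the sender and proves nothing.
    """
    origin = None
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m or m["by"].lower() not in trusted_relays:
            break
        origin = m.groupdict()
    return origin

def origin_report(raw, trusted_relays, usual_ips):
    """Compare the claimed From address with the machine that submitted it."""
    claimed = parseaddr(message_from_string(raw).get("From", ""))[1].lower()
    hop = submitting_host(raw, trusted_relays)
    ip = hop["ip"] if hop else None
    return {
        "claimed_from": claimed,
        "origin_host": (hop["rdns"] or hop["helo"]) if hop else None,
        "origin_ip": ip,
        "suspicious": ip not in usual_ips.get(claimed, set()),
    }
```

Calling origin_report(RAW, TRUSTED, {"yourboss@example.com": {"10.1.4.2"}}) reports the message as suspicious, because the relay recorded dev-pc-17 at 10.1.4.17 as the submitting machine rather than the address the boss normally sends from.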

Do you believe your email?
