Nice one, Susam.
Though I could not understand the technical details of how it was done,
I could understand the prank.
Good job Susam! Who fell for the prank?
Veetrag, some people were scared that someone else has gained access to
their email accounts. A few friends asked me if I know their passwords.
Others guessed that I must have done something and asked me how I did
Got to love the simplicity of SMTP.
Though a bit surprised that the GMail SMTP server accepted the request.
One would think that after GMail's SMTP server has AUTH, it would check
for false addresses like this.
Ofcourse, the icing on the cake was the email content.
The AUTH command is used by the client to authenticate
itself to the SMTP server before it can send emails. In this example, I
have authenticated myself to my SMTP server (not Google's server).
Normally, an email server is meant to receive all emails meant for it.
Yes, it might want to classify an email as spam after email
authentication. Note that the AUTH command is meant for
client authentication while email authentication is done to detect spam
by considering the information in the message header, message body,
sender's IP address, sender's domain name, etc.
A false email address is not a good reason to classify an email as spam.
The possibility of specifying false email addresses in the
From and Return-Path fields offers the
flexibility of using one of multiple email addresses as the
From address while sending an email as well as controlling
where one would want to receive notifications if the email delivery
fails. For example, I have configured my GMail account such that I can
send emails with my From email address ending with either
gmail.com or susam.in.
Interesting that GMail doesn't check for wrong timestamps. Perhaps they
let it pass - servers with wrong time perhaps do exist. I don't see why
it shouldn't be rejected though - maybe they will, eventually?
Neat hack though :)
If you see the SMTP session in this blog post, you'll find that the
Date belongs to the data to be transferred by the SMTP
The job of an SMTP server is to transfer the data section to the
intended recipients irrespective of what the data contains. The email
application or client could then flag an email as spam if its content
(including Date and other header fields) looks suspicious.