Comments on My Favourite Email Prank

JB said:

Nice one, Susam.

Though I could not understand the technical details of how it was done, I could understand the prank.

Kumar Veetrag said:

Good job Susam! Who fell for the prank?

Susam Pal said:

Veetrag, some people were scared that someone else had gained access to their email accounts. A few friends asked me if I knew their passwords. Others guessed that I must have done something and asked me how I did it.

Gaurav Mogre said:

Got to love the simplicity of SMTP.

Though a bit surprised that the GMail SMTP server accepted the request. One would think that after GMail's SMTP server has AUTH, it would check for false addresses like this.

Of course, the icing on the cake was the email content.

Susam Pal said:

Gaurav,

The AUTH command is used by the client to authenticate itself to the SMTP server before it can send emails. In this example, I have authenticated myself to my SMTP server (not Google's server).

Normally, an email server is meant to receive all emails meant for it. Yes, it might want to classify an email as spam after email authentication. Note that the AUTH command is meant for client authentication while email authentication is done to detect spam by considering the information in the message header, message body, sender's IP address, sender's domain name, etc.

A false email address is not a good reason to classify an email as spam. The possibility of specifying false email addresses in the From and Return-Path fields offers the flexibility of using one of multiple email addresses as the From address while sending an email as well as controlling where one would want to receive notifications if the email delivery fails. For example, I have configured my GMail account such that I can send emails with my From email address ending with either gmail.com or susam.in.

Yuvi Panda said:

Interesting that GMail doesn't check for wrong timestamps. Perhaps they let it pass - servers with wrong time perhaps do exist. I don't see why it shouldn't be rejected though - maybe they will, eventually?

Neat hack though :)

Susam Pal said:

Yuvi,

If you see the SMTP session in this blog post, you'll find that the Date belongs to the data to be transferred by the SMTP server.

The job of an SMTP server is to transfer the data section to the intended recipients irrespective of what the data contains. The email application or client could then flag an email as spam if its content (including Date and other header fields) looks suspicious.
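The header checks discussed in this thread, sketched as an added example (not code from the blog post or from any commenter): a receiving-side script that compares the sender-supplied Date and From fields with what the receiving server itself recorded. The sample message, the example.org/example.net names, the one-day skew threshold and the finding labels are all constructed assumptions, and the findings are signals to weigh rather than verdicts, since a From address that differs from Return-Path is legitimate in many setups.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message; every name and address here is a placeholder.
SAMPLE = """\
Return-Path: <sender@example.org>
Received: from client.example.org (client.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id abc123
\tfor <rcpt@example.net>; Mon, 03 Oct 2011 10:15:00 +0000
Date: Sat, 01 Jan 2050 00:00:00 +0000
From: Someone Else <rcpt@example.net>
To: rcpt@example.net
Subject: hello

body
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def header_findings(raw, max_skew=timedelta(days=1)):
    """List header inconsistencies a mail client or filter could score."""
    msg = message_from_string(raw)
    findings = []
    # Return-Path is written at final delivery from the envelope MAIL FROM;
    # From is part of the DATA section and is whatever the sender typed.
    env_domain, from_domain = domain_of(msg["Return-Path"]), domain_of(msg["From"])
    if env_domain and from_domain and env_domain != from_domain:
        findings.append("from-domain-differs-from-return-path")
    # The topmost Received field is added by the receiving server; its
    # timestamp follows the last ';'. Date is sender-supplied data.
    received = msg.get_all("Received") or []
    if received and msg["Date"]:
        try:
            recv_time = parsedate_to_datetime(received[0].rpartition(";")[2].strip())
            claimed = parsedate_to_datetime(msg["Date"])
            if abs(claimed - recv_time) > max_skew:
                findings.append("date-far-from-received-time")
        except (TypeError, ValueError):
            # Malformed date, or naive/aware mismatch (e.g. a "-0000" zone).
            findings.append("unparseable-date")
    return findings

if __name__ == "__main__":
    print(header_findings(SAMPLE))
```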