Study: SMTP


SMTP is the main protocol used for sending mail on the Internet. Understanding it to at least a moderate degree is a must.

Commands-HELO – Identifies the sending machine. This is spoofable, but many systems are able to look and see if the IP matches the DNS name given here.

MAIL FROM – The sender address given to the mail server, or, in other words, this is the email address that the sender is claiming the message is coming from.

RCPT TO – The address that the message will be going to. Using multiple RCPT TO commands allows you to send to multiple recipients.

DATA – This is the actual meat of the message. There are no controls on what can be sent in this portion. Words at the beginning of a line that are followed by a colon are interpreted as headers by most mail programs. The end of the DATA section is denoted by a period (.) on a line by itself.

QUIT – This is the command that is used to sever the connection to the mail server.


Email Headers –

When email moves from one server to another each box appends a new header to the top of the previous one, making a stack of headers. To track who all handled a given message, start at the bottom of the header and move from left to right as you go up.

The “Received” headers are the headers should be reviewed to find out what has actually happened during the course of an email message’s travels. Many of the other header options are subject to forgery and are less reliable as a source of good information about a particular email message.

It is interesting to note that the true recipient(s) of a message are not viewable in an email header. The actual recipient is declared with the RCPT TO: command given to the mail server, but this information is not available in a header. The To: header option is often present in a header, but this can be forged fairly easily.

Header Options-

Content-Transfer-Encoding: – This is the MIME content type for the message in question, and it is what determines what is used on the client to read/interpret the message. This is a header option that can (and has been) used maliciously by claiming the content type is one thing when it is really something else.

Content-Type: – Similar to above

From (no colon) – This is a relatively trustable field that indicates who sent the message.

From: – This is the sender modifyable from field; don’t trust it.

Message-Id:, Message-id:, Message-ID: – This is a fairly unique identifier assigned to each message – usually by the first mail server that touches it.

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

In-Reply-To: – A USENET header used for tracking what post a given post is in response to. This header option is seldom used outside of USENET.

Priority: – A freeform header option that spammers often use to assign their trash a high level of importance.

Reply-To: – This is the email address that will be the recipient if someone replies to the message in question. Often used by spammers to deflect people’s complaints.

Return-Path: – Same as Reply-To:.

X-Headers – X-Headers are headers that start with “X-” and are for informational use only. Any header that is not standard, and is used for some specific purpose is supposed to use this designation, but this isn’t always the case.

X-Mailer: – This is the X-Header used for identifying the mail client used to send the message.

Sending Forged Email-

It is simple enough to send forged email manually, although there are plenty of tools available online to help you do it faster and easier. Doing so manually simply requires that you connect to the mail server you want to send a message from, and then give it the SMTP commands necessary to send mail. For example:

root@localhost> telnet 25

Related posts: