How to hack a mail server (well, sort of)

So, you want to learn how to ‘hack’ email.  Well, you’ve sort of come to the right place.  The purpose of this article is to explain a little bit about how email works and what actually happens when you click that send button.  The process noted here can actually be used to diagnose email problems and/or confirm that a server (in this case, mail.foo.com) will actually accept email for the domain foo.com.

For this example, we will assume that our email address is bob@foo.com and we’re trying to send an email to tom@bar.com.  We won’t get into any detail about what email software we’re using but will instead focus on what’s going on behind the scenes.  We need to get to a command prompt (or DOS prompt or PowerShell prompt, just some kind of command prompt that ‘does stuff’ when you type in the command ‘telnet’).  My comments follow an arrow (<-) beside what you will actually see.  The things that you will type (ehlo, mail from, rcpt to, data, the message and the final period) are the lines that do not start with a three-digit code.

c:>telnet mail.foo.com 25 <- Open a command prompt and type this.  This will connect you to the mail server mail.foo.com.  If you’re on Comcast or AT&T, you may have to use port 587 instead, so it would look like c:>telnet mail.foo.com 587.  If the administrator at mail.foo.com is worth his salt (and your ISP isn’t blocking it), that will work.

Trying mail.foo.com…
Connected to mail.foo.com. <- You have successfully connected to the mail server at mail.bar.com
Escape character is ‘^]’.
220 mail.bar.com  ESMTP <- The numeric code 220 is an indication that you’re good to go.  
ehlo foo.com <- At this blank line, we’re going to introduce ourselves by saying ehlo (think of it as enhanced hello)
250-mail.bar.com <- mail.bar.com responds back with another 200 series message, this time a 250.  The dash after 250 means more lines of this same reply are coming.
250-AUTH=LOGIN CRAM-MD5 PLAIN <- The rest of the reply lists some of the stuff that mail.bar.com supports.  This is the older AUTH= spelling of the login mechanism list, kept for old clients
250-AUTH LOGIN CRAM-MD5 PLAIN <- The login mechanisms it accepts if we wanted to authenticate
250-STARTTLS <- It can upgrade this plain-text session to TLS
250-PIPELINING <- It will accept several commands in a row without waiting for each reply
250 8BITMIME <- It accepts 8-bit message bodies.  The space (instead of a dash) after 250 marks the last line of the reply

At this point, we’ve confirmed that there’s a mail server there and that it’s accepting mail.  Let’s send it some…

mail from:bob@foo.com <- This email will report to come from bob@foo.com
250 ok <- Another 200 series, this time another 250. 
rcpt to:tom@bar.com <- This email should go to tom@bar.com
250 ok <- The server will accept email for tom@bar.com
data <- Tell the server that we’d now like to send some data (our email)
354 go ahead <- Ahhh, a 354.  This means that it’s ready to start accepting input, end it with <CR>.<CR>
The body of our email goes here.   <- This is our email
. <- This is the <CR>.<CR> that we were told to follow it up with
250 ok 1363214855 mail.bar.com <- Our mail was accepted for delivery

And there it is.  That would send an email containing the text “The body of our email goes here.” to tom@bar.com and would report that it came from bob@foo.com.  There are a couple of things that could have gone wrong here and understanding these things can help us better troubleshoot email.

  • Our Internet Service Provider could be blocking access to the mail server mail.foo.com.  If this happens, we would have gotten a timeout or an error from the telnet command telling us that the server was unavailable.  If our email software (Outlook, Mac Mail, etc.) was trying to do this, it would get an error that it could not connect to the SMTP server.  Several ISPs block access to mail servers to try to mitigate spam.  Obviously, that doesn’t work, but they do it anyway.
  • The server mail.foo.com could have been down.  Their Internet connection failed, their server was rebooting or Exchange just died.  Any number of things could have gone wrong here but the symptoms would look the same as if the ISP was blocking access.  
  • Our IP address has been blacklisted.  This means that, for some reason, whoever manages mail.foo.com believes that we’re bad news and they’ve refused to talk to us.  This could cause a couple of things.  First, it could look like the ISP is blocking access or the server is down and just refuse to talk to us.  Alternatively though, it may tell us that it’s not going to talk to us because we’re blacklisted.  Some receiving servers will even tell you why you’re blacklisted and offer (very generic) ways that you can get un-blacklisted.
  • Our domain name has been blacklisted or is being actively rejected.  This is when it starts getting good.  Typically when this happens, we will see a message after the “mail from:bob@foo.com”.  There are tons of options here but, suffice it to say, it will not be one of our friendly 200 series messages.  This message will typically be spelled out in the email that’s sent back to the sender.
  • The user does not exist.  This happens *very* frequently and we will see it after the rcpt to:tom@bar.com line.  We will typically see a 500 series message (550, 551, etc.) telling us that the mailbox doesn’t exist.  Often, it’s because of a misspelling (it will be tom @bar.com [note the space] or t0m@bar.com [note the zero]).  Like the earlier error, the message will typically be spelled out in the email that’s sent back to the sender.
  • The server doesn’t allow relaying.  We see this *a lot* when a server has been misconfigured or when the receiving server (mail.bar.com) has a backup mail server (secondary).  If the secondary isn’t configured properly, which can go unnoticed for long periods of time (since it’s rarely used), it can reject mail that should have been delivered.  Look for a message about relaying or authentication in the message that’s sent back to the original sender.
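The telnet session above and the failure modes in this list, turned into a small diagnostic probe.  This is an added example, not code from the original article: it speaks the same EHLO / MAIL FROM / RCPT TO sequence, stops before DATA so no mail is actually sent, and reports which step got the first non-2xx reply.  The host, port and address arguments are assumptions, and the canned transcripts are constructed to mirror the session above.

```python
import socket

def read_reply(readline):
    """Read one SMTP reply: '250-' lines continue it, '250 ' (a space) ends it."""
    lines = []
    while True:
        line = readline().rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), lines

def probe(readline, writeline, helo, sender, rcpt):
    """Banner -> EHLO -> MAIL FROM -> RCPT TO, then QUIT with no DATA, so nothing is
    delivered. Returns (stage, code, text) of the first non-2xx reply, or 'accepted'."""
    code, text = read_reply(readline)
    if code != 220:
        return "banner", code, text
    steps = (("ehlo", f"EHLO {helo}"),
             ("mail from", f"MAIL FROM:<{sender}>"),   # domain blacklisted -> 5xx here
             ("rcpt to", f"RCPT TO:<{rcpt}>"))         # no mailbox / relay denied -> 5xx here
    for stage, cmd in steps:
        writeline(cmd + "\r\n")
        code, text = read_reply(readline)
        if code // 100 != 2:
            writeline("QUIT\r\n")
            return stage, code, text
    writeline("QUIT\r\n")
    return "accepted", code, text

def probe_host(host, port, helo, sender, rcpt, timeout=10):
    """The same walk over a real TCP connection; host/port are assumed arguments."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rw", encoding="ascii", newline="")
            return probe(f.readline, lambda l: (f.write(l), f.flush()), helo, sender, rcpt)
    except OSError as e:   # refused, blocked port or timeout: ISP block and dead server look alike
        return "connect", 0, [str(e)]

def scripted(replies):
    """Constructed stand-in for mail.bar.com: hands out canned reply lines in order and
    records what the client sent, so the probe can run offline."""
    it, sent = iter(replies), []
    return (lambda: next(it)), sent.append, sent

# Constructed transcripts mirroring the article's session, minus the DATA step.
HAPPY = ["220 mail.bar.com ESMTP\r\n", "250-mail.bar.com\r\n", "250-STARTTLS\r\n",
         "250 8BITMIME\r\n", "250 ok\r\n", "250 ok\r\n"]
NO_MAILBOX = HAPPY[:5] + ["550 5.1.1 sorry, no mailbox here by that name\r\n"]
```

Against a live server, `probe_host("mail.bar.com", 25, "foo.com", "bob@foo.com", "tom@bar.com")` gives the same (stage, code, text) triple, with stage "connect" when the ISP block or dead-server case from the list above occurs.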

There are tons of other possibilities but I believe that this does a good job of scraping the surface.  If you’re ever having email problems, impress your friends by using this to troubleshoot and find out where the real problem is.

Helpful Links:

Verify that an email actually exists – Simply type in the email in question and find out if it’s valid.  Note here though, I’ve found this to be about 90% accurate.

Is your IP address blacklisted – This site provides all manner of geeky network voodoo but one of its biggest values is looking up an IP address in basically every legitimate blacklist on the planet (and then some).  Suffice it to say, if you’re legitimately blacklisted, this site will tell you.

SMTP Codes – This gives you the definition of each of the SMTP codes noted above as well as several others.