_______________________________________________________________________

Sendmail and Beyond: Kewl Tips and Tricks By Ankit Fadia [email protected]
_______________________________________________________________________

Welcome to yet another Hackin Tr!ths man!al. Altho!h this man!al comes a"ter a lon
break# it is really nice to et back to writin "or HT. Anyway# in the past# we ha$e had a
n!mber o" e%planations on how to send "ored emails# how to play with the Sendmail
daemon# email headers and e$erythin else to do with S&T' (Simple &ail Trans"er
'rotocol) and emails. Altho!h this man!al too throws liht on related matter# it is
howe$er more "oc!sed on ad$anced tips and tricks and other !ncommon b!t e%tremely
!se"!l pieces o" in"ormation.

*ow# we ha$e already learnt how one can# telnet to 'ort +, o" a mail ser$er and send an
email (e$en a "ored email) by simply typin o!t some S&T' commands. Howe$er# "or
the bene"it o" beinners and to re"resh the memory o" e%perienced b!t "oret"!l people#
we wo!ld -!ickly be oin thro!h the process. . promise to make it as short as possible#
at the same time easy to !nderstand.

'ort +, is the Sendmail 'ort where the S&T' daemon r!ns. This daemon is in"act the
daemon handlin all the o!toin mails. All email clients send mail by connectin to 'ort
+, o" the mail ser$er and iss!in S&T' commands. This process is a!tomated and occ!rs
in the backro!nd. Howe$er# one co!ld also man!ally connect (telnet) to 'ort +, o" a
mail ser$er and man!ally type o!t the S&T' commands in order to send emails. So the
basic o!tline o" the entire process as below. For details reardin the !sae o" indi$id!al
commands# simply type the word /help0 "ollowed by the command at the Sendmail
prompt.

*ote: The below sends a mail "rom [email protected] to [email protected] by iss!in
S&T' commands to the mail ser$er: mail.isp.com 1esponses "rom the mail se$er ha$e a
n!mber precedin them while the commands typed by the !ser do not ha$e any n!mber
precedin.

2:3windows4telnet mail.isp.com

++5 mail.isp.com 6S&T' Sendmail 7.8.9 (9.9.+5.:;5<=!l55>589?A&) Th!# < @ec +555
9<:97:,5 A5,:5 (.ST)
helo ankit.com
+,5>mail.isp.com Hello B+5:.%%.yyy.89C# pleased to meet yo!
mail "rom: [email protected]
+,5 [email protected]... Sender ok
rcpt to: [email protected]
+,5 [email protected]... 1ecipient ok
data
:,D 6nter mail# end with E.E on a line by itsel"
This is the part where the body o" the messae is typed in.
.
+,5 1AA5555559?8: &essae accepted "or deli$ery

The headers o" the abo$e email as seen by the recipient is as "ollows:

1et!rn>'ath: [email protected]
1ecei$ed: "rom ankit.com by mail.isp.com (7.8.9;9.9.+5.:;5<=!l55>589?A&)
id 1AA5555559?8:G Th!# < @ec +555 9<:98:D8 A5,:5 (.ST)
@ate: Th!# < @ec +555 9<:98:D8 A5,:5 (.ST)
From: Ankit Fadia [email protected]
&essae>.d: F+5559+5<99D8.1AA5555559?8:@mail.isp.com4
H>I.@J: 8+59,?a:b8+?c,98:5:?8::e?d5De"d,

This is the part where the body o" the messae is typed in.

Anyway# now that we ha$e recalled the basic o!tline o" the process o" man!ally sendin
an email# let !s mo$e on with the main s!bKect o" this man!al.

The S!bKect Field In>s!bKected

*ow# e$er since . released the man!al on sendin "ored emails (Sendin emails !sin
S&T' commands) . ha$e recei$ed a n!mber o" emails askin me -!estions like: LHow to
Speci"y the S!bKect o" an email sent man!ally by connectin to 'ort +, o" a systemM. Nr
LHow to Speci"y 22 and B22 recipients when doin the sameOM Well# in this section we
disc!ss K!st that.

Firstly# let !s learn how to speci"y the s!bKect o" an email enineered man!ally by S&T'
commands. Well# the process o" speci"yin the S!bKect remains pretty m!ch similar to the
normal process o" sendin emails man!ally. Act!ally all the commands remain the same
!ntil we reach the /data0 command. A"ter we iss!e the /data0 command# the remote mail
ser$er will reply with the below messae:

:,D 6nter mail# end with E.E on a line by itsel"

This ser$er response means that we can start typin the body o" o!r messae now.
Howe$er# it also indirectly speci"ies that this is the time that we type in the S!bKect o" the
email. We can speci"y the s!bKect o" the email as "ollows:

S!bKect: Hi

Where /s!bKect:0 is the keyword# which tells the mail ser$er that yo! are ready to type in
yo!r s!bKect and /Hi0# is the s!bKect o" yo!r choice. Po! can contin!e with the body o" the
email by pressin the /6nter0 key and typin in the characters. The end with the: / .
/('eriod) and e$erythin else remains the same.

Jet !s o tho!h the entire process# step by step. 'lease note that . ha$e inserted
comments where$er necessary within brackets. Both the brackets and the characters
within the brackets are not a part o" the act!al commands.

For this e%ample# we need to keep the "ollowin pieces o" in"ormation in mind:

&ail Ser$er: mail.isp.com
1ecipient0s 6mail Address: [email protected]
Sender0s 6mail Address: [email protected]
S!bKect: HiQQQ
Body: This is a test messae

2:3windows4telnet mail.isp.com

++5 mail.isp.com 6S&T' Sendmail 7.8.9 (9.9.+5.:;5<=!l55>589?A&) Th!# < @ec +555
9<:97:,5 A5,:5 (.ST)
helo ankit.com
+,5>mail.isp.com Hello B+5:.%%.yyy.89C# pleased to meet yo!
mail "rom: [email protected]
+,5 [email protected]... Sender ok
rcpt to: [email protected]
+,5 [email protected]... 1ecipient ok
data
:,D 6nter mail# end with E.E on a line by itsel"
s!bKect: HiQQQ
This is a test messae
.
+,5 1AA5555559?8: &essae accepted "or deli$ery

*ow i" yo! e%amine the headers o" this email# yo! will "ind that they !nlike the headers
that we $iewed earlier in the man!al will ha$e a separate S!bKect line.

1et!rn>'ath: [email protected]
1ecei$ed: "rom ankit.com by mail.isp.com (7.8.9;9.9.+5.:;5<=!l55>589?A&)
id 1AA5555559?8:G Th!# < @ec +555 9<:98:D8 A5,:5 (.ST)
@ate: Th!# < @ec +555 9<:98:D8 A5,:5 (.ST)
From: Ankit Fadia [email protected]
&essae>.d: F+5559+5<99D8.1AA5555559?8:@mail.isp.com4
S!bKect: HiQQQQ
H>I.@J: 8+59,?a:b8+?c,98:5:?8::e?d5De"d,

This is a test messae

220s and B220s

What are the S&T' commands e-!i$alent to the B22 and 22 "ields o" yo!r email clientO
Well# this -!estion has only one simply answer: none. The "ollowin "ew lines will tell !s
why.

To !nderstand the answer to the abo$e -!estion# let !s "irst !nderstand how e%actly does
an email client handle a 22 or a B22. How does it do what we are s!pposed to do with
the 22 and B22 "eat!resO

*ow# when yo! hit the Send b!tton# then yo!r email client connects to 'ort +, o" the mail
ser$er that yo! speci"ied d!rin the con"i!ration time. Then it will iss!e S&T'
commands to the remote mail ser$er and send it the re-!ired in"ormation. And in this
process yo!r email is sent. The order in which the $ario!s S&T' commands are i$en is
same as described earlier.

*ormally# when yo! ha$e only a sinle recipient# then yo!r email client iss!es only a
sinle /12'T TN:0 command# to the mail ser$er. Howe$er# when there is more than a
sinle recipient# then the email client iss!es m!ltiple instances o" /12'T TN:0 Nr in
other words# when the 22 "ield o" yo!r email client is not empty then m!ltiple 12'T
commands are iss!ed.

Po! see the Simple &ail Trans"er 'rotocol does not pro$ide any special command "or
220in an email to someone. The entire concept o" 22 relies on the iss!e o" m!ltiple
12'T commands to the mail ser$er. The same is the case when yo! ha$e m!ltiple
recipients in the /To:0 "ield o" the email client. So basically this means that it really
doesn0t matter whether yo! add a recipient0s email address to the 22 "ield or to the /To:0
"ield. The S&T' command iss!ed and the headers created will remain the same.

Jet !s take a practical e%ample to make it clearer. The recipients0 list "or this e%ample is
as "ollows:

To: [email protected] ankit"[email protected]
22: [email protected] G [email protected]

.n this case# the "ollowin are the commands# which will send a blank email with the
s!bKect /test0 "rom the email address: [email protected] to the abo$e list o" recipients.

2:3windows4telnet mail.isp.com

++5 mail.isp.com 6S&T' Sendmail 7.8.9 (9.9.+5.:;5<=!l55>589?A&) Th!# < @ec +555
9<:97:,5 A5,:5 (.ST)
helo ankit.com
+,5>mail.isp.com Hello B+5:.%%.yyy.89C# pleased to meet yo!
mail "rom: [email protected]
+,5 [email protected]... Sender ok
rcpt to: [email protected]
+,5 [email protected]... 1ecipient ok
rcpt to: ankit"[email protected]
+,5 ankit"[email protected]... 1ecipient ok
rcpt to: ankit_"[email protected]
+,5 [email protected]... 1ecipient ok
rcpt to: [email protected]
+,5 [email protected]... 1ecipient ok
data
:,D 6nter mail# end with E.E on a line by itsel"
s!bKect: Test
.
+,5 1AA5555559?8: &essae accepted "or deli$ery

Ret itO *ow# let !s mo$e on to as to how B22 works.

*ow# in the abo$e case i.e. in the case o" 22# the email client !sed m!ltiple 12'T0s in
the same S&T' session to send the same email to m!ltiple recipients. Howe$er# in s!ch a
case the email any recipient can $iew the email addresses o" all the recipients. The reason
behind this pri$acy in$asion is the "act that a sinle email sent to either a sinle or
m!ltiple recipients has to ha$e the same e%act email headers. This means that all
recipients in the /220 and /To0 "ields o" the same email ha$e to ha$e the same email
headers. This is d!e to the "act that the email addresses o" all the recipients were i$en to
the mail ser$er d!rin the same S&T' session. All this may so!nd -!ite $a!e and weird.
." that is the case# then read the "ollowin pararaphs to !nderstand better.

*ow# when yo! 22 a sinle email to m!ltiple recipients (Say :) then the "ollowin
proced!re takes place:

6mail 2lient Starts Session at remote mail ser$er.
.t introd!ces itsel" and the sender.
.t !ses m!ltiple 12'T commands to send the same email to m!ltiple recipients.
The email client disconnects.

As the email addresses o" all the recipients are mentioned in the same session at the
remote mail ser$er# they constit!te the same email headers. Th!s all the recipients are
able to $iew the email addresses to which this email was sent.

*ow# in a sit!ation# when we B22 the same email to m!ltiple recipients (Say +) then the
"ollowin proced!re takes place:

6mail 2lient Starts Session at remote mail ser$er.
.t introd!ces itsel" and the sender.
.t !ses a sinle 12'T commands to send the same email to the "irst email address in the
B22 list.
The email client disconnects.
.t aain starts a new session at the remote ser$er.
.t aain introd!ces itsel" and the sender.
.t !ses a sinle 12'T commands to send the same email to the second email address in
the B22 list.
The email client disconnects# once aain.

.n this case# each recipient was sent an email thro!h a !ni-!e session at the remote mail
ser$er# th!s each recipient recei$ed !ni-!e email headers and the identity o" none o" the
other recipients in the B22 list was not i$en away.

The abo$e description o" the !sae o" 22 and B22 is based on how N!tlook 6%press
works. Howe$er# act!ally Sendmail does pro$ide a manner in which the 22 recipients
can be speci"ied. A"ter i$in the @ATA command# one can i$e the 22 list by i$in the
"ollowin command:

22:1ecipient Jist

Howe$er# i$in the B22 command instead o" 22 does not prod!ce the desired res!lt.

Sendin Attachments thro!h Sendmail

Today# &.&6 attachments are !sed to trans"er "iles attached to an email. &.&6
attachments !se Base?D encodin to encode the binary data. 6arlier another encodin
standard was !sed# which was called the I!encode encodin standard. Po! can send
attachments thro!h Sendmail !sin any o" the abo$e methods.

II>encodin or Ini%>to>Ini% encodin is an encodin standard# which con$erts all
kinds o" "iles into AS2.. "or sa"e transmission o$er *etworks. Files# which are to be sent
o$er networks# are encoded at the sender0s end and decoded at the recei$er0s end. This
ens!res that "iles (attachments) can be trans"erred o$er di""erent kinds o" networks#
systems ro!ters etc witho!t any loss. Howe$er# this method t!rned o!t be corr!ption
prone and is th!s not the most pre"erred one.

Accordin to a Ini$ersity# the basic mechanism o" II>encodin is as "ollows:

The basic scheme is to break ro!ps o" : eiht>bit characters (+D bits) into D si%>bit
characters and then add :+ (a space) to each si%>bit character# which maps it into the
readily transmittable character. Another way o" phrasin this is to say that the encoded ?
bit characters are mapped into the set: SQETUVWX()YA#>.;59+:,?<78:GFZ4O
@AB2...HP[B3C\_ "or transmission o$er comm!nications lines.

S!ch encodin increases the "ile si]e by abo!t D+V. So# the mechanism o" II>encodin
can be concl!ded as "ollows:

File is I!encoded at sender0s end >>>>>>>>>>>>>>>>>>>>^ File is I!decoded at the recei$er0s
end.

All attachments too can be sent o$er networks in !!encoded "orm.

Po! see i" yo! enter the !!encoded code o" any "ile a"ter yo! ha$e iss!ed the @ATA
command at the Sendmail prompt# then the recipient will be able to recei$e the
attachment and $iew it too. Almost all email clients allow I!decodin. (6$en i" the email
client !sed by the recipient does not allow I!decodin then are se$eral !tilities# which do
it "or yo!.) All "iles incl!din imaes# a!dio "iles# $ideo "iles# te%t "iles etc can be
encoded by the I!encodin standard to obtain the !!encoded code.

The method by which attachments in the "orm o" their !!encoded "orm can be sent as
attachments is a +>step process>:

2on$ertin the "ile to be sent as an attachment into !!encoded "orm.
Ri$en the !!encoded "orm to the mail ser$er a"ter the @ATA command.

Jet# !s "irst tackle the "irst step:

." yo! are !sin a Windows plat"orm# then all yo! need to per"orm I!encodin is
Win[ip. ." yo! do not already ha$e Win[ip# then yo! co!ld et it "rom:
http:;;www.win]ip.com

Win[ip can easily be !sed "or obtainin the I!encode o" any "ile. Simply create a new
archi$e containin the "ile yo! want to I!encode and select Action 4 I!encode. Po!
co!ld also simply press Shi"t A I.
Win[ip will sa$e the I!encode "orm o" the .]ip "ile in the "orm: "ilename.!!e
A typical .!!e "ile (.n this case o" an imae "ile) wo!ld be as "ollows:


_Z_
_Z_ 'art 559 o" 559 o" "ile new.]ip
_Z_

bein ??? new.]ip
&DUJTQQ5SS@S(ST,S_12@=J<AG'SSSXDSSSSXSSSSGF,WAFZ.8R;WZA.':)9R
&HWV71SSE_TUS_VT31FA('#T(HS;[email protected]>_[3.*[V.33U@H(:CE*_<?T&<E`
&:?C3TA)<,,G)>'(2GIBCY)F1ANSP2R`XG_H.<F')::@_UP_PBVY(IH9SHDIG
&:[,,K`BGF6`T@FU:SVQAS5(DSQ5SS@S(ST,S_12@=J<AG'SSSXDSSSSXSSSS
KSSSSSSSS(SE`@5SSSSQ*8<F*8`6FDUJVQ@SSSSSQSSUS>5SSS)5SSSSSSSSS
S
end

The "irst "ew lines are only comments added by Win[ip and are not act!ally a part o" the
I!encoded code. So# simply eliminate e$erythin abo$e the "ollowin line:

bein ??? new.]ip

This i$es yo! the I!encode code o" the "ile yo! want to transmit as an attachment !sin
Sendmail.

YYYYYYYYYYYYYYYYYYYY
HA2K.*R T1ITH: ." yo! are on a Ini% plat"orm then ettin the I!encode o" a "ile
becomes e%tremely easy. Simply o to the Ini% shell so yo! can !se !!encode on the "ile
yo!Xre tryin to send. For p!rposes o" this e%ample# letXs pres!me the "ile yo!Xre tryin to
send is called Emy"ile.docE.

At the Ini% shell prompt# type the command:

!!encode my"ile.doc my"ile.doc 4 temp"ile.!!

This tells the !!encode command to encode the "ile Emy"ile.docE and store the name
Emy"ile.docE in the res!ltin encoded "ile. The res!lts are then redirected (by the 4 sin)
into another "ile that yo!Xll place into yo!r mail messae later.

@NS $ersions o" this !tility are also easily a$ailable at $ario!s download sites.
YYYYYYYYYYYYYYYYYYYY

*ow# once yo! ha$e encoded the "ile and obtained the I!encoded "orm# then all yo!
need to do is 2opy it and 'aste it a"ter the @ATA command has been iss!ed at the
Sendmail prompt. This will send the "ile as an attachment.

This was the method in which one can send attachment !sin the I!encodin standard. .
will describe how to send attachments !sin the new &.&6 standard in the later $ersion
o" this man!al.

&ore Sendmail Tips and Tricks

*ormally when yo! connect to the Sendmail 'ort o" a system# then yo! only ha$e
standard S&T' commands a$ailable to yo!. Altho!h they are more than what yo! will
e$er need# howe$er# "or those o" yo! who like to play with $ario!s options# there are also
some other commands# which are by de"a!lt not a$ailable to yo!.

What . am talkin abo!t here is 6S&T' commands or 6%tended &ail Trans"er 'rotocol
commands. A mail ser$er with 6S&T' enabled decides whether these 6S&T'
commands are a$ailable to the client on the basis o" how the client introd!ces itsel" to it.
*ow# normally yo! introd!ce yo!rsel" by i$in the below command:

H6JN domain

*ow# when yo! introd!ce yo!rsel" !sin the H6JN command# then most mail ser$ers by
de"a!lt make only the S&T' commands a$ailable to the client. *ow# in order to make
s!re that e$en the 6S&T' commands are a$ailable to yo!# yo! need to introd!ce yo!rsel"
to the ser$er by the 6HJN command. For 6%ample:

ehlo ankit.com

*ow# i" the mail ser$er yo! are connected to# has 6S&T' enabled# then it will respond by
i$in a list o" 6S&T' commands. Somethin like the below:

++5 mail.isp.com 6S&T' Sendmail 7.8.9 (9.9.+5.:;5<=!l55>589?A&) Th!# < @ec+555
9<:97:,5 A5,:5 (.ST)
ehlo ankit.com
+,5>mail.isp.com Hello B+5:.%%.yy.89C# pleased to meet yo!
+,5>6H'*
+,5>`61B
+,5>7B.T&.&6
+,5>S.[6
+,5>@S*
+,5>N*6H
+,5>6T1*
+,5>HIS1
+,5 H6J'

YYYYYYYYYYYYYYYYYYYY
HA2K.*R T1ITH: Nne way o" "indin o!t whether yo!r .S' has 6S&T' commands
enabled# is to see the daemon banner that comes !p# when yo! telnet to 'ort +, o" its mail
ser$er. The word /6S&T'0 tells yo! that s!ch commands are a$ailable. For 6%ample#

++5 mail.isp.com 6S&T' Sendmail 7.8.9 (9.9.+5.:;5<=!l55>589?A&) Th!# < @ec+555
9<:97:,5 A5,:5 (.ST)
YYYYYYYYYYYYYYYYYYY

2omin Soon ('robably on &onday): How to send more a!thenticate mails. &ore Tricks
to play with email headers.

Ankit Fadia
[email protected]

http:;;www.ankit"adia.com

To recei$e man!als on 6`61PTH.*R PNI @16A&T NF written by Ankit Fadia# in
yo!r .nbo% Koin his mailin list# by sendin a blank email to: prorammin"orhackers>
s!bscribe@ero!ps.com