Sending Email with Netcat

Is it possible to send an email from a host that has no email client software installed? As long as you have netcat, of course it is!

Netcat (/usr/bin/nc on Red Hat Enterprise Linux systems) is a simple utility for reading and writing data across TCP/UDP connections. It's often used for testing and debugging network connections. In its most basic usage, netcat allows you to feed a stream of data to a specific port on a specific host, which is perfect for our purpose here. Check the netcat man page for more information on its various features. There are also sample scripts under /usr/share/doc/nc-*/. If netcat is not installed on your Red Hat Enterprise Linux, CentOS or Fedora system, you can install it with the command yum install nc.

What we will be doing with netcat is using it to feed a stream of data to port 25 (SMTP) on a mail relay, making it believe it's talking to a regular email client. In order to do this, we first need to figure out what our email server expects to see from a client. This can be done by connecting via telnet to our SMTP relay host and issuing the correct SMTP commands, as in the following example:

   [user@host]# telnet smtp.domain.com 25
   Trying 192.168.0.1...
   Connected to smtp.domain.com (192.168.0.1).
   Escape character is '^]'.
   220 myrelay.domain.com ESMTP
   HELO smtp.domain.com
   250 myrelay.domain.com
   MAIL FROM:<alice@hacker.com>
   250 sender <alice@hacker.com> ok
   RCPT TO:<bob@secure.net>
   250 recipient <bob@secure.net> ok
   DATA
   354 go ahead
   From: [Alice Hacker] <alice@hacker.com>
   To: [Bob Smith] <bob@secure.net>
   Date: Mon, 12 Apr 2010 14:21:26 -0400
   Subject: Test Message

   Hi there!
   This is supposed to be a real email...

   Have a good day!
   Alice


   .
   250 ok:  Message 222220902 accepted
   QUIT
   221 myrelay.domain.com
   Connection closed by foreign host.
   [user@host]#

Note that the userid part of the "From" address does not have to contain a valid userid, only a valid domain name. You will have to replace "smtp.domain.com" with a valid SMTP relay that allows relaying from your host. Generally, experienced admins will disallow relaying from unknown hosts to discourage spam. Additionally, the body of the email (everything after the "DATA" command) is ended by sending a blank line, followed by a line with a period (.) on it by itself.

Now that we know what the remote server expects to see, we can craft a text file with our SMTP commands and the message to be sent. The recipient's mail server will expect the date to be in a particular format.

Use the command

   date '+%a, %d %b %Y %H:%M:%S %z'

to generate a date string that resembles:

   Mon, 12 Apr 2010 14:21:26 -0400

The contents of your message file should resemble this example:

   HELO host.example.com
   MAIL FROM:<test@host.example.com>
   RCPT TO:<bob@example.com>
   DATA
   From: [Alice] <alice@geek.com>
   To: <bob@example.com>
   Date: Mon, 12 Apr 2010 14:21:26 -0400
   Subject: Test Message

   Hi there! This is supposed to be a real email...

   Have a good day!
   Alice


   .
   QUIT

Now we can feed this text file to the netcat program as follows:

   # /usr/bin/nc smtp.domain.com 25 < /tmp/message
   220 myrelay.domain.com ESMTP
   250 myrelay.domain.com
   250 sender <alice@hacker.com> ok
   250 recipient <bob@secure.net> ok
   354 go ahead
   250 ok:  Message 222220902 accepted
   221 myrelay.domain.com
   #

And your email has been sent!

Again, what we did here was feed data to netcat, which then sends that data to port 25 on the specified host (our mail relay). Since we've formatted the data to look like an email, the SMTP server accepts it as it would any other email and sends it, assuming of course that we're allowed to relay email.
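Because netcat streams the whole file without reading the server's answers, the only evidence that the relay accepted the message is the reply transcript it prints. The following check is an added example, not part of the original article; the function name check_replies and the sample transcripts used to exercise it are constructed for illustration.

```sh
#!/bin/sh
# Added example: decide from nc's output whether the relay accepted the mail.
# Usage (hypothetical): nc smtp.domain.com 25 < /tmp/message | check_replies
#
# Exit status: 0 = message accepted (a 250 reply seen after the 354),
#              1 = some command was refused (4xx or 5xx reply),
#              2 = transcript ended before the message was acknowledged.
check_replies() {
    awk '
        { sub(/\r$/, "") }                      # replies arrive with CRLF endings
        $0 !~ /^[0-9][0-9][0-9]/ { next }       # ignore anything that is not a reply
        { code = substr($0, 1, 3); sep = substr($0, 4, 1) }
        sep == "-" { next }                     # multi-line reply: wait for last line
        code ~ /^[45]/ {                        # temporary or permanent failure
            print "refused: " $0
            bad = 1
            exit
        }
        code == "354" { in_data = 1; next }     # server is ready for the message
        in_data && code == "250" { accepted = 1 }
        END {
            if (bad) exit 1
            exit (accepted ? 0 : 2)
        }
    '
}
```

A relay that refuses the recipient (for example with a 5xx "relay denied" reply) makes the function return 1 and print the refusing line, so a cron job can log the failure instead of assuming delivery.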

Given a little time and effort, a nice bash or korn shell script can be written that automates the creation of the message text file. You can specify multiple recipients in the email header, and include the output of other commands in the body of the email. For example, a monitoring script which is periodically executed via a cron job can email its standard output to a list of recipients.
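One way to write such a script is sketched below as an added example, not code from the original article. It goes slightly beyond the text: it ends every line with CRLF as SMTP requires, doubles a leading "." in body lines so that command output containing a lone period cannot end the DATA section early, and refuses addresses or subjects containing characters that would inject extra SMTP commands or headers. The function names and sample addresses are hypothetical.

```sh
#!/bin/sh
# Added example: build the command file that the article feeds to nc.
# Function names and the sample addresses are hypothetical.
CR=$(printf '\r')
NL='
'

# Addresses and the HELO name must not contain characters that would let a
# value break out of "<...>" or start a new SMTP command line.
safe_addr() {
    case $1 in
        ''|*" "*|*"<"*|*">"*|*"$CR"*|*"$NL"*) return 1 ;;
    esac
}

# Usage: build_message HELO_NAME SENDER SUBJECT RCPT...   (body on stdin)
build_message() {
    [ "$#" -ge 4 ] || { echo "need helo, sender, subject, recipient" >&2; return 2; }
    helo=$1 sender=$2 subject=$3
    shift 3
    for a in "$helo" "$sender" "$@"; do
        safe_addr "$a" || { echo "unsafe address: rejected" >&2; return 1; }
    done
    case $subject in
        *"$CR"*|*"$NL"*) echo "CR/LF in subject: rejected" >&2; return 1 ;;
    esac
    {
        printf 'HELO %s\nMAIL FROM:<%s>\n' "$helo" "$sender"
        to=
        for r in "$@"; do
            printf 'RCPT TO:<%s>\n' "$r"
            to="${to:+$to, }<$r>"
        done
        printf 'DATA\nFrom: <%s>\nTo: %s\n' "$sender" "$to"
        # LC_ALL=C keeps day and month names in English regardless of locale.
        printf 'Date: %s\n' "$(LC_ALL=C date '+%a, %d %b %Y %H:%M:%S %z')"
        printf 'Subject: %s\n\n' "$subject"
        # Dot-stuffing: prefix an extra "." to body lines that start with one.
        # awk also guarantees the body ends with a newline before the final ".".
        awk '{ sub(/\r$/, ""); sub(/^\./, ".."); print }'
        printf '.\nQUIT\n'
    } | awk '{ printf "%s\r\n", $0 }'   # SMTP lines end in CRLF
}
```

A cron job could then run something like `uptime | build_message host.example.com test@host.example.com 'Cron report' bob@example.com > /tmp/message` before handing /tmp/message to nc.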

______________________

Pete Vargas Mas is an avid indoorsman and a Linux Consultant in the Washington DC Metro area. Pete is a RHCE and a MCITP, which so far has not caused any eddies in the space-time continuum. He spends most of his time these days herding 529 Linux servers.

Comments

How to test a smtp server

Anonymous

Hi,

I've set up a new Exchange 2007 Edge as my SMTP server for sending and receiving external emails. Now sending is fine, but I'm not able to receive from the internet. The DNS for its domain on the internet is already up. This server is in the DMZ and protected by a firewall. I confirmed the rules are open for port 25 from any source. When I telnet from the internet to my server using port 25, the connection times out. Please tell me how I can test this from the internet. Thanks.

Use /dev/tcp in bash

Hugh Saunders

You don't need nc when you can read/write to /dev/tcp :)

http://tldp.org/LDP/abs/html/devref1.html

the correct approach is to

Costin Gusa

The correct approach is to programmatically use "expect", for example (random Google hit) http://petervibert.com/articles/2/ "Expect SMTP Script"

not quite

Costin Gusa

When you speak SMTP you need to wait for each server reply.
You REALLY do not want to do this against any postfix boxes that I administer.

"221 2.7.0 Error: I can break rules, too. Goodbye." is my favorite postfix quote.
