[Tool] Check if an email address is valid – the php way
https://pentest.ro/2011/07/04/check-if-an-email-address-is-valid-the-php-way/
Dan Vasile, InfoSec Adventures (https://pentest.ro), Mon, 04 Jul 2011

In an older post we talked about checking the validity of an email address.

Now let’s make a PHP function to automate this task. We can use this type of validation to check, for example, whether a user entered a correct address when registering for a service.

The code is explained in its comments.

<?php
/*
email_validation.php
Coded by: Pentest ROMANIA; Dan Catalin VASILE; http://www.pentest.ro
*/

// Reads one complete SMTP reply and returns its three-digit code.
// Multi-line replies use "250-" continuation lines and end with a "250 " line,
// so reading a fixed number of lines would get out of sync with the server.
function smtp_reply($sock)
{
 do
  {
   $line = fgets($sock);
   if ($line === false) return ""; // connection closed or read timed out
  }
 while (strlen($line) >= 4 && $line[3] == "-");
 return substr($line, 0, 3);
}

function email_validation($email)
{
 //Some vars we will need later
 $timeout = 5; // how much to wait for MX connection in seconds
 $helo = "helo example.com\r\n"; // helo string, feel free to modify but keep in mind that \r\n are necessary at the end of the string to send CR
 $mailfrom = "mail from: <somemail@example.com>\r\n"; // some mail and the domain used before, preferably a valid one

 //First we'll do a quick string validation
 if(filter_var($email, FILTER_VALIDATE_EMAIL))
  {
   //split the email address by the @ sign; the domain is the second part
   $email_str = explode ("@",$email);
   //check for MX records of the domain
   if (getmxrr($email_str[1], $mxhosts)) //you could also check the weights of the MX hosts, some other time for me maybe
    {

    //opening sock connection to the first MX host
    $sock = fsockopen ( $mxhosts[0], 25, $errno, $errstr, $timeout);
     if (!$sock)
     {
      return "INVALID. COULD NOT OPEN CONNECTION TO MX HOST. ERROR: ".$errstr.$errno;
     }
     else
     {
      stream_set_timeout($sock, $timeout); // also bound the time spent waiting for each reply
      //reading the greeting, then sending commands to the MX host and reading each reply
      $r = array();
      $r[0] = smtp_reply($sock);
      fwrite ($sock,$helo);
      $r[1] = smtp_reply($sock);
      fwrite ($sock,$mailfrom);
      $r[2] = smtp_reply($sock);
      $rcpt = "rcpt to: <".$email.">\r\n";
      fwrite ($sock,$rcpt);
      //the last reply is the one that contains the answer we're looking for
      $r[3] = smtp_reply($sock);
      //closing the session politely instead of dropping the connection
      fwrite ($sock,"quit\r\n");
      fclose ($sock);
      if($r[3]=="250")
       return "VALID"; //according to the RFC "250" means valid
      else
       return "INVALID. ERROR CODE FROM MX SERVER: ".$r[3];
     }

    }
   else
    return "INVALID. NO MX RECORDS FOUND";

  }
 else
  return "INVALID EMAIL ADDRESS"; // the string submitted to filter_var is invalid

}

?>
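The same RCPT TO check as an added example in Python (not the original post's PHP), covering the two details a fixed number of reads misses: multi-line replies such as a 250- HELO banner, and 4xx replies, which mean greylisting or a temporary failure rather than a missing mailbox. It replays a constructed server transcript through a hypothetical FakeTransport class so it runs offline; a real socket wrapper would need the same line iteration and send() method.

```python
import re

REPLY_RE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")  # code, then "-" (more lines) or " " (last)

def read_reply(lines):
    """Consume one complete reply from an iterator of raw server lines.
    Returns (code, [line texts]); raises if the stream ends mid-reply."""
    texts = []
    for raw in lines:
        m = REPLY_RE.match(raw.rstrip("\r\n"))
        if not m:
            raise ValueError("malformed SMTP reply: %r" % raw)
        code, sep, text = m.groups()
        texts.append(text or "")
        if sep != "-":  # final line of this reply (a bare code is final too)
            return int(code), texts
    raise ValueError("connection closed in the middle of a reply")

def classify(code):
    """RCPT TO verdict; 4xx (greylisting, temporary failure) is inconclusive."""
    if 200 <= code < 300:
        return "VALID"
    if 400 <= code < 500:
        return "UNKNOWN"
    return "INVALID"

def check_rcpt(transport, email, helo="example.com", sender="somemail@example.com"):
    """Greeting / HELO / MAIL FROM / RCPT TO over a line-iterable transport with send()."""
    lines = iter(transport)
    code, _ = read_reply(lines)
    if code != 220:
        return "UNKNOWN", code
    for cmd in ("HELO %s\r\n" % helo, "MAIL FROM:<%s>\r\n" % sender):
        transport.send(cmd)
        code, _ = read_reply(lines)
        if code != 250:
            transport.send("QUIT\r\n")
            return "UNKNOWN", code
    transport.send("RCPT TO:<%s>\r\n" % email)
    code, _ = read_reply(lines)
    transport.send("QUIT\r\n")  # always close the session cleanly
    return classify(code), code

class FakeTransport:  # constructed server transcript standing in for a socket
    def __init__(self, server_lines):
        self.server_lines, self.sent = list(server_lines), []
    def __iter__(self):
        return iter(self.server_lines)
    def send(self, data):
        self.sent.append(data)
```

A catch-all domain answers 250 for any local part, so VALID only means the MX host accepted the recipient, not that the mailbox exists.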
Attacking the lottery
https://pentest.ro/2011/07/02/attacking-the-lottery/
Sat, 02 Jul 2011

This is purely a theoretical attack on a lottery system. No magic combinations or generators, no syndicates or reading the stars, just a plain attack on the system.

First of all, there are some prerequisites. One will need one or more insiders in order to carry out the attack, but this should not be a problem given that a lot of attacks come from the inside. The second matter would be to get access to the central machine taking care of the database. Again, if it is not well protected, an insider should be able to provide enough data to gain access.

Let’s choose a lottery, 6/49 for instance. You choose 6 numbers, mark them on a ticket and pass it to the lottery guy. The lottery guy places the ticket in a machine that reads the marked numbers, prints them on the side of the ticket and cuts off a part of the ticket. This is the magic part, as the machine keeps a part of the ticket for validation in case you win.

Figure: Lottery ticket format

The system closes hours before the drawing, so the machines do not accept any new tickets after a specific hour. The insider would place a bogus ticket with random numbers (it really doesn’t matter which), preferably as the last ticket on the machine. This ticket has a unique serial number that will be printed on it and on the part that remains in the machine, and that is also registered in the central database, so it’s imperative that this ticket is issued via the standard procedure before the deadline.

After the drawing, some official from the lottery must enter the results into the system to check the winners. Using the previously gained access to the database, the attacker would modify the record corresponding to the bogus ticket (based on the unique serial number) with the correct numbers, preferably in real time, so that when the check is made the correct values are already in the database. Lotteries usually broadcast the drawings live, so this step would be feasible. Otherwise another insider must be in the room when the drawing takes place.

The last step would be for the insider to replace the cut part of the bogus ticket with one that is printed with the same unique serial but with the winning numbers instead of the bogus ones. The other part of the ticket must be printed with the correct numbers as well. This would require some hardware work, but I have seen people doing crazy things for pennies.

Conclusion:

I’m not saying it’s feasible. It’s more of a “James Bond”-like fantasy. There are a lot of ifs, and here are some good measures that the lottery can implement to prevent this from happening:

  • copy the final database before the drawing to a safe off-line location and check the results against this copy (then again, it’s important who can access this database and how it can be accessed)
  • implement hardware protection on the machines that print the tickets
  • implement a strong security policy and do regular checks on the staff, maybe rotating them from one station to another