A hacker doesn't really need PHP to send an Email. He needs only a command prompt and a telnet program, that's all. But we are in the PHP Zone, so we will do it with PHP too. All the stuff here is for learning purpose. Don't use it to hack or to spam or to do any other illegal action.

First, a good start is to read the SMTP specification protocol. It helps to understand how things work. You can read the Request For Comments number 2821 document (RFC2821) for that. It's a good idea to read the entire document, but if you haven't the time, just read the chapter 4.

So, let's first do it with a shell prompt and a telnet program and then write the PHP code. In windows, click Start->Run and type cmd.exe to open the command prompt. In a nix environment, guess what :-)

We connect to the SMTP server:

telnet smtp.mydomain.com 25


Change smtp.mydomain.com with the address of your SMTP server. The 25 is the port number on which the SMTP server listens. If you are connected, you should get a string that starts with 220 as a response and you have to introduce your self with the HELO command:

HELO its_me


No matter what you give as argument to the HELO command, most SMTP servers will show you your real address and your IP in a response to this command. If all is ok, you will get a string that starts with 250.

Let's now quickly finish this session:
1: MAIL FROM:<me@mydomain.com>

 2: 250 OK

 3: RCPT TO:<myfreind@hisdomain.com>

 4: 250 OK

 5: DATA

 6: 354 Start mail input; end with <CRLF>.<CRLF>

 7: Received: from mydomain.com by hisdomain.com ; Thu, 03 Jan 2006 12:33:29 -0700

 8: Date: Thu, 03 Jan 2006 12:33:22 -0700

 9: From: Me <me@mydomain.com>

10: Subject:  The Next Meeting of the Board

11: To: myfreind@hisdomain.com

12:

13: MyFreind:

14: How are you?

15:

16:             Me.

17: .

18: 250 OK

19: QUIT

20: 221 mydomain.com Service closing transmission channel


OK, we are done and the email is sent.

Lines 2, 4, 6, 18 and 20 are the server responses.
Line 1: Enter the address of the sender (required). Pay attention to "<" and ">". Don't forget them.
Line 3: Enter the address of the receiver (required). Pay attention to "<" and ">". Don't forget them.
Line 5: We say to the server: now, we start the message to send (required)
Lines 7 to 11: We write some headers (Not required)
Lines 12 to 16: The message we want to send
Lines 16-17: empty line and a point: that's how to finish and send the email. Look at the response of the server at Line 6.

Note about Lines 7 to 11:
This is what the receiver gets in the email header. So, if you want to send anonymous mail (don't do it. It's easy to TraceRoute back your email and get to you) or if you want to have fun with your friend, you can set his email address in the "From" field. He will get an email sent from him to him. For fun also, you can set in the "Date" field a date in the future. You friend will receive an email from the future.

Let's write the PHP code now:

To connect to the server:

$smtp_server = fsockopen("smtp.mydomain.com", 25, $errno, $errstr, 30);


The fsocketopen will time out after 30 seconds if the connection failed. The $errorno and $errstr will contain the error number and the error message if an error happens.

if(!$server_smtp)

{

	// we have an error, do something

	exit;

}


To get the server response use the fgets function like this:

$server_response = fgets($smtp_server);


I'll not care about the server responses here; I want just to send the email. If you want to write a good program you should care.

To send a string to the server use fwrite function:

fwrite($smtp_server, $command);


IMPORTANT: all commands to be sent to server must end with "\r\n" : CR + LF

Here is the code (no error handling here too):
fwrite($smtp_server, "HELO its_me\r\n");

fwrite($smtp_server, "MAIL FROM:<me@mydomain.com>\r\n");

fwrite($smtp_server, "RCPT TO:<myfreind@hisdomain.com>\r\n");

fwrite($smtp_server, "DATA\r\n");

fwrite($smtp_server, "Received: from mydomain.com by hisdomain.com ; Thu, 03 Jan 2006 12:33:29 -0700\r\n");

fwrite($smtp_server, "Date: Thu, 03 Jan 2006 12:33:22 -0700\r\n");

fwrite($smtp_server, "From: Me <me@mydomain.com>\r\n");

fwrite($smtp_server, "Subject:  The Next Meeting of the Board\r\n");

fwrite($smtp_server, "To: myfreind@hisdomain.com\r\n");

fwrite($smtp_server, "\r\nMyFreind:\r\nHow are you ?\r\n\r\n                       Me.\r\n");

fwrite($smtp_server, ".\r\nQUIT\r\n");


That's all. The email is sent.

Here is the full script:
<?php



$smtp_server = fsockopen("smtp.mydomain.com", 25, $errno, $errstr, 30);



if(!$server_smtp)

{

	// We have an error, do something

	exit;

}



fwrite($smtp_server, "HELO its_me\r\n");

fwrite($smtp_server, "MAIL FROM:<me@mydomain.com>\r\n");

fwrite($smtp_server, "RCPT TO:<myfreind@hisdomain.com>\r\n");

fwrite($smtp_server, "DATA\r\n");

fwrite($smtp_server, "Received: from mydomain.com by hisdomain.com ; Thu, 03 Jan 2006 12:33:29 -0700\r\n");

fwrite($smtp_server, "Date: Thu, 03 Jan 2006 12:33:22 -0700\r\n");

fwrite($smtp_server, "From: Me <me@mydomain.com>\r\n");

fwrite($smtp_server, "Subject:  The Next Meeting of the Board\r\n");

fwrite($smtp_server, "To: myfreind@hisdomain.com\r\n");

fwrite($smtp_server, "\r\nMyFreind:\r\nHow are you ?\r\n\r\n             Me.\r\n");

fwrite($smtp_server, ".\r\nQUIT\r\n");

?>


This script can be improved to send mails with attachments. You need only to code a base64 coding function. The algorithm for base64 coding is very simple: from 3 bytes we construct 4 bytes. May be I'll write something about it one day.

Conclusion:
You can always get a PHP class from out there easy to work with and hides all this stuff, but the hacker way is to do things by hand with the minimum and simplest tools like a command prompt or a simple text editor.