Security Basics mailing list archives

Spoof the TO field in emails


From: <sf_mail_sbm () yahoo com>
Date: 1 Dec 2004 11:40:41 -0000



Hi List,
Just got an incident today where a user reports having received a mail sent to another person.

The mail is a phishing attempt

TECHNICALS:
-----------

'UserA' got the mail

'UserB' was in the 'TO' field


HEADER:
-------

Received: from mydomain1 (xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx]) by mydomain2 with SMTP (Microsoft Exchange Internet Mail
Service Version 5.5.2653.13)
        id X340ZH77; Wed, 1 Dec 2004 06:51:01 +0400

Received: from SPAM-Domain yyy.yyy.yyy.yyy by mydomain1 with Microsoft SMTPSVC(5.5.1774.114.11);

FCC: mailbox://supprefnum1816646952075 () wamu com/Sent

From: Washington Mutual, Inc <supprefnum1816646952075 () wamu com>
X-Accept-Language: en-us, en

To: UserB
....
=======================================

As can be seen from the above, the mail is being sent to 'UserB'.

How come 'UserA' got the mail? I know about spoofing the FROM field, but as far as I know the TO field is not spoofed.

Maybe the header was manipulated, but the IP addresses in the RECEIVED part are OK.

Is it a problem with my mail servers (you can see that Exchange is being used :)?

Or is it a technique used by spammers?

Your views will be greatly appreciated.

Thanks to all
Ronish

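The distinction the question turns on, shown as an added example that is not part of the original post: an SMTP server delivers a message to the mailboxes named in the RCPT TO commands (the envelope), while the To: line is just part of the message text sent after DATA, so the two need not agree and nothing in the delivery path requires them to. The script below uses a constructed message and hypothetical addresses (usera@example.com and userb@example.com stand in for UserA and UserB, mx.example.com for the receiving server). It prints the SMTP exchange from both sides, then checks a delivered message against the envelope recipient it actually arrived for, which is the test a mail administrator or a filter would apply to this case.

```python
"""Header 'To' versus SMTP envelope recipient (RCPT TO).

Added example, not code from the original post. The message, host names and
addresses are constructed: usera@example.com and userb@example.com stand in
for the post's UserA and UserB.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the To: header names UserB, but the sender will tell
# the receiving MTA to deliver to UserA in the envelope.
SAMPLE_MESSAGE = (
    "Received: from spam-host ([192.0.2.10]) by mx.example.com with SMTP\n"
    " id ABC123; Wed, 1 Dec 2004 06:51:01 +0400\n"
    "From: Washington Mutual, Inc <support@example.net>\n"
    "To: UserB <userb@example.com>\n"
    "Subject: Account verification\n"
    "\n"
    "Please confirm your account.\n"
)

ENVELOPE_RCPT = "usera@example.com"  # what the sender put in RCPT TO


def header_recipients(raw: str) -> set[str]:
    """Addresses named in the To/Cc headers: the recipients a reader sees."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def envelope_mismatch(raw: str, envelope_rcpt: str) -> bool:
    """True when the mailbox the MTA delivered to is absent from To/Cc.

    This is the situation in the post: UserA's mailbox received a message
    whose To: header names only UserB.
    """
    return envelope_rcpt.lower() not in header_recipients(raw)


def received_for_clause(raw: str):
    """Envelope recipient recorded by a receiving MTA in a 'for <addr>'
    clause of a Received: header, or None if no hop recorded one.
    The Received: lines quoted in the post carry no such clause, so the
    envelope recipient cannot be recovered from them after the fact."""
    msg = message_from_string(raw)
    for hop in msg.get_all("Received", []):
        m = re.search(r"\bfor\s+<?([^\s>;]+@[^\s>;]+)>?", hop)
        if m:
            return m.group(1).lower()
    return None


def smtp_dialogue(mail_from: str, rcpt_tos: list[str], raw: str) -> list[str]:
    """The SMTP exchange that delivers `raw` to `rcpt_tos`, whatever the
    To: header says. 'C:' lines are the client, 'S:' lines the server."""
    lines = [
        "S: 220 mx.example.com ESMTP",
        "C: EHLO spam-host",
        "S: 250 mx.example.com",
        f"C: MAIL FROM:<{mail_from}>",
        "S: 250 OK",
    ]
    for rcpt in rcpt_tos:  # envelope recipients: the only ones that matter
        lines += [f"C: RCPT TO:<{rcpt}>", "S: 250 OK"]
    lines += ["C: DATA", "S: 354 End data with <CR><LF>.<CR><LF>"]
    lines += ["C: " + line for line in raw.splitlines()]  # headers incl. To:
    lines += ["C: .", "S: 250 OK: queued", "C: QUIT", "S: 221 Bye"]
    return lines


if __name__ == "__main__":
    print("\n".join(smtp_dialogue("support@example.net", [ENVELOPE_RCPT],
                                  SAMPLE_MESSAGE)))
    print("Header recipients:", header_recipients(SAMPLE_MESSAGE))
    print("Envelope recipient:", ENVELOPE_RCPT)
    print("Mismatch:", envelope_mismatch(SAMPLE_MESSAGE, ENVELOPE_RCPT))
    print("Received 'for' clause:", received_for_clause(SAMPLE_MESSAGE))
```

Because only RCPT TO determines delivery, a mismatch between envelope and header recipient is a routine feature of bulk mailings (a single message body is sent once per envelope recipient) and does not by itself indicate that the headers were tampered with in transit; it is worth flagging in a filter, but it is not proof of anything beyond the sender having chosen the addresses independently.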
