Security Basics mailing list archives
Re: Spoof the TO field in emails
From: Alexander Klimov <alserkli () inbox ru>
Date: Wed, 1 Dec 2004 20:16:18 +0200 (IST)
On Wed, 1 Dec 2004 sf_mail_sbm () yahoo com wrote:
Just got an incident today where a user reports to have received a mails sent to another person TECHNICALS: ----------- 'UserA' got the mail 'UserB' was in the 'TO' field How come 'UserA' got the mail? I know about spoofing the FROM field, but as far as I know the TO field is not spoofed
Very easily you can try it (see rfc821 for more information): $ telnet host 25 Trying xx.xx.xx.xx... Connected to host. Escape character is '^]'. 220 host ESMTP MAIL FROM: <abc@hostabc> 250 ok RCPT TO: <def@host> 250 ok DATA 354 go ahead From: ghi@hostghi To: jkl@hostjkl Test . 250 ok quit 221 host Connection closed by foreign host. The only thing that should be correct is "rcpt to" field and everything else could be anything you want (and there are legitimate reasons for it to be anything -- think about forwarding). BTW: at least on some systems "mail from" and "rcpt to" are saved in Return-Path and Delivered-To header fields. -- Regards, ASK
Current thread:
- Spoof the TO field in emails sf_mail_sbm (Dec 01)
- Re: Spoof the TO field in emails Satish Matta (Dec 01)
- Re: Spoof the TO field in emails Alexander Klimov (Dec 01)
- Re: Spoof the TO field in emails Alex 'CAVE' Cernat (Dec 01)
- Re: Spoof the TO field in emails Ansgar -59cobalt- Wiechers (Dec 02)
- <Possible follow-ups>
- Re:Spoof the TO field in emails Ghaith Nasrawi (Dec 01)
- Re: Spoof the TO field in emails Robert Mezzone (Dec 03)