Security Basics mailing list archives

Re: Spoof the TO field in emails


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 1 Dec 2004 19:44:57 +0100

On 2004-12-01 sf_mail_sbm () yahoo com wrote:
> Just got an incident today where a user reports to have received a
> mail sent to another person
[...]
> 'UserA' got the mail
> 'UserB' was in the 'TO' field
[...]
> How come 'UserA' got the mail? I know about spoofing the FROM field,
> but as far as I know the TO field is not spoofed

That's how SMTP works. Mail is delivered to the address specified in
the RCPT TO field in the envelope. The value in the TO field is usually,
but not necessarily, used to generate the RCPT TO.

Have a look at this mail. Though your mail address presumably is not
"security-basics () securityfocus com" you received this mail. Another
example: if you BCC a mail, the recipient will receive the mail, though
his address doesn't show up anywhere in the headers.

> Maybe the header was manipulated, but the IP addresses in the RECEIVED
> part are OK

No, the headers most likely have not been manipulated.

> Is it a problem with my mail servers (you can see that Exchange is
> being used :) ?

No.

> Or is it a technique used by spammers?

It is abused by spammers.

Regards
Ansgar Wiechers
-- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
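
The envelope/header split described in the message above, as an added example that is not part of the original post: it parses a constructed SMTP client transcript and compares the RCPT TO recipients with the addresses in the To/Cc headers. The transcript, the addresses and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed client-side SMTP transcript; all addresses are placeholders.
SESSION = """\
HELO client.example.org
MAIL FROM:<sender@example.org>
RCPT TO:<usera@example.com>
DATA
From: Sender <sender@example.org>
To: UserB <userb@example.com>
Subject: hello

Body text.
.
QUIT
"""

RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.IGNORECASE)

def split_session(transcript):
    """Return (envelope recipients, message text) from client SMTP lines."""
    rcpts, data, in_data = [], [], False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":            # lone dot ends the DATA phase
                in_data = False
            else:                      # undo dot-stuffing of leading dots
                data.append(line[1:] if line.startswith(".") else line)
        elif line.strip().upper() == "DATA":
            in_data = True
        elif (m := RCPT_RE.match(line)):
            rcpts.append(m.group(1).lower())
    return rcpts, "\n".join(data) + "\n"

def compare(transcript):
    """Contrast who the server delivers to with who the headers name."""
    rcpts, text = split_session(transcript)
    msg = message_from_string(text)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    shown = {addr.lower() for _, addr in getaddresses(fields)}
    return {
        "envelope": rcpts,
        "headers": sorted(shown),
        "delivered_not_shown": [r for r in rcpts if r not in shown],
        "shown_not_delivered": sorted(shown - set(rcpts)),
    }
```

Calling `compare(SESSION)` reproduces the reported incident: the mail is delivered to the envelope recipient, while the To header names a different address.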

