Security Basics mailing list archives
Re: Spoof the TO field in emails
From: Robert Mezzone <RMezzone () PJSolomon com>
Date: Wed, 1 Dec 2004 18:00:45 -0500
I had a similar situation today. One of my users received an email with an ex-employee's name in the To: field. Turns out he was Bcc'd, and the Bcc info doesn't appear in the header. I confirmed this by sending an email from my Yahoo account to my work account. Oddly enough, Yahoo wouldn't let me send the message until there was at least one address in the To: field. I guess this explains why there is always one recipient in the To: field in almost every piece of spam I've come across.

Robert

-----Original Message-----
From: Alex 'CAVE' Cernat <cave () cernat ro>
To: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Wed Dec 01 13:21:00 2004
Subject: Re: Spoof the TO field in emails
Hi List,

Just got an incident today where a user reports to have received a mail sent to another person. The mail is a phishing attempt.

TECHNICALS:
-----------
'UserA' got the mail
'UserB' was in the 'TO' field

A normal SMTP session (don't know exactly the error codes, but it doesn't matter)
------------------------------------------
HELO MAIL
xxx helo helo ...
MAIL FROM: me () mydomain com
xxx sender ok
RCPT TO: you () yourdomain com
xxx recipient ok
DATA
xxx ok, go ahead
From: Me, Myself and I <myself () mydomain com>
To: You <you.you.you () yourdomain com>
Subject: This in the subject

This is a test email ... blah blah blah ...
.
xxx ok, message queued
-------------------------------------------

The SMTP session is valid and the message will be delivered to you () yourdomain com. But as you can see, in the headers, the "To:" address was you.you.you () yourdomain com (it could even be george.monkey.bush () usa net or smth.), and not the address that will actually receive the message (you () yourdomain com). Mail routing is done in most cases only by the "RCPT TO:" address. The "To:" header is only content (not the body of the message), and is not usually altered.

In some cases, some combinations of To:, Cc: and Bcc: headers could create the kind of 'incident' you've described.

Alex Cernat
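An added example, written by the editor rather than by either poster, that applies Alex's point on the defender's side: compare the envelope recipient (the RCPT TO address, the only thing routing ever looked at) with the addresses actually written in the To:/Cc: headers. The message bytes and the envelope address are constructed from the session quoted in the thread; a mismatch means the recipient was Bcc'd or the To: header was written independently of the envelope.

```python
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

# Constructed sample: the message from the SMTP session above, delivered to
# the envelope recipient you@yourdomain.com while the To: header names
# you.you.you@yourdomain.com (addresses taken from the thread, "@" restored).
SAMPLE_ENVELOPE_RCPT = "you@yourdomain.com"
SAMPLE_MESSAGE = b"""\
From: Me, Myself and I <myself@mydomain.com>
To: You <you.you.you@yourdomain.com>
Subject: This in the subject

This is a test email ... blah blah blah ...
"""


def header_recipients(raw: bytes) -> set[str]:
    """Return every address named in the visible To:/Cc: headers, lowercased.
    Bcc: is deliberately excluded: it is stripped before delivery, so a real
    recipient never sees it in the copy that reaches them."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def envelope_matches_headers(envelope_rcpt: str, raw: bytes) -> bool:
    """True when the RCPT TO address also appears in To:/Cc:.
    False is the situation the thread describes: the envelope delivered the
    mail to one mailbox while the header text names somebody else."""
    return envelope_rcpt.lower() in header_recipients(raw)


def classify(envelope_rcpt: str, raw: bytes) -> str:
    """Short verdict a mail filter or helpdesk script could log per message."""
    if envelope_matches_headers(envelope_rcpt, raw):
        return "envelope recipient is named in the headers"
    return "envelope recipient absent from To:/Cc: (Bcc or spoofed To:)"


if __name__ == "__main__":
    print(header_recipients(SAMPLE_MESSAGE))
    print(classify(SAMPLE_ENVELOPE_RCPT, SAMPLE_MESSAGE))
```

On a real MTA the envelope recipient is available from the delivery agent (for example a Delivered-To: or Received: "for" clause, which the server adds, not the sender), so the same check can run on stored mail.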