Re: Spoof the TO field in emails

["Satish Matta" <matta_jobs () hotmail com>]

Ronish,
My guess is that User B was BCC'ed.
- Satish


----- Original Message ----- 
From: <sf_mail_sbm () yahoo com>
To: <security-basics () securityfocus com>
Sent: Wednesday, December 01, 2004 6:40 AM
Subject: Spoof the TO field in emails


> Hi List,
> Just got an incident today where a user reports to have received a mails
sent to another person
> The mail is a phishing attempt
>
> TECHNICALS:
> -----------
>
> 'UserA' got the mail
>
> 'UserB' was in the 'TO' field
>
>
> HEADER:
> -------
>
> Received: from mydomain1(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) by
mydomain2with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
> id X340ZH77; Wed, 1 Dec 2004 06:51:01 +0400
>
> Received: from SPAM-Domain- yyy.yyy.yyy.yyy by mydomain1 with Microsoft
SMTPSVC(5.5.1774.114.11);
> FCC: mailbox://supprefnum1816646952075 () wamu com/Sent
>
> From: Washington Mutual, Inc <supprefnum1816646952075 () wamu com>
> X-Accept-Language: en-us, en
>
> To: UserB
> ....
> =======================================
>
> As can be seen from the above, the mail is being sent to 'UserB'
>
> How come 'UserA' got the mail? I know about spoofing the FROM field, but
as far as I know the TO field is not spoofed
> May be the header was manipulated, but the IP address in the RECEIVED part
are OK
> Is it a problem with my mail servers (you can see that Exchange is being
used :) ?
> Or is it a technique used by spammers?
>
> Your views will be greatly appreciated
>
> Thanks to all
> Ronish