> Hi List,
> Just got an incident today where a user reports to have received a
> mail sent to another person
>
> The mail is a phishing attempt
>
> TECHNICALS:
> -----------
>
> 'UserA' got the mail
>
> 'UserB' was in the 'TO' field
>
A normal SMTP session (I don't know exactly the error codes, but it doesn't
matter)
------------------------------------------
HELO MAIL
xxx helo helo ...
MAIL FROM: me_at_mydomain.com
xxx sender ok
RCPT TO: you_at_yourdomain.com
xxx recipient ok
DATA
xxx ok, go ahead
From: Me, Myself and I <myself_at_mydomain.com>
To: You <you.you.you_at_yourdomain.com>
Subject: This is the subject

This is a test email ... blah blah blah ...
.
xxx ok, message queued
-------------------------------------------
The SMTP session is valid and the message will be delivered to
you_at_yourdomain.com. But as you can see, in the headers, the "To:"
address was you.you.you_at_yourdomain.com (it could even be
george.monkey.bush_at_usa.net or something), and not the address that will
actually receive the message (you_at_yourdomain.com). Mail routing is done
in most cases only by the "RCPT TO:" address. The "To:" header is only
content (part of the message, though not of its body), and is not usually altered.
In some cases, some combinations of To:, Cc: and Bcc: headers could
create the kind of 'incident' you've described.
Alex Cernat
Received on Dec 01 2004
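The envelope-versus-header distinction Alex describes is exactly what a mail admin or incident responder checks when a user reports "a mail addressed to someone else". The script below is an added example, not code from the original post: it parses a constructed SMTP transcript modelled on the one above (with real-looking reply codes and `@` in place of the list's `_at_` obfuscation), recovers the accepted `RCPT TO` recipients from the envelope, and compares them with the `To:`/`Cc:` headers in the DATA payload. The transcript, addresses, reply texts and function names are all illustrative assumptions.

```python
"""Check SMTP envelope recipients against the To:/Cc: headers of the DATA payload.

Added example, not code from the original post. The transcript below is
constructed to mirror the session in the thread; the addresses, reply texts
and function names are illustrative assumptions.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed transcript: server replies start with a three-digit code, client
# commands do not. The header To: deliberately differs from the RCPT TO address.
SESSION = """\
220 mx.yourdomain.com ESMTP
HELO mail.mydomain.com
250 mx.yourdomain.com
MAIL FROM:<me@mydomain.com>
250 2.1.0 sender ok
RCPT TO:<you@yourdomain.com>
250 2.1.5 recipient ok
DATA
354 go ahead
From: Me, Myself and I <myself@mydomain.com>
To: You <you.you.you@yourdomain.com>
Subject: This is the subject

This is a test email ... blah blah blah ...
.
250 2.0.0 ok, message queued
QUIT
221 bye
"""

SERVER_REPLY = re.compile(r"^(\d{3})[ -]")
ADDR = re.compile(r"([^<>\s]+@[^<>\s]+)")


def _addr(command_line):
    """Extract the address from 'MAIL FROM:<a@b>' / 'RCPT TO: a@b', ignoring ESMTP parameters."""
    m = ADDR.search(command_line.split(":", 1)[1])
    return m.group(1).lower() if m else None


def parse_session(transcript):
    """Return (envelope, payload): the accepted MAIL FROM / RCPT TO addresses and the DATA text."""
    envelope = {"mail_from": None, "rcpt_to": []}
    payload, state, pending_rcpt = [], "envelope", None
    for line in transcript.splitlines():
        if state == "data":
            if line == ".":
                state = "envelope"  # end of DATA, back to commands
            else:
                # undo RFC 5321 dot-stuffing: a payload line starting with '.' was sent as '..'
                payload.append(line[1:] if line.startswith("..") else line)
        elif state == "await_go_ahead":
            # 354 opens the payload; any other reply means DATA was refused
            state = "data" if line.startswith("354") else "envelope"
        else:
            reply = SERVER_REPLY.match(line)
            if reply:
                # a RCPT TO only counts as a recipient if the server accepted it (2xx)
                if pending_rcpt and reply.group(1).startswith("2"):
                    envelope["rcpt_to"].append(pending_rcpt)
                pending_rcpt = None
                continue
            upper = line.upper()
            if upper.startswith("MAIL FROM:"):
                envelope["mail_from"] = _addr(line)
            elif upper.startswith("RCPT TO:"):
                pending_rcpt = _addr(line)
            elif upper == "DATA":
                state = "await_go_ahead"
    return envelope, "\n".join(payload)


def header_recipients(payload):
    """Addresses named in the To: and Cc: headers (Bcc is normally stripped before delivery)."""
    msg = message_from_string(payload)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def check_recipient_mismatch(transcript):
    """Flag envelope recipients that appear in no To:/Cc: header.

    Routing follows RCPT TO; a recipient absent from the headers is either a
    legitimate Bcc or, as in the reported phishing mail, a forged To: line.
    """
    envelope, payload = parse_session(transcript)
    visible = header_recipients(payload)
    hidden = sorted(set(envelope["rcpt_to"]) - set(visible))
    return {
        "mail_from": envelope["mail_from"],
        "rcpt_to": envelope["rcpt_to"],
        "header_to_cc": visible,
        "not_in_headers": hidden,
        "mismatch": bool(hidden),
    }


if __name__ == "__main__":
    for key, value in check_recipient_mismatch(SESSION).items():
        print(f"{key}: {value}")
```

Run stand-alone it reports `rcpt_to: ['you@yourdomain.com']`, `header_to_cc: ['you.you.you@yourdomain.com']` and `mismatch: True`, which is the situation in the thread: delivery followed the envelope, while the header the user sees names someone else. A rejected `RCPT TO` (non-2xx reply) is not counted, so the check reflects who the server actually agreed to deliver to. Because a legitimate Bcc produces the same mismatch, the result is a triage signal to read together with the `Received:` chain and the sender reputation, not proof of forgery on its own.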