Home page logo
/

basics logo Security Basics mailing list archives

Re:Spoof the TO field in emails
From: "Ghaith Nasrawi" <libero () aucegypt edu>
Date: Wed, 1 Dec 2004 17:45:34 +0000

if you send any email to "x" in the TO field, and "y" in the BCC filed.

"x" won't be able to know that the message was sent to "y" as well.
while "y" would see the message going to "x" only!

g.



---------- Initial Header -----------

From      : sf_mail_sbm () yahoo com
To          : security-basics () securityfocus com
Cc          :
Date      : 1 Dec 2004 11:40:41 -0000
Subject : Spoof the TO field in emails



Hi List,
Just got an incident today where a user reports to have received a
mails sent to another person

The mail is a phishing attempt

TECHNICALS:
-----------

'UserA' got the mail

'UserB' was in the 'TO' field


HEADER:
-------

Received: from mydomain1(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) by
mydomain2with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
      id X340ZH77; Wed, 1 Dec 2004 06:51:01 +0400

Received: from SPAM-Domain- yyy.yyy.yyy.yyy by mydomain1 with
Microsoft SMTPSVC(5.5.1774.114.11);

FCC: mailbox://supprefnum1816646952075 () wamu com/Sent

From: Washington Mutual, Inc <supprefnum1816646952075 () wamu com>
X-Accept-Language: en-us, en

To: UserB
....
=======================================

As can be seen from the above, the mail is being sent to 'UserB'

How come 'UserA' got the mail? I know about spoofing the FROM field,
but as far as I know the TO field is not spoofed

May be the header was manipulated, but the IP address in the
RECEIVED part are OK

Is it a problem with my mail servers (you can see that Exchange is
being used :) ?

Or is it a technique used by spammers?

Your views will be greatly appreciated

Thanks to all
Ronish


"Our care should not be to have lived long as to have lived enough.",
Seneca


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]