Home page logo
/

basics logo Security Basics mailing list archives

Re: Spoof the TO field in emails
From: "Satish Matta" <matta_jobs () hotmail com>
Date: Wed, 1 Dec 2004 12:58:41 -0500

Ronish,
My guess is that User B was BCC'ed.
- Satish


----- Original Message ----- 
From: <sf_mail_sbm () yahoo com>
To: <security-basics () securityfocus com>
Sent: Wednesday, December 01, 2004 6:40 AM
Subject: Spoof the TO field in emails




Hi List,
Just got an incident today where a user reports to have received a mails
sent to another person

The mail is a phishing attempt

TECHNICALS:
-----------

'UserA' got the mail

'UserB' was in the 'TO' field


HEADER:
-------

Received: from mydomain1(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) by
mydomain2with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
id X340ZH77; Wed, 1 Dec 2004 06:51:01 +0400

Received: from SPAM-Domain- yyy.yyy.yyy.yyy by mydomain1 with Microsoft
SMTPSVC(5.5.1774.114.11);

FCC: mailbox://supprefnum1816646952075 () wamu com/Sent

From: Washington Mutual, Inc <supprefnum1816646952075 () wamu com>
X-Accept-Language: en-us, en

To: UserB
....
=======================================

As can be seen from the above, the mail is being sent to 'UserB'

How come 'UserA' got the mail? I know about spoofing the FROM field, but
as far as I know the TO field is not spoofed

May be the header was manipulated, but the IP address in the RECEIVED part
are OK

Is it a problem with my mail servers (you can see that Exchange is being
used :) ?

Or is it a technique used by spammers?

Your views will be greatly appreciated

Thanks to all
Ronish



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault