mailing list archives
Re: Spoof the TO field in emails
From: Alexander Klimov <alserkli () inbox ru>
Date: Wed, 1 Dec 2004 20:16:18 +0200 (IST)
On Wed, 1 Dec 2004 sf_mail_sbm () yahoo com wrote:
> Just got an incident today where a user reports having received a mail sent
> to another person
> 'UserA' got the mail
> 'UserB' was in the 'TO' field
> How come 'UserA' got the mail? I know about spoofing the FROM field, but as
> far as I know the TO field is not spoofed
Very easily; you can try it (see RFC 821 for more information):
$ telnet host 25
Connected to host.
Escape character is '^]'.
220 host ESMTP
MAIL FROM: <abc () hostabc>
RCPT TO: <def () host>
354 go ahead
From: ghi () hostghi
To: jkl () hostjkl
Connection closed by foreign host.
The only thing that should be correct is the "rcpt to" field, and everything else
could be anything you want (and there are legitimate reasons for it to be
anything -- think about forwarding).
BTW: at least on some systems "mail from" and "rcpt to" are saved in the Return-Path
and Delivered-To header fields.
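
For triaging a report like the one in this thread, the check below (an added example, not part of the original post) compares the envelope addresses that an MTA recorded in Return-Path and Delivered-To with the From/To/Cc header fields. The sample message and its .example addresses are constructed, and the check assumes the receiving system writes those two trace fields, which the post notes only some systems do.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample of a delivered message: the MTA prepended Return-Path
# and Delivered-To from the SMTP envelope (assumed behaviour of the receiver),
# while From/To are whatever the sender typed after DATA.
SAMPLE = """\
Return-Path: <abc@hostabc.example>
Delivered-To: def@host.example
From: ghi@hostghi.example
To: jkl@hostjkl.example
Subject: test

body
"""

def _addrs(msg, *fields):
    """Collect lower-cased addresses from every occurrence of the given fields."""
    values = [v for f in fields for v in msg.get_all(f, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def compare_envelope(raw):
    """Report where envelope trace fields disagree with the visible headers."""
    msg = message_from_string(raw)
    env_rcpt = _addrs(msg, "Delivered-To")   # from RCPT TO
    env_from = _addrs(msg, "Return-Path")    # from MAIL FROM
    hdr_rcpt = _addrs(msg, "To", "Cc")
    hdr_from = _addrs(msg, "From")
    return {
        "envelope_recipients": sorted(env_rcpt),
        "envelope_sender": sorted(env_from),
        "header_recipients": sorted(hdr_rcpt),
        "header_from": sorted(hdr_from),
        # A mismatch explains the delivery but is not proof of abuse:
        # Bcc, mailing lists and forwarding produce the same pattern.
        "recipient_not_in_headers": bool(env_rcpt) and env_rcpt.isdisjoint(hdr_rcpt),
        "sender_mismatch": bool(env_from) and env_from.isdisjoint(hdr_from),
    }

if __name__ == "__main__":
    for key, value in compare_envelope(SAMPLE).items():
        print(f"{key}: {value}")
```
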