Home page logo

basics logo Security Basics mailing list archives

Re: Spoof the TO field in emails
From: Alexander Klimov <alserkli () inbox ru>
Date: Wed, 1 Dec 2004 20:16:18 +0200 (IST)

On Wed, 1 Dec 2004 sf_mail_sbm () yahoo com wrote:
Just got an incident today where a user reports to have received a mails sent
to another person

'UserA' got the mail
'UserB' was in the 'TO' field

How come 'UserA' got the mail? I know about spoofing the FROM field, but as
far as I know the TO field is not spoofed

Very easily you can try it (see rfc821 for more information):

$ telnet host 25
Trying xx.xx.xx.xx...
Connected to host.
Escape character is '^]'.
220 host ESMTP
MAIL FROM: <abc () hostabc>
250 ok
RCPT TO: <def () host>
250 ok
354 go ahead
From: ghi () hostghi
To: jkl () hostjkl

250 ok
221 host
Connection closed by foreign host.

The only thing that should be correct is "rcpt to" field and everything else
could be anything you want (and there are legitimate reasons for it to be
anything -- think about forwarding).

BTW: at least on some systems "mail from" and "rcpt to" are saved in Return-Path
and Delivered-To header fields.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]