Home page logo

basics logo Security Basics mailing list archives

Re: Spoof the TO field in emails
From: Alex 'CAVE' Cernat <cave () cernat ro>
Date: Wed, 1 Dec 2004 20:21:00 +0200

Hi List,
Just got an incident today where a user reports to have received a
mails sent to another person

The mail is a phishing attempt


'UserA' got the mail

'UserB' was in the 'TO' field

A normal SMTP session (don't now exactly the error codes, but it doesn't

xxx helo helo ...
MAIL FROM: me () mydomain com
xxx sender ok
RCPT TO: you () yourdomain com
xxx recipient ok
xxx ok, go ahead
From: Me, Myself and I <myself () mydomain com>
To: You <you.you.you () yourdomain com>
Subject: This in the subject

This is a test email ... blah blah blah ...
xxx ok, message queued

The SMTP session is valid and the message will be delivered to
you () yourdomain com  But as you can see, in the headers, the "To:"
address was you.you.you () yourdomain com (it could be even
george.monkey.bush () usa net or smth.), and not the address that will
actually receive the message (you () yourdomain com). Mail routing is done
in most of cases only by "RCPT TO:" address. The "To:" header is only a
content (not the body of the message), and is not usually altered.

In some cases, some combinations of To:, Cc: and Bcc: headers could
create some kind of 'incident' you've described.

Alex Cernat

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]