Home page logo

basics logo Security Basics mailing list archives

Re: Spoof the TO field in emails
From: Robert Mezzone <RMezzone () PJSolomon com>
Date: Wed, 1 Dec 2004 18:00:45 -0500

I had a similiar situation today. One of my users received an email with an
ex-employees name in the to: field. Turns out he was bcc: and the bcc info
doesn't appear in the header. I confirmed this by sending an email from my
yahoo account to my work account. Oddly enough Yahoo wouldn't let me send
the message until there was at least on address in the To: field. I guess
this explains why there is always one receipent in the To: field in almost
every piece of Spam I've come across. 


-----Original Message-----
From: Alex 'CAVE' Cernat <cave () cernat ro>
To: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Wed Dec 01 13:21:00 2004
Subject: Re: Spoof the TO field in emails

Hi List,
Just got an incident today where a user reports to have received a
mails sent to another person

The mail is a phishing attempt


'UserA' got the mail

'UserB' was in the 'TO' field

A normal SMTP session (don't now exactly the error codes, but it doesn't

xxx helo helo ...
MAIL FROM: me () mydomain com
xxx sender ok
RCPT TO: you () yourdomain com
xxx recipient ok
xxx ok, go ahead
From: Me, Myself and I <myself () mydomain com>
To: You <you.you.you () yourdomain com>
Subject: This in the subject

This is a test email ... blah blah blah ...
xxx ok, message queued

The SMTP session is valid and the message will be delivered to
you () yourdomain com  But as you can see, in the headers, the "To:"
address was you.you.you () yourdomain com (it could be even
george.monkey.bush () usa net or smth.), and not the address that will
actually receive the message (you () yourdomain com). Mail routing is done
in most of cases only by "RCPT TO:" address. The "To:" header is only a
content (not the body of the message), and is not usually altered.

In some cases, some combinations of To:, Cc: and Bcc: headers could
create some kind of 'incident' you've described.

Alex Cernat

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]