Re:Spoof the TO field in emails

["Ghaith Nasrawi" <libero () aucegypt edu>]

if you send any email to "x" in the TO field, and "y" in the BCC filed.

"x" won't be able to know that the message was sent to "y" as well.
while "y" would see the message going to "x" only!

g.



---------- Initial Header -----------

> From      : sf_mail_sbm () yahoo com
To          : security-basics () securityfocus com
Cc          :
Date      : 1 Dec 2004 11:40:41 -0000
Subject : Spoof the TO field in emails

> Hi List,
> Just got an incident today where a user reports to have received a
mails sent to another person
> The mail is a phishing attempt
>
> TECHNICALS:
> -----------
>
> 'UserA' got the mail
>
> 'UserB' was in the 'TO' field
>
>
> HEADER:
> -------
>
> Received: from mydomain1(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) by
mydomain2with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
>       id X340ZH77; Wed, 1 Dec 2004 06:51:01 +0400
>
> Received: from SPAM-Domain- yyy.yyy.yyy.yyy by mydomain1 with
Microsoft SMTPSVC(5.5.1774.114.11);
> FCC: mailbox://supprefnum1816646952075 () wamu com/Sent
>
> From: Washington Mutual, Inc <supprefnum1816646952075 () wamu com>
> X-Accept-Language: en-us, en
>
> To: UserB
> ....
> =======================================
>
> As can be seen from the above, the mail is being sent to 'UserB'
>
> How come 'UserA' got the mail? I know about spoofing the FROM field,
but as far as I know the TO field is not spoofed
> May be the header was manipulated, but the IP address in the
RECEIVED part are OK
> Is it a problem with my mail servers (you can see that Exchange is
being used :) ?
> Or is it a technique used by spammers?
>
> Your views will be greatly appreciated
>
> Thanks to all
> Ronish

"Our care should not be to have lived long as to have lived enough.",
Seneca