Security Basics mailing list archives
Re: Spoof the TO field in emails
From: Alex 'CAVE' Cernat <cave () cernat ro>
Date: Wed, 1 Dec 2004 20:21:00 +0200
> Hi List,
>
> Just got an incident today where a user reports having received a mail sent to another person. The mail is a phishing attempt.
>
> TECHNICALS:
> -----------
> 'UserA' got the mail
> 'UserB' was in the 'TO' field
A normal SMTP session (don't know exactly the error codes, but it doesn't matter):

------------------------------------------
HELO
MAIL
xxx helo helo ...
MAIL FROM: me () mydomain com
xxx sender ok
RCPT TO: you () yourdomain com
xxx recipient ok
DATA
xxx ok, go ahead
From: Me, Myself and I <myself () mydomain com>
To: You <you.you.you () yourdomain com>
Subject: This is the subject

This is a test email ... blah blah blah ...
.
xxx ok, message queued
-------------------------------------------

The SMTP session is valid and the message will be delivered to you () yourdomain com. But as you can see, in the headers, the "To:" address was you.you.you () yourdomain com (it could be even george.monkey.bush () usa net or something), and not the address that will actually receive the message (you () yourdomain com).

Mail routing is done in most cases only by the "RCPT TO:" address. The "To:" header is only content (not the body of the message), and is not usually altered. In some cases, some combinations of To:, Cc: and Bcc: headers could create the kind of 'incident' you've described.

Alex Cernat
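Added example, not part of Alex's message or the original thread: the session above reproduced end to end in Python. A toy SMTP receiver on 127.0.0.1 records the envelope (MAIL FROM / RCPT TO) separately from the message content, a client submits a message whose RCPT TO differs from its To: header (exactly what lets 'UserA' receive mail addressed to 'UserB'), and a check on the receiving side flags envelope recipients that no visible To:/Cc: header names. All host names and addresses are made up for the demonstration; the toy server is not a real MTA and only implements the commands smtplib sends.

```python
"""Envelope (RCPT TO) versus header (To:) in SMTP: an added example, not from the post.

A minimal receiver keeps the SMTP envelope and the message content apart, a
client sends a message whose To: header names someone other than the envelope
recipient, and a check reports the envelope recipients the headers never name.
Host names and addresses below are constructed for the demonstration.
"""
import email
import email.policy
import smtplib
import socketserver
import threading
from email.message import EmailMessage
from email.utils import getaddresses


class _Session(socketserver.StreamRequestHandler):
    """Just enough SMTP (RFC 5321) to accept one message from smtplib."""

    def handle(self):
        env = {"mail_from": None, "rcpt_to": [], "message": None}
        body = []
        self.wfile.write(b"220 mx.yourdomain.example toy SMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:                       # client hung up
                break
            verb, _, arg = line.decode("latin-1").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.wfile.write(b"250 mx.yourdomain.example\r\n")
            elif verb == "MAIL":               # MAIL FROM:<addr>  (envelope sender)
                env["mail_from"] = arg.partition(":")[2].strip().strip("<>")
                self.wfile.write(b"250 sender ok\r\n")
            elif verb == "RCPT":               # RCPT TO:<addr>  (this is what routes the mail)
                env["rcpt_to"].append(arg.partition(":")[2].strip().strip("<>"))
                self.wfile.write(b"250 recipient ok\r\n")
            elif verb == "DATA":               # everything after this is content, headers included
                self.wfile.write(b"354 ok, go ahead\r\n")
                while True:
                    raw = self.rfile.readline()
                    if not raw:
                        break
                    text = raw.decode("latin-1").rstrip("\r\n")
                    if text == ".":            # lone dot terminates the DATA block
                        break
                    body.append(text[1:] if text.startswith("..") else text)  # undo dot-stuffing
                env["message"] = email.message_from_string(
                    "\n".join(body) + "\n", policy=email.policy.default)
                self.server.envelopes.append(env)
                self.wfile.write(b"250 ok, message queued\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 bye\r\n")
                break
            else:
                self.wfile.write(b"500 unrecognised command\r\n")


class _ToyMTA(socketserver.TCPServer):
    allow_reuse_address = True

    def __init__(self):
        super().__init__(("127.0.0.1", 0), _Session)   # port 0: let the OS pick one
        self.envelopes = []


def submit_spoofed_to(port):
    """RCPT TO <you@...> while the To: header names you.you.you@... (as in the post)."""
    msg = EmailMessage()
    msg["From"] = "Me, Myself and I <myself@mydomain.example>"
    msg["To"] = "You <you.you.you@yourdomain.example>"   # header only: content, not routing
    msg["Subject"] = "This is the subject"
    msg.set_content("This is a test email ... blah blah blah ...")
    with smtplib.SMTP("127.0.0.1", port, local_hostname="client.mydomain.example") as smtp:
        smtp.send_message(msg,
                          from_addr="me@mydomain.example",      # envelope sender (MAIL FROM)
                          to_addrs=["you@yourdomain.example"])  # envelope recipient (RCPT TO)


def header_recipients(msg):
    """Addresses a mail client shows the user: everything in To: and Cc:."""
    fields = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def undisclosed_recipients(env):
    """Envelope recipients no visible header names: the 'UserA got UserB's mail' case."""
    return sorted({r.lower() for r in env["rcpt_to"]} - header_recipients(env["message"]))


def run_demo():
    """Run one session against the toy receiver and return the recorded envelope."""
    mta = _ToyMTA()
    threading.Thread(target=mta.serve_forever, daemon=True).start()
    try:
        submit_spoofed_to(mta.server_address[1])
    finally:
        mta.shutdown()
        mta.server_close()
    return mta.envelopes[0]


if __name__ == "__main__":
    env = run_demo()
    print("RCPT TO    :", env["rcpt_to"])
    print("To: header :", env["message"]["To"])
    print("undisclosed:", undisclosed_recipients(env))
```

On a real receiving system the same comparison is done against whatever header the local MTA stamps with the envelope recipient (Postfix writes it to Delivered-To and X-Original-To, for example), since the envelope itself is gone once the message sits in a mailbox. A mismatch is not proof of abuse (Bcc and mailing lists produce it legitimately, as Alex notes), but it is the signal to pivot on when a user reports receiving somebody else's mail.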
Current thread:
- Spoof the TO field in emails sf_mail_sbm (Dec 01)
- Re: Spoof the TO field in emails Satish Matta (Dec 01)
- Re: Spoof the TO field in emails Alexander Klimov (Dec 01)
- Re: Spoof the TO field in emails Alex 'CAVE' Cernat (Dec 01)
- Re: Spoof the TO field in emails Ansgar -59cobalt- Wiechers (Dec 02)
- <Possible follow-ups>
- Re:Spoof the TO field in emails Ghaith Nasrawi (Dec 01)
- Re: Spoof the TO field in emails Robert Mezzone (Dec 03)