Re: Spoofing "TO" Address in email

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 11/19/05


Date: Fri, 18 Nov 2005 20:00:44 -0600

In the Usenet newsgroup alt.computer.security, in article
<vpsff.1386$3o6.701870@twister.southeast.rr.com>, Phil Nospam wrote:

>I'm not sure if this is the right forum for this...if not please point me in
>the right direction.

It'll do.

>I'm receiving email that is addressed to someone else. Not using any real
>email addresses here, but here's an example: my email address is abc@rr.com
>but the email is addressed to 123@rr.com . I've checked the headers and my
>email address/name doesn't appear in there ANYWHERE. I talked to my ISP, I
>have Time Warner's Road Runner service, and they said that the sender is
>spoofing the "TO" address. The things he said just didn't make any sense -
>granted I'm not a security expert, but I've got a little common sense.

%telnet mail.your.isp 25
Trying 198.15.1.25 ...
Connected to mail.your.isp
Escape character is '^]'.
220 mail.your.isp ESMTP Sendmail 8.11.6/8.11.6; Sun, 18 Aug 2002 21:21:03 -0500
HELO south.pole.hq
250 mail.your.isp Hello south.pole.hq, pleased to meet you
MAIL FROM:<easter.bunny@north.pole.hq>
250 <easter.bunny@north.pole.hq>... sender ok
RCPT TO:<some.random.luser@your.isp>
250 <some.random.luser@your.isp>... recipient ok
RCPT TO:<unknown.luser@your.isp>
550 <unknown.luser@your.isp> mailbox unavailable
RCPT TO:<still.another@your.isp>
250 <still.another@your.isp>... recipient ok
DATA
354 Enter mail, and end with "." on a line by itself
From: Your favorite place to buy
To: Our valued customers
Date: Some random date-string
Subject: Have I got a deal for you!!!

Buy your pills from http://www.some.wankers.website.org/sucker.html
.
250 UAA01441 Message accepted for delivery
quit
221 mail.your.isp closing connection
Connection closed by foreign host.
%

and what you may see if you know how to find the raw mail (looking at the
headers and all that):

Return-Path: <easter.bunny@north.pole.hq>
Received: from south.pole.hq (host54.zombie.isp.com [192.0.2.54])
        by mail.your.isp (8.11.6/8.11.6) with ESMTP id UAA01441
        Sat, 22 Nov 2003 15:42:28 -0700
Message-Id: 200311222242.mail.your.isp
From: Your favorite place to buy
To: Our valued customers
Date: Some random date-string
Subject: Have I got a deal for you!!!

Buy your pills from http://www.some.wankers.website.org/sucker.html

So, where did the crap come from? Certainly not what it says in the
"From:" header (which doesn't even _have_ a valid mail address here).
Some comments:

1) Notice the receiving mail server didn't blink when the 'MAIL FROM:'
   didn't match the domain of the remote host.

2) In the 'Received:' header, this receiving host did a lookup of the IP
   address that the sending host was using - the PTR name is within the
   parentheses, the actual IP within the square brackets.

3) Notice that the To: and From: headers serve _no_ purpose in the
   delivery of the mail - that's handled solely by the 'RCPT TO:' command
   to the Mail Transfer Agent (MTA - or your mail server).

4) Because there were multiple 'RCPT TO:' names, your name did not appear
   in the 'Received:' header added by _your_ mail server (it would be just
   before the date value in that 'Received:' header if you were the only
   recipient).

5) Notice the receiving mail server returning a 250 to "valid" names of
   recipients, and a 550 when given an invalid name - in normal mail, this
   would cause an error message back to the sender's mail tool, but a
   spammer ignores this, or never sees it.

For a lot more information, see http://www.stopspam.org/email/headers.html

        Old guy
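The post above explains that delivery is driven by the SMTP envelope (MAIL FROM:, RCPT TO:) and that the To:/From: header lines are just text, which is why the recipient's own address never shows up. The following Python model is an added example, not code from the post or from the stopspam.org page it links to. It replays the session with constructed data (the same fake mailboxes and addresses as the transcript), models the 250/550 replies per RCPT TO:, builds the Received: header the receiving server would prepend (the `with ESMTP id ... for <addr>;` layout is assumed to follow the Sendmail style shown in the post and only names a recipient when exactly one was accepted), and then parses a delivered copy the way a defender would: the connecting IP in square brackets and its PTR name come from the topmost Received: header, which our own server wrote, while the To: header turns out to contain no mailbox at all.

```python
import re
from dataclasses import dataclass
from email import message_from_string

# Constructed sample: the mailboxes the receiving MTA knows about. Two of the
# three names given with RCPT TO: in the post's session exist here.
KNOWN_MAILBOXES = {"some.random.luser@your.isp", "still.another@your.isp"}

# Constructed sample: what the sender typed after DATA. The From:/To: lines are
# free text and play no part in delivery.
SAMPLE_DATA = (
    "From: Your favorite place to buy\n"
    "To: Our valued customers\n"
    "Date: Some random date-string\n"
    "Subject: Have I got a deal for you!!!\n"
    "\n"
    "Buy your pills from http://www.some.wankers.website.org/sucker.html\n"
)


@dataclass
class Envelope:
    """The SMTP envelope: what MAIL FROM: and RCPT TO: actually said."""
    mail_from: str
    rcpt_to: list


def rcpt_responses(envelope, known_mailboxes=KNOWN_MAILBOXES):
    """Reply code the MTA gives each RCPT TO:: 250 for a known mailbox, 550 otherwise."""
    return [(addr, 250 if addr in known_mailboxes else 550) for addr in envelope.rcpt_to]


def deliver(envelope, data, helo, ptr_name, peer_ip,
            known_mailboxes=KNOWN_MAILBOXES, server="mail.your.isp",
            queue_id="UAA01441", date="Sat, 22 Nov 2003 15:42:28 -0700"):
    """Model delivery: every accepted RCPT TO: mailbox gets a copy of DATA with
    Return-Path and a Received: header prepended by the receiving server.
    The 'for <addr>' clause (assumed Sendmail-style layout) is written only when
    exactly one recipient was accepted, so a multi-recipient spam never names you."""
    accepted = [addr for addr, code in rcpt_responses(envelope, known_mailboxes) if code == 250]
    for_clause = f" for <{accepted[0]}>" if len(accepted) == 1 else ""
    received = (
        f"Received: from {helo} ({ptr_name} [{peer_ip}])\n"
        f"        by {server} (8.11.6/8.11.6) with ESMTP id {queue_id}{for_clause};\n"
        f"        {date}\n"
    )
    stored = f"Return-Path: <{envelope.mail_from}>\n" + received + data
    return {mailbox: stored for mailbox in accepted}


# "from HELO (ptr [ip])" as written by a server we control: the bracketed IP is
# what the peer really connected from, the PTR name is the reverse lookup of it.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def origin_of(raw_message):
    """Pull the trustworthy facts out of a stored message: connecting IP, PTR
    name and HELO from the topmost Received: header (the one our own MTA wrote),
    the envelope sender from Return-Path, and whatever addresses the cosmetic
    To:/Cc: headers happen to mention (often none, as in the post)."""
    msg = message_from_string(raw_message)
    top_received = (msg.get_all("Received") or [""])[0]
    m = RECEIVED_RE.search(top_received)
    header_addrs = set()
    for name in ("To", "Cc"):
        for value in msg.get_all(name) or []:
            header_addrs.update(ADDR_RE.findall(value))
    return {
        "helo": m.group(1) if m else None,
        "ptr": m.group(2) if m else None,
        "ip": m.group(3) if m else None,
        "return_path": msg["Return-Path"],
        "header_to": msg["To"],
        "addresses_in_headers": header_addrs,
    }


if __name__ == "__main__":
    env = Envelope("easter.bunny@north.pole.hq",
                   ["some.random.luser@your.isp", "unknown.luser@your.isp",
                    "still.another@your.isp"])
    for addr, code in rcpt_responses(env):
        print(code, addr)
    copies = deliver(env, SAMPLE_DATA, helo="south.pole.hq",
                     ptr_name="host54.zombie.isp.com", peer_ip="192.0.2.54")
    mine = copies["some.random.luser@your.isp"]
    print(mine)
    print(origin_of(mine))
```

Running it prints the three reply codes (250, 550, 250), the copy that landed in some.random.luser's mailbox, and the parsed origin: the IP 192.0.2.54 and PTR host54.zombie.isp.com are the facts your own server recorded, the Return-Path is the envelope sender, and the set of addresses found in To:/Cc: is empty, which is exactly the "my address isn't in there anywhere" symptom the original question describes.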


