Re: Spoofing "TO" Address in email
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 11/21/05
Date: Mon, 21 Nov 2005 13:46:58 -0600
In the Usenet newsgroup alt.computer.security, in article
<d1agf.2796$xD5.1454574@twister.southeast.rr.com>, Phil Nospam wrote:
>As a test, I sent myself an email without addressing the TO field at all,
>and placing my email address in the BCC field (using Outlook Express 6).
>I received it with the TO field blank, and when I examine the header I do
>see the email address it was addressed to in the BCC field (it doesn't
>say it was the BCC field, but I know it was because I sent it).
Your concept is correct, but spammers and bulk mailers do not use user
level tools like Outlook Express.
>Doesn't the recipient's email address have to be in the header SOMEWHERE
>in order for the recipient to actually receive it?
No. ALL mail delivery is based on the 'Envelope Recipient' and that
value may not show up in any header.
>Here's a copy of part of the header that shows how I can tell I'm
>receiving an email as a BCC recipient if sent from Road Runner email
>address or Netscape email address:
Now, send a mail to TWO (or more) people at once at the same address
(meaning 'userA@rr.com' and 'userB@rr.com'), and then notice the difference
in the headers. NEITHER NAME WILL APPEAR, but the crap will be delivered
just the same.
>The end of that "Received: from" statement says that the email is "for
>aBCCrecipient@sc.rr.com". I replaced the real email address with
>"aBCCrecipient", but you see my point. The spam email I receive doesn't
>have anything like that in it. So how does it know it's for me and end up
>in my Inbox?
Because it is being delivered to more than one person at rr.com, the
header does not show the individual addressees. In the conversation
between the sending mail server (ms-mta-02-eri0 in the case you show)
and receiving mail server (ms-mss-05.southeast.rr.com in the case you
show), the "MAIL FROM" term gets into the 'Return-path:' header (but
that name is under control of the sender, and can be faked), and the
"RCPT TO:" which is what actually controls delivery only gets passed
to the mail you see if there is only ONE instance and in that case
alone is it put in the "Received:" header.
>Here's the same part of the header from the spam email I received that
>was addressed TO somebody else:
That's no help - you need to look at more than that one line. In this
case, it was actually sent to two OR MORE people at rr.com. See
http://www.stopspam.org/email/headers.html for more details.
>See... there's nothing there to show who it is going to.
Yup - the ENVELOPE gets thrown away on the receiving mail server, and
all you see is the contents. Sorry, but that's the way email works.
>Or maybe it's there and encrypted in the next to the last line where it
>says 0IPY007F0IWCXZ@ms-mss-05.southeast.rr.com?
No, that is the "serial number" of the message transaction on that specific
mail server.
See RFC0821, 0822, 2821, and 2822, which can be found on the web.
Old guy
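
Added example, not part of the original post: a small Python model of the receiving server behaviour described above, where delivery follows the envelope "RCPT TO" list and the "for <address>" clause is written into "Received:" only when there is exactly one recipient. All addresses, host names and the transaction id are constructed placeholders, and `deliver` and `headers_naming` are hypothetical helper names; no mail is sent.

```python
from email import message_from_string

# Constructed sample: the message content exactly as the sender wrote it.
# Note that no header names any recipient at example.net.
RAW = (
    "From: offers@bulk.example\n"
    "To: someone.else@elsewhere.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body text\n"
)


def deliver(mail_from, rcpt_to, raw, mta="mx.example.net", txn_id="0CONSTRUCTED01"):
    """Model a receiving server: one mailbox copy per envelope recipient.

    The envelope (mail_from, rcpt_to) is thrown away after delivery; only the
    trace headers the server writes itself keep any part of it.
    """
    received = f"from sender.example by {mta} with SMTP id <{txn_id}@{mta}>"
    if len(rcpt_to) == 1:
        # The "for" clause appears only when there was a single RCPT TO.
        received += f" for <{rcpt_to[0]}>"
    # MAIL FROM is chosen by the sender, so Return-Path proves nothing.
    stamped = f"Return-Path: <{mail_from}>\nReceived: {received}\n{raw}"
    return {rcpt: message_from_string(stamped) for rcpt in rcpt_to}


def headers_naming(msg, address):
    """Return the names of headers whose value mentions the address."""
    needle = address.lower()
    return [name for name, value in msg.items() if needle in str(value).lower()]


if __name__ == "__main__":
    one = deliver("bounce@bulk.example", ["userA@example.net"], RAW)
    two = deliver("bounce@bulk.example",
                  ["userA@example.net", "userB@example.net"], RAW)
    for label, boxes in (("one RCPT TO", one), ("two RCPT TO", two)):
        for rcpt, msg in boxes.items():
            print(label, rcpt, "named in:", headers_naming(msg, rcpt) or "no header")
```
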