Re: Spoofing "TO" Address in email

From: Phil Nospam (philnospam_at_dontwantnospam.com)
Date: 11/23/05


Date: Wed, 23 Nov 2005 04:34:57 GMT


"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
news:slrndo491a.m3v.ibuprofin@compton.phx.az.us...
> In the Usenet newsgroup alt.computer.security, in article
> <d1agf.2796$xD5.1454574@twister.southeast.rr.com>, Phil Nospam wrote:
>
> >As a test, I sent myself an email without addressing the TO field at all,
> >and placing my email address in the BCC field (using Outlook Express 6).
> >I received it with the TO field blank, and when I examine the header I do
> >see the email address it was addressed to in the BCC field (it doesn't
> >say it was the BCC field, but I know it was because I sent it).
>
> Your concept is correct, but spammers and bulk mailers do not use user
> level tools like Outlook Express.
>
> >Doesn't the recipient's email address have to be in the header SOMEWHERE
> >in order for the recipient to actually receive it?
>
> No. ALL mail delivery is based on the 'Envelope Recipient' and that
> value may not show up in any header.
>
> >Here's a copy of part of the header that shows how I can tell I'm
> >receiving an email as a BCC recipient if sent from Road Runner email
> >address or Netscape email address:
>
> Now, send a mail to TWO (or more) people at once at the same address
> (meaning 'userA@rr.com' and 'userB@rr.com', and then notice the difference
> in the headers. NEITHER NAME WILL APPEAR, but the crap will be delivered
> just the same.
>
> >The end of that "Received: from" statement says that the email is "for
> >aBCCrecipient@sc.rr.com". I replaced the real email address with
> >"aBCCrecipient", but you see my point. The spam email I receive doesn't
> >have anything like that in it. So how does it know it's for me and end up
> >in my Inbox?
>
> Because it is being delivered to more than one person at rr.com, the
> header does not show the individual addressees. In the conversation
> between the sending mail server (ms-mta-02-eri0 in the case you show)
> and receiving mail server (ms-mss-05.southeast.rr.com in the case you
> show), the "MAIL FROM" term gets into the 'Return-path:' header (but
> that name is under control of the sender, and can be faked), and the
> "RCPT TO:" which is what actually controls delivery only gets passed
> to the mail you see if there is only ONE instance and in that case
> alone is it put in the "Received:" header.
>
> >Here's the same part of the header from the spam email I received that
> >was addressed TO somebody else:
>
> That's no help - you need to look at more than that one line. In this
> case, it was actually sent to two OR MORE people at rr.com. See
> http://www.stopspam.org/email/headers.html for more details.
>
> >See... there's nothing there to show who it is going to.
>
> Yup - the ENVELOPE gets thrown away on the receiving mail server, and
> all you see is the contents. Sorry, but that's the way email works.
>
> >Or maybe it's there and encrypted in the next to the last line where it
> >says 0IPY007F0IWCXZ@ms-mss-05.southeast.rr.com?
>
> No, that is the "serial number" of the message transaction on that specific
> mail server.
>
> See RFC0821, 0822, 2821, and 2822, which can be found on the web.
>
> Old guy

Old guy (or Moe),

Thanks for your help and excellent explanations...it's making a lot more
sense now.

One thing though...in the section where you wrote:
> Now, send a mail to TWO (or more) people at once at the same address
> (meaning 'userA@rr.com' and 'userB@rr.com', and then notice the difference
> in the headers. NEITHER NAME WILL APPEAR, but the crap will be delivered
> just the same.

I tried that and the header still revealed the name of the intended
recipient (addressed in the BCC field) in the header. Now it didn't reveal
the name of the other blind recipients, just the one that actually received
it as a blind recipient. Could that be a function of the mail server
software itself? It appears that RoadRunner is using the iPlanet Messaging
Server from Sun. Maybe it can be configured to include the individual BCC
recipient's email address in the header (but not the others, otherwise it
wouldn't be blind) for security and tracking purposes? But it can only do
it on outgoing emails, not incoming, because as you said the "envelope" gets
thrown away. Just a thought.

Thanks again,

Phil
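A small model of the envelope-versus-header distinction discussed in this thread, added here as an illustration and not code from either poster. It simulates the SMTP dialogue (MAIL FROM / RCPT TO / DATA) and a receiving server that, as Moe describes, appends a "for <addr>" clause to its Received: header only when there was exactly one envelope recipient. Hostnames and addresses are constructed sample values, and the one-recipient rule is taken from the thread rather than from any particular server's configuration.

```python
from dataclasses import dataclass, field


@dataclass
class Envelope:
    """SMTP envelope: what actually drives delivery (constructed model)."""
    mail_from: str
    rcpt_to: list = field(default_factory=list)


def smtp_session(envelope, headers, body):
    """Lines the sending MTA hands to the receiving MTA, envelope first."""
    lines = [f"MAIL FROM:<{envelope.mail_from}>"]
    lines += [f"RCPT TO:<{r}>" for r in envelope.rcpt_to]
    lines.append("DATA")
    lines += headers + ["", body, "."]
    return lines


def receive(envelope, headers, body,
            sending_host="ms-mta-02.example.invalid",
            receiving_host="ms-mss-05.example.invalid"):
    """Build each mailbox copy as the receiving MTA would store it.

    The envelope recipient only survives into the stored message through the
    optional 'for' clause; with two or more RCPT TO values it is dropped.
    """
    received = f"Received: from {sending_host} by {receiving_host}"
    if len(envelope.rcpt_to) == 1:
        received += f" for <{envelope.rcpt_to[0]}>"
    return_path = f"Return-Path: <{envelope.mail_from}>"  # from MAIL FROM
    # Every recipient gets the same text; the envelope is not stored.
    return {rcpt: [received, return_path, *headers, "", body]
            for rcpt in envelope.rcpt_to}


def recipient_in_stored_message(stored_lines, rcpt):
    """Header-analysis check: does the stored copy name its own recipient?"""
    return any(rcpt in line for line in stored_lines)


# Constructed sample: To: names someone else, real recipients given via Bcc,
# so they appear only in the envelope.
HEADERS = ["From: <sender@example.invalid>",
           "To: <somebody-else@example.invalid>",
           "Subject: test"]
SINGLE = Envelope("sender@example.invalid", ["userA@example.invalid"])
MULTI = Envelope("sender@example.invalid",
                 ["userA@example.invalid", "userB@example.invalid"])
```

Running `receive(MULTI, HEADERS, "hi")` shows why the spam copy carries no trace of the addressee: only the single-recipient case leaves the address behind in Received:.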
