Re: Spoofing "TO" Address in email
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 11/23/05
- Next message: Kadaitcha Man: "Re: k0oKSLURP!!!1!"
- Previous message: Moe Trin: "Re: Port scanned by these strange IPs..."
- In reply to: Phil Nospam: "Re: Spoofing "TO" Address in email"
- Next in thread: Phil Nospam: "Re: Spoofing "TO" Address in email"
- Reply: Phil Nospam: "Re: Spoofing "TO" Address in email"
Date: Wed, 23 Nov 2005 13:51:19 -0600
On Wed, 23 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
<RjSgf.4043$xD5.17613 95@twister.southeast.rr.com>, Phil Nospam wrote:
>
>"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
>news:slrndo491a.m3v.ibuprofin@compton.phx.az.us...
>One thing though...in the section where you wrote:
>> Now, send a mail to TWO (or more) people at once at the same address
>> (meaning 'userA@rr.com' and 'userB@rr.com'), and then notice the difference
>> in the headers. NEITHER NAME WILL APPEAR, but the crap will be delivered
>> just the same.
>
>I tried that and the header still revealed the name of the intended
>recipient (addressed in the BCC field) in the header. Now it didn't reveal
>the name of the other blind recipients, just the one that actually received
>it as a blind recipient.

Try sending it as multiple recipients in the 'To:' field, rather than the
BCC, and make sure all recipients are located in the same domain (sending
to 'foo@rr.com' and 'bar@netscape.com' won't be the same - it must be
'foo@rr.com' and 'bar@rr.com'). Also remember that spammers are not using
your 'user' grade software like Outlook. Can you really imagine some
spammer sitting at a computer, and cutting/pasting the same message to a
hundred people, and repeating this for the one to fifteen _million_
recipients of a normal spam run? They're stupid, but not THAT st00pid.

>Could that be a function of the mail server software itself? It appears
>that RoadRunner is using the iPlanet Messaging Server from Sun. Maybe it
>can be configured to include the individual BCC recipient's email address
>in the header (but not the others, otherwise it wouldn't be blind) for
>security and tracking purposes?

I can't think why that would be needed, but then we're not using iPlanet.

>But it can only do it on outgoing emails, not incoming, because as you said
>the "envelope" gets thrown away. Just a thought.

The 'Received:' header is added by hosts that receive the mail. RFC0821
didn't spell it out as cleanly, but RFC2821 section 3.8.2 requires an
Internet gateway that receives the mail to ADD a received header, and to
not alter the already existing received headers. Thus, the headers should
show a chain from source to destination - or as RFC0821 shows

    Received: from GHI.ARPA by JKL.ARPA ; 27 Oct 81 15:27:39 PST
    Received: from DEF.ARPA by GHI.ARPA ; 27 Oct 81 15:15:13 PST
    Received: from ABC.ARPA by DEF.ARPA ; 27 Oct 81 15:01:59 PST

The modern header (the above is from 1981) has more information such
as IP addresses, transaction IDs, and maybe software versions AND the name
of the ultimate recipient, but that name is only added when (for the
specific mail server in question) there is one and only one envelope
recipient.

Regarding those 'Received:' headers, you can only trust the 'last' one
added (above, the 15:27:39 line) by systems you (or perhaps your
ISP) control. Spammers often add faked lines to confuse the issue, and
those lines can contain any fairy tale the spammer wishes to include.

Old guy
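
The trust rule for 'Received:' headers described in the post, as an added example that is not part of the original message: it walks the chain newest-first and marks where trust ends. The sample message, the host names and the TRUSTED set are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample: every hostname, address and ID below is invented.
SAMPLE = """\
Received: from relay.isp.example (relay.isp.example [192.0.2.10])
\tby mx.mydomain.example with ESMTP id A1 for <user@mydomain.example>;
\tWed, 23 Nov 2005 13:55:02 -0600
Received: from unknown.example (dialup.example [198.51.100.7])
\tby relay.isp.example with SMTP id B2; Wed, 23 Nov 2005 13:54:40 -0600
Received: from mail.bank.example by gateway.bank.example;
\tWed, 23 Nov 2005 13:50:00 -0600
From: someone@bank.example
Subject: constructed sample

body
"""
# Assumption: the hosts run by you or your ISP, known out of band.
TRUSTED = {"mx.mydomain.example", "relay.isp.example"}

BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def classify_received(raw, trusted=TRUSTED):
    """Walk Received: headers newest-first (top of message = last hop).
    Trust ends at the first hop whose 'by' host is not ours; every
    header below that point could have been written by the sender."""
    hops, ok = [], True
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        by = BY_RE.search(flat)
        ip = IP_RE.search(flat)
        rcpt = FOR_RE.search(flat)
        ok = ok and by is not None and by.group(1).lower() in trusted
        hops.append({"by": by.group(1) if by else None,
                     "peer_ip": ip.group(1) if ip else None,
                     "for": rcpt.group(1) if rcpt else None,  # single-recipient only
                     "trusted": ok})
    return hops

def handoff_ip(hops):
    """Peer address recorded by the oldest trusted hop: the last fact
    about the message's origin that a controlled system vouches for."""
    trusted = [h for h in hops if h["trusted"]]
    return trusted[-1]["peer_ip"] if trusted else None

if __name__ == "__main__":
    for hop in classify_received(SAMPLE):
        print(hop)
```

Matching on the 'by' host name alone is a simplification: a line that merely names one of your hosts would pass, so a stricter check also compares each hop against the peer address recorded by the hop above it.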