Spoofing

Spoofing "TO" Address in email

Posted by Phil Nospam on November 18, 2005, 5:16 pm
I'm not sure if this is the right forum for this...if not please point me in
the right direction.

I'm receiving email that is addressed to someone else. Not using any real
email addresses here, but here's an example: my email address is abc@rr.com
but the email is addressed to 123@rr.com . I've checked the headers and my
email address/name doesn't appear in there ANYWHERE. I talked to my ISP, I
have Time Warner's Road Runner service, and they said that the sender is
spoofing the "TO" address. The things he said just didn't make any sense -
granted I'm not a security expert, but I've got a little common sense.

First he said that the email would be addressed to the proper person, but
some software would then change the value in the "TO" field after it was
sent. I asked and he confirmed that he didn't mean software on my PC would
change the TO value (running daily AV). I then asked if it would be on the
Road Runner server...he said no, on the sender's server. What I don't
understand is how the email can be sent to the recipient address, then the
recipient address be changed on the server before it is sent. He said that
was a form of "spoofing". I've searched the web and can only find info
about spoofing the RETURN address.

Now I realize that he could have used some kind of mailing list, but the TO
address was another Road Runner email address...and they don't allow that
type of forwarding (or so they say). I thought that maybe I was a "BCC"
recipient, but other emails I've received like have had my correct email
address in the header somewhere.




Posted by Harri Mellin on November 18, 2005, 6:42 pm

> I'm not sure if this is the right forum for this...if not please point me in
> the right direction.
>
> I'm receiving email that is addressed to someone else. Not using any real
> email addresses here, but here's an example: my email address is abc@rr.com
> but the email is addressed to 123@rr.com . I've checked the headers and my
> email address/name doesn't appear in there ANYWHERE. I talked to my ISP, I
> have Time Warner's Road Runner service, and they said that the sender is
> spoofing the "TO" address. The things he said just didn't make any sense -
> granted I'm not a security expert, but I've got a little common sense.
>
> First he said that the email would be addressed to the proper person, but
> some software would then change the value in the "TO" field after it was
> sent. I asked and he confirmed that he didn't mean software on my PC would
> change the TO value (running daily AV). I then asked if it would be on the
> Road Runner server...he said no, on the sender's server. What I don't
> understand is how the email can be sent to the recipient address, then the
> recipient address be changed on the server before it is sent. He said that
> was a form of "spoofing". I've searched the web and can only find info
> about spoofing the RETURN address.
>
> Now I realize that he could have used some kind of mailing list, but the TO
> address was another Road Runner email address...and they don't allow that
> type of forwarding (or so they say). I thought that maybe I was a "BCC"
> recipient, but other emails I've received like have had my correct email
> address in the header somewhere.
>
>
>

add 123@rr.com in the TO field
add the rest of the email addresses in the BCC (Blind Carbon Copy)

and everyone gets an email with 123@rr.com in the TO field

--
-------------------------------------------
Swedish Webcams <http://www.webcams.zap.to>
-------------------------------------------

Posted by Bit Twister on November 18, 2005, 6:52 pm
On Fri, 18 Nov 2005 22:16:59 GMT, Phil Nospam wrote:
> I'm not sure if this is the right forum for this...if not please point me in
> the right direction.
>
> I'm receiving email that is addressed to someone else. Not using any real
> email addresses here, but here's an example: my email address is abc@rr.com
> but the email is addressed to 123@rr.com . I've checked the headers and my
> email address/name doesn't appear in there ANYWHERE.


Yes, common method by spammers. Your email address is in the BCC field
which is why you can not see how you received it.

I make sure any email name I chose cannot be found with a search
engine.

I do not get any spam in any of the 8 email addresses I have picked.

Spammers collect email addys, strip the domain and add all the major
ISP names and shoot out the spam.

Change your email addy to something like p3hil_8_nospam and your
spam problem will clear right up. Just never post your email on usenet
and only hand out throw away addresses like
p3hil_8_nospam@hotmail.com.

You need to use a third party news reader instead of M$ apps.
Also separate email/browser apps.
You might visit a site which asks your browser for anonymous ftp which
provides your email addy as password. Now they can sell it to
spammers.


Posted by Phil Nospam on November 20, 2005, 9:11 pm
> On Fri, 18 Nov 2005 22:16:59 GMT, Phil Nospam wrote:
> > I'm not sure if this is the right forum for this...if not please point me in
> > the right direction.
> >
> > I'm receiving email that is addressed to someone else. Not using any real
> > email addresses here, but here's an example: my email address is abc@rr.com
> > but the email is addressed to 123@rr.com . I've checked the headers and my
> > email address/name doesn't appear in there ANYWHERE.
>
>
> Yes, common method by spammers. Your email address is in the BCC field
> which is why you can not see how you received it.
>
> I make sure any email name I chose cannot be found with a search
> engine.
>
> I do not get any spam in any of the 8 email addresses I have picked.
>
> Spammers collect email addys, strip the domain and add all the major
> ISP names and shoot out the spam.
>
> Change your email addy to something like p3hil_8_nospam and your
> spam problem will clear right up. Just never post your email on usenet
> and only hand out throw away addresses like
> p3hil_8_nospam@hotmail.com.
>
> You need to use a third party news reader instead of M$ apps.
> Also separate email/browser apps.
> You might visit a site which asks your browser for anonymous ftp which
> provides your email addy as password. Now they can sell it to
> spammers.
>

Thanks for all the great tips.

As a test, I sent myself an email without addressing the TO field at all,
and placing my email address in the BCC field (using Outlook Express 6). I
received it with the TO field blank, and when I examine the header I do see
the email address it was addressed to in the BCC field (it doesn't say it
was the BCC field, but I know it was because I sent it).

I performed the same test sending it from a free Netscape account to my Road
Runner account and saw the same thing. Doesn't the recipient's email
address have to be in the header SOMEWHERE in order for the recipient to
actually receive it?

Here's a copy of part of the header that shows how I can tell I'm receiving
an email as a BCC recipient if sent from Road Runner email address or
Netscape email address:

Received: from ms-mta-02-eri0 (ms-mta-02-eri0 [10.25.8.235])
by ms-mss-05.southeast.rr.com
(iPlanet Messaging Server 5.2 HotFix 2.08 (built Sep 22 2005))
aBCCrecipient@sc.rr.com; Sun, 20 Nov 2005 20:48:58 -0500 (EST)

The end of that "Received: from" statement says that the email is "for
aBCCrecipient@sc.rr.com". I replaced the real email address with
"aBCCrecipient", but you see my point. The spam email I receive doesn't
have anything like that in it. So how does it know it's for me and end up
in my Inbox?

Here's the same part of the header from the spam email I received that was
addressed TO somebody else:

Received: from ms-mta-02-eri0 (ms-mta-02-eri0 [10.25.8.235])
by ms-mss-05.southeast.rr.com
(iPlanet Messaging Server 5.2 HotFix 2.08 (built Sep 22 2005))
14 Nov 2005 13:19:35 -0500 (EST)

See... there's nothing there to show who it is going to.
Or maybe it's there and encrypted in the next to the last line where it says
0IPY007F0IWCXZ@ms-mss-05.southeast.rr.com?

Thanks again for your assistance.



Posted by Moe Trin on November 21, 2005, 2:46 pm
In the Usenet newsgroup alt.computer.security, in article

>As a test, I sent myself an email without addressing the TO field at all,
>and placing my email address in the BCC field (using Outlook Express 6).
>I received it with the TO field blank, and when I examine the header I do
>see the email address it was addressed to in the BCC field (it doesn't
>say it was the BCC field, but I know it was because I sent it).

Your concept is correct, but spammers and bulk mailers do not use user
level tools like Outlook Express.

>Doesn't the recipient's email address have to be in the header SOMEWHERE
>in order for the recipient to actually receive it?

No. ALL mail delivery is based on the 'Envelope Recipient' and that
value may not show up in any header.

>Here's a copy of part of the header that shows how I can tell I'm
>receiving an email as a BCC recipient if sent from Road Runner email
>address or Netscape email address:

Now, send a mail to TWO (or more) people at once at the same address
(meaning 'userA@rr.com' and 'userB@rr.com'), and then notice the difference
in the headers. NEITHER NAME WILL APPEAR, but the crap will be delivered
just the same.

>The end of that "Received: from" statement says that the email is "for
>aBCCrecipient@sc.rr.com". I replaced the real email address with
>"aBCCrecipient", but you see my point. The spam email I receive doesn't
>have anything like that in it. So how does it know it's for me and end up
>in my Inbox?

Because it is being delivered to more than one person at rr.com, the
header does not show the individual addressees. In the conversation
between the sending mail server (ms-mta-02-eri0 in the case you show)
and receiving mail server (ms-mss-05.southeast.rr.com in the case you
show), the "MAIL FROM" term gets into the 'Return-path:' header (but
that name is under control of the sender, and can be faked), and the
"RCPT TO:" which is what actually controls delivery only gets passed
to the mail you see if there is only ONE instance and in that case
alone is it put in the "Received:" header.

>Here's the same part of the header from the spam email I received that
>was addressed TO somebody else:

That's no help - you need to look at more than that one line. In this
case, it was actually sent to two OR MORE people at rr.com. See
http://www.stopspam.org/email/headers.html for more details.

>See... there's nothing there to show who it is going to.

Yup - the ENVELOPE gets thrown away on the receiving mail server, and
all you see is the contents. Sorry, but that's the way email works.

>Or maybe it's there and encrypted in the next to the last line where it
>says 0IPY007F0IWCXZ@ms-mss-05.southeast.rr.com?

No, that is the "serial number" of the message transaction on that specific
mail server.

See RFC0821, 0822, 2821, and 2822, which can be found on the web.

Old guy
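
The envelope-versus-header behaviour described in this thread, as an added example that is not part of any post: a toy receiving server (not any real MTA's code) that delivers on the envelope recipients only and, following the description above, records a "for" clause only when there is a single recipient. The host names, function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the To: header names 123@rr.com, as in the thread.
SPAM = ("From: offers@sender.example.org\n"
        "To: 123@rr.com\n"
        "Subject: constructed sample\n"
        "\n"
        "body text\n")

def deliver(mail_from, rcpt_to, raw_message, server="mx.example.net"):
    """Toy receiving server: route on the envelope, then discard it.

    Returns {mailbox: stored message}. Only what is stamped into the
    headers here survives for the reader to inspect.
    """
    received = f"from sender.example.org by {server}"
    if len(rcpt_to) == 1:
        # Assumption taken from the thread: the "for" clause is written
        # only when the transaction has exactly one RCPT TO.
        received += f" for <{rcpt_to[0]}>"
    stamped = (f"Return-Path: <{mail_from}>\n"
               f"Received: {received}; Mon, 14 Nov 2005 13:19:35 -0500\n"
               + raw_message)
    return {mailbox: stamped for mailbox in rcpt_to}

def visible_recipients(stored):
    """Addresses recoverable from To/Cc and Received 'for' clauses."""
    msg = message_from_string(stored)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    found = {addr.lower() for _, addr in getaddresses(headers) if addr}
    for hop in msg.get_all("Received", []):
        found.update(m.lower() for m in
                     re.findall(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", hop))
    return found

if __name__ == "__main__":
    bulk = deliver("bounce@sender.example.org",
                   ["abc@rr.com", "xyz@rr.com"], SPAM)
    print(sorted(bulk), visible_recipients(bulk["abc@rr.com"]))
    single = deliver("bounce@sender.example.org", ["abc@rr.com"], SPAM)
    print(visible_recipients(single["abc@rr.com"]))
```

In the two-recipient run abc@rr.com receives the message although only 123@rr.com can be found in its headers; in the single-recipient run the "for" clause exposes abc@rr.com.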
