Spoofing "TO" Address in email
I'm not sure if this is the right forum for this... if not, please point me in the right direction.

I'm receiving email that is addressed to someone else. Not using any real email addresses here, but here's an example: my email address is abc@rr.com but the email is addressed to 123@rr.com. I've checked the headers and my email address/name doesn't appear in there ANYWHERE. I talked to my ISP (I have Time Warner's Road Runner service), and they said that the sender is spoofing the "TO" address. The things he said just didn't make any sense - granted I'm not a security expert, but I've got a little common sense.

First he said that the email would be addressed to the proper person, but some software would then change the value in the "TO" field after it was sent. I asked and he confirmed that he didn't mean software on my PC would change the TO value (running daily AV). I then asked if it would be on the Road Runner server... he said no, on the sender's server. What I don't understand is how the email can be sent to the recipient address, then the recipient address be changed on the server before it is sent. He said that was a form of "spoofing". I've searched the web and can only find info about spoofing the RETURN address.

Now I realize that he could have used some kind of mailing list, but the TO address was another Road Runner email address... and they don't allow that type of forwarding (or so they say). I thought that maybe I was a "BCC" recipient, but other emails I've received like this have had my correct email address in the header somewhere.
Re: Spoofing "TO" Address in email
In article <vpsff.1386$3o6.701870@twister.southeast.rr.com>, "Phil Nospam" <philnospam@dontwantnospam.com> wrote:

> I'm not sure if this is the right forum for this... if not, please point me in
> the right direction.
>
> I'm receiving email that is addressed to someone else. Not using any real
> email addresses here, but here's an example: my email address is abc@rr.com
> but the email is addressed to 123@rr.com. I've checked the headers and my
> email address/name doesn't appear in there ANYWHERE. I talked to my ISP, I
> have Time Warner's Road Runner service, and they said that the sender is
> spoofing the "TO" address. The things he said just didn't make any sense -
> granted I'm not a security expert, but I've got a little common sense.
>
> First he said that the email would be addressed to the proper person, but
> some software would then change the value in the "TO" field after it was
> sent. I asked and he confirmed that he didn't mean software on my PC would
> change the TO value (running daily AV). I then asked if it would be on the
> Road Runner server... he said no, on the sender's server. What I don't
> understand is how the email can be sent to the recipient address, then the
> recipient address be changed on the server before it is sent. He said that
> was a form of "spoofing". I've searched the web and can only find info
> about spoofing the RETURN address.
>
> Now I realize that he could have used some kind of mailing list, but the TO
> address was another Road Runner email address... and they don't allow that
> type of forwarding (or so they say). I thought that maybe I was a "BCC"
> recipient, but other emails I've received like this have had my correct email
> address in the header somewhere.

Add 123@rr.com in the TO field, add the rest of the email addresses in the BCC (Blind Carbon Copy), and everyone gets an email with 123@rr.com in the TO field.

--
-------------------------------------------
Swedish Webcams <http://www.webcams.zap.to>
-------------------------------------------
Re: Spoofing "TO" Address in email
On Fri, 18 Nov 2005 22:16:59 GMT, Phil Nospam wrote:

> I'm not sure if this is the right forum for this... if not, please point me in
> the right direction.
>
> I'm receiving email that is addressed to someone else. Not using any real
> email addresses here, but here's an example: my email address is abc@rr.com
> but the email is addressed to 123@rr.com. I've checked the headers and my
> email address/name doesn't appear in there ANYWHERE.

Yes, common method by spammers. Your email address is in the BCC field, which is why you can not see how you received it.

I make sure any email name I choose cannot be found with a search engine.

I do not get any spam in any of the 8 email addresses I have picked.

Spammers collect email addys, strip the domain and add all the major ISP names and shoot out the spam.

Change your email addy to something like p3hil_8_nospam and your spam problem will clear right up. Just never post your email on usenet and only hand out throw-away addresses like p3hil_8_nospam@hotmail.com.

You need to use a third party news reader instead of M$ apps. Also separate email/browser apps. You might visit a site which asks your browser for anonymous ftp, which provides your email addy as password. Now they can sell it to spammers.
Re: Spoofing "TO" Address in email
In the Usenet newsgroup alt.computer.security, in article <vpsff.1386$3o6.701870@twister.southeast.rr.com>, Phil Nospam wrote:

> I'm not sure if this is the right forum for this... if not, please point me in
> the right direction.

It'll do.

> I'm receiving email that is addressed to someone else. Not using any real
> email addresses here, but here's an example: my email address is abc@rr.com
> but the email is addressed to 123@rr.com. I've checked the headers and my
> email address/name doesn't appear in there ANYWHERE. I talked to my ISP, I
> have Time Warner's Road Runner service, and they said that the sender is
> spoofing the "TO" address. The things he said just didn't make any sense -
> granted I'm not a security expert, but I've got a little common sense.

    % telnet mail.your.isp 25
    Trying 198.15.1.25 ...
    Connected to mail.your.isp
    Escape character is '^]'.
    220 mail.your.isp ESMTP Sendmail 8.11.6/8.11.6; Sun, 18 Aug 2002 21:21:03 -0500
    HELO south.pole.hq
    250 mail.your.isp Hello south.pole.hq, pleased to meet you
    MAIL FROM:<easter.bunny@north.pole.hq>
    250 <easter.bunny@north.pole.hq>... sender ok
    RCPT TO:<some.random.luser@your.isp>
    250 <some.random.luser@your.isp>... recipient ok
    RCPT TO:<unknown.luser@your.isp>
    550 <unknown.luser@your.isp> mailbox unavailable
    RCPT TO:<still.another@your.isp>
    250 <still.another@your.isp>... recipient ok
    DATA
    354 Enter mail, and end with "." on a line by itself
    From: Your favorite place to buy
    To: Our valued customers
    Date: Some random date-string
    Subject: Have I got a deal for you!!!

    Buy your pills from http://www.some.wankers.website.org/sucker.html
    .
    250 UAA01441 Message accepted for delivery
    quit
    221 mail.your.isp closing connection
    Connection closed by foreign host.
    %

and what you may see if you know how to find the raw mail (looking at the headers and all that):

    Return-Path: <easter.bunny@north.pole.hq>
    Received: from south.pole.hq (host54.zombie.isp.com [192.0.2.54])
        by mail.your.isp (8.11.6/8.11.6) with ESMTP id UAA01441
        Sat, 22 Nov 2003 15:42:28 -0700
    Message-Id: 200311222242.mail.your.isp
    From: Your favorite place to buy
    To: Our valued customers
    Date: Some random date-string
    Subject: Have I got a deal for you!!!

    Buy your pills from http://www.some.wankers.website.org/sucker.html

So, where did the crap come from? Certainly not what it says in the "From:" header (which doesn't even _have_ a valid mail address here). Some comments:

1) Notice the receiving mail server didn't blink when the 'MAIL FROM:' didn't match the domain of the remote host.

2) In the 'Received:' header, this receiving host did a lookup of the IP address that the sending host was using - the PTR name is within the parentheses, the actual IP within the square brackets.

3) Notice that the To: and From: headers serve _no_ purpose in the delivery of the mail - that's handled solely by the 'RCPT TO:' command to the Mail Transfer Agent (MTA - or your mail server).

4) Because there were multiple 'RCPT TO:' names, your name did not appear in the 'Received:' header added by _your_ mail server (it would be just before the date value in that 'Received:' header if you were the only recipient).

5) Notice the receiving mail server returning a 250 to "valid" names of recipients, and a 550 when given an invalid name - in normal mail, this would cause an error message back to the sender's mail tool, but a spammer ignores this, or never sees it.

For a lot more information, see http://www.stopspam.org/email/headers.html

Old guy
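The transaction above, replayed against a toy in-memory MTA, as an added example that is not part of the original post. It shows the two points the thread keeps coming back to: delivery is driven only by the envelope (the RCPT TO list), while the To:/From: headers inside DATA are stored and never consulted; and the Received: line added by the receiving server carries a "for <addr>" clause only when the transaction had exactly one accepted recipient, which is why Phil's BCC test showed his address and the multi-recipient spam did not. Hostnames and addresses are the placeholders from the post; the Received: layout is an assumption modelled on sendmail, and the toy server is not a real MTA (no queueing, no relay checks).

```python
# Added example, not from the thread: a toy MTA that walks through the SMTP
# session shown above. Hostnames/addresses are the post's own placeholders;
# the Received: format is an assumption modelled on sendmail's behaviour.
import re
from email import message_from_string

SERVER = "mail.your.isp"
LOCAL_USERS = {"some.random.luser@your.isp", "still.another@your.isp"}


def extract_addr(arg):
    """Pull the address out of 'FROM:<a@b>' / 'TO:<a@b>' (brackets optional)."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1).strip() if m else arg.partition(":")[2].strip()


def build_received(helo, client_ip, rcpts):
    """Received: line the receiving MTA prepends. The 'for' clause names the
    envelope recipient only when there was exactly one of them."""
    hdr = f"Received: from {helo} ([{client_ip}]) by {SERVER} with ESMTP"
    if len(rcpts) == 1:
        hdr += f" for <{rcpts[0]}>"
    return hdr + "; Sat, 22 Nov 2003 15:42:28 -0700"  # fixed timestamp for the example


def run_session(transcript, local_users=LOCAL_USERS, client_ip="192.0.2.54"):
    """Feed client-side SMTP lines to the toy MTA.
    Returns (server replies, {mailbox: [raw messages delivered]})."""
    mailboxes = {u: [] for u in local_users}
    replies, rcpts, body, helo, in_data = [], [], [], "unknown", False
    for line in transcript:
        if in_data:
            if line == ".":                      # end of DATA: deliver to the ENVELOPE recipients
                raw = build_received(helo, client_ip, rcpts) + "\n" + "\n".join(body)
                for r in rcpts:
                    mailboxes[r].append(raw)
                replies.append("250 Message accepted for delivery")
                rcpts, body, in_data = [], [], False
            else:                                # undo dot-stuffing; headers are stored verbatim, never read
                body.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            helo = arg.strip()
            replies.append(f"250 {SERVER} Hello {helo}, pleased to meet you")
        elif verb == "MAIL":                     # sender accepted unchecked, as in the post
            replies.append(f"250 <{extract_addr(arg)}>... sender ok")
        elif verb == "RCPT":
            addr = extract_addr(arg)
            if addr in mailboxes:
                rcpts.append(addr)
                replies.append(f"250 <{addr}>... recipient ok")
            else:                                # unknown user: 550, but the transaction goes on
                replies.append(f"550 <{addr}> mailbox unavailable")
        elif verb == "DATA":
            if not rcpts:
                replies.append("503 need RCPT (recipient)")
                continue
            in_data = True
            replies.append('354 Enter mail, and end with "." on a line by itself')
        elif verb == "QUIT":
            replies.append(f"221 {SERVER} closing connection")
        else:
            replies.append("500 command unrecognized")
    return replies, mailboxes


def make_transcript(rcpts):
    """Client side of the post's session, with the given RCPT TO list."""
    return (["HELO south.pole.hq", "MAIL FROM:<easter.bunny@north.pole.hq>"]
            + [f"RCPT TO:<{r}>" for r in rcpts]
            + ["DATA",
               "From: Your favorite place to buy",
               "To: Our valued customers",
               "Subject: Have I got a deal for you!!!",
               "",
               "Buy your pills from http://www.some.wankers.website.org/sucker.html",
               ".", "QUIT"])


def delivered_to(mailboxes):
    """Which local users actually received the message."""
    return sorted(u for u, msgs in mailboxes.items() if msgs)


def header(raw, name):
    """Read one header field from a delivered raw message (None if absent)."""
    return message_from_string(raw).get(name)


if __name__ == "__main__":
    rcpts = ["some.random.luser@your.isp", "unknown.luser@your.isp", "still.another@your.isp"]
    replies, boxes = run_session(make_transcript(rcpts))
    print("\n".join(replies))
    for user in delivered_to(boxes):
        print(f"\n--- mailbox {user} ---\n{boxes[user][0]}")
```

Run it and both accepted recipients get a copy whose To: still reads "Our valued customers" and whose Received: names neither of them; rerun with a single RCPT TO and the "for <addr>" clause appears.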
Re: Spoofing "TO" Address in email
"Bit Twister" <BitTwister@mouse-potato.com> wrote in message news:slrndnsq9s.te9.BitTwister@wb.home.invalid...

> On Fri, 18 Nov 2005 22:16:59 GMT, Phil Nospam wrote:
>> I'm not sure if this is the right forum for this... if not, please point me in
>> the right direction.
>>
>> I'm receiving email that is addressed to someone else. Not using any real
>> email addresses here, but here's an example: my email address is abc@rr.com
>> but the email is addressed to 123@rr.com. I've checked the headers and my
>> email address/name doesn't appear in there ANYWHERE.
>
> Yes, common method by spammers. Your email address is in the BCC field
> which is why you can not see how you received it.
>
> I make sure any email name I choose cannot be found with a search
> engine.
>
> I do not get any spam in any of the 8 email addresses I have picked.
>
> Spammers collect email addys, strip the domain and add all the major
> ISP names and shoot out the spam.
>
> Change your email addy to something like p3hil_8_nospam and your
> spam problem will clear right up. Just never post your email on usenet
> and only hand out throw-away addresses like
> p3hil_8_nospam@hotmail.com.
>
> You need to use a third party news reader instead of M$ apps.
> Also separate email/browser apps.
> You might visit a site which asks your browser for anonymous ftp which
> provides your email addy as password. Now they can sell it to
> spammers.

Thanks for all the great tips.

As a test, I sent myself an email without addressing the TO field at all, and placing my email address in the BCC field (using Outlook Express 6). I received it with the TO field blank, and when I examine the header I do see the email address it was addressed to in the BCC field (it doesn't say it was the BCC field, but I know it was because I sent it). I performed the same test sending it from a free Netscape account to my Road Runner account and saw the same thing. Doesn't the recipient's email address have to be in the header SOMEWHERE in order for the recipient to actually receive it?

Here's a copy of part of the header that shows how I can tell I'm receiving an email as a BCC recipient if sent from a Road Runner email address or Netscape email address:

    Return-path: <someunnamedperson@netscape.net>
    Received: from ms-mta-02-eri0 (ms-mta-02-eri0 [10.25.8.235])
        by ms-mss-05.southeast.rr.com (iPlanet Messaging Server 5.2 HotFix 2.08 (built Sep 22 2005))
        with ESMTP id <0IQA00KC77PLAX@ms-mss-05.southeast.rr.com> for aBCCrecipient@sc.rr.com;
        Sun, 20 Nov 2005 20:48:58 -0500 (EST)

The end of that "Received: from" statement says that the email is "for aBCCrecipient@sc.rr.com". I replaced the real email address with "aBCCrecipient", but you see my point. The spam email I receive doesn't have anything like that in it. So how does it know it's for me and end up in my Inbox?

Here's the same part of the header from the spam email I received that was addressed TO somebody else:

    Return-path: <balisabhette@auswww.com>
    Received: from ms-mta-02-eri0 (ms-mta-02-eri0 [10.25.8.235])
        by ms-mss-05.southeast.rr.com (iPlanet Messaging Server 5.2 HotFix 2.08 (built Sep 22 2005))
        with ESMTP id <0IPY007F0IWCXZ@ms-mss-05.southeast.rr.com>;
        Mon, 14 Nov 2005 13:19:35 -0500 (EST)

See... there's nothing there to show who it is going to. Or maybe it's there and encrypted in the next to the last line where it says 0IPY007F0IWCXZ@ms-mss-05.southeast.rr.com?

Thanks again for your assistance.
Re: Spoofing "TO" Address in email
In the Usenet newsgroup alt.computer.security, in article <d1agf.2796$xD5.1454574@twister.southeast.rr.com>, Phil Nospam wrote:

> As a test, I sent myself an email without addressing the TO field at all,
> and placing my email address in the BCC field (using Outlook Express 6).
> I received it with the TO field blank, and when I examine the header I do
> see the email address it was addressed to in the BCC field (it doesn't
> say it was the BCC field, but I know it was because I sent it).

Your concept is correct, but spammers and bulk mailers do not use user level tools like Outlook Express.

> Doesn't the recipient's email address have to be in the header SOMEWHERE
> in order for the recipient to actually receive it?

No. ALL mail delivery is based on the 'Envelope Recipient' and that value may not show up in any header.

> Here's a copy of part of the header that shows how I can tell I'm
> receiving an email as a BCC recipient if sent from a Road Runner email
> address or Netscape email address:

Now, send a mail to TWO (or more) people at once at the same address (meaning 'userA@rr.com' and 'userB@rr.com'), and then notice the difference in the headers. NEITHER NAME WILL APPEAR, but the crap will be delivered just the same.

> The end of that "Received: from" statement says that the email is "for
> aBCCrecipient@sc.rr.com". I replaced the real email address with
> "aBCCrecipient", but you see my point. The spam email I receive doesn't
> have anything like that in it. So how does it know it's for me and end up
> in my Inbox?

Because it is being delivered to more than one person at rr.com, the header does not show the individual addressees.

In the conversation between the sending mail server (ms-mta-02-eri0 in the case you show) and receiving mail server (ms-mss-05.southeast.rr.com in the case you show), the "MAIL FROM" term gets into the 'Return-path:' header (but that name is under control of the sender, and can be faked), and the "RCPT TO:", which is what actually controls delivery, only gets passed to the mail you see if there is only ONE instance, and in that case alone is it put in the "Received:" header.

> Here's the same part of the header from the spam email I received that
> was addressed TO somebody else:

That's no help - you need to look at more than that one line. In this case, it was actually sent to two OR MORE people at rr.com. See http://www.stopspam.org/email/headers.html for more details.

> See... there's nothing there to show who it is going to.

Yup - the ENVELOPE gets thrown away on the receiving mail server, and all you see is the contents. Sorry, but that's the way email works.

> Or maybe it's there and encrypted in the next to the last line where it
> says 0IPY007F0IWCXZ@ms-mss-05.southeast.rr.com?

No, that is the "serial number" of the message transaction on that specific mail server.

See RFC0821, 0822, 2821, and 2822, which can be found on the web.

Old guy
Re: Spoofing "TO" Address in email
"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message news:slrndo491a.m3v.ibuprofin@compton.phx.az.us...

> In the Usenet newsgroup alt.computer.security, in article
> <d1agf.2796$xD5.1454574@twister.southeast.rr.com>, Phil Nospam wrote:
>
>> As a test, I sent myself an email without addressing the TO field at all,
>> and placing my email address in the BCC field (using Outlook Express 6).
>> I received it with the TO field blank, and when I examine the header I do
>> see the email address it was addressed to in the BCC field (it doesn't
>> say it was the BCC field, but I know it was because I sent it).
>
> Your concept is correct, but spammers and bulk mailers do not use user
> level tools like Outlook Express.
>
>> Doesn't the recipient's email address have to be in the header SOMEWHERE
>> in order for the recipient to actually receive it?
>
> No. ALL mail delivery is based on the 'Envelope Recipient' and that
> value may not show up in any header.
>
>> Here's a copy of part of the header that shows how I can tell I'm
>> receiving an email as a BCC recipient if sent from a Road Runner email
>> address or Netscape email address:
>
> Now, send a mail to TWO (or more) people at once at the same address
> (meaning 'userA@rr.com' and 'userB@rr.com'), and then notice the difference
> in the headers. NEITHER NAME WILL APPEAR, but the crap will be delivered
> just the same.
>
>> The end of that "Received: from" statement says that the email is "for
>> aBCCrecipient@sc.rr.com". I replaced the real email address with
>> "aBCCrecipient", but you see my point. The spam email I receive doesn't
>> have anything like that in it. So how does it know it's for me and end up
>> in my Inbox?
>
> Because it is being delivered to more than one person at rr.com, the
> header does not show the individual addressees. In the conversation
> between the sending mail server (ms-mta-02-eri0 in the case you show)
> and receiving mail server (ms-mss-05.southeast.rr.com in the case you
> show), the "MAIL FROM" term gets into the 'Return-path:' header (but
> that name is under control of the sender, and can be faked), and the
> "RCPT TO:", which is what actually controls delivery, only gets passed
> to the mail you see if there is only ONE instance, and in that case
> alone is it put in the "Received:" header.
>
>> Here's the same part of the header from the spam email I received that
>> was addressed TO somebody else:
>
> That's no help - you need to look at more than that one line. In this
> case, it was actually sent to two OR MORE people at rr.com. See
> http://www.stopspam.org/email/headers.html for more details.
>
>> See... there's nothing there to show who it is going to.
>
> Yup - the ENVELOPE gets thrown away on the receiving mail server, and
> all you see is the contents. Sorry, but that's the way email works.
>
>> Or maybe it's there and encrypted in the next to the last line where it
>> says 0IPY007F0IWCXZ@ms-mss-05.southeast.rr.com?
>
> No, that is the "serial number" of the message transaction on that specific
> mail server.
>
> See RFC0821, 0822, 2821, and 2822, which can be found on the web.
>
> Old guy

Old guy (or Moe),

Thanks for your help and excellent explanations... it's making a lot more sense now. One thing though... in the section where you wrote:

> Now, send a mail to TWO (or more) people at once at the same address
> (meaning 'userA@rr.com' and 'userB@rr.com'), and then notice the difference
> in the headers. NEITHER NAME WILL APPEAR, but the crap will be delivered
> just the same.

I tried that and the header still revealed the name of the intended recipient (addressed in the BCC field) in the header. Now it didn't reveal the name of the other blind recipients, just the one that actually received it as a blind recipient.

Could that be a function of the mail server software itself? It appears that RoadRunner is using the iPlanet Messaging Server from Sun. Maybe it can be configured to include the individual BCC recipient's email address in the header (but not the others, otherwise it wouldn't be blind) for security and tracking purposes? But it can only do it on outgoing emails, not incoming, because as you said the "envelope" gets thrown away. Just a thought.

Thanks again,
Phil
Re: Spoofing "TO" Address in email
On Wed, 23 Nov 2005, in the Usenet newsgroup alt.computer.security, in article <RjSgf.4043$xD5.1761395@twister.southeast.rr.com>, Phil Nospam wrote:

> "Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
> news:slrndo491a.m3v.ibuprofin@compton.phx.az.us...
> One thing though... in the section where you wrote:
>> Now, send a mail to TWO (or more) people at once at the same address
>> (meaning 'userA@rr.com' and 'userB@rr.com'), and then notice the difference
>> in the headers. NEITHER NAME WILL APPEAR, but the crap will be delivered
>> just the same.
>
> I tried that and the header still revealed the name of the intended
> recipient (addressed in the BCC field) in the header. Now it didn't reveal
> the name of the other blind recipients, just the one that actually received
> it as a blind recipient.

Try sending it as multiple recipients in the 'To:' field, rather than the BCC, and make sure all recipients are located in the same domain (sending to 'foo@rr.com' and 'bar@netscape.com' won't be the same - it must be 'foo@rr.com' and 'bar@rr.com'). Also remember that spammers are not using your 'user' grade software like Outlook. Can you really imagine some spammer sitting at a computer, and cutting/pasting the same message to a hundred people, and repeating this for the one to fifteen _million_ recipients of a normal spam run? They're stupid, but not THAT st00pid.

> Could that be a function of the mail server software itself? It appears
> that RoadRunner is using the iPlanet Messaging Server from Sun. Maybe it
> can be configured to include the individual BCC recipient's email address
> in the header (but not the others, otherwise it wouldn't be blind) for
> security and tracking purposes?

I can't think why that would be needed, but then we're not using iPlanet.

> But it can only do it on outgoing emails, not incoming, because as you said
> the "envelope" gets thrown away. Just a thought.

The 'Received:' header is added by hosts that receive the mail. RFC0821 didn't spell it out as cleanly, but RFC2821 section 3.8.2 requires an Internet gateway that receives the mail to ADD a received header, and to not alter the already existing received headers. Thus, the headers should show a chain from source to destination - or as RFC0821 shows:

    Received: from GHI.ARPA by JKL.ARPA ; 27 Oct 81 15:27:39 PST
    Received: from DEF.ARPA by GHI.ARPA ; 27 Oct 81 15:15:13 PST
    Received: from ABC.ARPA by DEF.ARPA ; 27 Oct 81 15:01:59 PST

The modern header (the above is from 1981) has more information such as IP addresses, transaction IDs, and maybe software versions AND the name of the ultimate recipient, but that name is only added when (for the specific mail server in question) there is one and only one envelope recipient.

Regarding those 'Received:' headers, you can only trust the "last" one added (above, the 15:27:39 line) added by systems you (or perhaps your ISP) control. Spammers often add faked lines to confuse the issue, and those lines can contain any fairy tale the spammer wishes to include.

Old guy
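The header-reading discipline described above, as an added example that is not part of the original post: walk the Received: chain from the top (newest, added by your own ISP) downwards, and stop trusting it at the first hop that a host you trust received from a host you do not. The sample message is constructed for this example: its two rr.com hops mirror the header Phil posted, and the bottom Received: line is a deliberately forged one of the kind the post warns about, complete with a plausible-looking "for" clause. The set of trusted relay names and the relay IP 10.25.8.235 are assumptions about which machines the ISP operates; in practice you would take them from your own ISP's documentation.

```python
# Added example, not from the thread: parse a Received: chain top-down and
# find the IP the mail really came from. The sample headers are constructed
# (two hops modelled on the posted rr.com header plus one forged hop at the
# bottom); the trusted host/IP sets are assumptions about the ISP's relays.
import re
from email import message_from_string

SAMPLE_HEADERS = """\
Return-path: <balisabhette@auswww.com>
Received: from ms-mta-02-eri0 (ms-mta-02-eri0 [10.25.8.235])
 by ms-mss-05.southeast.rr.com (iPlanet Messaging Server 5.2 HotFix 2.08)
 with ESMTP id <0IPY007F0IWCXZ@ms-mss-05.southeast.rr.com>; Mon, 14 Nov 2005 13:19:35 -0500 (EST)
Received: from south.pole.hq (host54.zombie.isp.com [192.0.2.54])
 by ms-mta-02-eri0 (8.11.6/8.11.6) with ESMTP id UAA01441; Mon, 14 Nov 2005 13:19:34 -0500 (EST)
Received: from mail.bigbank.example (mail.bigbank.example [198.51.100.7])
 by south.pole.hq with SMTP id 12345 for <123@rr.com>; Mon, 14 Nov 2005 13:19:00 -0500 (EST)
From: Your favorite place to buy
To: Our valued customers
Subject: Have I got a deal for you!!!

Buy your pills from http://www.some.wankers.website.org/sucker.html
"""

# Assumed: the MTAs your ISP runs, and the address its internal relay uses.
TRUSTED_HOSTS = {"ms-mss-05.southeast.rr.com", "ms-mta-02-eri0"}
TRUSTED_RELAY_IPS = {"10.25.8.235"}

HOP_RE = re.compile(r"from\s+([^\s;(]+)(?:\s+\(([^)]*)\))?.*?\bby\s+([^\s;]+)", re.S)
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+)>?")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """One dict per Received: header, in header order (top = added last)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue                             # unparseable line: skip it
        helo, paren, by = m.groups()
        paren = paren or ""
        ip = IP_RE.search(paren)
        hops.append({
            "helo": helo,                        # name the client claimed in HELO/EHLO (untrusted)
            "ptr": paren.split()[0] if paren and not paren.startswith("[") else None,
            "ip": ip.group(1) if ip else None,   # address the receiving MTA actually saw
            "by": by,                            # MTA that wrote this line
            "for": FOR_RE.search(value).group(1) if FOR_RE.search(value) else None,
            "date": value.rsplit(";", 1)[1].strip() if ";" in value else None,
        })
    return hops


def origin_ip(hops, trusted_hosts, trusted_ips):
    """Walk top-down through lines written by hosts you trust. While the IP
    recorded is one of your ISP's own relays, keep going; the first hop a
    trusted host took from an outside IP is the real origin. Lines below that
    hop were written by the sender's side and may be pure fiction."""
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            return None                          # chain of custody broken before a handoff was found
        if hop["ip"] in trusted_ips:
            continue                             # internal relay; its own Received: line comes next
        return hop["ip"]
    return None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for i, h in enumerate(hops):
        print(f"{i}: by {h['by']:<28} from {h['helo']} ({h['ptr']} [{h['ip']}]) for={h['for']}")
    print("origin:", origin_ip(hops, TRUSTED_HOSTS, TRUSTED_RELAY_IPS))
```

The decision is keyed on the IP address each trusted MTA recorded in square brackets, never on the HELO name or the PTR, because the sender controls the first and whoever owns the IP block controls the second. The forged bottom line, with its bank-looking hostname and its "for <123@rr.com>", is never consulted at all: the walk ends at 192.0.2.54, the address that actually connected to the ISP.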
Re: Spoofing "TO" Address in email
"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message news:slrndo9i1f.di9.ibuprofin@compton.phx.az.us...

> On Wed, 23 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
> <RjSgf.4043$xD5.1761395@twister.southeast.rr.com>, Phil Nospam wrote:
>
>> "Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
>> news:slrndo491a.m3v.ibuprofin@compton.phx.az.us...
>> One thing though... in the section where you wrote:
>>> Now, send a mail to TWO (or more) people at once at the same address
>>> (meaning 'userA@rr.com' and 'userB@rr.com'), and then notice the difference
>>> in the headers. NEITHER NAME WILL APPEAR, but the crap will be delivered
>>> just the same.
>>
>> I tried that and the header still revealed the name of the intended
>> recipient (addressed in the BCC field) in the header. Now it didn't reveal
>> the name of the other blind recipients, just the one that actually received
>> it as a blind recipient.
>
> Try sending it as multiple recipients in the 'To:' field, rather than the
> BCC, and make sure all recipients are located in the same domain (sending
> to 'foo@rr.com' and 'bar@netscape.com' won't be the same - it must be
> 'foo@rr.com' and 'bar@rr.com'). Also remember that spammers are not using
> your 'user' grade software like Outlook. Can you really imagine some
> spammer sitting at a computer, and cutting/pasting the same message to a
> hundred people, and repeating this for the one to fifteen _million_
> recipients of a normal spam run? They're stupid, but not THAT st00pid.
>
> Old guy

Well, you can actually perform email merges between Excel and Word (beginning with Office 2003) so they wouldn't have to cut and paste like that. But I get your point.

Maybe it's just time for me to get a new email address. Or I could just get a domain name, set up my own web site and mail server in my house (I actually own a legit copy of MS Exchange). It might be a great learning experience. :-)
Re: Spoofing "TO" Address in email
On Thu, 24 Nov 2005, in the Usenet newsgroup alt.computer.security, in article <4vahf.3153$q93.1177191@twister.southeast.rr.com>, Phil Nospam wrote:

> Well, you can actually perform email merges between Excel and Word
> (beginning with Office 2003) so they wouldn't have to cut and paste like
> that.

Now, if you actually read some of that wonderful spam^Woffers of most interesting products and services you've been receiving, you'd find software kits that contain a list of 15 million addresses, and come with a set of mail delivery tools that would let you contact the millions of victi^Wsucke^Wpotential customers out there on this Interweb thingy - yours for a mere $249 plus shipping and handling, overnight service extra. ;-)

> Maybe it's just time for me to get a new email address.

That's usually the simpler choice. I stopped publishing my email addresses years ago, and because the spammers are getting more devious my current semi-public address doesn't even have a recognizable string in it. I'm actually using something like '"Moe Trin" <Nk7fUMYovez7Qc@example.com>'. Random string generators used to be only used for making un-guessable passwords - now I'm using them to create usernames.

> Or I could just get a domain name, set up my own web site and mail server
> in my house (I actually own a legit copy of MS Exchange).

Check with your ISP - most residential service providers get all frowny when you do that, 'cause they can charge for that. More and more are also blocking inbound service ports to prevent the abuse I mentioned in the other response. While not trying to sound trollish, most people in the mail business are horrified at the idea of MSexchange servers connected to the Internet - they're way too easy to subvert.

> It might be a great learning experience.

Then again...

Old guy