Email Virus Question: how can my interal addresses be 'spoofed'? 1

[wmichael]

I am not entirely certain if 'spoof' is even the correct word. Here's the situation;

I am running a mixed Exchange 5.5/2003 environment, with the MX being set to the 5.5 server. I use CA's eTrust AV solution.

Recently, a user came to me indicating they had received an email that was addressed to another user from the address: Admnistrator@aol.com. The email turned out to have the Sober worm attached, and our AV software stripped it easily. No threat, but the following thing bugs me;

How can the email sent to user A wind up in user B's inbox. No one did anything to forward on the email, it just went there. I wish I had the full message headers, but do not.

Any ideas?



~wmichael

"small change can often be found under seat cushions

 

[sleipnir214]

The acutal recipient of an email and the address in the "To:" header are not necessarily the same.

Let's call a piece of software that is trying to inject a message into an SMTP server the
"CLIENT". Let's call the SMTP server, itself, the "SERVER".

The CLIENT connects to the SERVER on port 25. A conversation then begins.

Near the beginning of that conversation, the CLIENT will send the SMTP directive:

[tt]RCPT TO: <theuser@theaddress.foo>[/tt]

Later in the SMTP conversation, the CLIENT will send:

[tt]DATA[/tt]

which begins the message body.

That message body contains message headers, one of which is:

[tt]To: User Name <username@theaddress.foo>[/tt]

And there is nothing that says the address in the "RCPT TO" directive must match the address in the "To:" message header. Legitimate MUAs ((Mail User Agents, of which Outlook and Eudora are two) will match the two addresses.

Here's the kicker: The SERVER will route the message to a user's mailbox based on the "RCPT TO:" directive. But your user's MUA will display the addressee of the message based on the "To:" message header.



Want the best answers? Ask the best questions!

TANSTAAFL!!