>I admit I don't know much about X-RCPT-TO, but it's time I learn, because...

X-RCPT-TO: is a header that IMail adds, which has the E-mail address that 
the E-mail was sent to.  This can be useful if you use aliases or forwarding.

>An employee is getting messages where the TO is 
>"[EMAIL PROTECTED]" and the X-RCPT-TO is 
>"[EMAIL PROTECTED]". The username is the same.

That's common when people are sending spam.  The E-mail is being sent to 
the user on your server, but the To: header has someone else's address, 
because they can send the spam cheaper by having a generic set of headers 
going to lots of people.

>She's gotten two so far, both from two different addresses, and each of 
>the TOs are different. No attachments. The messages are suspiciously 
>generic and short. For instance: "Fred, Thanks again for lunch it was 
>great. Steve". (Oddly enough, "Steve" is not the same name as the 
>message's TO).

That's a spammer either [1] using a dictionary attack (trying thousands or 
millions of possible usernames at your domain to see which are valid), or 
[2] fishing for valid addresses (hoping that your user will respond with 
"Sorry, I'm not Fred", so they know for certain it's a valid E-mail 
address, and an honest person to boot).

>I suspect it's some ploy to get my employee to reply (which she has to one 
>of them), to validate her address for spamming, but that's just a guess.

And a very good guess.  I've seen at least one generic "lunch" E-mail fall 
into our spamtraps.

>Can anyone help me understand X-RCPT-TOs, including their vulnerabilities?

There are no vulnerabilities -- that header is added by IMail when the 
E-mail is delivered, so only the final recipient sees it.

When an E-mail is sent, there is a "To:" header that shows who the E-mail 
was *supposed* to be sent to (who the sender is claiming that the E-mail is 
being sent to).  However, an E-mail may come to your system for legitimate 
reasons with a different address (such as Cc:'s or Bcc:'s), or for 
illegitimate reasons (such as spammers).


                                                    -Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for 
IMail.  http://www.declude.com

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
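
The comparison described in the reply above, between the visible To:/Cc: headers and the delivery address IMail records in X-RCPT-TO, as an added example that is not part of the original message or of IMail or Declude. The function names, result labels and sample messages are constructed for illustration, and it assumes X-RCPT-TO carries one address, optionally in angle brackets.

```python
from email import message_from_string
from email.utils import getaddresses


def _addrs(msg, *names):
    """Lower-cased addresses found in the named headers."""
    values = [v for n in names for v in msg.get_all(n, [])]
    return [a.lower() for _, a in getaddresses(values) if "@" in a]


def classify_recipient(raw_message):
    """Relate the delivery address (X-RCPT-TO) to the claimed recipients."""
    msg = message_from_string(raw_message)
    delivered = _addrs(msg, "X-RCPT-TO")
    if not delivered:
        return "no_x_rcpt_to"            # header absent: nothing to compare
    rcpt = delivered[0]
    visible = _addrs(msg, "To", "Cc")
    if rcpt in visible:
        return "listed"                  # sender addressed this user openly
    user = rcpt.split("@", 1)[0]
    if any(v.split("@", 1)[0] == user for v in visible):
        # Same username, different domain: the pattern reported in the thread.
        return "same_user_other_domain"
    return "not_listed"                  # Bcc, mailing list, or bulk mail


def _sample(to, rcpt=None):
    """Build a constructed test message (not real mail)."""
    lines = ["From: steve@example.org", "To: " + to, "Subject: lunch"]
    if rcpt:
        lines.append("X-RCPT-TO: <%s>" % rcpt)
    body = "Fred, Thanks again for lunch it was great. Steve"
    return "\n".join(lines) + "\n\n" + body + "\n"


# Constructed samples; jane@example.com stands in for the local user.
SAMPLES = {
    "direct": _sample("Jane <jane@example.com>", "jane@example.com"),
    "generic_to": _sample("jane@example.net", "jane@example.com"),
    "unrelated_to": _sample("fred@example.net", "jane@example.com"),
    "no_header": _sample("jane@example.com"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_recipient(raw))
```

A "not_listed" or "same_user_other_domain" result is not proof of spam on its own, since Bcc'd and list mail produce the same mismatch; it is a signal to weigh alongside others.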
