Group: English: Windows Server » microsoft.public.windows.server.sbs
Thread: Email Spoofing

Email Spoofing
"David Parkes" <wibble[ at ]wobble.com> 29.06.2007 12:59:45
I know this isn't really meant to be in here but I thought I would ask to
see if anyone could give a quick explanation.

We have received a number of spam emails which are non delivery reports. The
To email address isn't in our organisation but how does it end up in a user's
mailbox? Ok the first part is similar but the rest including the domain
isn't. Could someone briefly explain this to me as I have been asked the
question by the site admin and to be honest I'm not 100% sure. Any advice
would be great.


Re: Email Spoofing
"Claus" <cjobes[ at ]nova-tech.org> 29.06.2007 14:48:00
They are not NDRs; they are spam emails forged as NDRs. They have been around
for a while.

--
Claus
"David Parkes" <wibble[ at ]wobble.com> wrote in message
news:OgK7d1kuHHA.4504[ at ]TK2MSFTNGP05.phx.gbl...


Re: Email Spoofing
Joe <joe[ at ]jretrading.com> 29.06.2007 15:27:50
David Parkes wrote:
The short answer is that nearly any part of an email's headers can be
forged. The destination of SMTP mail is specified when the two SMTP
servers talk to each other, and has nothing to do with anything in the
headers, otherwise BCC could not work. So somebody sent an email to your
user's address but put something completely different in the To: header.

This is exactly how BCC works, and a legitimate email client like
Outlook could generate this kind of forgery. Almost certainly, however,
the email came from a program which randomly assembles sets of email
addresses harvested from the Internet and sold openly on CDs.

A forged email must reach a legitimate server at some point. The IP
address used to connect to that server cannot be forged, but it is just
about the only thing which cannot be. If you wish, you can trace the
email back through the legitimate servers until you reach one that
isn't, then trace the IP address to its owner. Since you will invariably
end up with an IP block belonging to an ISP, one of whose customers has
a compromised machine in his home, it's a bit of a waste of time.
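An added illustration of Joe's two points (the To: header is free text the sender chose, while the real recipient is the envelope address; and only the Received: line written by your own server is a trustworthy trace). This is example code written for this page, not from the thread; the hosts, IPs and addresses are constructed, and TRUSTED_HOSTS is an assumed list of the servers you operate.

```python
import re
from email import message_from_string
from email.utils import getaddresses
# Constructed sample (not from the thread): a forged "NDR" delivered to david@example.net
# although To: names an unrelated address. Hosts, addresses and IPs are made up.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby exchange.example.net with ESMTP id A1; Fri, 29 Jun 2007 12:10:00 +0100
Received: from mail.isp-relay.example (mail.isp-relay.example [198.51.100.7])
\tby mx.example.net with ESMTP id B2 for <david@example.net>; Fri, 29 Jun 2007 12:09:58 +0100
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.isp-relay.example with SMTP id C3; Fri, 29 Jun 2007 12:09:50 +0100
From: "Mail Delivery System" <mailer-daemon@other-domain.example>
To: <someone@unrelated-domain.example>
Subject: Undeliverable: your message
"""
# Assumed: the servers we operate. Only Received: lines written *by* these are trustworthy.
TRUSTED_HOSTS = {"exchange.example.net", "mx.example.net"}
_RECEIVED = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FOR = re.compile(r"\bfor\s+<([^>]+)>", re.I)

def received_hops(raw):
    """Received: headers newest-first as (from_host, ip, by_host, for_addr)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = re.sub(r"\s+", " ", value)  # unfold continuation lines
        m = _RECEIVED.search(value)
        if m:
            ip = _IP.search(f"{m.group('info') or ''} {m.group('from')}")
            rcpt = _FOR.search(value)
            hops.append((m.group("from"), ip and ip.group(1), m.group("by"), rcpt and rcpt.group(1)))
    return hops

def envelope_recipient(raw):
    """The RCPT TO address as our own MX recorded it ('for <...>'); None if absent."""
    return next((r for _, _, by, r in received_hops(raw) if by in TRUSTED_HOSTS and r), None)

def header_recipients(raw):
    """To: header addresses: free text chosen by the sender, exactly as with a BCC mail."""
    return [a for _, a in getaddresses(message_from_string(raw).get_all("To", []))]

def last_verifiable_hop(raw):
    """IP that connected to our first trusted server from outside. Walking newest-first, the
    first hop written by a trusted host but received from an untrusted one is the only IP we
    can vouch for; every Received: line below it came from someone else's server and may be forged."""
    for from_host, ip, by, _ in received_hops(raw):
        if by in TRUSTED_HOSTS and from_host not in TRUSTED_HOSTS:
            return ip
    return None
```

On the sample, the To: header and the envelope recipient disagree, and the trace stops at the ISP relay's IP: the bottom Received: line naming 203.0.113.45 was written by that relay, not by us, so it is only a claim.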

Re: Email Spoofing
"Brian Cryer" <brianc[ at ]127.0.0.1.activesol.co.uk> 29.06.2007 16:17:33
"David Parkes" <wibble[ at ]wobble.com> wrote in message
news:OgK7d1kuHHA.4504[ at ]TK2MSFTNGP05.phx.gbl...

It's called a Reverse NDR attack. Most administrators in this group probably
worry more about their server being used as the source of the RNDR. Whilst
there are steps you can take to prevent your server being used as the source
(and delivering these to other people outside your organisation) there isn't
a lot you can do to prevent these from landing in your users' in-boxes beyond
a spam filter.

For a little more on RNDR see
http://www.cryer.co.uk/glossary/r/reverse_ndr.htm.
--
Brian Cryer
www.cryer.co.uk/brian


Newsgroups Reader - provided by WiredBox.Net