How could this have gotten through?

04-19-2004, 11:58 AM
I don't have the catch-all enabled on this account yet this e-mail was accepted for a non-existent alias or user. Here is what the header looks like.

Return-Path: <llekbpr@mailexite.com>
Received: from dl-lns3-poa-C89AA334.p001.terra.com.br (dl-lns3-poa-C89AA334.p001.terra.com.br [])
by wildjokerdesign.com (8.11.6/8.11.6) with SMTP id i3J3bQA26614;
Sun, 18 Apr 2004 21:37:49 -0600
Received: from chfpeql (y10-100-596.lpt.att.net [])
by pop-0.pta.yahoo.com (8.12.8/8.12.8) with ESMTP id m5N3P1ZQ666820
for <wedesign@wildjokerdesign.com>; Sun, 18 Apr 2004 23:37:20 -0500
Message-ID: <5263731158.304@concentric.net>
Reply-To: "Bennett Gipson" <Gwjngg@concentric.net>
From: "Bennett Gipson" <Ntzank@concentric.net>
To: <wedesign@wildjokerdesign.com>
Subject: Re: ybk Application Declined
Date: Sun, 18 Apr 2004 23:37:20 -0500
Organization: shenanigan
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, hits=2.7 required=5.0
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 2.52 (
X-UIDL: Z;*"!0ZV"!B0c"!2^=!!

wedesign like I said is not a user or alias that I have set up. What was even more interesting was when I took a look at the message source it looked like this...

<META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8859-1=
</HEAD><body><font face=3D"Verdana, Arial, Helvetica">
<font size=3D1 color=3D"#fcfcfc">desirous classify lyon chesterton crewman=
twenty woodshed conveyance upsetting furze sheepskin electron legendre=20=
Yo<grveflwbojzb>u hav</zefaixnpdymx>e <mkfemynrnyrsxnv>a l</PYXrtjbaG>egal=
ri</xygnpbapekp>ght t<hyfopkiqbj>o CA</VqmbyGNU>NCEL your D</SsczaKE>EBTs=
</h3><font size=3D1 color=3D"#fefefe">garlic around cost brake degeneracy =
bookplate aaron stockroom sanborn angstrom grover cinnabar=20</font><br><f=
ont size=3D2>

That is just the first bit of it not the whole thing.

I did not actually open up the email but noticed that SpamAssassin had somehow picked up on content that mentioned Credit and wondered how. When I looked closer I realized that what I have posted above actually says....
"You have a legal right to CANCEL your DEBTS"
Don't think that has anything with the email being allowed through for a non user but did find it interesting. I assume it is an attempt to defeat spam checking programs.

So I was just wondering if anyone can see anything in the header that would have faked out sendmail into accepting this? What am I missing here? I got two of these today and have received similar ones in the past that are addressed to wedesign.

04-19-2004, 12:01 PM
It is possible that your real address was a bcc: on the message. Remember that the From: line really means nothing in a message, it is the TO part that is sent via the SMTP protocol that determines how something is delivered. Very often I receive messages that aren't explicitly addressed to me.

Remember: You cannot believe RFC822 headers. They are text, in-band, and can be easily changed, forged, or misrepresented.
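The point made above, that the SMTP envelope (MAIL FROM / RCPT TO) decides where a message goes while the From:, Reply-To: and To: headers are just text, can be shown with a small model of a receiving mail server. This is an added example, not code from this thread or from sendmail; the domain, the local user table and every address in it are constructed for the demonstration, and a local part not in the table is refused the way a sendmail host without a catch-all would refuse it.

```python
"""Envelope recipients decide delivery; the To: header is only data.

Added example, not code from the original thread. It models the receiving
side of an SMTP transaction: the envelope (MAIL FROM / RCPT TO) is what the
MTA routes and checks against its local user table, while the RFC 822 header
block arrives afterwards as message text. Domain, user table and all
addresses below are constructed for the demonstration.
"""
from email import message_from_string
from email.message import Message
from email.utils import formatdate
from typing import Optional

LOCAL_DOMAIN = "example.com"
# Constructed local user table. No catch-all, so unknown local parts are refused.
LOCAL_USERS = {"alice", "postmaster"}


class SmtpRejected(Exception):
    """Raised for a permanent SMTP error, e.g. 550 unknown user."""


def accept_envelope(rcpt_to: list[str]) -> list[str]:
    """Apply the checks a receiving MTA makes at RCPT TO time.

    Only envelope recipients are consulted; at this point in the dialogue the
    client has not yet sent DATA, so no From:/To: header exists to look at.
    """
    accepted = []
    for rcpt in rcpt_to:
        local, _, domain = rcpt.rpartition("@")
        if domain.lower() != LOCAL_DOMAIN:
            raise SmtpRejected(f"554 relaying denied for {rcpt}")
        if local.lower() not in LOCAL_USERS:
            raise SmtpRejected(f"550 unknown user {rcpt}")
        accepted.append(rcpt)
    return accepted


def deliver(client_host: str, mail_from: str, rcpt_to: list[str], data: str) -> dict[str, Message]:
    """Deliver DATA to each envelope recipient, stamping trace headers.

    Returns mailbox name -> parsed message. Return-Path comes from MAIL FROM and
    the 'for <...>' clause from RCPT TO; the client's own headers are kept as sent.
    """
    mailboxes = {}
    for rcpt in accept_envelope(rcpt_to):
        trace = (
            f"Return-Path: <{mail_from}>\n"
            f"Received: from {client_host} by mx.{LOCAL_DOMAIN} with SMTP"
            f" for <{rcpt}>; {formatdate()}\n"
        )
        mailboxes[rcpt.partition("@")[0].lower()] = message_from_string(trace + data)
    return mailboxes


def demo() -> tuple[dict[str, Message], Optional[str]]:
    """One accepted Bcc-style delivery and one refused unknown-user attempt."""
    # Constructed message: To: names somebody else entirely, Reply-To differs
    # from From:, and the only envelope recipient is alice (as a Bcc would be).
    data = (
        'From: "Some Sender" <nobody@sender.example>\n'
        "Reply-To: <someone-else@sender.example>\n"
        "To: <victim@unrelated.example>\n"
        "Subject: Re: Application Declined\n"
        "\n"
        "body\n"
    )
    boxes = deliver("relay.sender.example", "bounce@sender.example", ["alice@example.com"], data)
    try:
        # Same message aimed at a local part that is neither a user nor an alias.
        deliver("relay.sender.example", "bounce@sender.example", ["wedesign@example.com"], data)
        rejected = None
    except SmtpRejected as exc:
        rejected = str(exc)
    return boxes, rejected


if __name__ == "__main__":
    boxes, rejected = demo()
    for name, msg in boxes.items():
        print(f"mailbox {name}: To: {msg['To']} / {msg['Received']}")
    print("second attempt:", rejected)
```

Run it and alice's mailbox holds a message whose To: header names someone else, while the only reliable record of why it arrived is the `for <alice@example.com>` clause the local server wrote itself. The same data aimed at an unknown local part is refused at RCPT TO, before any header is seen, which is the behaviour the original poster expected and did not get.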


04-19-2004, 12:22 PM
I always thought that the Received info in the header was "true" so to speak. The little I do understand about it is that it shows the path the email has taken and that the bottom one is where it started and then the top one was when it finally got to my sendmail system. I just can't seem to get my head wrapped around this email stuff. :)


04-19-2004, 12:37 PM
Certainly "Received:" headers can be deleted before they are received by your system; nothing ensures they will be kept.

The best way to describe Email is a postcard written in pencil. When it comes to your system, you can do anything with the headers, etc. You're trusting programs to be good, but spammers aren't good.

This is a large problem in the computer security community, and why protocols that provide authentication are moving forward (such as IPSec). Hell, in an IP message, you can't even believe the claimed IP address!

(can you tell I work in the computer security field for a living? I did my thesis on electronic mail, and was on a panel on electronic mail at last year's ACSAC (which I chair, www.acsac.org).)

04-19-2004, 04:32 PM
The top entry

Received: from dl-lns3-poa-C89AA334.p001.terra.com.br (dl-lns3-poa-C89AA334.p001.terra.com.br [])
by wildjokerdesign.com (8.11.6/8.11.6) with SMTP id i3J3bQA26614;
Sun, 18 Apr 2004 21:37:49 -0600

Was that written by my system when it accepted the mail? The reason I ask is that it does not have a normal for entry. What is telling sendmail who the mail is for when it gets to my system? It really does seem like there should be a better way for internet mail. Just when I think I have figured out one part of it something else comes up. :)

04-19-2004, 08:49 PM
I don't know if that line is a forgery, but much of the rest of it is. It is from concentric.net, but the reply to is different than the From:. Both look like fake IDs. However, it wasn't received from concentric, but supposedly from chfpeq1 to yahoo. It never went to that site in brazil that supposedly sent it to your host, and the return path is yet another host. I wouldn't believe anything in this header.