3

Is it possible to have a scenario where there are 3 email addresses. Each on a different mail server.

Charlie writes an email with Alice and Bob listed as recepients. Charlie uses a rogue SMTP server treyresearch.net that only carries out the SMTP transaction with Alice on the contoso.com server while listing Bob as a recepient but does not carry out the SMTP transaction with the SMTP server for fabrikam.com.

Alice belives that Bob is aware of the content in the email whereas he certainly is not.

Is this a possible scenario with SMTP and are there any measures to prevent this?

Improve this question
0

1 Answer 1

Reset to default
6

This is even possible without a rogue SMTP server. Alice has no access to the SMTP communication, so she cannot possibly know which addresses you sent the email to.

The only thing that Alice has access to, are the email headers.

The only thing the SMTP server cares about, is the SMTP envelope.

Nowhere it is written that the two must match.

You can simply do this:

HELO mx01.treyresearch.net MAIL FROM: <[email protected]> RCPT TO: <[email protected]> RCPT TO: <[email protected]> DATA From: Charlie <[email protected]> To: Alice <[email protected]>, Bob <[email protected]> Subject: Information for Bob Date: Fr, 06 Dec 2019 15:53:56 +0100 Message-ID: <[email protected]> Hello Alice, this is the information you wanted me to share with Bob. Greetings, Charlie .

As you can see, we have put Bob into the To: header of the message, but we simply did not instruct the server to send the message to him. Conversely, we did instruct the server to send the message to a secret listener, but the secret listener does not show up anywhere in the entire message.

Improve this answer
1
  • Thanks. This clears things for me. Commented Dec 6, 2019 at 15:31

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.