
Has anyone noticed exploits involving the use of "X-Actual-Recipient" to covertly divert e-mail from an intended recipient to someone else? I have been told that only someone with root access on the recipient's mail service provider could insert an X-Actual-Recipient directive into the header of a message. It is not clear to me where X- directives are spun into the header information of an e-mail message. Can a sender do this kind of thing? Can the sender's ISP do this kind of thing? Or is it only on the receiving end that X- directives may be added in to the header information?

Thanks.

Tim O'Tie

1 Answer


We can simplify this issue and say that any email administrator (or root account on an MTA) can redirect, bcc, resubmit, edit or delete any or all email on that given server "covertly". In other words, without the sender or recipient knowing about it. This modification can happen on the sender's side, recipient, any MTA in their path, or ISP (PRISM).

If such a modification were to occur, then something called the "message envelope" would be the right place to make this happen, since it doesn't appear in the email headers. The only risk I could find regarding X-Actual-Recipient is that it may disclose the target email address in an NDR. If this header did affect mail routing, then it would be worrisome, because that email server might as well be considered an open relay.

To correct this issue you should consider any of the technologies and implementations listed here:

makerofthings7
  • Thanks. So anybody who can function as an email administrator could divert mail addressed to Manny to Mac or Moe, and possibly also send the message to the intended recipient, Manny, so that its absence would not arouse suspicion (i.e., not simply divert but redirect so message received by 2 accts)? – Tim O'Tie Jun 25 '13 at 18:31
    @TimO'Tie - Yes, all those scenarios are possible, and have legitimate reasons outside of "spying" such as SEC compliance, email archiving, attachment stubbing/shortcutting, delivering to someone else while on vacation, shared mailboxes, distribution lists, college alumni .forwards (etc). – makerofthings7 Jun 25 '13 at 20:30
  • I have another question then. The straightforward way for the sender of an e-mail message to send a copy of that e-mail, unbeknownst to its official recipient (Manny), would be to BCC: Mac. Perhaps there would be no legitimate reason to do otherwise, but could the sender himself write an X-Actual-Recipient directive into his e-mail message so that Mac would receive the e-mail (or a copy of the e-mail) that was ostensibly directed solely to Manny? Thanks. – Tim O'Tie Jun 26 '13 at 06:46
  • There are two portions of an email message, the Envelope and the Header (RFC 2821 and RFC 2822). The Envelope controls routing (BCCs etc.) and the Body doesn't directly affect the message routing. The header you describe is in the header/body .. *not* the envelope. That means having that header there shouldn't have any effect on routing. – makerofthings7 Jun 26 '13 at 06:57
  • Email software is infinitely customizable, so in theory someone could configure the system to inspect and respond to this header (with a BCC as you describe) that isn't expected or typical in normal practice. – makerofthings7 Jun 26 '13 at 06:58
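The envelope-versus-header distinction the answer and its comments rely on can be made concrete with a small model of what a receiving MTA does. The example below is added here and is not code from the original post or from any particular MTA: it takes a constructed SMTP session, splits it into the RFC 2821 envelope (MAIL FROM / RCPT TO) and the RFC 2822 message data, and derives delivery purely from the envelope, so an X-Actual-Recipient header in the data has no routing effect. It also includes a defender-side check that lists addresses named only in headers, which is the kind of mismatch worth logging when reviewing whether mail software has been customised to act on such a header. The "rfc822; address" syntax assumed for X-Actual-Recipient follows the address-type format used for recipient fields in delivery status notifications (RFC 3464); the addresses and session are constructed sample data.

```python
"""Envelope vs. header: which addresses actually drive delivery.

Added example, not from the original post. It models what the answer
describes: an MTA routes on the SMTP envelope (MAIL FROM / RCPT TO,
RFC 2821) and treats the message headers (RFC 2822) as opaque data.
The SMTP session below is constructed for this demonstration.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: an SMTP session as a receiving MTA would see it.
# The header names manny, the envelope names manny, and an extra
# X-Actual-Recipient header names mac.
SAMPLE_SESSION = """\
MAIL FROM:<sender@example.org>
RCPT TO:<manny@example.net>
DATA
From: sender@example.org
To: manny@example.net
Subject: quarterly numbers
X-Actual-Recipient: rfc822; mac@example.net

Please review before Friday.
.
"""


def parse_session(session: str):
    """Split an SMTP session into the envelope and the DATA payload."""
    envelope = {"mail_from": None, "rcpt_to": []}
    data_lines = []
    in_data = False
    for line in session.splitlines():
        if in_data:
            if line == ".":  # end of DATA
                break
            # Dot-stuffing: a client doubles a leading '.' inside DATA.
            data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            envelope["mail_from"] = line[len("MAIL FROM:"):].strip().strip("<>")
        elif upper.startswith("RCPT TO:"):
            envelope["rcpt_to"].append(line[len("RCPT TO:"):].strip().strip("<>"))
        elif upper == "DATA":
            in_data = True
    return envelope, "\n".join(data_lines) + "\n"


def delivery_recipients(session: str):
    """Where the MTA actually delivers: the envelope recipients, nothing else."""
    envelope, _ = parse_session(session)
    return list(envelope["rcpt_to"])


def header_recipients(session: str):
    """Addresses merely mentioned in headers (To, Cc, X-Actual-Recipient)."""
    _, data = parse_session(session)
    msg = message_from_string(data)
    addrs = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    for value in msg.get_all("X-Actual-Recipient", []):
        # Assumed DSN-style "address-type; address" syntax (RFC 3464).
        _, _, addr = value.partition(";")
        addrs.append(addr.strip())
    return addrs


def envelope_header_mismatch(session: str):
    """Defender check: header addresses that the envelope never named.

    These cannot change routing on a standards-following MTA, but they
    are worth logging: they reveal either a misconfigured sender or a
    header someone hoped a customised MTA would act on.
    """
    env = set(delivery_recipients(session))
    return sorted(set(header_recipients(session)) - env)


if __name__ == "__main__":
    print("delivered to:      ", delivery_recipients(SAMPLE_SESSION))
    print("named in headers:  ", header_recipients(SAMPLE_SESSION))
    print("header-only addrs: ", envelope_header_mismatch(SAMPLE_SESSION))
```

Running the script shows delivery going only to manny@example.net while mac@example.net appears in the header-only list; to model the legitimate BCC case from the comments, add a second `RCPT TO:` line to the session and the extra address shows up in `delivery_recipients` without any header change at all.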