Is it possible to spoof a recipient in a SMTP transaction? If not how does SMTP prevent this from happening?

softwareengineering.stackexchange https://softwareengineering.stackexchange.com/questions/402161

05-03-2021

Question

Is it possible to have a scenario where there are 3 email addresses, each on a different mail server?

  • alice@contoso.com
  • bob@fabrikam.com
  • charlie@treyresearch.net

Charlie writes an email with Alice and Bob listed as recipients. Charlie uses a rogue SMTP server treyresearch.net that only carries out the SMTP transaction with Alice on the contoso.com server while listing Bob as a recipient but does not carry out the SMTP transaction with the SMTP server for fabrikam.com.

Alice believes that Bob is aware of the content in the email whereas he certainly is not.


Is this a possible scenario with SMTP and are there any measures to prevent this?

Solution

This is even possible without a rogue SMTP server. Alice has no access to the SMTP communication, so she cannot possibly know which addresses you sent the email to.

The only thing that Alice has access to, are the email headers.

The only thing the SMTP server cares about, is the SMTP envelope.

Nowhere is it written that the two must match.

You can simply do this:

HELO mx01.treyresearch.net
MAIL FROM: <charlie@treyresearch.net>
RCPT TO: <alice@contoso.com>
RCPT TO: <secretlistener@example.com>
DATA
From: Charlie <charlie@treyresearch.net>
To: Alice <alice@contoso.com>, Bob <bob@fabrikam.com>
Subject: Information for Bob
Date: Fri, 06 Dec 2019 15:53:56 +0100
Message-ID: <ae9928a9-28bc-491c-80aa-6ce74b99fbff@treyresearch.net>

Hello Alice, 

this is the information you wanted me to share with Bob.

Greetings, 
    Charlie
.

As you can see, we have put Bob into the To: header of the message, but we simply did not instruct the server to send the message to him. Conversely, we did instruct the server to send the message to a secret listener, but the secret listener does not show up anywhere in the entire message.
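As an added example (not part of the original answer), here is a small Python check written from the receiving server's side: it splits a client transcript like the one above into envelope recipients and message data, then reports addresses that appear only in the To:/Cc: headers or only in the envelope. The embedded transcript is constructed from the answer's session; server replies are omitted.

```python
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

# Constructed client-side transcript of the transaction from the answer
# (server replies omitted); this is what a receiving MTA at contoso.com sees.
SESSION = """\
HELO mx01.treyresearch.net
MAIL FROM: <charlie@treyresearch.net>
RCPT TO: <alice@contoso.com>
RCPT TO: <secretlistener@example.com>
DATA
From: Charlie <charlie@treyresearch.net>
To: Alice <alice@contoso.com>, Bob <bob@fabrikam.com>
Subject: Information for Bob

Hello Alice, this is the information you wanted me to share with Bob.
.
"""

def split_session(text):
    """Return (envelope recipients, message bytes) from a client transcript."""
    rcpts, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        if line.upper().startswith("RCPT TO:"):
            rcpts.append(line.split(":", 1)[1].strip().strip("<>").lower())
        elif line.upper() == "DATA":
            body = lines[i + 1:]
            break
    else:
        body = []
    if body and body[-1] == ".":          # end-of-data marker
        body = body[:-1]
    body = [ln[1:] if ln.startswith("..") else ln for ln in body]  # dot-unstuffing
    return rcpts, "\r\n".join(body).encode()

def header_recipients(message_bytes):
    """Addresses the reader will see: everything in the To: and Cc: headers."""
    msg = BytesParser(policy=policy.default).parsebytes(message_bytes)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs]

def compare(text):
    """Header/envelope mismatch report for one received transaction."""
    rcpts, raw = split_session(text)
    hdrs = header_recipients(raw)
    return {"envelope": rcpts, "header": hdrs,
            "header_only": [a for a in hdrs if a not in rcpts],
            "envelope_only": [a for a in rcpts if a not in hdrs]}
```

A mismatch is normal in legitimate mail (Bcc, mailing-list expansion), so this is a signal rather than a verdict; and contoso.com only ever sees its own RCPT TO lines, so it cannot tell whether fabrikam.com was contacted at all.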

Licensed under: CC-BY-SA with attribution