Actually, it is on topic as an Exchange admin should know how SMTP communications take place.

The header and body of an e-mail message are called DATA. The DATA must be made up of certain information and formatted in a certain way. The information displayed in your e-mail client is taken from the DATA. The DATA portion can be anything as long as it meets the formatting requirements. So I can have in the DATA from joeshomo to LimpyLucy and that is what your e-mail client will display but the servers do not use that information.

When an SMTP communication takes place, it goes something like this:

-------------------------------------------------------------------------------
SMTP (984b036600001015) processing F:\Spool\Q984b036600001015.SMD
SMTP (984b036600001015) [x] looking up remotedomain.moc in HOSTS and MX
SMTP (984b036600001015) Trying remotedomain.moc (0)
SMTP (984b036600001015) [x] Connecting socket to service <SMTP> on host <remotedomain.moc> using protocol <tcp>
SMTP (984b036600001015) [x] using source IP for mail.serverdomain.moc [67.94.227.39]
SMTP (984b036600001015) Connect remotedomain.moc [65.54.167.5:25] (1)
SMTP (984b036600001015) 220 mc11-f14.remotedomain.moc Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.msn.com/Anti-spam/. Violations will result in use of equipment located in California and other states. Wed, 13 Jul 2005 15:40:17 -0700
SMTP (984b036600001015) >EHLO mail.serverdomain.moc
SMTP (984b036600001015) 250-mc11-f14.remotedomain.moc (3.0.1.19) Hello [67.94.227.39]
SMTP (984b036600001015) 250-SIZE 29696000
SMTP (984b036600001015) 250-PIPELINING
SMTP (984b036600001015) 250-8bitmime
SMTP (984b036600001015) 250-BINARYMIME
SMTP (984b036600001015) 250-CHUNKING
SMTP (984b036600001015) 250-AUTH LOGIN
SMTP (984b036600001015) 250-AUTH=LOGIN
SMTP (984b036600001015) 250 OK
-------------------------------------------------------------------------------

The above part is called the handshake, where the sending server communicates with the receiving server and they kind of tell each other what commands are supported.

-------------------------------------------------------------------------------
SMTP (984b036600001015) >MAIL FROM:<michele@xxxxxxxxxxxxxxx>
SMTP (984b036600001015) 250 michele@xxxxxxxxxxxxxxxxxxxxxxxxx OK
SMTP (984b036600001015) >RCPT To:<carlritzert@xxxxxxxxxxxxxxxx>
SMTP (984b036600001015) 250 carlritzert@xxxxxxxxxxxxxxxx
-------------------------------------------------------------------------------

The above is where the sending e-mail server tells the receiving e-mail server who the message is from and who it is going to. The > is the line from the sending server and the 250 is the acknowledgement from the receiving server.

-------------------------------------------------------------------------------
SMTP (984b036600001015) >DATA
SMTP (984b036600001015) 354 Start mail input; end with <CRLF>.<CRLF>
SMTP (984b036600001015) >.
SMTP (984b036600001015) 250 <7C287DEAD127A347B3011892C041AC33E2C545@xxxxxxxxxxxxxxxxxxxx> Queued mail for delivery
-------------------------------------------------------------------------------

The above is when the actual DATA is sent, the actual header and body of the message.

-------------------------------------------------------------------------------
SMTP (984b036600001015) rdeliver remotedomain.moc carlritzert@xxxxxxxxxxxxxxxx (1) <michele@xxxxxxxxxxxxxxx> 3774
SMTP (984b036600001015) >QUIT
SMTP (984b036600001015) 221 mc11-f14.remotedomain.moc Service closing transmission channel
SMTP (984b036600001015) [u] closing socket (u)
-------------------------------------------------------------------------------

The above are the 2 servers saying so long, it was nice talking to you.

John T
eServices For You

> -----Original Message-----
> From: Kern, Tom [mailto:tkern@xxxxxxxxxxx]
> Sent: Thursday, July 14, 2005 11:14 AM
> To: [ExchangeList]
> Subject: [exchangelist] spam question(OT)
>
> http://www.MSExchange.org/
>
> not really exchange related. i was wondering how spammers are able to forge the TO:
> header of an email so that you get the email even though it's not addressed to you.
>
> like if i'm joe@xxxxxxxxxxxxxx, i get an email to my inbox addressed only to
> bob@xxxxxxxxxxxxxx or bob@xxxxxxxxxxxxxxxxxxx?
> is it that the envelope headers are addressed to me but the email TO: headers are
> changed?
>
> Is this the same thing as when you get spam and the TO: headers say
> "undisclosed recipients"?
>
> thanks
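
Added example, not part of the original message or of any mail server's own code: a check an admin can run to see the envelope/header split described above. It pulls the MAIL FROM and RCPT TO commands out of log lines in the format shown in the reply and compares them with the From:/To:/Cc: headers inside the DATA. The session id, addresses, message text and function names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample in the log format shown above (placeholder addresses).
SAMPLE_LOG = """\
SMTP (0000000000000001) >MAIL FROM:<sender@example.test>
SMTP (0000000000000001) 250 sender@example.test OK
SMTP (0000000000000001) >RCPT To:<joe@example.test>
SMTP (0000000000000001) 250 joe@example.test
SMTP (0000000000000001) >DATA
"""

# Constructed sample of the DATA sent in that session (what the client displays).
SAMPLE_DATA = """\
From: "Someone Else" <other@example.test>
To: bob@example.test
Subject: constructed sample

body text
"""

ENVELOPE_CMD = re.compile(r"^SMTP \((\w+)\) >(MAIL FROM|RCPT TO):<([^>]*)>", re.I)

def envelope_from_log(log_text):
    """Return {session_id: {"mail_from": str or None, "rcpt_to": [str, ...]}}."""
    sessions = {}
    for line in log_text.splitlines():
        m = ENVELOPE_CMD.match(line.strip())
        if not m:
            continue  # server replies and non-envelope commands
        sid, verb, addr = m.group(1), m.group(2).upper(), m.group(3).lower()
        env = sessions.setdefault(sid, {"mail_from": None, "rcpt_to": []})
        if verb == "MAIL FROM":
            env["mail_from"] = addr
        else:
            env["rcpt_to"].append(addr)
    return sessions

def compare(envelope, data_text):
    """Report where the envelope and the displayed headers disagree."""
    msg = message_from_string(data_text)
    def addrs(*names):
        values = [v for n in names for v in msg.get_all(n, [])]
        return {a.lower() for _, a in getaddresses(values) if a}
    shown_to = addrs("To", "Cc")
    hidden = [r for r in envelope["rcpt_to"] if r not in shown_to]
    return {"rcpt_not_in_headers": hidden,
            "from_differs": envelope["mail_from"] not in addrs("From")}
```

A non-empty rcpt_not_in_headers is also what ordinary Bcc and mailing-list delivery look like, so treat it as one signal to weigh with others, not as proof of spam.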