Cleaning My Desktop

As I came back to the office after two long weeks, everything seemed new. When I logged onto my XP machine (yes, XP; will migrate to Vista soon) I saw a pop-up saying that there were unused icons on the desktop, pushing me to run the wizard, which I didn't. The last two weeks have been very painful, in a fiber cast on the left leg which I broke in a minor accident. I am lucky to have a few nice colleagues at Microsoft who help me with some basic stuff in the office.

After spending more than 30 minutes filtering emails I finally decided to clean up the desktop myself without using the wizard. While deleting most of the stuff I found a Netmon capture file which seemed interesting. The date stamp on it was a year old, but I could clearly recall the issue, and so I decided to share it with you.

Details:

The customer had an Exchange server configured with multiple recipient policies (domainA.com and domainB.com). They had this strange issue where user ABC (ABC@domainA.com) was receiving emails addressed to user XYZ (XYZ@domainB.com).

When ABC opened the email in his Outlook he could see that his name was not present in the To: field; it had been sent to XYZ@domainB.com. If we ran message tracking, it said that the message was accepted for ABC and routed to his inbox. Is this some security flaw? Not really; it turned out to be a simple trick, as we found out later on. There were no rules present, and after doing some basic testing I found that it happened only when email came from one particular domain, Sender.com. We did not have access to this domain, so we could not see what they were doing. So I decided to take a Netmon capture while a user from Sender.com sent an email.

This is how it looked:

SMTP: Command =MAIL FROM:<user@sender.com> SIZE=617

SMTP: Response =250 2.1.0 user@sender.com....Sender OK

SMTP: Command =RCPT TO:<ABC@domainA.com>

SMTP: Response =250 2.1.5 ABC@domainA.com

SMTP: Command =DATA

SMTP: Response =354 Start mail input; end with <CRLF>.<CRLF>

[image: Netmon capture of the DATA section, with the To: header highlighted in red]


The sending server issued RCPT TO: for ABC@domainA.com but set the To: header in the DATA section to XYZ@domainB.com (notice the red line in the picture). The SMTP envelope recipient (RCPT TO:) is what Exchange uses for routing, which is why we saw ABC in all places like message tracking; but, as I found on digging in a little, Outlook displays the To: header from the DATA section when you open any email, and the two are independent. It can easily confuse, but I soon learnt that it could easily be done with some basic programming skills.
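The check below is an added example, not code from the original post or from Microsoft: it replays a constructed SMTP session transcript modelled on the capture above (placeholder names, as in the post), extracts the envelope recipients from RCPT TO: and the visible To:/Cc: addresses from the DATA section, and reports any envelope recipient that the recipient would not see when opening the mail. This is exactly the mismatch that message tracking alone does not reveal, since tracking only records the envelope.

```python
"""Compare SMTP envelope recipients with the To:/Cc: headers inside DATA.

Added example (not from the original post). The envelope recipient (RCPT TO:)
and the To: header in the DATA section are independent: the server routes on
the envelope, the mail client displays the header. This script replays a
constructed session transcript and flags envelope recipients that are absent
from the visible headers.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed transcript modelled on the capture in the post; all names are placeholders.
SESSION = """\
MAIL FROM:<user@sender.com> SIZE=617
RCPT TO:<ABC@domainA.com>
DATA
From: user@sender.com
To: XYZ@domainB.com
Subject: test
Date: Mon, 01 Jan 2007 10:00:00 +0000

hello
.
QUIT
"""

ADDR_RE = re.compile(r"<([^>]+)>")


def parse_session(transcript):
    """Return (envelope_sender, [envelope_recipients], message_text)."""
    sender = None
    recipients = []
    data_lines = []
    in_data = False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":  # a lone dot terminates the DATA section
                in_data = False
            else:
                # Undo SMTP dot-stuffing (RFC 5321 section 4.5.2)
                data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            m = ADDR_RE.search(line)
            sender = m.group(1) if m else None
        elif upper.startswith("RCPT TO:"):
            m = ADDR_RE.search(line)
            if m:
                recipients.append(m.group(1))
        elif upper == "DATA":
            in_data = True
    return sender, recipients, "\n".join(data_lines) + "\n"


def header_recipients(message_text):
    """Addresses a mail client such as Outlook would show in To:/Cc:."""
    msg = message_from_string(message_text)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _name, addr in pairs if addr]


def envelope_header_mismatch(transcript):
    """Envelope recipients that do not appear in the visible To:/Cc: headers.

    A non-empty result means the message was delivered to a mailbox whose
    address the reader will not see when opening it.
    """
    _sender, env_rcpts, message_text = parse_session(transcript)
    visible = {a.lower() for a in header_recipients(message_text)}
    return [r for r in env_rcpts if r.lower() not in visible]


if __name__ == "__main__":
    for rcpt in envelope_header_mismatch(SESSION):
        print(f"delivered to {rcpt} but that address is not in To:/Cc:")
```

Keep in mind when using a check like this in a real mail flow that a mismatch is not by itself malicious: Bcc recipients and mailing-list expansions legitimately produce an envelope recipient that is absent from the headers, so the result is a signal to look at, not a verdict.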

This is one of the rarest issues you will ever see, but certainly an interesting one.

Happy Reading !!!


(Actual user and domain names have been changed to maintain confidentiality)