Posted By: ...JER eMail question - 05/29/11 12:44 AM
I have gotten several spam emails that have no "To" field in the header. Using long headers doesn't reveal any "To", "cc", or "bcc" fields. How is this stuff getting in my mailbox?

...JER
Posted By: artie505 Re: eMail question - 05/29/11 06:43 AM
Originally Posted By: ...JER
I have gotten several spam emails that have no "To" field in the header. Using long headers doesn't reveal any "To", "cc", or "bcc" fields. How is this stuff getting in my mailbox?

...JER

Can't help, but I wonder whether the answer to your question will also explain how, from time to time, I've found spam in my mailbox that had any number of different "To" addresses, none of which was mine.
Posted By: MacManiac Re: eMail question - 05/29/11 04:40 PM
My suspicion is that your address is being placed into the "Bcc" portion of the originating spam source and the actual addressees are all there instead of in the "To" field......
Posted By: ...JER Re: eMail question - 05/29/11 05:05 PM
Thanks, that was my guess but I didn't know if there was another way to do it.
Posted By: Virtual1 Re: eMail question - 05/29/11 08:26 PM
Remember that the first headers are created by the SENDING computer. Email clients and spammers have absolute control over the headers they place in them.

Most mailservers will append additional headers when they forward the message. Some will add a spamassassin score or an identifier for example, and most add information about the client that delivered the message to them.

Since most normal email passes through several mail gateways and servers en route to you, you can usually look at the full headers to follow its path to you. But I've seen at least a few cases where the spammer tried to make that difficult by adding path-like headers in the message before sending it into the system. Since it can be difficult to determine where the actual mailserver-provided headers start, you have to read them very carefully and determine at what point up the chain to stop trusting them. Client-provided headers that are attempting to look like mailserver routing headers are usually referred to as "forged headers".

It's becoming common for spammers and virus writers to add forged spamassassin/avg scanned/passed headers in an attempt to fool downstream mailservers and recipients. (mailservers often will skip rescanning a message if it claims to have already been scanned)
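An added example (not from the thread) of the reading strategy described above: walk the Received chain from the top, stop trusting at the first hop not written by one of your own relays (the relay names below are assumed), and treat everything beneath that boundary, including any scan-result headers, as sender-controlled. It also flags the missing To/Cc/Bcc that started the thread.

```python
import email
import re
from email import policy

# Constructed sample, not a message from the thread: the top two Received lines were
# written by our own relays (names assumed below); the third imitates a relay hop but
# was written by the sender, as were X-Spam-Status, From and Subject. No To/Cc/Bcc.
RAW = b"""Received: from mx1.example.org (mx1.example.org [203.0.113.5]) by mail.example.org with ESMTP; Sun, 29 May 2011 18:59:07 -0500
Received: from bulkhost.invalid (unknown [198.51.100.9]) by mx1.example.org with SMTP; Sun, 29 May 2011 18:59:06 -0500
Received: from relay.bigisp.invalid by bigisp-mx.invalid with ESMTP id ABC123; Sun, 29 May 2011 18:58:00 -0500
X-Spam-Status: No, score=-5.0
From: <sender@example.net>
Subject: hello

"""

# Hostnames our own mail servers write into the "by" clause (assumed; adjust to your site).
TRUSTED_RELAYS = {"mail.example.org", "mx1.example.org"}
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.S)

def parse_hops(msg):
    """(from_host, by_host) per Received header, newest (topmost) first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))
        hops.append((m.group(1), m.group(2).rstrip(";,")) if m else (None, None))
    return hops

def count_trusted_hops(hops):
    """Walk down from the newest hop; stop at the first one not written by our relays."""
    n = 0
    while n < len(hops) and hops[n][1] in TRUSTED_RELAYS:
        n += 1
    return n

def analyze(raw=RAW):
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = parse_hops(msg)
    n = count_trusted_hops(hops)
    names = [name for name, _ in msg.items()]
    # Headers below the last trusted Received were already present when the message
    # reached us, so they are sender-controlled: extra Received lines, scan verdicts, etc.
    received_at = [i for i, name in enumerate(names) if name.lower() == "received"]
    sender_headers = names[received_at[n - 1] + 1:] if n else names
    return {
        "trusted_hops": n,
        "untrusted_received": len(hops) - n,
        "sender_scan_headers": [h for h in sender_headers if h.lower().startswith(("x-spam", "x-virus"))],
        "no_recipient_header": not any(msg.get(h) for h in ("To", "Cc", "Bcc")),
    }
```

Calling `analyze()` on the sample reports two trusted hops, one Received line below the trust boundary, a sender-supplied X-Spam-Status, and no recipient header at all.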
Posted By: artie505 Re: eMail question - 05/29/11 11:14 PM
Originally Posted By: MacManiac
My suspicion is that your address is being placed into the "Bcc" portion of the originating spam source and the actual addressees are all there instead of in the "To" field......

That's a good thought, so I just tried it, and my e-mail got to me like so:

Quote:
From: Artie (Edited) <(Edited)@verizon.net>
Subject: sdfghjk
Date: May 29, 2011 7:59:05 PM EDT
To: Undisclosed recipients: ;
Return-Path: <(Edited)@verizon.net>
Received: from [192.168.1.46] ([unknown] [(Edited)]) by vms173001.mailsrvcs.net (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009)) with ESMTPA id <0LLZ005Y9EMH39D0@vms173001.mailsrvcs.net> for (Edited)@verizon.net; Sun, 29 May 2011 18:59:06 -0500 (CDT)
Message-Id: <894299AF-F901-43F5-9C91-FD250F202A34@verizon.net>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Original-Recipient: rfc822;(Edited)@verizon.net

Presumably, the "Undisclosed recipients" refers to the Bcc address, but the two red (Edited) addresses disclose it.

I guess each mail server handles such stuff differently?

But it could explain my spam. Hmmm... I'll have to pay closer attention next time.
© FineTunedMac