#15769 - 05/28/11 05:44 PM eMail question
...JER Offline


Registered: 08/04/09
I have gotten several spam emails that have no "To" field in the header. Using long headers doesn't reveal any "To", "cc", or "bcc" fields. How is this stuff getting in my mailbox?

...JER
_________________________
...JER (-: >

#15775 - 05/28/11 11:43 PM Re: eMail question [Re: ...JER]
artie505 Online


Registered: 08/04/09
Originally Posted By: ...JER
I have gotten several spam emails that have no "To" field in the header. Using long headers doesn't reveal any "To", "cc", or "bcc" fields. How is this stuff getting in my mailbox?

...JER

Can't help, but I wonder whether the answer to your question will also explain how, from time to time, I've found spam in my mailbox that had any number of different "To" addresses, none of which was mine.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#15778 - 05/29/11 09:40 AM Re: eMail question [Re: ...JER]
MacManiac Offline

Moderator

Registered: 08/04/09
Loc: Paradise....on the central Ore...
My suspicion is that your address is being placed into the "Bcc" portion of the originating spam source and the actual addressees are all there instead of in the "To" field......
_________________________
Freedom is never free....thank a Service member today.

#15779 - 05/29/11 10:05 AM Re: eMail question [Re: MacManiac]
...JER Offline


Registered: 08/04/09
Thanks, that was my guess but I didn't know if there was another way to do it.
_________________________
...JER (-: >

#15781 - 05/29/11 01:26 PM Re: eMail question [Re: ...JER]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Remember that the first headers are created by the SENDING computer. Email clients and spammers have absolute control over the headers they place in them.

Most mailservers will append additional headers when they forward the message. Some will add a spamassassin score or an identifier for example, and most add information about the client that delivered the message to them.

Since most normal email passes through several mail gateways and servers en route to you, you can usually look at the full headers to follow its path to you. But I've seen at least a few cases where the spammer tried to make that difficult by adding path-like headers in the message before sending it into the system. Since it can be difficult to determine where the actual mailserver-provided headers start, you have to read them very carefully and determine at what point up the chain to stop trusting them. Client-provided headers that are attempting to look like mailserver routing headers are usually referred to as "forged headers".

It's becoming common for spammers and virus writers to add forged spamassassin/avg scanned/passed headers in an attempt to fool downstream mailservers and recipients. (Mailservers often will skip rescanning a message if it claims to have already been scanned.)
_________________________
I work for the Department of Redundancy Department
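
The header-trust check described in the post above, as an added example that is not part of the original thread: it walks the Received headers from the top (newest) down and stops at the hop where mail entered from outside, then lists routing and scan headers below that point as sender-supplied. The host names, IP addresses and sample message are constructed, the Received parsing is simplified, and it assumes each server prepends the headers it adds.

```python
import re
from email import message_from_string

# Assumed, hypothetical values: relays whose "by" stamp we accept, and the
# peer IPs of those same relays. Replace with your own mail path.
TRUSTED_BY = {"inbox.example.org", "mx.example.net"}
TRUSTED_PEER_IPS = {"203.0.113.10"}

# Constructed sample. The top two Received lines come from real hops; the
# X-Spam-Status and the bottom Received were supplied by the sender.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbox.example.org with ESMTP id A1; Sun, 29 May 2011 10:00:03 -0500
Received: from unknown (HELO mail.bank.example) (198.51.100.77)
\tby mx.example.net with SMTP id B2; Sun, 29 May 2011 10:00:01 -0500
X-Spam-Status: No, score=-2.0
Received: from internal.bank.example (internal.bank.example [10.0.0.5])
\tby mail.bank.example with ESMTP id C3; Sun, 29 May 2011 09:59:00 -0500
From: "Support" <support@bank.example>
Subject: sample

body
"""

# Peer IP as recorded by the receiving server, then the stamping host.
HOP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])].*?\bby\s+(\S+)", re.S)

def split_trust(raw):
    """Return (trusted_hops, handoff_ip, suspect_header_names)."""
    headers = message_from_string(raw).items()  # top-down, newest first
    trusted, handoff_ip, cut = [], None, 0
    for i, (name, value) in enumerate(headers):
        if name.lower() != "received":
            continue
        m = HOP.search(value)
        if not m or m.group(2) not in TRUSTED_BY:
            break                      # a stamp we cannot vouch for
        trusted.append(m.group(2))
        cut = i + 1                    # everything below is still unverified
        if m.group(1) not in TRUSTED_PEER_IPS:
            handoff_ip = m.group(1)    # mail entered our path from here
            break
    suspect = [n for n, _ in headers[cut:]
               if n.lower().startswith(("received", "x-spam", "x-virus"))]
    return trusted, handoff_ip, suspect

if __name__ == "__main__":
    print(split_trust(SAMPLE))
```

The handoff IP is the last value recorded by a server you trust; anything listed as suspect should be rescanned rather than believed.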

#15785 - 05/29/11 04:14 PM Re: eMail question [Re: MacManiac]
artie505 Online


Registered: 08/04/09
Originally Posted By: MacManiac
My suspicion is that your address is being placed into the "Bcc" portion of the originating spam source and the actual addressees are all there instead of in the "To" field......

That's a good thought, so I just tried it, and my e-mail got to me like so:

Quote:
From: Artie (Edited) <(Edited)@verizon.net>
Subject: sdfghjk
Date: May 29, 2011 7:59:05 PM EDT
To: Undisclosed recipients: ;
Return-Path: <(Edited)@verizon.net>
Received: from [192.168.1.46] ([unknown] [(Edited)]) by vms173001.mailsrvcs.net (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009)) with ESMTPA id <0LLZ005Y9EMH39D0@vms173001.mailsrvcs.net> for (Edited)@verizon.net; Sun, 29 May 2011 18:59:06 -0500 (CDT)
Message-Id: <894299AF-F901-43F5-9C91-FD250F202A34@verizon.net>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Original-Recipient: rfc822;(Edited)@verizon.net

Presumably, the "Undisclosed recipients" refers to the Bcc address, but the two red (Edited) addresses disclose it.

I guess each mail server handles such stuff differently?

But it could explain my spam. Hmmm... I'll have to pay closer attention next time.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
