[BUGS] mail with odd headers .. me thinks

Greg 'groggy' Lehey grog at FreeBSD.org
Tue Jan 8 15:35:36 EST 2008


On Tuesday,  8 January 2008 at 11:05:57 +1100, Andrew Reilly wrote:
> On Tue, 8 Jan 2008 10:42:42 +1100, Martin Barry <marty at supine.com> wrote:
>
>> $quoted_author = "jonathan michaels" ;
>>>
>>> i received an odd spam this morning .. i have looked at it and
>>> cannot find how it is addressed so as to come here to me
>
> You can't necessarily see that, from the headers in a stored
> message file.  To get to you there would have been *some* correct
> form of address in the SMTP envelope, but (it seems from the rest
> of the message), your MTA does not include that information in
> the Received: line that it adds.

Indeed.  The To: and Cc: headers are purely informative, and may lie.

> If Jonathan's SMTP installation doesn't record the envelope MAIL
> TO: address, then it's gone forever.

Unless it's in the log file.

> Some mailers will say something like "Received: from fake.address
> ([sender's IP]) by my.smtp.server (version) with SMTP id msgID for
> envelope-to"

More specifically, these are the relevant headers for the message to
which I'm replying:

> X-Original-To: grog at lemis.com
> Delivered-To: grog at ozlabs.org
> Received: from mail4out.barnet.com.au (mail4.barnet.com.au [202.83.178.125])
>         (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
>         (Client CN "mail4out.barnet.com.au", Issuer "*.barnet.com.au" (not verified))
>         by ozlabs.org (Postfix) with ESMTP id C66B2DDE2F
>         for <grog at lemis.com>; Tue,  8 Jan 2008 11:08:04 +1100 (EST)
> From: Andrew Reilly <andrew at areilly.bpc-users.org>
> To: BUGS - Generic chat <bugs at bugs.au.freebsd.org>

So this message, too, doesn't have me in a To: or Cc: header.  The
same will apply to everybody who gets this message.

> My qmail-smtp server doesn't seem to, but I've seen Postfix servers
> do it.

Yes, as shown above.

>> maybe search your mail logs for the message ID?
>
> That could have it, if it came directly.  The original envelope
> address can very easily get wiped off or changed by intermediary
> MTAs. (and things like fetchmail)

It looks to me as if jlm is running sendmail.  I think the log file
should contain that info, but it's been a while since I've used
sendmail.

Greg
--
See complete headers for address and phone numbers.
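
Added example, not part of the original post: a Python sketch of the header check discussed in this thread. It pulls envelope-derived recipients out of a stored message (X-Original-To, Delivered-To, and the optional "for" clause of Received:) and reports those that appear in neither To: nor Cc:. The sample message, its addresses, and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (hosts and addresses are made up for this example).
SAMPLE = """\
X-Original-To: alice@example.org
Delivered-To: alice@mx.example.net
Received: from out.example.com (out.example.com [192.0.2.25])
\tby mx.example.net (Postfix) with ESMTP id ABC123DEF0
\tfor <alice@example.org>; Tue,  8 Jan 2008 11:08:04 +1100 (EST)
Received: from localhost (localhost [127.0.0.1])
\tby out.example.com (Postfix) with ESMTP id 1234567890; Tue,  8 Jan 2008 11:08:01 +1100
From: Bob <bob@example.com>
To: Some list <list@lists.example.org>
Subject: test

body
"""

# The "for" clause is optional; not every MTA writes it into Received:.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?\s*;", re.I)

def envelope_hints(raw):
    """Collect recipient addresses that MTAs recorded from the SMTP envelope."""
    msg = message_from_string(raw)
    hints = []
    for name in ("X-Original-To", "Delivered-To"):
        for value in msg.get_all(name, []):
            hints.append((name, value.strip().lower()))
    for value in msg.get_all("Received", []):
        # Unfold continuation lines before searching for the "for" clause.
        m = FOR_CLAUSE.search(" ".join(value.split()))
        if m:
            hints.append(("Received", m.group(1).lower()))
    return hints

def visible_recipients(raw):
    """Addresses in To:/Cc:, which are informational only."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def hidden_recipients(raw):
    """Envelope-derived addresses that appear in neither To: nor Cc:."""
    return sorted({a for _, a in envelope_hints(raw)} - visible_recipients(raw))

if __name__ == "__main__":
    print(hidden_recipients(SAMPLE))
```

An empty result from `envelope_hints` means the receiving MTA recorded nothing in the headers, in which case the MTA log is the remaining place to look.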