Spam addressed to a sender but received by everyone else

Question

Spam's been getting through Postini lately that's addressed to a recipient (bob@example.com) in the To: field and in the headers. While this isn't that strange -- we've had spam get through before -- the fact that I can't tell how mail addressed to bob@example.com is going to myself and at least one other staff member.

The headers show that it's being received by Postini's gateway and sent to our Exchange Server, but spam or not, that shouldn't effect routing at all. None of us are getting any "regular" mail that's addressed to bob@example.com, just these spam messages. Just to make sure I wasn't crazy I telnet'ed into the Exchange Server from another machine and sent a message to bob@example.com and none of us got it.

I checked to see if there's delivery options with a forwarder on his Exchange mailbox, but there's none. I also checked to see if some distribution group was setup and there isn't.

Again, all of these checks I've done seem pointless because the rcpt to determines to what address delivery is attempted. I've turned on diagnostics logging to see if anything odd turns up but the Outlook headers shouldn't "lie", should they? Anything else I'm missing? We're running Exchange 2007 (SBS 2008).

score 5 · Accepted Answer · edited Oct 07 '21 at 06:47

5

This is just a BCC (Blind Carbon Copy). Test it by sending mail to Bob@example.com and BCCing yourself. It was originally specified in RFC 733 (replaced by RFC822 and later by RFC2822). Both RFC 2821 and RFC 2822 mention issues with BCC (see Security Considerations section).

edited Oct 07 '21 at 06:47

Community

1

answered Jul 02 '10 at 02:36

Jed Daniels

7,282
2
34
42

Wow I feel dumb; yeah, totally a BCC. Hey, it was Canada Day yesterday and was a few beers in. :) – WuckaChucka Jul 02 '10 at 13:07

Chris S · Answer 2 · 2010-07-02T13:23:45.410

The headers could say "To: The Whole World ", it means nothing to the actual routing and delivery of the message. The rcpt to:<you@example.com> is the only thing that matters; most servers also put the 'rcpt to' in the 'Received' header line.

Edit:
For example, I got an e-mail yesterday with these headers:

Received: from mx2.freebsd.org ([69.147.83.53])
     by aislynn.stoneyforest.net with esmtp; Thu, 01 Jul 2010 18:43:28 -0400
     id 00000108.4C2D1A10.00012CA8 for <chris[at]stoneyforest.net>
To: freebsd-security-notifications[at]freebsd.org,
     freebsd-announce[at]freebsd.org

In my e-mail reader it say "To: freebsd-announce[at]freebsd.org" and nothing at all about my e-mail address. If your running Exchange the e-mail has to come from an SMTP source for it to have the Received header; Exchange does not follow RFCs for internal e-mail.

Received is not in the header, but I was not aware of this at all. — WuckaChucka, Jul 02 '10 at 13:06

Spam addressed to a sender but received by everyone else

2 Answers2