
Possible Duplicate:
How can email possibly be routed to the right place with no to: address?

I've seen this quite a few times now. I will receive an email at a domain that I manage (colin@example.com) from an @yahoo.com account but the To header has an email at some entirely unrelated domain name! The DKIM signature contains the To header and they pass validation. How can this be?

Example:

Return-Path: <kinani_lim@yahoo.com>
Received: from nm8.bullet.mail.ukl.yahoo.com (nm8.bullet.mail.ukl.yahoo.com [217.146.182.249]) by mx.example.com with SMTP;
   Mon, 19 Nov 2012 16:38:59 -0500
Received: from [217.12.10.106] by nm8.bullet.mail.ukl.yahoo.com with NNFMP; 19 Nov 2012 21:38:56 -0000
Received: from [217.146.183.128] by tm20.bullet.mail.ukl.yahoo.com with NNFMP; 19 Nov 2012 21:38:40 -0000
Received: from [127.0.0.1] by smtp113.mail.ukl.yahoo.com with NNFMP; 19 Nov 2012 21:38:40 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1353361120; bh=uCWr2zakkKwpxVn224ejIuEu24fxI7P+IKguxaa4T50=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Message-ID:Date:From:Subject:To:Content-Type:X-Mailer; b=O6...(shortened)
X-Yahoo-Newman-Id: 158288.17799.bm@smtp113.mail.ukl.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: 7YH8p9Y...(shortened)
Received: from uxprj (kinani_lim@80.50.126.134 with login)
        by smtp113.mail.ukl.yahoo.com with SMTP; 19 Nov 2012 13:38:40 -0800 PST
Message-ID: <50AA5277.4653079B@smtp.mail.yahoo.com>
Date: Mon, 19 Nov 2012 15:38:40 -0600
From: "kinani_lim@yahoo.com" <kinani_lim@yahoo.com>
Subject: You have (1) new ecard!
To: vandevender78@sbcglobal.net
Content-Type: text/plain; charset=UTF-8
X-Mailer: Opera/6.05 (Windows 2000; U) [fi]

Click here to read it now! http://bit.ly/TMCHTA

To clarify: The above is an actual email that was sent to colin@example.com even though the To header shows an sbcglobal.net address.

Perhaps if I understand how the spammers are doing this I can prevent it on my server. If it matters, my server is running SmarterMail 10.x.

ColinM

3 Answers

4

The correct answer would be "read the RFC", but an easier-to-remember version would be "that's exactly how mailing lists work". You send an email "to" the mailing list, and then it gets delivered to all subscribers. None of the subscribers are in the To, Cc, or Bcc lines.

chutz
3

If I send you a letter, DKIM just confirms that I sent it and it wasn't tampered with.

The To header in the body of the email specifies who the body of the letter was written to, not who it was sent to. If I write a letter to Jack and send a copy to you, the To header should read Jack. The letter is to Jack, you're just receiving a copy. Think of the To header as specifying the person the sender claims the letter was originally addressed to.

David Schwartz
  • So is this behaviour RFC-compliant? I know most headers can easily be spoofed, but it seems the MTA should require the recipient to appear in either the To, Cc or Bcc header. – ColinM Nov 20 '12 at 00:13
  • Why? If I forward a copy of a letter to you, you shouldn't be in any of those fields. The letter wasn't written to you, so you shouldn't be in the `To` field. Nobody knows I sent you a copy, so you shouldn't be in the `Cc` field. And the whole point of `Bcc` is that the recipient *doesn't* appear in the body in a field. So none of those apply. The *letter* isn't to you in any way, someone just put a copy in an envelope addressed to you. There's no reason to molest the letter -- the point of an envelope is to protect the letter. – David Schwartz Nov 20 '12 at 00:16
  • Duh, no idea why I wasn't thinking about it that way.. Damn spammers got me all confused. – ColinM Nov 20 '12 at 00:18
  • And spam controls operate chiefly on the *envelope* -- asking "who said you should receive this letter?" not "who is this letter to?" However, some applications do consider emails with mismatched envelope/body fields more likely to be spam, which can cause problems for legitimate forwarding and copying. – David Schwartz Nov 20 '12 at 00:28
2

The To: header is usually the same as the addresses of at least one of the recipients. Header addresses are like the contents of a letter. A letter can be addressed to anyone or no one, but it has no impact on who the mail is actually delivered to. The letter is placed in an envelope and the envelope is addressed to someone. Delivery depends on what is on the outside of the envelope, not the contents of the envelope.

Email delivery works like a letter. The headers and contents of the message are treated like a letter, and are ignored when it comes to delivery. The delivery mechanism relies on a separate set of addresses known as the envelope addresses. Delivery will be attempted to any destination addresses specified on the envelope.

For most software, the addresses specified as To: or CC: will be the recipients and will be written to the headers. Additional BCC: addresses will be added to the envelope, but not written to the headers. Programs which generate email may not follow this behaviour.

Spambots (programs sending Spam) often have a fixed message which is sent out to a long list of recipients. This is one type of software which will generate the kind of email you received. There are legitimate cases which lead to the behavior you are seeing:

  • BCC addresses are not expected to appear in the headers. This includes broadcast messages sent to "Undisclosed recipients".
  • Redirected email, including mailing list distributions.
BillThor
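The envelope/header split that David Schwartz's comments and BillThor's answer describe, as an added example that is not from the thread or from SmarterMail: it shows that the DKIM h= tag covers only the letter's headers (the envelope recipient from RCPT TO is never signed), and it computes the mismatch a filter could use as a weak signal. The sample message, the domains and the placeholder signature values are constructed; the envelope recipient is assumed to be handed over separately by the MTA, as any delivery agent receives it.

```python
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

# Constructed sample modelled on the thread's headers (hypothetical domains,
# placeholder signature values); the envelope recipient is NOT in this text.
SAMPLE = """\
Return-Path: <sender@example.org>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel;
 h=From:Subject:To:Date; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: "sender" <sender@example.org>
Subject: You have (1) new ecard!
To: someone-else@example.net
Date: Mon, 19 Nov 2012 15:38:40 -0600

body
"""


def header_recipients(raw):
    """Addresses written inside the 'letter' (To/Cc), lower-cased."""
    msg = message_from_string(raw, policy=default)
    pairs = getaddresses(msg.get_all("to", []) + msg.get_all("cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def dkim_signed_headers(raw):
    """Header names listed in the DKIM-Signature h= tag, lower-cased.
    Nothing about the envelope (RCPT TO) can appear here: DKIM signs the
    letter, not the envelope, so a foreign To: still verifies."""
    sig = message_from_string(raw, policy=default).get("dkim-signature", "")
    tags = {}
    for kv in sig.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return {h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()}


def envelope_mismatch(raw, envelope_rcpts):
    """Envelope recipients (from RCPT TO, supplied by the MTA) absent from
    To/Cc. Non-empty is only a weak spam signal: Bcc, forwarding and mailing
    lists legitimately produce exactly the same mismatch."""
    named = header_recipients(raw)
    return sorted({r.lower() for r in envelope_rcpts} - named)


if __name__ == "__main__":
    print("DKIM covers:", sorted(dkim_signed_headers(SAMPLE)))
    print("not in To/Cc:", envelope_mismatch(SAMPLE, ["colin@example.com"]))
```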