Re: E-mail related question.


From: N. Miller (nsm_at_blackhole.aosake.net)
Date: 04/20/04


Date: Tue, 20 Apr 2004 16:49:53 -0700

In article <148101c4266c$41fb7ae0$a301280a@phx.gbl>, mexxpers@yahoo.com
says...

> Every now and then I get e-mails that have no
> sender name, are about 500kb large and when I open them
> there's not a word in them.
> How is this possible and where do these e-mails come
> from, since there's no sender name, not even an address to see
> where they came from?
> Explanation would be appreciated!

In SMTP, there are only a few requirements to move a message. There has to
be a HELO from the sending client. This can be anything the sender wants it
to be. There has to be a MAIL FROM: <email address>. This can be anything
that the sender wants it to be; but this is not the same as the From: <email
address>. There has to be a RCPT TO: <email address>. This can be anything
the sender wants it to be; but you won't get the email unless it is your
email address. This is not the same as the To: <email address>.

Pretty much that is it. Date:, Subject:, To:, Cc:, From:, even the message
body itself, are all optional, and need not be present. You can even test
this by using Telnet to send a message from your computer to your ISP's MX,
if you know how to do it.

How to know where the message comes from? All messages delivered by SMTP
service will have headers which detail the routing. Here is an example of an
email sent by Telnet to my own local MTA:

> 004: Return-path: <somebody@wild.invalid>
> 002: Received: from forged.domain (64.161.30.125) by aosake.net (Mercury/32 v4.01a) ID MG00007E;
> 002: 20 Apr 2004 16:07:01 -0700

That is it. Of course, I had to add <somebody@wild.invalid> to an exception
list to avoid the "555 Message rejected: site policy requires all mail to
have a 'Subject' field." message with which my MTA normally responds to
messages with no "Subject". The sequence is correct; the sequence numbers
match the SMTP commands, which are shown below. In accordance with my overly simple
description of the SMTP process, "HELO" = "forged.domain", and "MAIL FROM" =
"somebody@wild.invalid". The "RCPT TO" can be inferred from the receiving
account. Email is not delivered to accounts except when there is a valid
"RCPT TO" in the envelope. If you get an email to <anybody@example.com>,
then there was a "RCPT TO: <anybody@example.com>" in the received message.
Some ISPs, but not all, will include the envelope to address. Yahoo! records
this as "X-Apparently-To: <somebody@yahoo.invalid>".

As for the source, there is only one valid identifier of the source of the
message: the IP address. Both of the lines above were created by the local
MTA. The MTA recorded the IP address of the connecting computer, and the
local time; everything else is what the sender claimed. A little work with
Sam Spade will reveal the source; sort of. If you look it up, you will see
that it is one of the Pacbell PPPoX pools of customer IP addresses.
Presumably the Pacbell administrator could match the time in that message
with their logs of which customer was connected to the Internet when that
message was sent.

If you wanted to complain, a message to the abuse department of the ISP
responsible for the IP address would be in line. Include the full headers
with the complaint. If there is a virus, do not include the full message. I
usually include the MIME headers, and just the first three, or so, lines of
the base64 encoded viral code. Otherwise, just delete the message.

I should point out that if you are receiving email through your ISP's POP3
servers, there could be two or more "Received:" lines. Email to my Juno
accounts has two such lines for internal hand-offs, plus a third to detail
the remote connection. You need to look at a piece of good email to sort out
the routing lines your server adds locally.

-- 
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
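Added example (not part of Norman's post): a small Python script that applies the reading of "Received:" lines described above. It parses a constructed message that arrived with only the SMTP envelope (no From:, Subject: or body), separates the envelope sender in Return-path from the absent From: header, and walks the Received: lines from the newest hop towards the origin, stopping at the last line written by an MTA we control, since only the IP recorded there identifies the connecting client. The host names, the 192.0.2.45 address and the set of trusted hosts are assumptions for the example.

```python
import email
import re
from email import policy

# Constructed sample (not from the post): a message that arrived with only the
# SMTP envelope -- no From:, To:, Subject: or body -- and two Received: lines,
# one for the ISP's internal hand-off and one for the external connection.
# Host names and the 192.0.2.45 address are made up for this example.
RAW_MESSAGE = b"""Return-path: <somebody@wild.invalid>
Received: from mx1.isp.invalid (10.0.0.7) by pop.isp.invalid (Example MDA) ID AB01;
 20 Apr 2004 16:07:05 -0700
Received: from forged.domain (192.0.2.45) by mx1.isp.invalid (Example MTA) ID MG00007E;
 20 Apr 2004 16:07:01 -0700

"""

# "from <HELO name> (<IP>) by <recording host>": the HELO name is whatever the
# sender claimed; the IP and the "by" host were written by the receiving MTA.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<ip>[0-9.]+)\)\s+by\s+(?P<by>\S+)")


def parse_received(raw):
    """Return one dict per Received: line, in header order (newest hop first)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(value).split()))  # unfold whitespace
        if m:
            hops.append({"helo_claimed": m["helo"], "ip_recorded": m["ip"],
                         "by": m["by"].lower()})
    return hops


def origin_hop(raw, trusted_hosts):
    """Find the Received: line that recorded the external connecting client.

    Each MTA prepends its own line, so we walk from the newest hop towards the
    origin while the recording host is one of ours (the lines our own server or
    ISP added for internal hand-offs). The last such line holds the only
    trustworthy identifier of the source: the IP the MTA saw connecting."""
    origin = None
    for hop in parse_received(raw):
        if hop["by"] not in trusted_hosts:
            break  # everything below here was written by hosts we do not control
        origin = hop
    return origin


def envelope_vs_header(raw):
    """Envelope sender (Return-path, from MAIL FROM) vs. the optional From: header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return str(msg["Return-path"]), msg["From"]
```

For a real complaint, the abuse contact for the IP in the origin hop is the one to use, and the HELO name next to it should be treated as a claim, not evidence.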

