TO Address missing from Header / Email
Question asked by Jason Wilhelm - 7/5/2019 at 12:58 PM
We have been seeing more spam that does not display the TO line. Looking at the headers I am not able to see what email addresst hese actually came in on, anyone have any ideas?

Below is a copy of the header **edited** as well as a screenshot of how the message displays in webmail.

Return-Path: <xxxxx@hughes.net>
Received: from smtp.hughes.net (smtp.hughes.net []) by mail.aksales.com with SMTP;
Thu, 4 Jul 2019 15:01:20 -0800
Return-Path: <xxxxx@hughes.net>
X-Authed-Username: c21lbHNlckBodWdoZXMubmV0
X_CMAE_Category: 0,0 Undefined,Undefined
X-CNFS-Analysis: v=2.1 cv=Zr1NU4PG c=1 sm=0 tr=0 a=x1h0AhohGG/RTEN8nKxOCg==:117 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=FKkrIqjQGGEA:10 a=OzoKo8IosRAA:10 a=LCQi__vR01sA:10 a=Tj91RCys1ClLmAzYAUkA:9 a=QEXdDO2ut3YA:10 a=ctaNYIjRYh9iwajjHFEA:9 a=_W_S_7VecoQA:10 a=jweTErd4iLRuMFRv-VAA:9 a=pa4nyK-_WsONU0Ym:18 a=KQqxNPgzF0kA:10
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
Authentication-Results: smtp01.hughes.cmh.synacor.com smtp.mail=xxxxx@hughes.net; spf=neutral; sender-id=neutral
Authentication-Results: smtp01.hughes.cmh.synacor.com header.from=xxxxx@hughes.net; sender-id=neutral
Received-SPF: neutral (smtp01.hughes.cmh.synacor.com: is neither permitted nor denied by domain of hughes.net)
Received: from [] ([] helo=md10.hughes.cmh.synacor.com)
by smtp.hughes.net (envelope-from <xxxxx    @hughes.net>)
(ecelerity r(42060/42061)) with ESMTP
id 21/33-01829-C358E1D5; Thu, 04 Jul 2019 19:01:16 -0400
Date: Thu, 4 Jul 2019 19:01:16 -0400 (EDT)
From: MATTHEW xxxxxx <xxxxx@hughes.net>
Reply-To: compen <xx@exxxxxxxclusivemail.co.za>
Message-ID: <92683058.217549828.1562281276021.JavaMail.root@hughes.net>
In-Reply-To: <1927722475.217538691.1562280986012.JavaMail.root@hughes.net>
Subject: SPAM-MED: Your Delayed Payment
MIME-Version: 1.0
Content-Type: multipart/mixed; 
X-Originating-IP: []
X-Mailer: Zimbra 7.2.7_GA_2942 (ZimbraWebClient - GC75 (Win)/7.2.6_GA_2926)
X-CTCH-RefId: str=0001.0A090208.5D1E8544.0044,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-CTCH-AVLevel: Unknown
X-SmarterMail-Spam: SPF [Pass]: -2, HostKarma - Whitelist: -4, UCEProtect Level 1: 3, Cyren [Unknown]: 0, Message Sniffer [code:58]: 30, DKIM [None]: 0
X-MessageSniffer-ResultCode: 58
X-SmarterMail-TotalSpamWeight: 27

10 Replies

Reply to Thread
Jade D Replied
Theres a similar thread which affected mimecast services - the sender will need to advise their provider of the issue.

PS Jason, you should redact all personal info considering that we're all subject to GDPR, and soon the POPI Act here in South Africa...
Jade D Replied
Jason Wilhelm Replied
 Thanks for the info. I did edit the account information in the post. Let me ask you this, can you think of a rule that could be used where any email that comes through like this gets flagged as high spam? I don't think I have seen any legitimate messages without a proper TO address.
Jade D Replied
Id start by taking a look at your RBL and URBL settings, the sending server would not have been accepted on our servers based on the fact that its blacklisted on a few RBL's

Take a look at the rules and work that Steve has done 
Jade D Replied
PS, your Reply-To: compen  is still not redacted ;)
Kyle Kerst Replied
Employee Post Marked As Answer
The missing FROM/SUBJECT issue was related only to emails received via a MIMECast device, and should no longer be affecting incoming messages from what I understand. These appear to be standard spam emails but with no FROM field specified. As such, I recommend you adjust the Null Address spam check weights under Settings>Antispam>Spam Checks. Here you can set the weight to ~20 at which point messages with no FROM header should be sent to Junk Mail folder at the very least. 
Kyle Kerst
System/Network Administrator
SmarterTools Inc.
(877) 357-6278
Jason Wilhelm Replied
Thanks Kyle, I am on it!
Kyle Kerst Replied
Employee Post
Sounds good Jason. When you finish up with that I definitely recommend checking out the following KB article/blog posts as they detail some recent changes in those areas and how you can combat incoming spam better: 

Let me know how it goes for you. Have a great rest of your week!
Kyle Kerst
System/Network Administrator
SmarterTools Inc.
(877) 357-6278
CTL Replied
pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                             for more information.
                            [URIs: outlook.com]
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 1.2 MISSING_HEADERS        Missing To: header
 0.1 URI_HEX                URI: URI hostname has long hexadecimal sequence
 0.1 MISSING_MID            Missing Message-Id: header
 1.8 MISSING_SUBJECT        Missing Subject: header
 1.0 MISSING_FROM           Missing From: header
-0.0 NO_RECEIVED            Informational: message has no Received headers
 1.4 MISSING_DATE           Missing Date: header
 0.0 NO_HEADERS_MESSAGE     Message appears to be missing most RFC-822 headers

Received: from SN1NAM04HT109.eop-NAM04.prod.protection.outlook.com (2603:10b6:4:16::28) by DM6PR20MB2890.namprd20.prod.outlook.com with HTTPS via DM5PR2001CA0018.NAMPRD20.PROD.OUTLOOK.COM; Tue, 10 Dec 2019 15:37:57 +0000 Received: from SN1NAM04FT055.eop-NAM04.prod.protection.outlook.com ( by SN1NAM04HT109.eop-NAM04.prod.protection.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.18; Tue, 10 Dec 2019 15:37:57 +0000 Authentication-Results: spf=pass (sender IP is smtp.mailfrom=domain.com; msn.com; dkim=pass (signature was verified) header.d=domain.com;msn.com; dmarc=pass action=none header.from=domain.com; Received-SPF: Pass (protection.outlook.com: domain of domain.com designates as permitted sender) receiver=protection.outlook.com; client-ip=; helo=ip-hostname.com; Received: from hostname.com ( by SN1NAM04FT055.mail.protection.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2495.18 via Frontend Transport; Tue, 10 Dec 2019 15:37:55 +0000 X-IncomingTopHeaderMarker: OriginalChecksum:16A32B0AD31D936B2C291A8A1588233F530479D71E65E6EA7E5C46DB530E66A6;UpperCasedChecksum:5D230915B8CAE4A3127B63A81AB1FACA48B87D2B99BA53067919801849AC36BE;SizeAsReceived:1120;Count:11 X-SmarterMail-Authenticated-As: binesh@domain.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.com; s=secure; h=content-type:mime-version:message-id:reply-to:date:subject:to :from; bh=TE2EDjIuFNmDS5BEW6/RHy/dpi+BUZaN3wH/505TvN0=; b=lbFVmayz2/BKyYqyTaJvtqHmrTYiEFj4zP+Qko8M0x3hQC4NRwOEiDjKXu52ZvtSc ozc4LyTCsCe1Ro7oeHPWjBn6c8Zra1esljPgf6iGYZHesMQ3j1xnSPx5IwJRA78qJ oqVfiN0FrkQFDO+n+PTggZT72En2ukWaRNNzsr+LMqIzBLX9qZ04CUUYjyEWdZ4rq AMLOoWA+4jW7wJ1S+zINxkmS1ENQymvCaiojEvIPNtmmZK5O0bRX4Ebs+CQZGWuBS CFIm/WruD2GsccCO7LDv7o7U582N23LkBvTWMgJb3quch+nJmxMX9Wb8rzYzZudie 36PT5gIKBf10e12lQ== From: "Binesh Shamunni" To: Subject: Hotmail Date: Tue, 10 Dec 2019 15:37:47 GMT Reply-To: binesh@domain.com Message-ID: Content-Type: multipart/alternative; boundary=46d27dbef45b4ecb908302ef7d881e73 X-Exim-Id: d01192b8d6de4111a92a1dd3b1c219d8 X-IncomingHeaderCount: 11 Return-Path: binesh@domain.com X-MS-Exchange-Organization-ExpirationStartTime: 10 Dec 2019 15:37:56.8257 (UTC) X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000 X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit X-MS-Exchange-Organization-Network-Message-Id: 9dcbeebe-50ba-4059-a2ac-08d77d86edff X-EOPAttributedMessage: 0 X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0 X-MS-Exchange-Organization-MessageDirectionality: Incoming X-Forefront-Antispam-Report: EFV:NLI; X-MS-Exchange-Organization-AuthSource: SN1NAM04FT055.eop-NAM04.prod.protection.outlook.com X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-PublicTrafficType: Email X-MS-UserLastLogonTime: 12/10/2019 3:35:45 PM X-MS-Office365-Filtering-Correlation-Id: 9dcbeebe-50ba-4059-a2ac-08d77d86edff X-MS-TrafficTypeDiagnostic: SN1NAM04HT109: X-MS-Exchange-EOPDirect: true X-Sender-IP: X-SID-PRA: BINESH@domain.COM X-SID-Result: PASS X-MS-Exchange-Organization-PCL: 2 X-Microsoft-Antispam: BCL:0; X-OriginatorOrg: outlook.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Dec 2019 15:37:55.5587 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 9dcbeebe-50ba-4059-a2ac-08d77d86edff X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-CrossTenant-FromEntityHeader: Internet X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1NAM04HT109 X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.9941850 X-MS-Exchange-Processed-By-BccFoldering: 15.20.2516.000 X-Microsoft-Antispam-Mailbox-Delivery: abwl:0;wl:1;pcwl:1;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:I;OFR:TrustedSenderList;ENG:(5062000261)(5061607266)(5061608174)(4900115)(4920090)(6510075)(4950130)(570107); X-Message-Info: 5vMbyqxGkddoCPm6T3bgzztAhmb7fP34GMjTzHoJs9ZCkKYuUHodCmM1q9xE0krzbJYC8rEnkoA/Flro03Pb1MW1mzcFDWWCVXdGiXmjMtLtwDN9n2CkvOcgm5v4HKdD1MRMHz75cbmfKLJ64pmSKwlIWzvXTxX3jIkIaW1oR35tMjpICfezwbB95qYOVP8aLBAPZGZn/mZ4GVFxekWiEw== X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0yO1NDTD0tMQ== X-Microsoft-Antispam-Message-Info: kEq1COIFOUGLrm2cKRwnzqP7ZkFdtKVnU2KHTwJU4cmnBGOyVbWALBis8I2SVy0961XqM4rGPZztuWo6mFJHXJFQMMJzkrlt5w91LYjW5aaU6rYx9lgItv/jvRcaWsq/tdyNjbM6pq+O3I3ukKuIx19ytJFjtl2brVl4EaNPuYr9RVqUCqA7rvPQ71/XhdSfhls80tpShfJfCHDGeCU/OtZec792LLiLIFyZvdSP4n1N9R19kNrzPQQaNWTUQvhCsylj0Yiy/WkWaUOEoIgPzpPhGu778n3HflA1GZ8TOv0G8cq5AN3nlw006dqJSrp4W4B1tjY3PIjgE8IWa/JGPKORkcfdt67bMWyhQbybm1tNvKjhwXHEAU/VuFNCNr3dSgJw1DHZ5Q29YadjAF9YN2fzAuyLVfC28zcK7Vkl47KuuAf8J2MdirI5KSmL5orXgVJ3JykIBklC0GovIlzjXYk6j77uM6/uMs0Z84AjB8sBc6R3NXOu19GdQKQzRDcWxffjj3Ovdr+ZMn5XUcyeC9tRzEdmnukylClYvRfVjSuJJ5e/WnUxRJLvUH8crzD1SiahGfZUyFjHe8A+fSHEYMpRToXFVgyG/eQZWsxbGnJP6/rSTzgBQHby5vQ8vQh2hdJFl8uG/Dcv07gGp+sF3PtCDAuwuzCoEAhJrfG48tTo4B/pgJBjcJkQlWR157hmtWnqRTS3pHcV6FC30p3G32JUFK3ZQHAaqbHa1ta60fbr1f/I1unTwiXl1Tp2aXxGdm3CdhbJXgfjOEwllWubFuO1L9ux6Jp+OlkifzDolpkNNV5+iorY7Y3DwzzpQLtLAx3BHYHUOrLBIbY7Nsc0jA== MIME-Version: 1.0

Missing header cause major mail went spam folder   Please advice

Douglas Foster Replied
Concepts:   The mail message is a document with markup based on the RFC for "Internet Message Format".  The document is transported using the SMTP protocol.   The protocol does not use the document contents for routing.  Instead, there is a virtual envelope transmitted during the SMTP connection request.    The Envelope-From and Envelope-To are used for routing, not the Message's From and To headers.   That is why you can receive an email where the To is a distribution list.    The Envelope-From and Envelope-To are not part of the document unless you have an email filter that logs that information in a message header.   Sometimes the Envelope-To is added to the Received header by appending "for user@domain" immediately before the semicolon and timestamp.   Other times the information appears as a custom header.  It appears that SmarterMail by itself does not add the Envelope-To information at all.

This regex on the header fields should find messages without a To: header:
(not contains)  \nTo:\s[^\n]+@ 
(Tested on regex101.com with the /m switch)

Reply to Thread