TO Address missing from Header / Email
Question asked by Jason Wilhelm - 7/5/2019 at 12:58 PM
Answered
We have been seeing more spam that does not display the TO line. Looking at the headers, I am not able to see what email address these actually came in on. Anyone have any ideas?

Below is a copy of the header **edited** as well as a screenshot of how the message displays in webmail.

—HEADER—
Return-Path: <xxxxx@hughes.net>
Received: from smtp.hughes.net (smtp.hughes.net [69.168.97.48]) by mail.aksales.com with SMTP;
Thu, 4 Jul 2019 15:01:20 -0800
Return-Path: <xxxxx@hughes.net>
X-Authed-Username: c21lbHNlckBodWdoZXMubmV0
X_CMAE_Category: 0,0 Undefined,Undefined
X-CNFS-Analysis: v=2.1 cv=Zr1NU4PG c=1 sm=0 tr=0 a=x1h0AhohGG/RTEN8nKxOCg==:117 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=FKkrIqjQGGEA:10 a=OzoKo8IosRAA:10 a=LCQi__vR01sA:10 a=Tj91RCys1ClLmAzYAUkA:9 a=QEXdDO2ut3YA:10 a=ctaNYIjRYh9iwajjHFEA:9 a=_W_S_7VecoQA:10 a=jweTErd4iLRuMFRv-VAA:9 a=pa4nyK-_WsONU0Ym:18 a=KQqxNPgzF0kA:10
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
Authentication-Results: smtp01.hughes.cmh.synacor.com smtp.mail=xxxxx@hughes.net; spf=neutral; sender-id=neutral
Authentication-Results: smtp01.hughes.cmh.synacor.com header.from=xxxxx@hughes.net; sender-id=neutral
Received-SPF: neutral (smtp01.hughes.cmh.synacor.com: 10.33.66.7 is neither permitted nor denied by domain of hughes.net)
Received: from [10.33.66.7] ([10.33.66.7:44866] helo=md10.hughes.cmh.synacor.com)
by smtp.hughes.net (envelope-from <xxxxx    @hughes.net>)
(ecelerity 2.2.3.49 r(42060/42061)) with ESMTP
id 21/33-01829-C358E1D5; Thu, 04 Jul 2019 19:01:16 -0400
Date: Thu, 4 Jul 2019 19:01:16 -0400 (EDT)
From: MATTHEW xxxxxx <xxxxx@hughes.net>
Reply-To: compen <xx@exxxxxxxclusivemail.co.za>
Message-ID: <92683058.217549828.1562281276021.JavaMail.root@hughes.net>
In-Reply-To: <1927722475.217538691.1562280986012.JavaMail.root@hughes.net>
Subject: SPAM-MED: Your Delayed Payment
MIME-Version: 1.0
Content-Type: multipart/mixed; 
boundary="----=_Part_217549824_314386286.1562281276002"
X-Originating-IP: [173.225.115.253]
X-Mailer: Zimbra 7.2.7_GA_2942 (ZimbraWebClient - GC75 (Win)/7.2.6_GA_2926)
X-CTCH-RefId: str=0001.0A090208.5D1E8544.0044,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-CTCH-AVLevel: Unknown
X-SmarterMail-Spam: SPF [Pass]: -2, HostKarma - Whitelist: -4, UCEProtect Level 1: 3, Cyren [Unknown]: 0, Message Sniffer [code:58]: 30, DKIM [None]: 0
X-MessageSniffer-ResultCode: 58
X-SmarterMail-TotalSpamWeight: 27


8 Replies

0
Jade D Replied
There's a similar thread which affected Mimecast services - the sender will need to advise their provider of the issue.

PS Jason, you should redact all personal info considering that we're all subject to GDPR, and soon the POPI Act here in South Africa...
0
Jade D Replied
0
Jason Wilhelm Replied
Jade,
Thanks for the info. I did edit the account information in the post. Let me ask you this: can you think of a rule that could be used where any email that comes through like this gets flagged as high spam? I don't think I have seen any legitimate messages without a proper TO address.
0
Jade D Replied
I'd start by taking a look at your RBL and URBL settings; the sending server would not have been accepted on our servers based on the fact that it's blacklisted on a few RBLs.

Take a look at the rules and work that Steve has done.
0
Jade D Replied
PS, your Reply-To: compen is still not redacted ;)
0
Kyle Kerst Replied
Employee Post Marked As Answer
The missing FROM/SUBJECT issue was related only to emails received via a Mimecast device, and should no longer be affecting incoming messages from what I understand. These appear to be standard spam emails but with no FROM field specified. As such, I recommend you adjust the Null Address spam check weights under Settings>Antispam>Spam Checks. Here you can set the weight to ~20, at which point messages with no FROM header should be sent to the Junk Mail folder at the very least.
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Jason Wilhelm Replied
Thanks Kyle, I am on it!
1
Kyle Kerst Replied
Employee Post
Sounds good Jason. When you finish up with that I definitely recommend checking out the following KB article/blog posts as they detail some recent changes in those areas and how you can combat incoming spam better: 


Let me know how it goes for you. Have a great rest of your week!
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
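
Added example (not from any poster in this thread and not SmarterTools code): a small Python triage of the kind of header shown in the question. It assumes the delivery address is the SMTP envelope recipient, which appears in the headers only when a relay records a `for <address>` clause in a `Received:` line; the sample header, addresses and finding names are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the header in the question (placeholder addresses).
SAMPLE = """\
Return-Path: <sender@example.net>
Received: from smtp.example.net (smtp.example.net [192.0.2.48]) by mail.example.com with SMTP;
 Thu, 4 Jul 2019 15:01:20 -0800
Received: from [10.0.0.7] (helo=md10.example.net)
 by smtp.example.net (envelope-from <sender@example.net>) with ESMTP
 id 21/33-01829-C358E1D5; Thu, 04 Jul 2019 19:01:16 -0400
From: Some Sender <sender@example.net>
Reply-To: compen <reply@example.org>
Subject: Your Delayed Payment
MIME-Version: 1.0

body
"""

# Optional "for <addr>" clause a relay may add to its Received line.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)

def domain(addr):
    return addr.rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw)
    # Visible recipients: To and Cc values that parse to a real address.
    rcpt_headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = [a for _, a in getaddresses(rcpt_headers) if "@" in a]
    # Envelope recipient is recoverable only if a relay logged a "for" clause.
    envelope = [m.group(1) for r in msg.get_all("Received", [])
                for m in FOR_CLAUSE.finditer(r)]
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    findings = []
    if not visible:
        findings.append("no-visible-recipient")
    if not envelope:
        findings.append("envelope-recipient-not-in-headers")
    if reply_addr and domain(reply_addr) != domain(from_addr):
        findings.append("reply-to-domain-mismatch")
    return {"visible": visible, "envelope": envelope, "findings": findings}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

When the result includes `envelope-recipient-not-in-headers`, the receiving server's SMTP log for that session is the place to look for the recipient address.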
