TO Address missing from Header / Email

Question asked by Jason Wilhelm - 7/5/2019 at 12:58 PM

Answered

We have been seeing more spam that does not display the TO line. Looking at the headers I am not able to see what email addresst hese actually came in on, anyone have any ideas?

Below is a copy of the header **edited** as well as a screenshot of how the message displays in webmail.

—HEADER—

Return-Path: <xxxxx@hughes.net>

Received: from smtp.hughes.net (smtp.hughes.net [69.168.97.48]) by mail.aksales.com with SMTP;

Thu, 4 Jul 2019 15:01:20 -0800

Return-Path: <xxxxx@hughes.net>

X-Authed-Username: c21lbHNlckBodWdoZXMubmV0

X_CMAE_Category: 0,0 Undefined,Undefined

X-CNFS-Analysis: v=2.1 cv=Zr1NU4PG c=1 sm=0 tr=0 a=x1h0AhohGG/RTEN8nKxOCg==:117 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=FKkrIqjQGGEA:10 a=OzoKo8IosRAA:10 a=LCQi__vR01sA:10 a=Tj91RCys1ClLmAzYAUkA:9 a=QEXdDO2ut3YA:10 a=ctaNYIjRYh9iwajjHFEA:9 a=_W_S_7VecoQA:10 a=jweTErd4iLRuMFRv-VAA:9 a=pa4nyK-_WsONU0Ym:18 a=KQqxNPgzF0kA:10

X-CM-Score: 0

X-Scanned-by: Cloudmark Authority Engine

Authentication-Results: smtp01.hughes.cmh.synacor.com smtp.mail=xxxxx@hughes.net; spf=neutral; sender-id=neutral

Authentication-Results: smtp01.hughes.cmh.synacor.com header.from=xxxxx@hughes.net; sender-id=neutral

Received-SPF: neutral (smtp01.hughes.cmh.synacor.com: 10.33.66.7 is neither permitted nor denied by domain of hughes.net)

Received: from [10.33.66.7] ([10.33.66.7:44866] helo=md10.hughes.cmh.synacor.com)

by smtp.hughes.net (envelope-from <xxxxx @hughes.net>)

(ecelerity 2.2.3.49 r(42060/42061)) with ESMTP

id 21/33-01829-C358E1D5; Thu, 04 Jul 2019 19:01:16 -0400

Date: Thu, 4 Jul 2019 19:01:16 -0400 (EDT)

From: MATTHEW xxxxxx <xxxxx@hughes.net>

Reply-To: compen <xx@exxxxxxxclusivemail.co.za>

Message-ID: <92683058.217549828.1562281276021.JavaMail.root@hughes.net>

In-Reply-To: <1927722475.217538691.1562280986012.JavaMail.root@hughes.net>

Subject: SPAM-MED: Your Delayed Payment

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_Part_217549824_314386286.1562281276002"

X-Originating-IP: [173.225.115.253]

X-Mailer: Zimbra 7.2.7_GA_2942 (ZimbraWebClient - GC75 (Win)/7.2.6_GA_2926)

X-CTCH-RefId: str=0001.0A090208.5D1E8544.0044,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0

X-CTCH-AVLevel: Unknown

X-SmarterMail-Spam: SPF [Pass]: -2, HostKarma - Whitelist: -4, UCEProtect Level 1: 3, Cyren [Unknown]: 0, Message Sniffer [code:58]: 30, DKIM [None]: 0

X-MessageSniffer-ResultCode: 58

X-SmarterMail-TotalSpamWeight: 27

10 Replies

Reply to Thread

Jade D Replied

7/5/2019 at 3:15 PM

Theres a similar thread which affected mimecast services - the sender will need to advise their provider of the issue.

PS Jason, you should redact all personal info considering that we're all subject to GDPR, and soon the POPI Act here in South Africa...

Jade https://absolutehosting.co.za

Jade D Replied

7/5/2019 at 3:17 PM

Jade https://absolutehosting.co.za

Jason Wilhelm Replied

7/5/2019 at 3:57 PM

Jade,

Thanks for the info. I did edit the account information in the post. Let me ask you this, can you think of a rule that could be used where any email that comes through like this gets flagged as high spam? I don't think I have seen any legitimate messages without a proper TO address.

Jade D Replied

7/5/2019 at 4:34 PM

Id start by taking a look at your RBL and URBL settings, the sending server would not have been accepted on our servers based on the fact that its blacklisted on a few RBL's

http://multirbl.valli.org/lookup/69.168.97.48.html

Take a look at the rules and work that Steve has done

https://portal.smartertools.com/community/a92147/smartermail-17-spam-settings.aspx

Jade https://absolutehosting.co.za

Jade D Replied

7/5/2019 at 4:34 PM

PS, your Reply-To: compen is still not redacted ;)

Jade https://absolutehosting.co.za

Kyle Kerst Replied

7/8/2019 at 9:50 AM

Employee Post Marked As Answer

The missing FROM/SUBJECT issue was related only to emails received via a MIMECast device, and should no longer be affecting incoming messages from what I understand. These appear to be standard spam emails but with no FROM field specified. As such, I recommend you adjust the Null Address spam check weights under Settings>Antispam>Spam Checks. Here you can set the weight to ~20 at which point messages with no FROM header should be sent to Junk Mail folder at the very least.

Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com

Jason Wilhelm Replied

7/8/2019 at 10:48 AM

Thanks Kyle, I am on it!

Kyle Kerst Replied

7/8/2019 at 4:08 PM

Employee Post

Sounds good Jason. When you finish up with that I definitely recommend checking out the following KB article/blog posts as they detail some recent changes in those areas and how you can combat incoming spam better:

https://portal.smartertools.com/kb/a2734/recommended-spam-settings.aspx

https://www.smartertools.com/blog/2019/02/18-understanding-spam

https://www.smartertools.com/blog/2019/04/09-understanding-spf-dkim-dmarc

Let me know how it goes for you. Have a great rest of your week!

Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com

CTL Replied

12/10/2019 at 9:21 AM

pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [URIs: outlook.com]
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 1.2 MISSING_HEADERS        Missing To: header
 0.1 URI_HEX                URI: URI hostname has long hexadecimal sequence
 0.1 MISSING_MID            Missing Message-Id: header
 1.8 MISSING_SUBJECT        Missing Subject: header
 1.0 MISSING_FROM           Missing From: header
-0.0 NO_RECEIVED            Informational: message has no Received headers
 1.4 MISSING_DATE           Missing Date: header
 0.0 NO_HEADERS_MESSAGE     Message appears to be missing most RFC-822 headers

Received: from SN1NAM04HT109.eop-NAM04.prod.protection.outlook.com (2603:10b6:4:16::28) by DM6PR20MB2890.namprd20.prod.outlook.com with HTTPS via DM5PR2001CA0018.NAMPRD20.PROD.OUTLOOK.COM; Tue, 10 Dec 2019 15:37:57 +0000 Received: from SN1NAM04FT055.eop-NAM04.prod.protection.outlook.com (10.152.88.60) by SN1NAM04HT109.eop-NAM04.prod.protection.outlook.com (10.152.89.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.18; Tue, 10 Dec 2019 15:37:57 +0000 Authentication-Results: spf=pass (sender IP is 1.1.1.1) smtp.mailfrom=domain.com; msn.com; dkim=pass (signature was verified) header.d=domain.com;msn.com; dmarc=pass action=none header.from=domain.com; Received-SPF: Pass (protection.outlook.com: domain of domain.com designates 1.1.1.1 as permitted sender) receiver=protection.outlook.com; client-ip=1.1.1.1; helo=ip-hostname.com; Received: from hostname.com (1.1.1.1) by SN1NAM04FT055.mail.protection.outlook.com (10.152.89.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2495.18 via Frontend Transport; Tue, 10 Dec 2019 15:37:55 +0000 X-IncomingTopHeaderMarker: OriginalChecksum:16A32B0AD31D936B2C291A8A1588233F530479D71E65E6EA7E5C46DB530E66A6;UpperCasedChecksum:5D230915B8CAE4A3127B63A81AB1FACA48B87D2B99BA53067919801849AC36BE;SizeAsReceived:1120;Count:11 X-SmarterMail-Authenticated-As: binesh@domain.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.com; s=secure; h=content-type:mime-version:message-id:reply-to:date:subject:to :from; bh=TE2EDjIuFNmDS5BEW6/RHy/dpi+BUZaN3wH/505TvN0=; b=lbFVmayz2/BKyYqyTaJvtqHmrTYiEFj4zP+Qko8M0x3hQC4NRwOEiDjKXu52ZvtSc ozc4LyTCsCe1Ro7oeHPWjBn6c8Zra1esljPgf6iGYZHesMQ3j1xnSPx5IwJRA78qJ oqVfiN0FrkQFDO+n+PTggZT72En2ukWaRNNzsr+LMqIzBLX9qZ04CUUYjyEWdZ4rq AMLOoWA+4jW7wJ1S+zINxkmS1ENQymvCaiojEvIPNtmmZK5O0bRX4Ebs+CQZGWuBS CFIm/WruD2GsccCO7LDv7o7U582N23LkBvTWMgJb3quch+nJmxMX9Wb8rzYzZudie 36PT5gIKBf10e12lQ== From: "Binesh Shamunni" To: Subject: Hotmail Date: Tue, 10 Dec 2019 15:37:47 GMT Reply-To: binesh@domain.com Message-ID: Content-Type: multipart/alternative; boundary=46d27dbef45b4ecb908302ef7d881e73 X-Exim-Id: d01192b8d6de4111a92a1dd3b1c219d8 X-IncomingHeaderCount: 11 Return-Path: binesh@domain.com X-MS-Exchange-Organization-ExpirationStartTime: 10 Dec 2019 15:37:56.8257 (UTC) X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000 X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit X-MS-Exchange-Organization-Network-Message-Id: 9dcbeebe-50ba-4059-a2ac-08d77d86edff X-EOPAttributedMessage: 0 X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0 X-MS-Exchange-Organization-MessageDirectionality: Incoming X-Forefront-Antispam-Report: EFV:NLI; X-MS-Exchange-Organization-AuthSource: SN1NAM04FT055.eop-NAM04.prod.protection.outlook.com X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-PublicTrafficType: Email X-MS-UserLastLogonTime: 12/10/2019 3:35:45 PM X-MS-Office365-Filtering-Correlation-Id: 9dcbeebe-50ba-4059-a2ac-08d77d86edff X-MS-TrafficTypeDiagnostic: SN1NAM04HT109: X-MS-Exchange-EOPDirect: true X-Sender-IP: 1.1.1.1 X-SID-PRA: BINESH@domain.COM X-SID-Result: PASS X-MS-Exchange-Organization-PCL: 2 X-Microsoft-Antispam: BCL:0; X-OriginatorOrg: outlook.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Dec 2019 15:37:55.5587 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 9dcbeebe-50ba-4059-a2ac-08d77d86edff X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-CrossTenant-FromEntityHeader: Internet X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1NAM04HT109 X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.9941850 X-MS-Exchange-Processed-By-BccFoldering: 15.20.2516.000 X-Microsoft-Antispam-Mailbox-Delivery: abwl:0;wl:1;pcwl:1;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:I;OFR:TrustedSenderList;ENG:(5062000261)(5061607266)(5061608174)(4900115)(4920090)(6510075)(4950130)(570107); X-Message-Info: 5vMbyqxGkddoCPm6T3bgzztAhmb7fP34GMjTzHoJs9ZCkKYuUHodCmM1q9xE0krzbJYC8rEnkoA/Flro03Pb1MW1mzcFDWWCVXdGiXmjMtLtwDN9n2CkvOcgm5v4HKdD1MRMHz75cbmfKLJ64pmSKwlIWzvXTxX3jIkIaW1oR35tMjpICfezwbB95qYOVP8aLBAPZGZn/mZ4GVFxekWiEw== X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0yO1NDTD0tMQ== X-Microsoft-Antispam-Message-Info: kEq1COIFOUGLrm2cKRwnzqP7ZkFdtKVnU2KHTwJU4cmnBGOyVbWALBis8I2SVy0961XqM4rGPZztuWo6mFJHXJFQMMJzkrlt5w91LYjW5aaU6rYx9lgItv/jvRcaWsq/tdyNjbM6pq+O3I3ukKuIx19ytJFjtl2brVl4EaNPuYr9RVqUCqA7rvPQ71/XhdSfhls80tpShfJfCHDGeCU/OtZec792LLiLIFyZvdSP4n1N9R19kNrzPQQaNWTUQvhCsylj0Yiy/WkWaUOEoIgPzpPhGu778n3HflA1GZ8TOv0G8cq5AN3nlw006dqJSrp4W4B1tjY3PIjgE8IWa/JGPKORkcfdt67bMWyhQbybm1tNvKjhwXHEAU/VuFNCNr3dSgJw1DHZ5Q29YadjAF9YN2fzAuyLVfC28zcK7Vkl47KuuAf8J2MdirI5KSmL5orXgVJ3JykIBklC0GovIlzjXYk6j77uM6/uMs0Z84AjB8sBc6R3NXOu19GdQKQzRDcWxffjj3Ovdr+ZMn5XUcyeC9tRzEdmnukylClYvRfVjSuJJ5e/WnUxRJLvUH8crzD1SiahGfZUyFjHe8A+fSHEYMpRToXFVgyG/eQZWsxbGnJP6/rSTzgBQHby5vQ8vQh2hdJFl8uG/Dcv07gGp+sF3PtCDAuwuzCoEAhJrfG48tTo4B/pgJBjcJkQlWR157hmtWnqRTS3pHcV6FC30p3G32JUFK3ZQHAaqbHa1ta60fbr1f/I1unTwiXl1Tp2aXxGdm3CdhbJXgfjOEwllWubFuO1L9ux6Jp+OlkifzDolpkNNV5+iorY7Y3DwzzpQLtLAx3BHYHUOrLBIbY7Nsc0jA== MIME-Version: 1.0

Missing header cause major mail went spam folder Please advice

Thanks

Binesh

Douglas Foster Replied

12/25/2019 at 8:32 PM

Concepts: The mail message is a document with markup based on the RFC for "Internet Message Format". The document is transported using the SMTP protocol. The protocol does not use the document contents for routing. Instead, there is a virtual envelope transmitted during the SMTP connection request. The Envelope-From and Envelope-To are used for routing, not the Message's From and To headers. That is why you can receive an email where the To is a distribution list. The Envelope-From and Envelope-To are not part of the document unless you have an email filter that logs that information in a message header. Sometimes the Envelope-To is added to the Received header by appending "for user@domain" immediately before the semicolon and timestamp. Other times the information appears as a custom header. It appears that SmarterMail by itself does not add the Envelope-To information at all.

This regex on the header fields should find messages without a To: header:

(not contains) \nTo:\s[^\n]+@

(Tested on regex101.com with the /m switch)

Back to Community Threads

Please leave this box unchecked

10 Replies

Reply to Thread

Tags

Related Knowledge Base Articles