Internal Security - Emails not getting to the correct people
Problem reported by YS Tech - 3/24/2025 at 9:11 AM
I've recently had a couple of instances where a few people I know have received emails supposedly sent to a person (outside of the SM server) from an account on my SM server. This email doesn't get to that person, but my friend (on my server) has received it (not in the To list of recipients and of no relation to the company or person sending the email).
When I check the header information, the person it gets delivered to is in the X-Rcpt-To: field.
The person who receives the email is also in the Authentication-Results: field as what looks like a bounce address.
e.g.:
Authentication-Results: spool.mail.myserver.co.uk; iprev=pass (168.245.29.3); spf=pass smtp.mailfrom="bounces+18002949-c062-emma=myfriendsdomain.co.uk@send.naturalspafactory.co.uk"; dkim=none

Any idea what's going on?

Further explanation: these are valid emails, by the way, not spam, so they could be confidential.

7 Replies

Douglas Foster Replied
If the sender is using Outlook, I would suspect corruption in the remembered names list. When that recipient is suggested, click the x to delete it (or them, if more than one). Then re-enter the address.
Gabriele Maoret - SERSIS Replied
Hi Douglas!
I have had this exact issue in the past, also with Kerio and Exchange; the MS Outlook AutoComplete list is sometimes a mess and you need to delete some of the entries to correct them...
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
YS Tech Replied
One of the emails came from a Gmail account to an account on my server, but it went to another account on my server and never arrived at the To account.

The other was from an account on my server, sent to an account outside my server (never arrived) but went to another account on my server.

Both times (looking at the header info) it was only the X-Rcpt-To address that received the message and both times they had no relation to the sender.
Douglas Foster Replied
X-Rcpt-To is a custom header, and not part of SmarterMail. It is probably created by your spam filter to indicate the SMTP recipient list. Delivery is determined by the SMTP recipient list, not by the message's "TO" and "CC" lists.

You need to look at the raw EML of the odd messages to see the message flow, and then check the SMTP, Delivery, and other logs to see how each message was handled.

If the problem is not Outlook, then the next most likely explanation is an auto-forwarding rule (or alias or mailing list). The Received headers in the message and the SmarterMail logs should help pin this down.

Dig deeper.  The problem is not SmarterMail.

Sébastien Riccio Replied
Maybe checking SM delivery logs for these particular deliveries would be a good start to identify what is the root cause of delivery to the wrong person.
Sébastien Riccio System & Network Admin https://swisscenter.com
Tony Scholz Replied
Employee Post
Hello, 

X-Rcpt-To: <Donald@domain.tld>

This means that they are a BCC address. 

Here is the original sent header. 

From: "Al@domain.tld" <Al@domain.tld>
Date: Tue, 25 Mar 2025 16:57:28 -0700
Subject: BCC Test
Message-Id: <084e866e88c5457fa89011ce051b9e70@762b77bfc83b4332ba371fa0489d7dab>
To: admin <admin@domain.tld>
Cc: "Daniel@domain.tld" <Daniel@domain.tld>, "Andy@domain.tld"
	<Andy@domain.tld>
Bcc: "Donald@domain.tld" <Donald@domain.tld>, "Eddie@domain.tld"
	<Eddie@domain.tld>, "Terry@domain.tld" <Terry@domain.tld>
Reply-To: Al@domain.tld
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-+TH94oZh5kaNdfkvihf8xw=="

And here is what one of the BCC addresses gets:

Received: ; Tue, 25 Mar 2025 16:57:28 -0700
X-SmarterMail-SpamAction: None | NoAction
X-SmarterMail-TotalSpamWeight: 0 (Authenticated)
X-Rcpt-To: <Donald@domain.tld>
From: "Al@domain.tld" <Al@domain.tld>
Date: Tue, 25 Mar 2025 16:57:28 -0700
Subject: BCC Test
Message-Id: <084e866e88c5457fa89011ce051b9e70@762b77bfc83b4332ba371fa0489d7dab>
To: admin <admin@domain.tld>
Cc: "Daniel@domain.tld" <Daniel@domain.tld>, "Andy@domain.tld"
	<Andy@domain.tld>
Reply-To: Al@domain.tld
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-rFIETt5xWY9V/egz3bX1pg=="

versus what a CC address will see:

Received: ; Tue, 25 Mar 2025 16:57:28 -0700
X-SmarterMail-SpamAction: None | NoAction
X-SmarterMail-TotalSpamWeight: 0 (Authenticated)
From: "Al@domain.tld" <Al@domain.tld>
Date: Tue, 25 Mar 2025 16:57:28 -0700
Subject: BCC Test
Message-Id: <084e866e88c5457fa89011ce051b9e70@762b77bfc83b4332ba371fa0489d7dab>
To: admin <admin@domain.tld>
Cc: "Daniel@domain.tld" <Daniel@domain.tld>, "Andy@domain.tld"
	<Andy@domain.tld>
Reply-To: Al@domain.tld
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-rFIETt5xWY9V/egz3bX1pg=="

Here you see no reference to any of the BCC addresses.

Hope this helps. 

~Tony
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
YS Tech Replied
I have been through the logs and header information; it's probably just a matter of being able to understand why the email would get to someone unrelated to the sender or receiving person. It can't just be a coincidence that the spammer has got hold of a valid email and sent it to a random person that just happens to be on the same server.

Example of one of the emails (I've changed the domains):

From
Gordon Halfacre <ghalfacre@clientdomain.co.uk>
To
Toby Revell <toby@seconddomain.co.uk>

Header:

Return-Path: <ghalfacre@clientdomain.co.uk>
Received: from GordonPC (host86-160-42-18.range86-160.btcentralplus.com [86.160.42.18]) by mail.ysmail.co.uk with SMTP;
Thu, 10 Oct 2024 16:11:59 +0100
Authentication-Results: spool.mail.myserver.co.uk; iprev=pass (168.245.29.3); spf=pass smtp.mailfrom="bounces+18002949-c062-emma=domainthatreceived.co.uk@send.naturalspafactory.co.uk"; dkim=none
X-SmarterMail-SpamAction: None | NoAction
X-SmarterMail-TotalSpamWeight: -3
X-SmarterMail-Spam: DMARC [skipped - DMARC Disabled]: 0, Reverse DNS Lookup [Passed]: 0, SPF [Pass]: 0, DKIM [None]: 0, _ARC: none, BACKSCATTER: 0, SENDERSCORE: 0, GBUDB: 0, MSRBL: 0, SEM-BS: 0, UCEProtect Level 3: 0, IX: 0, UBL: 0, SORBS - NoMail: 0, SORBS - Recent: 0, Barracuda: 0, Spamhaus - ZEN: 0, CBL - Abuse Seat: 0, UCEProtect Level 1: 0, Spamrats: 0, SORBS - New: 0, SpamCop: 0, MCAFEE: 0, UCEProtect Level 2: 0, SORBS: 0, SEM-BL: 0, HostKarma - Yellow: 0, Surriel: 0, HostKarma - Blacklist: 0, Declude: -3
X-Rcpt-To: <emma@domainthatreceived.co.uk>
From: "Gordon Halfacre" <ghalfacre@clientdomain.co.uk>
To: "'Toby Revell'" <toby@seconddomain.co.uk>
References: <028601db1a5c$fe60c5f0$fb2251d0$@clientdomain.co.uk> <CWLP123MB5747F9EAB8E8D9D992B7144DCF782@CWLP123MB5747.GBRP123.PROD.OUTLOOK.COM>
In-Reply-To: <CWLP123MB5747F9EAB8E8D9D992B7144DCF782@CWLP123MB5747.GBRP123.PROD.OUTLOOK.COM>
Subject: RE: Review meeting
Date: Thu, 10 Oct 2024 16:11:58 +0100
Message-Id: <034a01db1b26$c0723920$4156ab60$@clientdomain.co.uk>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_034B_01DB1B2F.223DA600"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQHJ0hiUf5eatkuh2qGAMdZQvQDDHgLFTphXsox+y8A=
Content-Language: en-gb
X-Declude-Sender: ghalfacre@clientdomain.co.uk [86.160.42.18]
X-Declude-Spoolname: 18613547.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Outgoing Score [0] at 16:12:00 on 10 Oct 2024
X-Declude-Tests: None
X-Country-Chain:
X-Declude-Code: 0
X-HELO: GordonPC
X-Identity: 86.160.42.18 | | seconddomain.co.uk


LOGS:

[2025.03.20] 10:15:39.695 [18613547] Delivery started for bounces+18002949-c062-emma=domainthatreceived.co.uk@send.naturalspafactory.co.uk at 10:15:39
[2025.03.20] 10:15:45.734 [18613547] Added to SpamCheckQueue (1 queued; 0/30 processing)
[2025.03.20] 10:15:45.734 [18613547] [SpamCheckQueue] Begin Processing.
[2025.03.20] 10:15:45.736 [18613547] Blocked Sender Checks started.
[2025.03.20] 10:15:45.737 [18613547] Blocked Sender Checks completed.
[2025.03.20] 10:15:45.978 [18613547] Spam Checks started.
[2025.03.20] 10:15:56.193 [18613547] Finished running spam checks. Time (non-rbls): 214ms, Time (URIBL/RBLS): 9999ms
[2025.03.20] 10:15:56.193 [18613547] Spam Check results: [_DMARC: 0,skipped - DMARC Disabled], [REVERSE DNS LOOKUP: 0,Passed], [_SPF: 0,Pass], [_DKIM: 0,None], [_ARC: none], [BACKSCATTER: 0], [SENDERSCORE: 0], [GBUDB: 0], [MSRBL: 0], [SEM-BS: 0], [UCEPROTECT LEVEL 3: 0], [IX: 0], [UBL: 0], [SORBS - NOMAIL: 0], [SORBS - RECENT: 0], [BARRACUDA: 0], [SPAMHAUS - ZEN: 0], [CBL - ABUSE SEAT: 0], [UCEPROTECT LEVEL 1: 0], [SPAMRATS: 0], [SORBS - NEW: 0], [SPAMCOP: 0], [MCAFEE: 0], [UCEPROTECT LEVEL 2: 0], [SORBS: 0], [SEM-BL: 0], [HOSTKARMA - YELLOW: 0], [SURRIEL: 0], [HOSTKARMA - BLACKLIST: 0]
[2025.03.20] 10:15:56.193 [18613547] Spam Checks completed.
[2025.03.20] 10:15:56.199 [18613547] Removed from SpamCheckQueue (0 queued or processing)
[2025.03.20] 10:15:57.788 [18613547] Added to LocalDeliveryQueue (0 queued; 1/50 processing)
[2025.03.20] 10:15:57.788 [18613547] [LocalDeliveryQueue] Begin Processing.
[2025.03.20] 10:15:57.790 [18613547] Starting local delivery to emma@domainthatreceived.co.uk
[2025.03.20] 10:15:57.807 [18613547] Message saved to MailProcessing directory for emma@domainthatreceived.co.uk. File name: 18613547-10009-NOID.tmpmsg
[2025.03.20] 10:15:57.807 [18613547] Process delivery status notification step from local recipient success. Recipient: [emma@domainthatreceived.co.uk], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2025.03.20] 10:15:57.807 [18613547] Delivery for bounces+18002949-c062-emma=domainthatreceived.co.uk@send.naturalspafactory.co.uk to emma@domainthatreceived.co.uk has completed (Delivered) Filter: None
[2025.03.20] 10:15:57.807 [18613547] End delivery to emma@domainthatreceived.co.uk (MessageID: <034a01db1b26$c0723920$4156ab60$@clientdomain.co.uk>)
[2025.03.20] 10:15:57.807 [18613547] Removed from LocalDeliveryQueue (0 queued or processing)
[2025.03.20] 10:16:00.810 [18613547] Removing Spool message: Killed: False, Failed: False, Finished: True
[2025.03.20] 10:16:00.810 [18613547] Delivery finished for bounces+18002949-c062-emma=domainthatreceived.co.uk@send.naturalspafactory.co.uk at 10:16:00    [id:x18613547]

So:
received this email from
and 
never received it, or so he says.

So @tony are you saying that for some reason emma@domainthatreceived.co.uk was in the bcc field of this message, even though that sending person doesn't know or have that email account in their address book?

PS. None of us know who send.naturalspafactory.co.uk is!

Could it be a compromised laptop, SM account or SM itself that's adding spurious email accounts to the BCC of messages sent out by this person?
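The triage Douglas and Tony describe, written out as an added example (not code from SmarterMail or from anyone in this thread): parse the raw EML, compare the X-Rcpt-To envelope recipient(s) against the visible To/Cc lists, and pull the SPF-checked MAIL FROM out of Authentication-Results so it can be compared with the header From and Return-Path. The sample message is constructed with example domains, modelled on the header YS Tech posted; it assumes X-Rcpt-To carries one envelope recipient per copy, as Tony's BCC test shows.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the headers quoted in this thread (not a real message).
SAMPLE_EML = """\
Return-Path: <ghalfacre@clientdomain.example>
Received: from GordonPC (host.example [192.0.2.18]) by mail.example with SMTP;
 Thu, 10 Oct 2024 16:11:59 +0100
Authentication-Results: spool.mail.example; iprev=pass (192.0.2.3); spf=pass smtp.mailfrom="bounces+1-emma=domainthatreceived.example@send.bulk.example"; dkim=none
X-Rcpt-To: <emma@domainthatreceived.example>
From: "Gordon" <ghalfacre@clientdomain.example>
To: "'Toby'" <toby@seconddomain.example>
Cc: "Andy" <andy@seconddomain.example>,
 "Dan" <dan@seconddomain.example>
Subject: RE: Review meeting

body
"""

# Pulls the MAIL FROM that SPF was evaluated against out of Authentication-Results.
MAILFROM_RE = re.compile(r'smtp\.mailfrom="?([^";\s]+)"?')


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    msg = email.message_from_string(raw)
    # Addresses the recipient can see in the client.
    visible = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    # Address(es) the message was actually delivered to (SMTP RCPT TO, per X-Rcpt-To).
    envelope = {a.lower() for _, a in getaddresses(msg.get_all("X-Rcpt-To", []))}
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    m = MAILFROM_RE.search(msg.get("Authentication-Results", ""))
    mailfrom = m.group(1).lower() if m else ""
    return {
        # Delivered-to addresses absent from To/Cc: BCC, alias, forward, or envelope rewrite.
        "hidden_recipients": sorted(envelope - visible),
        "from_domain": domain_of(header_from),
        "mailfrom_domain": domain_of(mailfrom),
        # Return-Path should normally equal the MAIL FROM that SPF checked.
        "return_path_matches_mailfrom": bool(mailfrom) and return_path == mailfrom,
        # SPF passed for a domain other than the one in From: a third party sent it.
        "spf_checked_sender_is_third_party": bool(mailfrom) and domain_of(mailfrom) != domain_of(header_from),
    }
```

Run `triage()` over the raw EML of each odd message; a non-empty hidden_recipients list plus a third-party mailfrom domain is the pattern in the header above, and the spool id in the log lines ties each copy back to its SMTP session.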
