I have been through the logs and header information; it's probably just a matter of being able to understand why the email would get to someone unrelated to the sender or receiving person. It can't just be a coincidence that the spammer has got hold of a valid email and sent it to a random person that just happens to be on the same server.
Example of one of the emails (I've changed the domains):
From
Gordon Halfacre <ghalfacre@clientdomain.co.uk>
To
Toby Revell <toby@seconddomain.co.uk>
Header:
Return-Path: <ghalfacre@clientdomain.co.uk>
Received: from GordonPC (host86-160-42-18.range86-160.btcentralplus.com [86.160.42.18]) by mail.ysmail.co.uk with SMTP;
Thu, 10 Oct 2024 16:11:59 +0100
Authentication-Results: spool.mail.myserver.co.uk; iprev=pass (168.245.29.3); spf=pass smtp.mailfrom="bounces+18002949-c062-emma=domainthatreceived.co.uk@send.naturalspafactory.co.uk"; dkim=none
X-SmarterMail-SpamAction: None | NoAction
X-SmarterMail-TotalSpamWeight: -3
X-SmarterMail-Spam: DMARC [skipped - DMARC Disabled]: 0, Reverse DNS Lookup [Passed]: 0, SPF [Pass]: 0, DKIM [None]: 0, _ARC: none, BACKSCATTER: 0, SENDERSCORE: 0, GBUDB: 0, MSRBL: 0, SEM-BS: 0, UCEProtect Level 3: 0, IX: 0, UBL: 0, SORBS - NoMail: 0, SORBS - Recent: 0, Barracuda: 0, Spamhaus - ZEN: 0, CBL - Abuse Seat: 0, UCEProtect Level 1: 0, Spamrats: 0, SORBS - New: 0, SpamCop: 0, MCAFEE: 0, UCEProtect Level 2: 0, SORBS: 0, SEM-BL: 0, HostKarma - Yellow: 0, Surriel: 0, HostKarma - Blacklist: 0, Declude: -3
X-Rcpt-To: <emma@domainthatreceived.co.uk>
From: "Gordon Halfacre" <ghalfacre@clientdomain.co.uk>
To: "'Toby Revell'" <toby@seconddomain.co.uk>
References: <028601db1a5c$fe60c5f0$fb2251d0$@clientdomain.co.uk> <CWLP123MB5747F9EAB8E8D9D992B7144DCF782@CWLP123MB5747.GBRP123.PROD.OUTLOOK.COM>
In-Reply-To: <CWLP123MB5747F9EAB8E8D9D992B7144DCF782@CWLP123MB5747.GBRP123.PROD.OUTLOOK.COM>
Subject: RE: Review meeting
Date: Thu, 10 Oct 2024 16:11:58 +0100
Message-Id: <034a01db1b26$c0723920$4156ab60$@clientdomain.co.uk>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_034B_01DB1B2F.223DA600"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQHJ0hiUf5eatkuh2qGAMdZQvQDDHgLFTphXsox+y8A=
Content-Language: en-gb
X-Declude-Sender: ghalfacre@clientdomain.co.uk [86.160.42.18]
X-Declude-Spoolname: 18613547.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Outgoing Score [0] at 16:12:00 on 10 Oct 2024
X-Declude-Tests: None
X-Country-Chain:
X-Declude-Code: 0
X-HELO: GordonPC
X-Identity: 86.160.42.18 | | seconddomain.co.uk
LOGS:
[2025.03.20] 10:15:39.695 [18613547] Delivery started for bounces+18002949-c062-emma=domainthatreceived.co.uk@send.naturalspafactory.co.uk at 10:15:39
[2025.03.20] 10:15:45.734 [18613547] Added to SpamCheckQueue (1 queued; 0/30 processing)
[2025.03.20] 10:15:45.734 [18613547] [SpamCheckQueue] Begin Processing.
[2025.03.20] 10:15:45.736 [18613547] Blocked Sender Checks started.
[2025.03.20] 10:15:45.737 [18613547] Blocked Sender Checks completed.
[2025.03.20] 10:15:45.978 [18613547] Spam Checks started.
[2025.03.20] 10:15:56.193 [18613547] Finished running spam checks. Time (non-rbls): 214ms, Time (URIBL/RBLS): 9999ms
[2025.03.20] 10:15:56.193 [18613547] Spam Check results: [_DMARC: 0,skipped - DMARC Disabled], [REVERSE DNS LOOKUP: 0,Passed], [_SPF: 0,Pass], [_DKIM: 0,None], [_ARC: none], [BACKSCATTER: 0], [SENDERSCORE: 0], [GBUDB: 0], [MSRBL: 0], [SEM-BS: 0], [UCEPROTECT LEVEL 3: 0], [IX: 0], [UBL: 0], [SORBS - NOMAIL: 0], [SORBS - RECENT: 0], [BARRACUDA: 0], [SPAMHAUS - ZEN: 0], [CBL - ABUSE SEAT: 0], [UCEPROTECT LEVEL 1: 0], [SPAMRATS: 0], [SORBS - NEW: 0], [SPAMCOP: 0], [MCAFEE: 0], [UCEPROTECT LEVEL 2: 0], [SORBS: 0], [SEM-BL: 0], [HOSTKARMA - YELLOW: 0], [SURRIEL: 0], [HOSTKARMA - BLACKLIST: 0]
[2025.03.20] 10:15:56.193 [18613547] Spam Checks completed.
[2025.03.20] 10:15:56.199 [18613547] Removed from SpamCheckQueue (0 queued or processing)
[2025.03.20] 10:15:57.788 [18613547] Added to LocalDeliveryQueue (0 queued; 1/50 processing)
[2025.03.20] 10:15:57.788 [18613547] [LocalDeliveryQueue] Begin Processing.
[2025.03.20] 10:15:57.790 [18613547] Starting local delivery to emma@domainthatreceived.co.uk
[2025.03.20] 10:15:57.807 [18613547] Message saved to MailProcessing directory for emma@domainthatreceived.co.uk. File name: 18613547-10009-NOID.tmpmsg
[2025.03.20] 10:15:57.807 [18613547] Process delivery status notification step from local recipient success. Recipient: [emma@domainthatreceived.co.uk], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2025.03.20] 10:15:57.807 [18613547] Delivery for bounces+18002949-c062-emma=domainthatreceived.co.uk@send.naturalspafactory.co.uk to emma@domainthatreceived.co.uk has completed (Delivered) Filter: None
[2025.03.20] 10:15:57.807 [18613547] End delivery to emma@domainthatreceived.co.uk (MessageID: <034a01db1b26$c0723920$4156ab60$@clientdomain.co.uk>)
[2025.03.20] 10:15:57.807 [18613547] Removed from LocalDeliveryQueue (0 queued or processing)
[2025.03.20] 10:16:00.810 [18613547] Removing Spool message: Killed: False, Failed: False, Finished: True
[2025.03.20] 10:16:00.810 [18613547] Delivery finished for bounces+18002949-c062-emma=domainthatreceived.co.uk@send.naturalspafactory.co.uk at 10:16:00 [id:x18613547]
So:
received this email from
and
never received it, or so he says.
So @tony are you saying that for some reason emma@domainthatreceived.co.uk was in the bcc field of this message, even though that sending person doesn't know or have that email account in their address book?
PS. none of us know who send.naturalspafactory.co.uk is!
Could it be a compromised laptop or SM account or SM, that's adding spurious email accounts to bcc messages sent out by this person?
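An added example, not part of the original post: a small check that compares the SMTP envelope values recorded in the quoted headers with the visible From/To headers and reports where they disagree. It assumes X-Rcpt-To holds the envelope recipient and that the address in parentheses after iprev is the connecting IP; the function name and the trimmed sample are constructed from the headers above.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Trimmed copy of the headers quoted in the post (domains as the poster changed them).
SAMPLE = '''Return-Path: <ghalfacre@clientdomain.co.uk>
Received: from GordonPC (host86-160-42-18.range86-160.btcentralplus.com [86.160.42.18]) by mail.ysmail.co.uk with SMTP;
 Thu, 10 Oct 2024 16:11:59 +0100
Authentication-Results: spool.mail.myserver.co.uk; iprev=pass (168.245.29.3); spf=pass smtp.mailfrom="bounces+18002949-c062-emma=domainthatreceived.co.uk@send.naturalspafactory.co.uk"; dkim=none
X-Rcpt-To: <emma@domainthatreceived.co.uk>
From: "Gordon Halfacre" <ghalfacre@clientdomain.co.uk>
To: "'Toby Revell'" <toby@seconddomain.co.uk>
Subject: RE: Review meeting
'''

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def envelope_findings(raw):
    """Return (kind, envelope_value, header_value) tuples for each disagreement."""
    msg = message_from_string(raw)
    findings = []
    auth = msg.get("Authentication-Results", "")

    # 1. Envelope sender (what SPF was evaluated against) vs. the visible From.
    m = re.search(r'smtp\.mailfrom="?([^";\s]+)', auth)
    env_from = m.group(1) if m else ""
    hdr_from = parseaddr(msg.get("From", ""))[1]
    if env_from and domain(env_from) != domain(hdr_from):
        findings.append(("envelope-sender-mismatch", env_from, hdr_from))

    # 2. Envelope recipient (assumed: X-Rcpt-To) vs. the visible To/Cc list.
    visible = {a.lower() for _, a in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    rcpt = parseaddr(msg.get("X-Rcpt-To", ""))[1].lower()
    if rcpt and rcpt not in visible:
        findings.append(("recipient-not-in-headers", rcpt, sorted(visible)))

    # 3. Connecting IP (assumed: the iprev comment) vs. IPs in Received lines.
    m = re.search(r"iprev=\w+ \(([\d.]+)\)", auth)
    conn_ip = m.group(1) if m else ""
    recv_ips = re.findall(r"\[(\d+\.\d+\.\d+\.\d+)\]",
                          " ".join(msg.get_all("Received", [])))
    if conn_ip and conn_ip not in recv_ips:
        findings.append(("connecting-ip-not-in-received", conn_ip, recv_ips))
    return findings

if __name__ == "__main__":
    for finding in envelope_findings(SAMPLE):
        print(finding)
```

On the quoted headers all three checks fire: SPF passed for the send.naturalspafactory.co.uk envelope sender rather than for clientdomain.co.uk, the envelope recipient is absent from To, and the connecting IP differs from the one in the Received line.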