
Re: [vps-mail] mail to unknown user delivered to local mailbox



On 12/2/05, Martin Fischer, ATvirtual.NET <martin.fischer@xxxxxxxxxxxxx>
wrote:
>
> Hi,
>
> On VPS 1, with catchall set to nouser (i.e. /dev/null), we noticed
> worm-related spam mails addressed to non-existent users being delivered to
> local mailboxes. An external test of the non-existent email address shows
> the correct result:
>
> E-mail Tester results for erfolgreichtraden@xxxxxxxxxxxxx
> "[Could not connect: Got an unknown RCPT TO response: 550 5.1.1 ... User
> unknown "
>
> But mail for erfolgreichtraden@xxxxxxxxxxxxx is delivered to
> info@xxxxxxxxxxxxx:
>
> From: <Admin@xxxxxxxxxx>
> To: <ErfolgReichTraden@xxxxxxxxxxxxx>
> Subject: Registration Confirmation
> Date: Thu, 1 Dec 2005 13:22:24 +0100
> Message-ID: <f9e2304c61.775fa6ad@xxxxxxxxxx>
>
> How is this possible?


To a spammer, the headers (From:, To:, etc.) that appear at the top of the
message are just text, which generally (usually?) has no correspondence to
the actual recipient specified in the SMTP conversation.

To find who the mail was *really* sent to, you need to look at the
"envelope" recipient. The envelope recipient is the recipient specified
during the SMTP conversation with the command (from the sender). In your
case, the spammer probably issued the command

RCPT TO:<info@xxxxxxxxxxxxx>

during the SMTP conversation. Then, during the DATA phase (when the text of
the e-mail is sent), the spammer included the line

To: <ErfolgReichTraden@xxxxxxxxxxxxx>

(along with the other lines in the message.)

If you display the full headers (all the Received: headers, etc.) of the
e-mail, you can look at the Received: headers, starting with the ones
farthest from the top of the message and working your way to the top of the
message, and usually trace the route of the e-mail from sender to its
ultimate destination.

Also, if you look in ~/var/log/messages (/var/log/maillog on VPS2), the
"to=..." equates list the envelope recipients (those specified with the RCPT TO
command). In the case of SPAM, it is very unlikely that the envelope
recipients will match the "To/Cc" headers at the top of the message text.

I hope this explains the mystery.

--
Bennett Lanford <benlanford@xxxxxxxxx>

There are 10 kinds of people: those that understand binary and those that
don't.
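Added example (not from the list post or either poster): a small Python script that does what the reply describes, reading the envelope recipients from sendmail-style maillog "to=" entries and comparing them with the message's To:/Cc: headers and the "for <...>" clause of the bottom-most Received: header. The log lines, addresses, queue id and message are constructed sample data; the log format assumed is the classic sendmail one the reply refers to.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sendmail-style maillog lines (sample data, not from the original post).
MAILLOG = """\
Dec  1 13:22:30 vps1 sendmail[4711]: jB1CMTq04711: from=<admin@spam.example>, size=1234, nrcpts=1, msgid=<f9e2304c61.775fa6ad@spam.example>, proto=SMTP, relay=[198.51.100.7]
Dec  1 13:22:31 vps1 sendmail[4712]: jB1CMTq04711: to=<info@example.net>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
"""

# Constructed message: the envelope went to info@, but the To: header names a non-existent user.
RAW_MESSAGE = """\
Received: from [198.51.100.7] (helo=spam.example)
\tby vps1.example.net with SMTP id jB1CMTq04711 for <info@example.net>; Thu, 1 Dec 2005 13:22:29 +0100
From: <Admin@spam.example>
To: <ErfolgReichTraden@example.net>
Message-ID: <f9e2304c61.775fa6ad@spam.example>

You have been registered.
"""

LOG_LINE = re.compile(r"^\S+ +\d+ \S+ \S+ \S+\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$")

def envelope_recipients(log_text):
    """Map each logged Message-ID to its RCPT TO addresses (sendmail logs one 'to=' per recipient)."""
    by_qid = {}
    for m in filter(None, map(LOG_LINE.match, log_text.splitlines())):
        entry = by_qid.setdefault(m.group("qid"), {"msgid": None, "to": []})
        for key, value in re.findall(r"(\w+)=(<[^>]*>|[^,]*)", m.group("fields")):
            if key == "msgid":
                entry["msgid"] = value.strip("<>").lower()
            elif key == "to":
                entry["to"].append(value.strip("<>").lower())
    return {e["msgid"]: e["to"] for e in by_qid.values() if e["msgid"]}

def header_recipients(msg):  # To:/Cc: are text typed during DATA, not who the mail was sent to
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]

def received_for(msg):  # 'for <addr>' in the bottom-most Received: header, the hop that reached us
    hops = msg.get_all("Received", [])
    m = re.search(r"\bfor\s+<([^>]+)>", hops[-1]) if hops else None
    return m.group(1).lower() if m else None

def explain(log_text, raw_message):
    """Compare envelope recipients (maillog) with header recipients (message); spam rarely matches."""
    msg = message_from_string(raw_message)
    env = envelope_recipients(log_text).get(msg["Message-ID"].strip("<>").lower(), [])
    hdr = header_recipients(msg)
    return {"envelope": env, "header": hdr, "received_for": received_for(msg),
            "mismatch": not set(env) & set(hdr)}
```

On the sample data `explain` reports the envelope recipient info@example.net, the header recipient erfolgreichtraden@example.net, and a mismatch, which is exactly the situation the reply describes.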
