
I have received a suspicious e-mail. I am not affiliated with the company mentioned in the e-mail body, or the signer. However, I have been using the app they mention in the e-mail. They are inviting me to a Beta test. But the e-mail is not by the original author of the app. But I'm thinking they might have hired an external company to do this version of the app. There is a link to a TestFlight page. So I'm not sure what to make of this.

Now this is what mainly aroused my attention.

From:    Anders Bergman <[email protected]>
To:      Bon Support
Cc:
Subject: Test av nya BBK för Android

This is how it shows up in Outlook 2010. The "To" field is addressed to "Bon Support" and when I double-click on that I see [email protected]. I can assure you that none of these are my e-mail addresses. So where the heck is my own e-mail address? How could I have received this if it was addressed to someone else? If not spammers and skimmers and other criminals, who else is using this practice and why? And how can I tell now to what e-mail account I received this? I have more than one account set up in Outlook.

Update

X-T2-Real-To: <[email protected]>
Return-Path: <[email protected]>
X-T2-Spam-Status: No, hits=-0.1 required=5.0 tests=BAYES_50,
    HTML_MESSAGE,RCVD_IN_DNSWL_LOW
Received: from <[email protected]>
  by mailbe03.swip.net (CommuniGate Pro RULE 5.4.4)
  with RULE id 171382165; Wed, 23 Oct 2013 10:30:14 +0200
X-Autogenerated: Mirror
Resent-From: <[email protected]>
Resent-Date: Wed, 23 Oct 2013 10:30:14 +0200
X-T2-Real-To: <[email protected]>
X-T2-Spam-Status: No, hits=-0.1 required=5.0 tests=BAYES_50,
    HTML_MESSAGE,RCVD_IN_DNSWL_LOW
Received: from mail-la0-f49.google.com ([209.85.215.49] verified)
  by mailfe07.swip.net (CommuniGate Pro SMTP 5.4.4)
  with ESMTPS id 446061965 for [email protected]; Wed, 23 Oct 2013 10:30:12 +0200
Received-SPF: none
 receiver=mailfe07.swip.net; client-ip=209.85.215.49; [email protected]
Received: by mail-la0-f49.google.com with SMTP id eh20so357260lab.8
        for <[email protected]>; Wed, 23 Oct 2013 01:30:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:from:content-type:date:subject:to:message-id
         :mime-version;
        bh=JprkfYQhNUhcVFA7ZpzJa94c1OV0Fabysm64G9QOXlI=;
        b=XGMTt4NB4404RL0z5tKQNIYX8WJw6fr73dQNS3+wXxijyXWcXY0AVjQkKg6r9mY3uy
         RecuFcwuZo6UeXNr6fDqR3gVTsEfXKe8OxNQAZY5LJVCUKbX9LvxkBnFvcRt690fLe2l
         CRlJkfrGg/pxsX1dvoCbtGpR/zOZLkt+3Y1p6LyYuMZBtTMSKxyF0lNoML2JwnF0hf5w
         LayOFidlYtYhCwXo01tpg2MXxIAxrk3UH+IcVLDjr/M/+Cd+I0j3COeKTq3oL7e3p58s
         vuRUZrYdgsdOYxWwD8UmIrS40sTsSgV3hMm1jftCiQGqnTT6o3llYxCVjIE5Ki0HG/My
         RkfQ==
X-Gm-Message-State: ALoCoQkZJT/ZGaGrnfpKLyO8LRTO1EuDp39F4SZ9Gax9puG3RlHfTAe8cUIqZdvPSVOiiXJ0gS+l
X-Received: by 10.152.171.72 with SMTP id as8mr258717lac.33.1382517010017;
        Wed, 23 Oct 2013 01:30:10 -0700 (PDT)
X-Original-Return-Path: <[email protected]>
Received: from [10.0.1.144] (77.72.97.10.c.fiberdirekt.net. [77.72.97.10])
        by mx.google.com with ESMTPSA id mr1sm18536043lbc.16.2013.10.23.01.30.04
        for <multiple recipients>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Wed, 23 Oct 2013 01:30:09 -0700 (PDT)
From: Anders Bergman <[email protected]>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D829B436-0812-4CDC-BE9A-555257A9A44B"
Date: Wed, 23 Oct 2013 10:30:02 +0200
Subject: =?iso-8859-1?Q?Testa_av_nya_BBK_f=F6r_Android?=
To: Bon Support <[email protected]>
Message-Id: <[email protected]>
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
X-Mailer: Apple Mail (2.1508)

Now here are the interesting bits of information. The "real" To address:

X-T2-Real-To: <[email protected]>

The "return path" address:

Return-Path: <[email protected]>

It has been scanned for spam with SpamAssassin (Bayes 50 rule). "SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. Bayesian spam probability is 40 to 60%."

X-T2-Spam-Status: No, hits=-0.1 required=5.0 tests=BAYES_50

I can see it was sent to multiple recipients. I'd say this is indicative of a Bcc mail.

for <multiple recipients>

I also see he used Apple Mail 6.5 to send the e-mail.

Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
X-Mailer: Apple Mail (2.1508)

So it looks like he's running OS X 10.8.x Mountain Lion. That's kind of cool to know.

He is in fact running Mac OS X, so I'd say it's a genuine e-mail, and not a spam. Yes, I know that by the fact that he is using a Mac! Apple users have a life, they don't do spam. ;)

  • 2
    If it was BCC'ed to you then you will not see your email address. Useful when BCC'ing to several people without leaking their e-mail addresses to all recipients.
    – Hennes
    Commented Oct 25, 2013 at 21:52
  • 2
    Your e-mail was probably in the BCC (Blind Carbon Copy). This is usually done when sending to multiple recipients and the recipients must not see each other. In this kind of "mass"-mailing you always use your own e-mail in the from and to header and use all the recipients in the BCC.
    – Rik
    Commented Oct 25, 2013 at 21:53
  • @Hennes Okay. So is there a way to reveal the Bcc list?
    – Samir
    Commented Oct 25, 2013 at 22:18
  • @Rik I see that I can view the Bcc option when I create a new e-mail, by going to Options, and then Bcc in the "Show fields" section in Outlook 2010. But is there no way for me to reveal the Bcc list of a received e-mail?
    – Samir
    Commented Oct 25, 2013 at 22:19
  • 1
    Nope, you'll never be able to see all the recipients. That's the whole idea of BCC. It is possible to see that it is really intended for you by viewing the "Received"-header. In these your e-mail address should be visible (but your address only and never the others).
    – Rik
    Commented Oct 25, 2013 at 22:24

2 Answers


The From, To, and Cc headers might have no relation at all to where the mail was delivered. They are not authenticated by the mail systems that the mail passes through and are completely forgeable. A good analogy for these headers is the address, greeting and signature on the pages of a business letter. These usually match the author and recipient of the letter because most messages aren't forgeries but there's nothing that prevents them from being complete fabrications.

What determines where a physical letter is delivered is the address on the outside of the envelope. Similarly, what determines where an electronic mail message is delivered is the address or addresses on its protocol envelope. This information is passed out-of-band via the SMTP protocol and is wholly independent of the message headers. Sometimes SMTP envelope information is copied into the mail headers (e.g. Received and Return-Path headers), but you have no way of knowing how much of the headers reflect this envelope and how much is forged, so you should trust none of it for anything vital. But as with business letters most of the time, excepting spam, messages are not forgeries, so the sender and recipient headers are truthful, for some values of truth.

  • So what you're saying is that the SMTP envelope dictates where the message is going? Is this something I can see in Outlook?
    – Samir
    Commented Oct 25, 2013 at 22:21
    No. The mail server will see this. The mail recipient does not. (If you are thinking in Windows/Outlook terms then the mail server is Exchange and the client Outlook. There might be many non-Exchange servers between the sender and the mail server which delivers it to you though).
    – Hennes
    Commented Oct 25, 2013 at 22:26
    From the first mail-server the BCC-field in the envelope will be evaluated and the mail will be split in many copies and the BCC field is stripped. From then on each mail goes its own way to the recipient. The recipients can't even see if the mail is sent to multiple recipients because that information (BCC) is stripped.
    – Rik
    Commented Oct 25, 2013 at 22:29
  • You got me on the right track, looking for the right clues. So thank you!
    – Samir
    Commented Oct 25, 2013 at 23:15
  • 1
    Do you mean the for <multiple recipients>? You can't always trust that. The Google mail-relays are the only ones I know of who give that line. (My provider does not). You only get this line if Google is the first mail-server handling the mail or if it's "on the route to you" and there are more e-mail addresses within the same domain as you. In this case the Google-mail server was the first to handle the mail. (Even gmail.com itself does not add that line if sent to multiple BCCs)
    – Rik
    Commented Oct 25, 2013 at 23:40

Try to learn about the SMTP envelope and SMTP headers:

The headers are what you actually receive and can see, while the envelope is used during transport only (see also https://stackoverflow.com/q/1750194/6607497). Basically the "To:" header is completely irrelevant to where a message is being sent; instead the RCPT TO SMTP command tells the "next hop" where the message (headers + body) that follows should be sent (see RFC 5321: RECIPIENT (RCPT)).

In many cases (like yours) that recipient is logged in a Received: header as "... for ...", like in " for [email protected]".

Received: by mail-la0-f49.google.com with SMTP id eh20so357260lab.8
        for <[email protected]>; Wed, 23 Oct 2013 01:30:10 -0700 (PDT)
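As an added example (not code from the question or either answer), a Python script that reads headers the way both answers describe: it ignores the forgeable To:/Cc: lines, pulls the envelope recipient out of the Received: "for <...>" clauses, and flags the Bcc situation from the question. The sample headers, addresses and IPs are constructed placeholders modelled on the dump above.

```python
import re
from email import policy
from email.parser import Parser

# Constructed sample modelled on the dump in the question (placeholder
# addresses/IPs): To: names someone else, and the real recipient appears
# only in the "for <...>" clauses of the Received: headers.
RAW_HEADERS = """\
Return-Path: <sender@example.com>
Received: by mail-la0-f49.google.com with SMTP id eh20so357260lab.8
        for <me@example.net>; Wed, 23 Oct 2013 01:30:10 -0700 (PDT)
Received: from [10.0.1.144] (host.example.com [203.0.113.10])
        by mx.google.com with ESMTPSA id mr1sm18536043lbc.16
        for <multiple recipients>; Wed, 23 Oct 2013 01:30:09 -0700 (PDT)
From: Sender Name <sender@example.com>
To: Support Desk <support@example.com>

"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
# "for" clause a relay may add to Received:, recording the RCPT TO address it
# accepted the copy for; Google writes "multiple recipients" for a Bcc fan-out.
FOR_RE = re.compile(r"\bfor\s+<?(multiple recipients|[^\s<>;]+@[^\s<>;]+)>?", re.I)

def envelope_hops(msg):
    """'for' clause per Received: header, last hop first; None if not recorded."""
    return [(m.group(1).lower() if (m := FOR_RE.search(str(h))) else None)
            for h in msg.get_all("Received", [])]

def visible_recipients(msg):
    """Addresses from the forgeable To:/Cc: headers."""
    return [a.addr_spec.lower() for name in ("To", "Cc")
            if msg.get(name) is not None for a in msg[name].addresses]

def analyse(raw):
    msg = Parser(policy=policy.default).parsestr(raw, headersonly=True)
    hops = envelope_hops(msg)
    visible = visible_recipients(msg)
    # First concrete address reading down the Received: chain is the mailbox
    # this copy was actually delivered to.
    delivered = next((h for h in hops if h and "@" in h), None)
    rp = ADDR_RE.search(str(msg.get("Return-Path", "")))
    return {
        "visible_recipients": visible,
        "envelope_recipient": delivered,
        "return_path": rp.group(0).lower() if rp else None,
        "received_for": hops,
        # delivered to an address To:/Cc: never mention: Bcc or a forward rule
        "bcc_suspected": delivered is not None and delivered not in visible,
    }
```

Relays are not obliged to write a "for" clause at all, so an empty result means "not recorded", not "not for you".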
