LinuxQuestions.org
Old 12-11-2018, 01:47 AM   #1
Michael Uplawski
Senior Member
 
Registered: Dec 2015
Posts: 1,622
Blog Entries: 40

Rep: Reputation: Disabled
Q: Convention on re-using mail-headers when replying?


Howdy.

I am flabbergasted ( <-- learned that word in 1978).

Yesterday someone responded on an email which I had posted on a distribution-list but her/his response contained all the headers which are usually generated by the mailing-list program (Sympa, in this case).

In consequence, the response looks as if it were coming from the list, while the originator addressed me directly. Even the header “Sender” is showing the mailing-list!

Her/his mail-software apparently does not remove or replace these headers, as I thought it should. I have to take this into account for my filters. Unfortunately, there is not only no hint on the mail-client used, but my own (hand-compiled) “Mutt 1.10.1+152 (78a60fc9) (2018-08-28)” is showing up!

Question: May it be that way?
I feel that rather someone has done only half the work and has devised an awfully “lazy” mail-client, to say the least.

Even if I found an RFC stating something more or less obvious..., who reads RFCs, these days... programmers?

Last edited by Michael Uplawski; 12-11-2018 at 01:50 AM. Reason: Grammar, mostly
 
Old 12-11-2018, 08:50 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
The headers get added to when your mail RECEIVES the email. Those headers should show where it really came to you from and also show you if any checks (dkim, spf) passed or failed.

If this came to you from a mailing list then you'd need to talk to the admins of that list to report the problem.
 
Old 12-13-2018, 02:15 AM   #3
Michael Uplawski
Senior Member
 
Registered: Dec 2015
Posts: 1,622

Original Poster
Blog Entries: 40

Rep: Reputation: Disabled
Quote:
Originally Posted by MensaWater
The headers get added to when your mail RECEIVES the email. Those headers should show where it really came to you from and also show you if any checks (dkim, spf) passed or failed.

If this came to you from a mailing list then you'd need to talk to the admins of that list to report the problem.
Did I express myself that badly..?

If I tried to re-formulate the issue, it would result in the same post as above. I am doomed.

Last edited by Michael Uplawski; 12-13-2018 at 02:16 AM.
 
Old 12-13-2018, 12:47 PM   #4
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
Quote:
Originally Posted by Michael Uplawski
Did I express myself that badly..?
I was saying that the headers don't only include what the sender wants you to see. They get added to by the mail application that receives them to show where it came from.

You seemed to be implying the problem you were seeing was email you were getting from a mailing list. If so the headers are those put on it by the mail application the list uses to send TO you and would again have headers added by whatever mail application received it on your end.

If it is a mailing list it would not be surprising that the headers seen are always the same because you're not seeing the headers of the original sender TO the mailing list - you're seeing the headers of it being sent FROM the mailing list to you.

That was why I suggested contacting the mail list admins. They would have logs that showed who really sent it TO them even if he pretended to have sent it as you.

You might want to compare headers of a "legitimate" message from the mail list to the one you say was spoofed.

P.S. This is why troubleshooting mail issues is sometimes an issue. Users do inline forward of an email which means you only see the headers as if they had sent you an email out of the blue rather than the headers of the email as they received it. If they instead attach the problem email you can usually open the attachment and see its headers.

Last edited by MensaWater; 12-13-2018 at 12:51 PM.
 
Old 12-13-2018, 01:08 PM   #5
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Rep: Reputation: 2211
Quote:
Originally Posted by Michael Uplawski
Her/his mail-software apparently does not remove or replace these headers, as I thought it should. I have to take this into account for my filters. Unfortunately, there is not only no hint on the mail-client used, but my own (hand-compiled) “Mutt 1.10.1+152 (78a60fc9) (2018-08-28)” is showing up!
A comment regarding filters, which is a bit of a followup on what MensaWater is saying.

Filters should (probably) only look at the header lines added by the receiving (your) MTA. Other headers are not at all trustworthy (as you're seeing). For example, the only header line I usually concern myself with is the last (topmost) one:
Code:
Received: from unknown (HELO mailer151039.service.govdelivery.com) (209.134.151.39)
  by mail.mydomain.com with SMTP; 13 Dec 2018 11:36:31 -0700
my qmail is configured to always say "from unknown" -- so when scanning email, I look for that line...and I know that's the IP address of the server that connected to deliver the mail. This example is a legitimate email from Medicare.
That line in a spam message gives me the IP of the spammer, and I can then complain to their ISP and/or block the IP from delivering email to my server.
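One way to apply scasey's rule in a filter, as an added example that is not code from any post in this thread: it trusts only the topmost Received header, and only when its `by` clause names our own MTA, then pulls the connecting IP out of the qmail-style `from unknown (HELO ...) (a.b.c.d)` form shown above. The MTA name `mail.mydomain.example` and the message text are constructed for the example.

```python
import re
from email import message_from_string

# Assumed name of the receiving MTA; the post above uses mail.mydomain.com.
OUR_MTA = "mail.mydomain.example"

# Constructed sample (not a message from the thread). The topmost Received line
# follows the qmail style shown above: our MTA always writes "from unknown",
# then the HELO name the client offered, then the IP it actually connected from.
# The third Received line is a forgery that also claims "by mail.mydomain.example".
RAW = """Received: from unknown (HELO mailer.example.net) (203.0.113.45)
  by mail.mydomain.example with SMTP; 13 Dec 2018 11:36:31 -0700
Received: from relay.example.org (relay.example.org [198.51.100.7])
  by mailer.example.net (Postfix) with ESMTP id 4ABC123
  for <me@mydomain.example>; Thu, 13 Dec 2018 18:36:30 +0000
Received: from unknown (HELO forged.example) (192.0.2.99)
  by mail.mydomain.example with SMTP; 01 Jan 2018 00:00:00 -0000
From: Someone <someone@example.org>
To: me@mydomain.example
Subject: test

body
"""

IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def trusted_received(raw, our_mta=OUR_MTA):
    """Return the topmost Received header, unfolded, if our MTA wrote it; else None.

    Only the first Received line is evidence: our MTA prepends it, and a sender
    cannot put anything above it. Every line further down arrived as part of
    the message body of the SMTP transaction and may say whatever the sender likes.
    """
    received = message_from_string(raw).get_all("Received", [])
    if not received:
        return None
    top = " ".join(received[0].split())          # unfold continuation lines
    m = re.search(r"\bby\s+([\w.-]+)", top)
    if m and m.group(1).lower() == our_mta.lower():
        return top
    return None


def connecting_ip(raw, our_mta=OUR_MTA):
    """IP of the host that connected to our MTA, read from our MTA's own Received line."""
    top = trusted_received(raw, our_mta)
    if top is None:
        return None
    m = IP_RE.search(top)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(connecting_ip(RAW))
```

The forged third line is ignored because the code never looks past the first header. If your mail enters through an internal relay before reaching the box you read it on, walk down the chain to the first hop that came from outside your own hosts instead of stopping at the top.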
 
Old 12-14-2018, 04:24 AM   #6
Michael Uplawski
Senior Member
 
Registered: Dec 2015
Posts: 1,622

Original Poster
Blog Entries: 40

Rep: Reputation: Disabled
If I target SPAM, I usually analyze the Received-headers.

But if I want to filter out mail from mailing-lists for storage or whatever, I have to look somewhere else. The lists that I administer have a prefix in their subject-lines, this is simple. But this and anything else appears to be unreliable, now, as mail which is sent via “Reply-To” and not “Reply-to-all” or something similar, appears in my mailbox with the identical attributes as those messages originating from a mailing list, although they are not.

I can cope with this.

My only question is, so far: Is this behavior of a system faulty or not? As this very question is not very interesting to many people, I generalized it a little:
Convention on re-using mail-headers when replying.

In my opinion, a message that is not sent via a mailing-list should not pretend to be. But we can let that rest, here, if you prefer. Should the topic gain importance, I will look up the RFCs and draw my own conclusions.

Last edited by Michael Uplawski; 12-14-2018 at 04:25 AM. Reason: I am lost, but so are many.
 
Old 12-14-2018, 03:03 PM   #7
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
By "headers" I mean the full extra detail seen which usually requires expanding the default view of an email. It sounds to me as if you're just talking about the basic view of an email which is not "header" but rather just basic to/from/cc/subject info.

For example on junk email I received today it shows basic info:
Quote:
From: 24-7-Pharmacy <noreply@whidbeyislandbeaches.com>
To: <me@mydomain>
Subject: If you choose our pharmacy you get best customer service and most effective medications.
However, the full headers of the email include:
Quote:
Received: from DM6PR07MB5499.namprd07.prod.outlook.com (2603:10b6:a02:a8::19)
by BYAPR07MB5493.namprd07.prod.outlook.com with HTTPS via
BYAPR03CA0006.NAMPRD03.PROD.OUTLOOK.COM; Fri, 14 Dec 2018 18:21:48 +0000
Received: from DM5PR07CA0071.namprd07.prod.outlook.com (2603:10b6:4:ad::36) by
DM6PR07MB5499.namprd07.prod.outlook.com (2603:10b6:5:30::15) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1425.18; Fri, 14 Dec 2018 18:21:47 +0000
Received: from BL2NAM02FT013.eop-nam02.prod.protection.outlook.com
(2a01:111:f400:7e46::205) by DM5PR07CA0071.outlook.office365.com
(2603:10b6:4:ad::36) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1425.19 via Frontend
Transport; Fri, 14 Dec 2018 18:21:47 +0000
Authentication-Results: spf=none (sender IP is 35.174.145.124)
smtp.mailfrom=whidbeyislandbeaches.com; mycommpany.com; dkim=none (message
not signed) header.d=none;mycompany.com; dmarc=none action=none
header.from=whidbeyislandbeaches.com;compauth=fail reason=001
Received-SPF: None (protection.outlook.com: whidbeyislandbeaches.com does not
designate permitted sender hosts)
Received: from ec2-34-229-144-74.compute-1.amazonaws.com (35.174.145.124) by
BL2NAM02FT013.mail.protection.outlook.com (10.152.77.19) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1446.11 via Frontend Transport; Fri, 14 Dec 2018 18:21:46 +0000
Received: from emails-10-3-mt-prod-3.avanan.net (ip-10-10-18-120.ec2.internal [10.10.18.120])
by ec2-34-229-144-74.compute-1.amazonaws.com (Postfix) with ESMTPS id 8949E4118C
for <me@mydomain>; Fri, 14 Dec 2018 18:21:46 +0000 (UTC)
Received: from BYAPR07CA0031.namprd07.prod.outlook.com (2603:10b6:a02:bc::44)
by SN6PR07MB5501.namprd07.prod.outlook.com (2603:10b6:805:df::15)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1425.19; Fri, 14 Dec
2018 18:21:28 +0000
Received: from CY1NAM02FT020.eop-nam02.prod.protection.outlook.com
(2a01:111:f400:7e45::201) by BYAPR07CA0031.outlook.office365.com
(2603:10b6:a02:bc::44) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1425.19 via Frontend
Transport; Fri, 14 Dec 2018 18:21:27 +0000
Authentication-Results-Original: spf=none (sender IP is 212.110.2.16)
smtp.mailfrom=whidbeyislandbeaches.com; <mydomain>; dkim=none (message not
signed) header.d=none;<mydomain>; dmarc=none action=none
header.from=whidbeyislandbeaches.com;compauth=fail reason=001
Received-SPF: None (protection.outlook.com: whidbeyislandbeaches.com does not
designate permitted sender hosts)

Received: from whidbeyislandbeaches.com (212.110.2.16) by
CY1NAM02FT020.mail.protection.outlook.com (10.152.75.191) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1446.11 via Frontend Transport; Fri, 14 Dec 2018 18:21:25 +0000
Message-ID: <op.vac36d17106208@whidbeyislandbeaches.com>-alert
From: 24-7-Pharmacy <noreply@whidbeyislandbeaches.com>
Subject: [Spam] If you choose our pharmacy you get best customer service and
most effective medications.
Date: Fri, 14 Dec 2018 15:51:41 -0300
To: <me@mydomain>
Errors-To: noreply@whidbeyislandbeaches.com
List-Subscribe: <noreply@whidbeyislandbeaches.com>
Content-Type: multipart/alternative; boundary="-9j97W2U1q488x06R0664B966g"
MIME-Version: 1.0
X-EOPAttributedMessage: 1
X-EOPTenantAttributedMessage: 859a2eb9-8396-4cf2-933e-508ebef27efe:1
X-Forefront-Antispam-Report-Untrusted: CIP:212.110.2.16; IPV:NLI; CTRY:IT;
EFV:NLI; SFV:SPM;
SFS:(10001)(5340300001)(2980300002)(428003)(189003)(199004)(66010400004)(236005)(66080400003);
DIR:INB; SFP:; SCL:5; SRVR:SN6PR07MB5501; H:whidbeyislandbeaches.com; FPR:;
SPF:None; LANG:en; PTR:ip-2-16.sn-212-110.clouditalia.com; MX:1; A:1;
CAT:SPM;
X-Microsoft-Exchange-Diagnostics-untrusted: 1; CY1NAM02FT020;
1:JYha1pFIO2obX/1PQ/8CR0xlTWMhpEWL+rVP5aXiNBbjo7KfD9kibYWuoFlEZSSh/6qgUAvotJZ+53ZdIY8tEpyEqleWeyoXrcMI6hbjBmYrdLIwOjJ65RtvSG+cilXH
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 666e0ab5-cbac-4517-7c08-08d661f101f2
X-Microsoft-Antispam-Untrusted: BCL:0; PCL:0;
RULEID:(2390118)(7020095)(4652040)(5600074)(711020)(4605076)(1401299)(1421009)(71702078);
SRVR:SN6PR07MB5501;
X-Microsoft-Exchange-Diagnostics-untrusted: 1; SN6PR07MB5501;
...
SpamDiagnosticOutput: 1:13
SpamDiagnosticMetadata: Default
X-Microsoft-Exchange-Diagnostics-untrusted: 1; SN6PR07MB5501;
20:6tKWFxftdGeJcq6lu546b589AOBwC5KL4YNg+s9NDuDEtgHid6zxXHzA+oC1BhH6xta7VpAzyOthSJULVQ/XMchdBxtHsTGrJQwAe2sAEYV+6+So8/Tk5oWlhhslzUujICxPEEWjuIZCWwwDcJvxmgJacuBDyq83P36NY/exn8U=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR07MB5501
X-CLOUD-SEC-AV-SCL: true
customer: <mycompany>
X-CLOUD-SEC-AV-Mode: inline
X-CLOUD-SEC-AV-Receiver: <me@mydomain>
X-CLOUD-SEC-AV-UUID: 5189845574db4332b2006b4ca93fabe7
X-CLOUD-SEC-AV-Sender: noreply@whidbeyislandbeaches.com
X-CLOUD-SEC-AV-MTA: 10.10.6.177
Return-Path: noreply@whidbeyislandbeaches.com
X-MS-Exchange-Organization-ExpirationStartTime: 14 Dec 2018 18:21:46.7185
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
666e0ab5-cbac-4517-7c08-08d661f101f2
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
BL2NAM02FT013.eop-nam02.prod.protection.outlook.com
X-Forefront-Antispam-Report:
CIP:35.174.145.124;IPV:CAL;SCL:-1;CTRY:US;EFV:NLI;SFV:SKN;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:DM6PR07MB5499;H:ec2-34-229-144-74.compute-1.amazonaws.com;FPR:;SPF:None;LANG:en;
X-MS-Exchange-Organization-SCL: -1
X-Microsoft-Exchange-Diagnostics:
1;BL2NAM02FT013;1:t3lrXNtKSXvQ6ke3E10iijV3cUHDM2rZIwuzXUurkXB+apZlvnY19jdK3fZKaAhUylwUmSm5+H95pz8EttoQ2+jqmls+gDXTp77tUAODmdxsQZNdoISecFG4exWcKPbC
X-MS-Exchange-Organization-AuthSource:
BL2NAM02FT013.eop-nam02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id-Prvs:
bb45ae61-9d7a-4f69-af97-08d661f0f675
X-Microsoft-Antispam:
BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(5600074)(710020)(711020)(4605076)(1401299)(1421009)(71702078);SRVR:DM6PR07MB5499;
X-Microsoft-Exchange-Diagnostics:
...
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Dec 2018 18:21:46.6560
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 666e0ab5-cbac-4517-7c08-08d661f101f2
X-MS-Exchange-CrossTenant-Id: 859a2eb9-8396-4cf2-933e-508ebef27efe
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR07MB5499
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.6866584
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1404.009
X-Microsoft-Exchange-Diagnostics
...
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;ex:1;auth:0;dest:J;OFR:ExclusiveSettings;ENG:(750119)(520011016)(520003179)(708172)(944506303)(944626516);RF:JunkEmail;
X-Microsoft-Antispam-Message-Info:
Much of the foregoing is from Microsoft Office365 which we use for inbound email. Also you see Avanan which is a mail filter company and an AmazonWS IP which they use. This is what I meant when I said the system that receives it adds to the headers.

In the BOLD section you see that it claimed to have come from the domain whidbeyislandbeaches.com, but it actually came from IP 212.110.2.16. It shows that IP is not authorized to send emails for that domain.

If I check that IP it shows the PTR (reverse) is:
Code:
host 212.110.2.16
16.2.110.212.in-addr.arpa domain name pointer ip-2-16.sn-212-110.clouditalia.com.
A whois lookup of the IP confirms that it is in Roma Italy.

Since the email purports to be from a Canadian Pharmacy it seems unlikely they'd be using Italian cloud hosting services.

It is very unlikely that anyone that spoofed a list domain would send to the list in such a way that it would have the same headers as the original legitimate email.

You now seem to be saying the mail list in question is one you administer. If so you should be able to examine the logs to see who actually sent it to the list. The only way someone could completely spoof the headers FROM the list would be if they hacked your mail server and were actually sending it from that. You would want to verify very quickly your mail server is not an "open relay" accepting emails to send as if they originated on the mail server itself. That will get you blacklisted in a hurry. So would any hack where they were directly connecting and sending emails from your mail server.

Last edited by MensaWater; 12-14-2018 at 03:06 PM.
 
Old 12-14-2018, 11:44 PM   #8
Michael Uplawski
Senior Member
 
Registered: Dec 2015
Posts: 1,622

Original Poster
Blog Entries: 40

Rep: Reputation: Disabled
I cannot explain myself in plain English.
This is the current result of this thread.

Let us, for a moment, forget mailing-lists. Do as if they do not exist.
Let us, for a moment, forget SPAM. Do as if it does not exist. My OP has nothing to do with SPAM. There is none, has been none, I am not referring to SPAM.

I receive an email from someone I know. Personally. I can go and see him, and happen to meet him in town. This is the authentic part.

This mail contains headers which declare that the sending mail-client is not his but mine and headers which declare that the mail was sent via a mailing list, which it is not. Even if you ignored the existence of mailing lists and ignored the possibility of SPAM, you can detect that something is awkward.

If I am still not able to explain the point, I want to ask you to forget it. Do as if I do not exist.
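The two points made in posts #7 and #8 can be turned into one filter check; the following is an added example, not code from any poster or from Sympa or Mutt. It assumes a list MTA named `lists.example.org` and a receiving MTA named `mail.mydomain.example`, and both sample messages are constructed. A message counts as "from the list" only if the Received hop our own MTA stamped came from the list host; List-* and Sender headers alone, which a direct reply can carry over exactly as the OP describes, only earn it the label "direct-with-list-headers". SPF/DKIM/DMARC verdicts are read only from the Authentication-Results line our MTA added, for the reason MensaWater gives: everything else travelled with the message.

```python
import re
from email import message_from_string

LIST_HOST = "lists.example.org"        # assumed: the MTA of the Sympa list
OUR_MTA = "mail.mydomain.example"      # assumed: the MTA that delivers to us

# Constructed sample 1: a personal reply whose mail client kept the list's
# headers, the situation described in the thread. It never touched the list host.
DIRECT_REPLY = """Received: from smtp.friend.example (smtp.friend.example [198.51.100.7])
  by mail.mydomain.example (Postfix) with ESMTPS id 1A2B3C
  for <me@mydomain.example>; Fri, 14 Dec 2018 10:00:00 +0100
Authentication-Results: mail.mydomain.example;
  spf=pass smtp.mailfrom=friend.example;
  dkim=pass header.d=friend.example;
  dmarc=pass header.from=friend.example
From: Friend <friend@friend.example>
To: me@mydomain.example
Sender: talk-owner@lists.example.org
List-Id: <talk.lists.example.org>
List-Post: <mailto:talk@lists.example.org>
Subject: Re: [talk] meeting

body
"""

# Constructed sample 2: the same kind of message really redistributed by the list.
VIA_LIST = """Received: from lists.example.org (lists.example.org [192.0.2.10])
  by mail.mydomain.example (Postfix) with ESMTPS id 4D5E6F
  for <me@mydomain.example>; Fri, 14 Dec 2018 10:05:00 +0100
Received: from smtp.friend.example (smtp.friend.example [198.51.100.7])
  by lists.example.org (Postfix) with ESMTPS id 7A8B9C; Fri, 14 Dec 2018 10:04:58 +0100
Authentication-Results: mail.mydomain.example;
  spf=pass smtp.mailfrom=lists.example.org;
  dkim=fail header.d=friend.example;
  dmarc=fail header.from=friend.example
Authentication-Results: lists.example.org; spf=pass smtp.mailfrom=friend.example
From: Friend <friend@friend.example>
To: talk@lists.example.org
Sender: talk-owner@lists.example.org
List-Id: <talk.lists.example.org>
List-Post: <mailto:talk@lists.example.org>
Subject: [talk] meeting

body
"""

HOP_RE = re.compile(r"\bfrom\s+(?P<from>[\w.-]+).*?\bby\s+(?P<by>[\w.-]+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help")


def hops(raw):
    """Received chain as (from_host, by_host) pairs, most recent hop first."""
    chain = []
    for h in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(h.split()))   # unfold, then parse
        if m:
            chain.append((m.group("from").lower(), m.group("by").lower()))
    return chain


def auth_results(raw):
    """spf/dkim/dmarc verdicts, read only from the Authentication-Results our MTA stamped.

    Any other Authentication-Results header travelled with the message: a leftover
    from an upstream hop at best, forged at worst.
    """
    verdicts = {}
    for h in message_from_string(raw).get_all("Authentication-Results", []):
        text = " ".join(h.split())
        if text.lower().startswith(OUR_MTA + ";"):
            verdicts.update(AUTH_RE.findall(text))
    return verdicts


def claims_list(raw):
    """Does the message carry the headers a list expander adds?"""
    msg = message_from_string(raw)
    sender = msg.get("Sender", "").lower()
    return any(msg.get(h) for h in LIST_HEADERS) or sender.endswith("@" + LIST_HOST)


def came_via_list(raw):
    """True only if the hop our own MTA recorded was received from the list host."""
    chain = hops(raw)
    return bool(chain) and chain[0] == (LIST_HOST, OUR_MTA)


def classify(raw):
    """'list' if it really passed through the list, 'direct-with-list-headers' if it
    only looks that way, else 'direct'. File on this, not on List-* alone."""
    if came_via_list(raw):
        return "list"
    if claims_list(raw):
        return "direct-with-list-headers"
    return "direct"


if __name__ == "__main__":
    for name, raw in (("direct reply", DIRECT_REPLY), ("via list", VIA_LIST)):
        print(name, "->", classify(raw), auth_results(raw))
```

The DKIM and DMARC failures on the list copy are what you would expect from a list that rewrites the Subject without re-signing; that is why the list host in the trusted hop, rather than the authentication verdicts, decides the "list" label here.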
 
Tags
mail headers, mailing-list, reply-to, rfc
All times are GMT -5.