Print Page | Close Window

Strange behaviour with CC and TO

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6979
Printed Date: 14 December 2017 at 2:07pm


Topic: Strange behaviour with CC and TO
Posted By: Wayne
Subject: Strange behaviour with CC and TO
Date Posted: 15 September 2011 at 5:38am
Hi Roberto
Finally I have a little problem again with the current release of SF and have to bother you Wink

We have the problem, that we often get a email, always from the same sender, who send these mails to one or two users addressed in the RCPT TO: field and one or two in the CC:
Strange behaviour is, the guys in the the CC: get the mail, one of the TO: also, but mostly one in the TO: not and it's allways the same user.

I'll try to explain with the Log's:

09.14.11 04:14:28:358 -- (1932) Detected TCP Connection: 98.139.91.96
09.14.11 04:14:28:358 -- (1932) Connection from: 98.139.91.96  -  Originating country : United States
09.14.11 04:14:28:733 -- (1932) Received MAIL FROM: <marge@gemagpp.com>
09.14.11 04:14:28:920 -- (1932) Received RCPT TO: g.ahrendt@mydomain.ch
09.14.11 04:14:28:920 -- (1932) Bypassed all rules for: g.ahrendt@mydomain.ch from marge@gemagpp.com ( Whitelisted EMail Address From)
09.14.11 04:14:29:811 -- (1932) Starting queueing procedures
09.14.11 04:14:29:826 -- (1932) EMail from marge@gemagpp.com to g.ahrendt@mydomain.ch was queued. Size: 18 KB, 18432 bytes
09.14.11 04:14:29:826 -- (888) Sending email from marge@gemagpp.com to g.ahrendt@mydomain.ch --
09.14.11 04:14:34:967 -- (1932) Starting bayesian procedures
09.14.11 04:14:35:155 -- (1932) Disconnect

Looks everything just as usual, but if you have a look at the header of the email, you will recognize there is one recipient more, and the guy who get the mail is not in the TO: field how the SF log lies to me, he's in the CC

Received: from mail.mydomain.ch (172.17.36.2) by EXGEMA.myinternaldomain.ads
 (172.17.36.75) with Microsoft SMTP Server id 8.3.159.2; Wed, 14 Sep 2011
 04:14:33 +0200
Received: from 98.139.91.96 by mail.mydomain.ch (LogSat Software SMTP Server);
 Wed, 14 Sep 2011 04:14:29 +0200
Received: from [98.139.91.66] by nm26.bullet.mail.sp2.yahoo.com with NNFMP; 13
 Sep 2011 05:03:41 -0000
Received: from [98.139.91.53] by tm6.bullet.mail.sp2.yahoo.com with NNFMP; 13
 Sep 2011 05:02:41 -0000
Received: from [127.0.0.1] by omp1053.mail.sp2.yahoo.com with NNFMP; 13 Sep
 2011 05:02:41 -0000
X-Yahoo-Newman-Id: 456611.67652.bm@omp1053.mail.sp2.yahoo.com
Received: (qmail 31463 invoked from network); 13 Sep 2011 05:02:41 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1315890161; bh=9ze7KKmKWTiItY8PlW1nXxjdbK+ymnmgtbzrgAMPrqs=; h=X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Return-Receipt-To:From:To:Cc:References:In-Reply-To:Subject:Date:Message-ID:MIME-Version:Content-Type:X-Priority:X-MSMail-Priority:X-Mailer:Importance:Thread-Index:Content-Language:Disposition-Notification-To; b=Tgd9HjZZ5h2CeJxXtd1k0Hd5Le6np/fTFD4KbuOrEbuIhNn7wMNL25v9Vsa11bexWDccK7IXiADPK9zysSs4rac1VU3T1UEw/fIMnvQGFFnTgzkANin+Cpy/Lu0wJjKyhsRWdUALMQzRdQtKNre5kgOUh2mH/anYS/FJCiAV5d8=
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: .t7FvOYVM1kNqXzIGYpRLGrrbszZ33UG4n0Z8Q5vOFFh5Yc
 iIfyJmOLCD5UjKXvtOwnZ4C9bKgdohLogF9caimCjI6urXYUWTRcb9UOH4bR
 qqSqS8U0-
X-Yahoo-SMTP: jDvKeMqswBDGbotT02CRMr8zDHSm8fdgTRiOZjI2
Received: from DELLMARGE (marge@86.98.89.131 with login)        by
 smtp113.biz.mail.sp1.yahoo.com with SMTP; 12 Sep 2011 22:02:36 -0700 PDT
Return-Receipt-To: "Marge" <marge@gemagpp.com>
From: Marge <marge@gemagpp.com>
To: 'Christensen Sandra' <s.christensen@mydomain.ch>     <---- never received the mail
CC: 'Ahrendt Georg' <g.ahrendt@mydomain.ch>    <---- he got the mail
References: <528B040A4679FF4BAED4DB3C6EDD32A903437B6D53@EXGEMA.myinternaldomain.ads>
In-Reply-To: <528B040A4679FF4BAED4DB3C6EDD32A903437B6D53@EXGEMA.myinternaldomain.ads>
Subject: RE: Inquiry for Discount-Powder Hoses
Date: Tue, 13 Sep 2011 09:02:29 +0400
Message-ID: <!&!AAAAAAAAAAAYAAAAAAAAAEbRgNQv/uhLgXwWpGKhvE3CgAAAEAAAAOaFe2dJyoZLur42h25gZE0BAAAAAA==@gemagpp.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0026_01CC71F3.E0908120"
X-Priority: 1 (Highest)
X-MSMail-Priority: High
X-Mailer: Microsoft Office Outlook 12.0
Importance: High
Thread-Index: AcxQFA7Sxp3ibCibS0O+arh+hObWjQbtsCBAAAE64rAAAAeEAgAiVJSgADnlCkABJFGOkA==
Content-Language: en-us
Disposition-Notification-To: "Marge" <marge@gemagpp.com>
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <marge@gemagpp.com>
X-SF-HELO-Domain: nm26.bullet.mail.sp2.yahoo.com
X-SF-Originating-IP: 98.139.91.96
X-SF-WhiteListedReason: Whitelisted EMail Address From
Return-Path: marge@gemagpp.com

Do you have any idea what happen here? It looks like this sender is always using Yahoo to forward the mail, but if one recipient is getting the mail, why the hell the second not? I have no f**king clue LOL

Thx for any suggestions

Reagrds Wayne
 


-------------
SF4.5.0.1-beta



Replies:
Posted By: LogSat
Date Posted: 15 September 2011 at 10:50pm
Hi Wayne,

Most of the headers in an email that is received (including the To: and the CC: ones) are inserted by the mail client. Those addresses in the headers are actually not related in any way to the addresses that the sender's mail server provides in the RCPT TO command. The emails specified in the RCPT TO command are the actual recipients of the email, not the ones specified in the TO: and CC: headers. 

This said, in "normal" non-spam emails the addresses in the headers and the ones provided in the RCPT TO commands do match, but please do remember that I could for example send you an email in which the TO: headers shows "president@whitehouse.gov" and the CC: header shows "vice.president@whitehouse.gov".

In this specific email, Yahoo did indeed sent to SpamFilter only one RCTP TO command, specifying the email address "g.ahrendt@mydomain.ch". As the email looks legitimate, non-spam, it's a bit unusual that the TO and CC headers do not match the RCPT TO, but the issue should be looked into by the sender, as ultimately it is the remote server that only asked for delivery to one user.

What's odd is that there appears to be a delay of about one hour and 11 minutes before the email is received by SpamFilter from Yahoo's servers. Are you using greylisting by any chance? Yahoo has known problems with greylisting - see this thread  http://www.logsat.com/SpamFilter/Forums/forum_posts.asp?TID=6942#14084 - http://www.logsat.com/SpamFilter/Forums/forum_posts.asp?TID=6942#14084 for a more detailed description (and solution). I would not see why greylisting could cause Yahoo to deliver emails to one user and not another, but if they violate RFCs in one way they could be doing it in others....

 and they do not necessarily have to match 


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Wayne
Date Posted: 19 September 2011 at 8:41am
Hi Roberto

Thx for your comments.
Of course I know that it's possible to fake the TO: headers, but in this case our customer is not doing that and is just using Outlook as mail client. So that means Yahoo is mixing up or deleting some header informations when they forward his mail and that's really strange for such a big internet company like Yahoo is. This is simply unbelievable.

The delay problem of Yahoo is beacuse we use the greylist feature. It's again just unbelievable that Yahoo is still having problems with such a old function like greylisting and still violates the RFCs.

So then we will advise our customers to not longer use yahoo anymore.

Thx Roberto


-------------
SF4.5.0.1-beta


Posted By: LogSat
Date Posted: 19 September 2011 at 3:46pm
Hi Wayne,

You could try manually adding the entries I mentioned in the other posts to the GreyListAllowed.txt file - they are the known outbound SMTP servers for Yahoo at the time. That may help alleviate the issue with Yahoo.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Wayne
Date Posted: 19 September 2011 at 3:56pm
Roberto

I've checked your list with the IP's, but in all our examples the mails were sent from IP's from Yahoo server who are not in this list. So for me it's not worth to hunting always the IP's of their server.

But thx

-------------
SF4.5.0.1-beta



Print Page | Close Window