If 'To' and 'From' headers are the spammer's email address, how did I get this email?

10

3

I tried to check the headers. I see my email address in "Envelope-to: my_email@my_domain.com" but not in To/CC/BCC.

  1. How is the sender able to do this?
  2. I think I'm not a BCC recipient because Thunderbird didn't tell me about this.

Please see headers below (changed some names):

From - Wed Nov 03 20:54:11 2010
X-Account-Key: account7
X-UIDL: UID4036-1213982649
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
Return-path: <rajan@abc.com>
Envelope-to: my_email@my_domain.com
Delivery-date: Wed, 03 Nov 2010 09:17:32 -0600
Received: from pro237-180.mxout.rediffmailpro.com
 by my_mailserver.com with smtp (Exim 4.69)
 (envelope-from <rajan@abc.com>)
 id 1PDf5b-0000wT-J1
 for my_email@my_domain.com; Wed, 03 Nov 2010 09:17:31 -0600
Received: (qmail 34966 invoked from network); 3 Nov 2010 15:16:24 -0000
X-CTCH-Spam: Unknown
X-CTCH-VOD:  Unknown
X-CTCH-Flags: : 0
X-CTCH-RefID: str=0001.0A0B0207.4CD17D02.01C2,ss=1,pt=DBB_65837,fgs=0
Received: from unknown (HELO Rajan) (rajan@abc.com@122.170.25.63)
  by mailserver with SMTP; 3 Nov 2010 15:16:17 -0000
From: "Rajan Kr. Tahalani" <rajan@abc.com>
To: "Rajan Kr. Tahalani" <rajan@abc.com>
Subject: Diwali Greetings ~ StepStone Manpower Solutions.
Date: Wed, 3 Nov 2010 20:48:01 +0530
Message-ID: <005101cb7b6a$51a2ba80$f4e82f80$@com>
MIME-Version: 1.0
Content-Type: multipart/related;
 boundary="----=_NextPart_000_0052_01CB7B98.6B5AF680"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Act6/TQ1zdEz/sjoQBGWN/etyyH1dwAasROw
Content-Language: en-gb

This is a multipart message in MIME format.

------=_NextPart_000_0052_01CB7B98.6B5AF680
Content-Type: multipart/alternative;
 boundary="----=_NextPart_001_0053_01CB7B98.6B5AF680"


------=_NextPart_001_0053_01CB7B98.6B5AF680
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: 7bit

nash

Posted 2010-11-06T18:45:23.907

Reputation: 103

Related: http://superuser.com/questions/665477/why-is-my-own-e-mail-address-not-listed-in-the-to-field. Also, adding some search engine keywords: spam recipient not me, emails not addressed to me

– aexl – 2016-12-26T09:55:28.930

BCC is not an actual header. It is only sent in the SMTP session as a "RCPT TO". The fact that it is not sent in the header is what makes it a BCC. – Belmin Fernandez – 2010-11-07T01:57:56.927

Answers

12

How can you see if you are a BCC recipient if you really are a BCC recipient? The nature of BCC is that it hides all the recipients of the message listed in the BCC field...

I've worked with distribution lists before in Outlook, and if I put all my recipients in the BCC field, and my own email/name in the To field, then no one but me can see who else the email was sent to...

Also, the spammer's email address in the To field could be the name of a distribution list... - thus hiding all of the emails that way...

studiohack

Posted 2010-11-06T18:45:23.907

Reputation: 13 125

9

The e-mail address in the envelope “To” has as much to do with the addresses in the To: and Cc: fields in the e-mail headers as the address on a snail mail envelope has to do with the recipient address on the letterhead of the paper in the envelope. That is, it is the responsibility of the sender to make them match, and the mail delivery service is not going to open the letter to check that it hasn't been misaddressed.

In the case of e-mail, this isn't completely true: e-mail delivery systems do inspect the mail contents (headers and body) to catch spam and viruses. But if you're Bcc'ed on an e-mail, your address will be on the envelope but not anywhere in the mail (that's why it's called a blind carbon copy — some e-mail clients generate a separate copy of the mail where they include your address in an extra field, but this is not universal). This is a legitimate use case, and spammers make use of it. (You are bcc'ed on that mail, by definition — you are an intended recipient without being a documented recipient.)

Having an envelope “To” that is not mentioned in the headers is a hint that the mail may be spam, but it's only a hint. It happens legitimately to bcc's and bounced mails.

Gilles 'SO- stop being evil'

Posted 2010-11-06T18:45:23.907

Reputation: 58 319

5

The whole point of a Bcc: list is that the recipients can't see it. It's perfectly lawful for the envelope recipient (the recipient specified in the RCPT TO: SMTP transaction) and the header recipient (the address in the To: line) to be different; that's how Bcc lists are achieved.

So don't worry, this is completely normal.

MadHatter

Posted 2010-11-06T18:45:23.907

Reputation: 381

3

And to see the BCC in action, here's what happens when sending some test message to a Gmail account (which probably will end up in the junk folder).

First, figure out who's handling incoming Gmail messages:

host gmail.com
gmail.com mail is handled by 5 gmail-smtp-in.l.google.com.
gmail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.

Next, type the commands in bold, like in Terminal on a Mac or a DOS prompt in Windows. Don't change the dummy mail from: <me@example.com>:

telnet gmail-smtp-in.l.google.com 25
Trying 74.125.79.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP p57si7771934eeh.86

helo example.com
250 mx.google.com at your service

mail from: <me@example.com>
250 2.1.0 OK p57si7771934eeh.86

Next, type the following, changing your-real-gmail-address@gmail into whatever Gmail address you want the test message to be delivered to. (The angle brackets <...> are required.) You can also use multiple rcpt to: lines, as long as these are known to Gmail:

rcpt to: <your-real-gmail-address@gmail>
250 2.1.5 OK p57si7771934eeh.86

data
354 Go ahead p57si7771934eeh.86

After the 354 Go ahead, anything you type up to a line with just a dot will be considered to be the message. This is totally independent of the rcpt to: you already issued above. The headers go first, then a blank line, followed by the body text. Just paste something like the following. Again, don't change the @example.com addresses:

Date: Sun, 7 Nov 2010 11:40:00 +0100 (CET)
From: Him <him@example.com>
To: Someone <someone@example.com>
Cc: "Someone else" <someoneelse@example.com>
Subject: Not in the TO, not in the CC

Hello Someone!
.

(Eventually press Ctrl-] and type quit to exit Telnet.)

Note that in the actual message above your own email address is not mentioned at all. This is also how BCC is handled; it often does not use the Bcc: header, as then the sending party could not deliver the same message to multiple recipients of the same provider in one go.

Upon receiving this message, this yields:

Delivered-To: <your-real-gmail-address@gmail>
Received: ...
Return-Path: <me@example.com>
Received: from example.com (<the sender DNS name and IP address here>)
Message-Id: <4cd67cb8.427e0e0a.60a2.4040SMTPIN_ADDED@mx.google.com>
...
Date: Sun, 7 Nov 2010 11:40:00 +0100 (CET)
From: Him <him@example.com>
To: Someone <someone@example.com>
Cc: "Someone else" <someoneelse@example.com>
Subject: Not in the TO, not in the CC

Hello Someone!

Here, Gmail added the Delivered-To: header; I am not sure if all mail servers do that.

But: the regular headers do not mention the true recipient at all, and are really just a copy of whatever you typed. And your email client typically only shows details from the message. For example, the bounce address (mail from: and Return-path:) might be different from the displayed sender (From:), and both might be false. And the date is really just the date that the sender has set. Sometimes spam has a date in the future or past, in an attempt to get the message displayed on top of your screen even after new messages have arrived.

Arjan

Posted 2010-11-06T18:45:23.907

Reputation: 29 084
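The envelope-versus-header distinction the answers describe can be checked mechanically on a received message: compare the recipients the receiving MTA recorded (Envelope-to:, Delivered-To:, the "for" clause of a Received: line) with the recipients visible in To:/Cc:. This is an added example, not code from the question or any answer; the sample message is constructed and modelled on the headers in the question, and the header names it looks for are an assumption about which MTAs (here Exim, Gmail, Postfix) record the envelope recipient.

```python
import email
import re
from email.utils import getaddresses

# Constructed sample, modelled on the headers pasted in the question
# (Exim records the envelope recipient in Envelope-to: and in the Received: "for" clause).
RAW_MESSAGE = """\
Return-path: <rajan@abc.com>
Envelope-to: my_email@my_domain.com
Received: from pro237-180.mxout.rediffmailpro.com
 by my_mailserver.com with smtp (Exim 4.69)
 (envelope-from <rajan@abc.com>)
 id 1PDf5b-0000wT-J1
 for my_email@my_domain.com; Wed, 03 Nov 2010 09:17:31 -0600
From: "Rajan Kr. Tahalani" <rajan@abc.com>
To: "Rajan Kr. Tahalani" <rajan@abc.com>
Subject: Diwali Greetings
Date: Wed, 3 Nov 2010 20:48:01 +0530

Hello
"""

# "for <addr>" or "for addr;" as written by Exim/Postfix/Gmail Received: lines.
RECEIVED_FOR = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def envelope_recipients(msg):
    """RCPT TO addresses as recorded by receiving MTAs (header names are an assumption)."""
    found = set()
    for name in ("Envelope-to", "Delivered-To", "X-Original-To"):
        for value in msg.get_all(name, []):
            found.update(addr.lower() for _, addr in getaddresses([value]) if addr)
    for value in msg.get_all("Received", []):
        hits = RECEIVED_FOR.findall(value)
        if hits:
            found.add(hits[-1].lower())  # the "for" clause is the last element in Exim's format
    return found


def header_recipients(msg):
    """Recipients the mail client displays: the message's own To: and Cc: headers."""
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def analyse(raw):
    """Envelope recipients missing from To:/Cc: indicate Bcc-style delivery."""
    msg = email.message_from_string(raw)
    env, hdr = envelope_recipients(msg), header_recipients(msg)
    return {"envelope": env, "header": hdr, "undisclosed": env - hdr}
```

For the constructed sample, `analyse(RAW_MESSAGE)["undisclosed"]` is `{"my_email@my_domain.com"}`: the mailbox was a RCPT TO recipient but appears nowhere in the headers, exactly the situation the question describes.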