An Internet e-mail message consists of two parts. We can refer to them as the envelope and the payload message or simply message.
The envelope has routing data: primarily, this is the sender address and one or more recipient addresses.
The message has the message content: subject line, message body, attachments, and so on. It also carries some technical information such as trace (Received:) headers, DKIM data, and so on; as well as the displayed sender and recipient addresses (what you see in the From, To and Cc fields in your mail client).
Here's the crux of it: The two don't have to agree!
A mail server will look at the envelope data to determine how to send the message. On the other hand, with few exceptions, the message itself will be treated as just data. Particularly, a well-behaved mail server does not look at the To: and Cc: fields of the message itself to determine the list of recipients, nor does it look at the From: field to determine the sender's address.
When you compose and send an e-mail, your e-mail client takes what you entered into the To, Cc and Bcc fields, and translates that into envelope routing information. This is mainly done by removing any full names (leaving only e-mail addresses), but can also involve things like address rewriting, alias expansion, and so on. The result is a list of e-mail addresses which are given to the mail server your mail client is talking to as the list of recipients. The To and Cc lists are kept in the e-mail, but the Bcc is not passed along to the server, making it invisible to message recipients. The sender address works very similarly.
When the message reaches its final destination, the envelope data is either thrown away, or retained in the detailed message headers. That's one part of the reason why Spittin' IT asked for the full message headers in a comment to your question.
Additionally, with Internet e-mail, it is possible to talk directly to a mail server, and thus inject a message that has a mismatch between the envelope data and the message data that a normal, well-behaved e-mail client wouldn't let you compose. Also, mail servers do varying degrees of checks on the sender address that they are given in the envelope data; some barely check it at all beyond making sure it's a syntactically valid e-mail address. The From header of the message data is subjected to even less scrutiny.
Since the receiving e-mail client displays what's in the From, To and Cc headers, not the address data from the envelope, it's possible to put anything you want there and the receiving e-mail client will have no recourse but to trust that it is reasonably accurate. For legitimate mail it usually is accurate enough; for spam, it almost never is.
In the world of tangible, physical objects inhabited by us mere humans, the envelope sender and envelope recipient correspond to the return address and recipient address, respectively, that you write on the outside of the envelope; and the From: and To:/Cc: headers correspond to whatever you put as your and the recipient's addresses, respectively, in the letter which you put in the envelope.
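The comparison described above, as an added example that is not part of the original answer: it reads the full headers of a delivered message, recovers the envelope data the receiving server recorded, and compares it with what the mail client displays. The sample message, every address and host in it, and the function name `envelope_vs_headers` are constructed for illustration; it assumes the receiving server records `Return-Path`, `Delivered-To` and a `for` clause in `Received`, which not every server does.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample of "full message headers" as stored after final delivery.
# All addresses, hosts and the queue id are made up for this example.
SAMPLE = """\
Return-Path: <bulk@sender.example>
Delivered-To: student@university.example
Received: from mta.sender.example (mta.sender.example [192.0.2.10])
\tby mx.university.example with ESMTP id ABC123
\tfor <student@university.example>; Mon, 15 May 2017 18:00:00 +0000
From: "IT Help Desk" <helpdesk@university.example>
To: someone.else@university.example
Subject: Account notice

Body text.
"""

# Optional "for <recipient>" clause a server may write into its Received line.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)

def _addrs(values):
    """Bare, lower-cased addresses from a list of header values."""
    return {a.lower() for _, a in getaddresses(values) if a}

def envelope_vs_headers(raw):
    msg = message_from_string(raw)
    # Envelope data the receiving servers chose to record in the headers.
    env_sender = parseaddr(msg.get("Return-Path", ""))[1].lower()
    env_rcpts = _addrs(msg.get_all("Delivered-To", []))
    for received in msg.get_all("Received", []):
        env_rcpts |= {m.lower() for m in FOR_CLAUSE.findall(received)}
    # Message data: what the mail client displays.
    shown_from = parseaddr(msg.get("From", ""))[1].lower()
    shown_rcpts = _addrs(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {
        "envelope_sender": env_sender,
        "displayed_from": shown_from,
        "sender_mismatch": bool(env_sender) and env_sender != shown_from,
        "envelope_recipients": env_rcpts,
        "displayed_recipients": shown_rcpts,
        # Delivered here without being listed in To or Cc (Bcc, list, spam run).
        "undisplayed_recipients": env_rcpts - shown_rcpts,
    }

if __name__ == "__main__":
    for key, value in envelope_vs_headers(SAMPLE).items():
        print(f"{key}: {value}")
```

A sender mismatch on its own is not proof of forgery, since mailing lists and bulk-mail services legitimately use a different envelope sender; it is the starting point for reading the rest of the headers.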
8
Post the full message headers... also you may have a secondary SMTP address on the email server that this was sent to perhaps. Email server admins should be able to help advise you on this but [edit] your answer and post the full message header detail of this message too. – Pimp Juice IT – 2017-05-15T18:27:49.250
55
You were probably in the blind carbon copy field of the email. – Mokubai – 2017-05-15T18:30:35.187
61
You won't see the BCC list, that's the "B"lind part. ;) – Ƭᴇcʜιᴇ007 – 2017-05-15T18:41:04.553
2
@Ƭᴇcʜιᴇ007 but wouldn't I at least see myself? – tuskiomi – 2017-05-15T18:46:56.807
14
@tuskiomi No, not in Outlook. Gmail does show bcc: me, perhaps others do as well... But if you look at the full message headers you should see your email there – wysiwyg – 2017-05-15T18:49:34.860
20
@tuskiomi - No, you will never see anyone listed in BCC, not even yourself. Moreover, if it's spam, there may not even be a true BCC list; spamware can manage the recipient list any way it wants, and what ultimately matters is what the spamware's dialogue with the mail server looks like - not what the content of the mail is. The only way you'll see your email address is if you look at the internet headers. – Jeff Zeitlin – 2017-05-15T18:50:05.660
2
Someone can take a message from Alice to Bill and mail it to Charlie if they want to. Heck, I can compose a fake letter from God to the Pope and mail it to you if I want. – David Schwartz – 2017-05-16T00:11:51.090
1
Cross-stack see https://security.stackexchange.com/questions/9487/how-can-paypal-spoof-emails-so-easily-to-say-it-comes-from-someone-else – dave_thompson_085 – 2017-05-16T06:48:18.527
5
"At first, I suspected a CC, or a BCC, but nowhere does it have my address on the mail." Well, if it was a BCC, then you wouldn't. That's the whole point. – Lightness Races with Monica – 2017-05-16T15:36:28.327
1
Most likely a spam sender does not use the Bcc mechanism. The actual mechanism used is that he was in the envelope-to of the SMTP transmission. The Mail is delivered regardless of being listed in To or Cc or not. – eckes – 2017-05-16T21:44:13.187
3
Is that image real? I would recommend editing it to remove your actual name and email address. Also, why on earth did you reply to it? – David K – 2017-05-19T19:15:11.253
1
I can't comment due to lack of reputation but I actually worked at the Service Desk @ UofSC. Forward that email to phishing@sc.edu and IT Security can prevent further emails from the sender from being sent to other students and faculty. Also, you may want to remove your email from being publicly listed from sc.edu/directory. You can make the change at my.sc.edu. – ansario – 2017-05-21T17:03:48.563