Email to non-accounts is forwarded?
kennylucius
06-21-2006, 12:16 PM
I don't use SpamAssassin, but I do attempt to reduce the spam by turning off the Catch-All Alias. Recently I have noticed a lot more spam emailed to non-existent accounts. The mail server automagically forwards addresses like <administrator@mine.com> to the main account. Has it always worked this way?
I ran some tests, and could only reproduce the forwarding about half the time.
Hello,
As noted in this Knowledgebase Article (http://Service.FutureQuest.net/kb266), any email to the following email addresses will automatically be sent to your Shell email address unless you specifically create alias or POP accounts for those addresses:
abuse
postmaster
mailer-daemon
php
php3
webmaster
root
-Bob
kennylucius
06-21-2006, 12:40 PM
Thanks for the quick reply, Rob. I knew about webmaster and root, but forgot about the others.
I have received these too:
administrator
mail
uucp
cindik
06-21-2006, 12:41 PM
Also, you may be receiving a Bcc:
To: notavalidaccount@yourdomain.com
Bcc: webmaster@yourdomain.com
shows up as
To: notavalidaccount@yourdomain.com
Checked the Delivered-to: lines in the header.
Kevin
06-21-2006, 12:43 PM
Yeah, that BCC thing happened to me once. I deleted an alias that was getting a ton of spam yet continued to get spam addressed to it. After further investigation they were sending the spam to that alias with a BCC to another :(
kennylucius
06-21-2006, 01:12 PM
I've already deleted them all, but I checked the raw headers pretty closely to see what was happening, and I'm sure there was no bcc. It definitely hit the FQ servers destined for the nonexistent account, and was forwarded.
In at least one case, it was forwarded twice: I think it was "administrator" to "advertising" to the main account. I got the idea that it was forwarded to the closest match (alphabetically), but I couldn't reproduce the effect.
This all happened within a few minutes--I think the timestamp was around 3 am. Perhaps it was just a hiccup. I never got "administrator", "mail", or "uucp" to forward.
BTW, I'm not worried about this at all. It just caught my eye this morning.
kennylucius
06-27-2006, 11:55 AM
I got a few more this morning at 7:10 and 8:10. The addresses used:
majordomo
support
contact
Here is the raw header from one. I have inserted brackets to break my email addresses. I got two copies of this one sent to majordomo@ -- this one got forwarded to root and the other to postmaster. Is it possible I'm missing the BCC field? I tried emailing to majordomo and got the appropriate response: recipient does not exist.
Return-Path: <evan@berlusconi.com>
Delivered-To: [my.main.account]@awardannals.com
Received: (fqmail 5529 invoked from network); 27 Jun 2006 14:10:30 -0000
Received: from mx02.futurequest.net (mx02.futurequest.net [69.5.6.172])
    by pt02.futurequest.net ([69.5.6.173])
    with FQDP via TCP; 27 Jun 2006 14:10:30 -0000
Received: (qmail 29606 invoked from network); 27 Jun 2006 14:10:30 -0000
Received: from pt02.futurequest.net (pt02.futurequest.net [69.5.6.173])
    by mx02.futurequest.net ([69.5.6.172])
    with QMQP via TCP; 27 Jun 2006 14:10:30 -0000
Delivered-To: [root]@awardannals.com
Received: (fqmail 5516 invoked from network); 27 Jun 2006 14:10:30 -0000
Received: from mx04.futurequest.net (mx04.futurequest.net [69.5.6.175])
    by pt02.futurequest.net ([69.5.6.173])
    with FQDP via TCP; 27 Jun 2006 14:10:30 -0000
Received: (qmail 31348 invoked from network); 27 Jun 2006 14:10:30 -0000
Received: from CAD_06.u0172zau.net (pd95fff9b.dip.t-dialin.net [217.95.255.155])
    by mx04.futurequest.net ([69.5.6.175])
    with ESMTP via TCP; 27 Jun 2006 14:10:30 -0000
From: "Tom Wesley" <evan@berlusconi.com>
To: <majordomo@awardannals.com>
Subject: Open something new for your self
Date: Tue, 27 Jun 2006 16:10:33 -0100
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: edYjbzQnD1fI0SIaNYT5KsNZoP1jTI3EnRCL
Content-Type: text/plain;
    charset="Windows-1252"
Content-Transfer-Encoding: 7bit
I would like to emphasize that I am talking about a measly 4 emails here, so an answer is not critical.
Any BCC addresses will not show up in the header, which is the whole point of BCC, Blind Carbon Copy...
The Delivered To: address would have been the BCC address.
-Bob
kennylucius
06-27-2006, 12:08 PM
What I meant was: "is it possible the email was somehow addressed to root and I can't see it". It's a rhetorical question meant to express my puzzlement.
Hi again,
When someone adds a BCC address or addresses they do not show up as a To: or CC: address would within the headers. This allows you to send a copy of an email to another person without the original recipient knowing what address it was also sent to.
The email you included actually appears to have been a BCC: to root as you will see there is a prior Delivered-To: line within the header of the email.
"Delivered-To: [root]@awardannals.com"
To stop those you would want to create a blackhole address "root" and then anything that was BCC'd to root would simply go *poof*, same for webmaster and any of the other default addresses you don't want to receive.
-Bob
kennylucius
06-27-2006, 02:05 PM
That is contrary to my understanding, though I'm no expert. Please explain a little further if I am wrong.
A list of addresses in a BCC field is parsed by the sending emailer (CAD_06.u0172zau.net) and a separate email for each BCC address is generated with the address in the To: field. If root was included in the BCC, I would have received this email To:root. The FQ servers never received a BCC header field.
If I am to assume that you are correct, then CAD_06.u0172zau.net would have to have sent the entire BCC list to FQ (mx04.futurequest.net), and FQ created a copy of the email for each recipient, removed the BCC field from the header, and then delivered them. That just sounds unlikely to me, because I assume the sending emailer does that sort of thing, but if that is how it happened, please reiterate for me.
Thanks.
Bruce
06-27-2006, 02:45 PM
> That is contrary to my understanding, though I'm no expert. Please explain a little further if I am wrong.
> A list of addresses in a BCC field is parsed by the sending emailer
Correct
> and a separate email for each BCC address is generated
Maybe. It depends on how the sending server software, and where the recipients are. qmail always generates one delivery per recipient.
> with the address in the To: field.
Wrong. Addresses in a Bcc: header are stripped and not revealed by any email system I am aware of.
To make this a little clearer, there are actually two parts to every email -- the envelope and the message. The envelope is composed of a sender address and a list of recipient addresses, while the message is split into a header and a body. The envelope controls how a message is delivered, and the message is the content that gets delivered. The data in the envelope does not necessarily match the contents of the message's header. Everything in the message's header (that hasn't been added by the receiving server, such as the top Received: header) can be forged by the sender.
One of the methods for generating the envelope, and the most familiar for script writers, is to have the mail injection program (/usr/sbin/sendmail or equivalent) parse the message header and extract addresses from various headers. From the qmail-header man page:
> qmail-inject looks for sender address lists in the following fields: Sender, From, Reply-To, Return-Path, Return-Receipt-To, Errors-To, Resent-Sender, Resent-From, Resent-Reply-To.
> ...
> qmail-inject looks for recipient address lists in the following fields: To, Cc, Bcc, Apparently-To, Resent-To, Resent-Cc, Resent-Bcc.
> Every message must contain at least one To or Cc or Bcc. qmail-inject deletes any Bcc field.
In no case does any of the recipients listed on any Bcc header get rewritten into a To: header.
This header parsing happens only once, and only when the message is first injected. At all other points in the mail system(s) the message is handled based on its envelope and not its header. No further parsing of the header is done (with the exception of scanning during delivery by SpamAssassin or similar). At every delivery step, the receiving server is supposed to add a Received: header to the top of the message (so they appear in reverse order). qmail systems also add a Delivered-To: header when a delivery happens to show the process of deliveries as well.
> The FQ servers never received a BCC header field.
Correct, since the originating system would have stripped the Bcc header before delivery. The address would remain in the envelope, though.
> If I am to assume that you are correct, then CAD_06.u0172zau.net would have to have sent the entire BCC list to FQ (mx04.futurequest.net), and FQ created a copy of the email for each recipient, removed the BCC field from the header, and then delivered them.
The sending server may have sent the entire envelope to our MX. Our mail systems do generate a separate delivery for each recipient, producing in effect multiple "copies", but the Bcc header would have been removed by the sending system.
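The envelope/header split described in the post above, as an added example that is not part of the original thread and is not qmail's own code. It models injection (envelope built from To/Cc/Bcc only, Bcc field deleted), per-recipient delivery with a prepended Delivered-To: line, and a check that lists delivery addresses absent from the visible To:/Cc: headers. The function names, addresses and sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the message as handed to the injection program.
SUBMITTED = """\
From: sender@example.net
To: notavalidaccount@example.com
Bcc: root@example.com
Subject: constructed sample

body
"""

def inject(raw):
    """Simplified model of header-based injection: build the envelope
    recipient list from To/Cc/Bcc, then delete the Bcc field."""
    msg = message_from_string(raw)
    fields = []
    for name in ("To", "Cc", "Bcc"):
        fields += msg.get_all(name, [])
    envelope = [addr.lower() for _, addr in getaddresses(fields) if addr]
    del msg["Bcc"]  # removes every Bcc field; no error if none exists
    return envelope, msg.as_string()

def deliver(raw, rcpt):
    """Model of one delivery: the receiving system prepends a
    Delivered-To: line naming the envelope recipient."""
    return "Delivered-To: %s\n%s" % (rcpt, raw)

def envelope_only(raw):
    """Delivered-To addresses that appear in neither To: nor Cc:,
    i.e. recipients that existed only in the envelope."""
    msg = message_from_string(raw)
    visible = {a.lower() for _, a in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []))}
    delivered = [a.lower() for _, a in
                 getaddresses(msg.get_all("Delivered-To", []))]
    return [a for a in delivered if a not in visible]

if __name__ == "__main__":
    envelope, wire = inject(SUBMITTED)
    print("envelope recipients:", envelope)
    for rcpt in envelope:
        copy = deliver(wire, rcpt)
        print(rcpt, "-> envelope-only:", envelope_only(copy))
```

Run against a copy that was delivered to one address and then forwarded to another, `envelope_only` returns both Delivered-To addresses, newest first, which is the pattern in the raw header posted earlier in the thread.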
kennylucius
06-27-2006, 03:28 PM
Thank you, Bruce. I was under the impression that the raw header I receive is the envelope. No wonder I was confused.
BTW, I like the Untroubled masthead design :-)
Bruce
06-27-2006, 04:02 PM
> Thank you, Bruce. I was under the impression that the raw header I receive is the envelope. No wonder I was confused.
No problem. The envelope/header distinction is a common misconception since the envelope is almost always invisible (except to those of us actually working the mail systems).
> BTW, I like the Untroubled masthead design :-)
Thank you. Unfortunately I can't take credit for it, as my wife made it.