• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 343
  • Last Modified:

Mesage with no 'Send To' defined ends up in users inbox.

I have a client running Domino 7.03 and the latest Symantec Mail Security with Premium Anti-SPAM enabled.  It seems to be working well except for this one thing.

One of the users is now getting messages in his inbox with no subject or recipients.  The body of the email shows a bunch of different RCPT TO: statements as well as a subject line.  I'm wondering if Symantec could be catching the emails, but corrupting them.  This message should be caught as SPAM, and then marked with SPAM in the subject and then delivered. (Notice that the subject in the body of the email does start with SPAM)

When I look at the document properties, there is not 'Sent To' or 'Copy To' defined, I cannot determine how the messages end up in this mans inbox.

Here is a message as it shows up for the user.

Any ideas?

erikjj@electroheadfilms.com
02/20/2009 10:40 AM       To      
cc      
Subject      


MAIL FROM: <bobwhitesrog9@app-schaefer.com>
RCPT TO: <swede@video.org>
RCPT TO: <trainingdirector@video.org>
RCPT TO: <pritchardmarkp@video.org>
RCPT TO: <pritchardmarkpi@video.org>
RCPT TO: <pscotth@video.org>
RCPT TO: <normanzy1q8@video.org>
DATA
Message-ID: <000d01c993c4$ea316ab0$6400a8c0@bobwhitesrog9>
From: "Sybil Torres" <bobwhitesrog9@app-schaefer.com>
To: <swede@video.org>
Subject: Spam:Plan a romantic weekend the way you want it.
Date: Sat, 21 Feb 2009 02:37:10 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
                boundary="----=_NextPart_000_0007_01C993C4.EA316AB0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Brightmail-Tracker: AAAAAgzSvtgNCQpx

This is a multi-part message in MIME format.

------=_NextPart_000_0007_01C993C4.EA316AB0
Content-Type: text/plain;
                charset="windows-1250"
Content-Transfer-Encoding: quoted-printable

With that pill you can try different experiments in bed.
&nbsp;

Enter fast
------=_NextPart_000_0007_01C993C4.EA316AB0
Content-Type: text/html;
                charset="windows-1250"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dwindows-125=
0">
<META content=3D"MSHTML 6.00.3790.1830" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV align=3Dcenter><FONT face=3DArial size=3D2>With that pill you can try =
different experiments in bed.</FONT></DIV>
<DIV align=3Dcenter><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV align=3Dcenter><FONT face=3DArial size=3D2>
<A href=3D"http://swissloveme.com.es">Enter fast</A></FONT></DIV></BODY></H=
TML>

------=_NextPart_000_0007_01C993C4.EA316AB0--
0
ITDharam
Asked:
ITDharam
  • 2
  • 2
2 Solutions
 
fgrushevskyCommented:
Do you have a rule on Symantec Mail Security to mark suspicious spam messages with the word "SPAM" in the subject?

Few other thought:
Junk mail does not have to be properly formatted mail (one of the reason it is called junk).
The Sendto or CopyTo fields that you are looking for are not responsible to directing mail into users mailbox. These fields are defined in RFC2822 that describes message header
The message is directed into user mailbox based on rcpt to: command received by your mail server. It is described in RFC 2821. The information from rcpt to: is not recorded in the message. You will need to check mail server logs for that
0
 
ITDharamAuthor Commented:
Yes, Symantec will mark the message as SPAM and then deliver.

Strange thing is, some of the spam gets tagged and delivered and shows up with the 'Send To' and Subject fields intact, while some of it gets messed up like the above.

I compared the document information between emails that appear to be correctly labeled, and these strange SPAM ones, I guess I don't know how Domino will take the incoming email, and translate it.  Based on the above, none of the RCPT TO match the address to where it was delivered.
0
 
fgrushevskyCommented:
Couple thoughts:

1. You don't know how message looked like when it arrived to your system, before Symantec checked it for spam/viruses. You don't know that the message was correctly formatted to begin with. Junk messages are often misformatted and don't follow RFC rules as they are junk

2. How did you check RCPT TO information? This information is NOT recorded in the message header or body. Be default, it is also NOT recorded in the log.
You will need to have debug smtp enabled (see http://www-01.ibm.com/support/docview.wss?&uid=swg27003007   for more details) to capture this information.

3. I don't have latest Symantec Mail Security handy (my guess it would be version 6), but from my expirience with previous versions it would be quite possible for Symantec to have problem dealing with misformatted messages.
0
 
qwaleteeCommented:
You can also turn on mail tracing to see what Domino saw as delivery instructions.

Remember, SendTo is not delivery instruction. The client copies SendTo to the Recipients list for delivery instructions. Similarly, inbound SMTP has RCPT TO for delivery instructions, independent of the header displayed to the user. Domino maps the envelope's RCPT TO into RECIPIENTS, and the SMTP message content's To: header into SendTo. As others have mentioned, spammers may put out a RCPT TO for your user without a matching To: for the user.

Message tracking records the RCPT TO information, so you can see what came in, mapping it against the delivered message.
0
 
ITDharamAuthor Commented:
I guess that why it's called Experts Exchange.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now