[Dshield] Weird from address

Brian Dessent brian at dessent.net
Sun Oct 16 22:27:06 GMT 2005

Emmanuel Steve Dulvin wrote:

> I received something weird this morning if you see below the from
> address in this mail shows as jblue at getresponse.com but when I checked
> on my gateway I see From:
> bounce-514542-steve.d=adcb.com at citius.getresponse.com  does anybody know
> on why this happened I mean even if it is spoofed the spoofed e-mail id
> should be shown on the mail. Let me know if any of you know anything
> about it.......

There are two 'from' addresses on every email: the envelope-from and the
header-from.  The former is what is actually used by the MTA during
delivery, and is the address used to send bounces.  The latter is just
informational, and is displayed by the MUA to the user when viewing the

Mailing list software makes use of this to handle users whose addresses
are bouncing.  They will send each email with an envelope-from that
contains coded information of which message was trying to be send, and
the 'to' address that it was trying to send it to.  That way, if the
message is undeliverable, it receives a bounce to that coded address,
and it can keep track of exactly which address is bouncing and which
messages have bounced.  Using that info it can send a warning/probe to
the user telling them which messages have bounced, and if it continues
it can remove their address from the subscriber list.

Thus the "bounce-514542-...." address you are seeing is the
envelope-from, which makes sense because MTAs don't really consider the
header-from, only the envelope-from, so this is the address your MTA
will report.

If mailing list software did not do this, the subscriber that actually
wrote the list post would directly receive bounces for every subscriber
whose address is bouncing (e.g. they are out of disk space and their
quota has filled up.)  This would make mailing lists quite worthless,
because it is not the problem of the poster to deal with that, it is the
mailing list software's responsibility.  Plus it would be bloody
annoying to post to a list and then receive all that crap.


