[Dshield] Weird from address

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Sun Oct 16 20:11:13 GMT 2005


On Sun, 16 Oct 2005 11:31:04 +0400, Emmanuel Steve Dulvin said:
> 
> Hi Guys, 
> I received something weird this morning if you see below the from
> address in this mail shows as jblue at getresponse.com but when I checked
> on my gateway I see From:
> bounce-514542-steve.d=adcb.com at citius.getresponse.com 

There's 2 separate "from" addresses attached to most e-mail.

One is the RFC822 "From:" header (which in the case of the mail I'm replying to
is "<Steve.d at adcb.com>", and your odd mail is "jblue at getresponse.com").  This is
the "user visible" address that an MUA (Mail User Agent) should be using when
it displays the mail or generates a reply.

The other is the RFC821 'MAIL FROM:', which is also known as the "envelope
address".  The name is somewhat of a misnomer, as it isn't where the mail is
from, exactly.  It's where a mail server is supposed to send bounces if the
mail goes ka-boing.  For most user-to-user mail, it happens to be the same
as the RFC822 address, so that you (the sending user) get a "User Unknown"
message back if you make a typo.  For mailing lists, it's usually set to some
special address that the mailing list software will catch and DTRT (usually
flag a user for deletion).  So for the mail I'm replying to, the MAIL FROM:
was '<list-bounces at lists.dshield.org>', and for your odd mail, it was
bounce-mumble at citius.getresponse.com.  If mail to the list bounces, it goes
to list-bounces which will get tossed to MailMan.

Your bounce- address appears to be VERP'ed, which means that the destination
address is encoded in the address to send the bounce to.  This is because an
amazing number of mail systems manage to generate bounces that don't have any useful
mention of the address that actually bounced.  But if the MAIL FROM is VERP'ed,
then the sending site (getresponse.com) knows that it can toss *all* mail it gets
to any bounce-* into the bounce processor, and it can break it down:

bounce-514542-steve.d=adcb.com@

bounce- - it's a bounce.
514542- some code number indicating which list/mailing/etc this was from
steve.d=adcb.com - change the = to an @ and you have the address that ka-boinged.

The RFC821 MAIL FROM: is often put into an RFC822 Return-Path: header when it
gets dropped into a final mailbox, so that user programs can use the value if
appropriate.
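
Added example, not part of the original post and not getresponse.com's own code: a short Python sketch that reads a delivered message, puts the visible From: next to the envelope sender recorded in Return-Path:, and decodes the VERP'ed bounce address back to the recipient. The layout bounce-<code>-<local>=<domain> is assumed from the one address quoted above; the sample message and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the addresses quoted in the post; not a real capture.
SAMPLE = """\
Return-Path: <bounce-514542-steve.d=adcb.com@citius.getresponse.com>
From: J Blue <jblue@getresponse.com>
To: steve.d@adcb.com
Subject: constructed example

body
"""

# Layout assumed from the post: bounce-<code>-<local>=<domain>
VERP_RE = re.compile(r"^bounce-(?P<code>\d+)-(?P<rcpt>.+)$", re.IGNORECASE)


def decode_verp(envelope_sender):
    """Return (code, recipient) for a VERP'ed bounce address, else None."""
    local, at, _host = envelope_sender.rpartition("@")
    if not at:
        return None
    m = VERP_RE.match(local)
    if not m or "=" not in m.group("rcpt"):
        return None
    # The last '=' stands for the '@': a domain cannot contain '=', a local part can.
    user, _, domain = m.group("rcpt").rpartition("=")
    if not user or not domain:
        return None
    return m.group("code"), f"{user}@{domain}"


def summarize(raw):
    """Put the visible From:, the envelope sender and the decoded recipient side by side."""
    msg = message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1]
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    verp = decode_verp(envelope)
    return {
        "header_from": header_from,
        "envelope_from": envelope,
        "differs": header_from.lower() != envelope.lower(),
        "verp_code": verp[0] if verp else None,
        "verp_recipient": verp[1] if verp else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A plain list bounce address such as list-bounces@lists.dshield.org carries no encoded recipient, so decode_verp returns None for it.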
