
Strange "To:" address?


kgr


Got a spam Email a couple of days ago with a delivery address that I can't reproduce in my filters. It was "Adobe|adobe-forums[at]<mydomain>.com" (the <mydomain> obfuscation is mine).

The Pipe character is not valid in delivery addresses, so how can I filter this out, and more to the point, how did this Email with an invalid delivery address manage to successfully arrive at my subdomain?

Do MTAs interpret "XXX|YYY[at]domain.com" as "XXX[at]domain.com,YYY[at]domain.com"?

Thanks.

--

[H]omer


A mistake that I have made in the past and may be the case here, is that the "to" address may have nothing to do with how the mail got to you. It is very likely that your address is included in a list of BCC addresses, which are never displayed. If you look at the headers, specifically the "Delivered-To:", it should give you a better idea as to what address was actually used to get the mail to your inbox. Again, if that address was in the list of BCC addresses, then the "To" address is actually meaningless and can be an invalid address.


> Do MTAs interpret "XXX|YYY[at]domain.com" as "XXX[at]domain.com,YYY[at]domain.com"?

Generally not. The pipe character is an illegal character that should not be used in the local part of your email address at all. However, many MTAs will transport messages regardless of the contents of the local part.

If you do not have an account named "adobe|adobe-forums", it is most likely that this message was received via the "catch-all" feature of your domain. This feature catches all messages received at your domain that were not addressed to existing accounts.

To address your problem, you could

(1) Turn off the catch all feature, or

(2) If possible, reconfigure your catch all feature so that it does not catch messages containing illegal characters in the local part of the email address, or

(3) Use filters that can work with illegal characters.
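
The checks suggested in the two replies above (read the delivery headers rather than "To:", and filter on the characters in the local part), as an added example that is not code from any poster. It assumes Postfix-style X-Original-To and Delivered-To headers are present; the allowed-character set, the sample messages and the example.com / sender.example names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Local policy, an assumption: the only characters this site uses in alias
# local parts. It is a site choice, not a statement of the RFC 5322 grammar.
ALLOWED_LOCAL = re.compile(r"[A-Za-z0-9._+-]+")

def envelope_recipient(msg):
    """Recipient recorded by the delivering MTA. X-Original-To is the address
    before alias rewriting; Delivered-To (final mailbox) is the fallback."""
    for name in ("X-Original-To", "Delivered-To"):
        value = msg.get(name)
        if value:
            return value.strip().strip("<>").lower()
    return None

def triage(raw):
    """Compare the envelope recipient with the visible To/Cc headers and
    check its local part against the site policy."""
    msg = message_from_string(raw)
    rcpt = envelope_recipient(msg)
    shown = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    visible = {addr.lower() for _, addr in shown if addr}
    local = rcpt.rpartition("@")[0] if rcpt else ""
    return {
        "envelope_rcpt": rcpt,
        "named_in_headers": rcpt in visible,  # False suggests Bcc-style delivery
        "local_part_ok": bool(ALLOWED_LOCAL.fullmatch(local)),
    }

def sample(orig_to, to):
    # Constructed message; example.com and sender.example are placeholders.
    return (f"X-Original-To: {orig_to}\nDelivered-To: catchall@example.com\n"
            f"From: offers@sender.example\nTo: {to}\n"
            "Subject: constructed\n\nbody\n")

if __name__ == "__main__":
    cases = {
        "pipe in envelope": sample("Adobe|adobe-forums@example.com",
                                   "Adobe|adobe-forums@example.com"),
        "bcc-style": sample("adobe-forums@example.com",
                            "undisclosed@sender.example"),
    }
    for label, raw in cases.items():
        print(label, triage(raw))
```
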


> A mistake that I have made in the past and may be the case here, is that the "to" address may have nothing to do with how the mail got to you.

Yeah, I did look at the message source, and the *actual* envelope was to "Adobe|adobe-forums[at]..etc", rather than just the "To:" field.


> Yeah, I did look at the message source, and the *actual* envelope was to "Adobe|adobe-forums[at]..etc", rather than just the "To:" field.

This may not help but I have found that some software appends additional text to the front part of the email address - example

Delivered-To: spamcop-net-xxxxxxx[at]spamcop.net

The section in red was added to the actual email address represented by xxxxxxx.


> If you do not have an account named "adobe|adobe-forums", it is most likely that this message was received via the "catch-all" feature of your domain. This feature catches all messages received at your domain that were not addressed to existing accounts.

I don’t have an account by that name, but my subdomain Email account at my ISP’s MTA (postfix) is configured in a blacklist arrangement, rather than whitelist, with the end of the chain *allowing* rather than *rejecting* all non-matches.

I’d rather not do whitelisting, as I tend to set up new aliases quite frequently to handle many new correspondents (each with a unique ID for tracking purposes). That way, if I receive Email to an alias that does not originate from the designated correspondent’s host system, I can immediately score it as suspect (and more importantly, ask questions about why my Email address was sold/passed-on to another person/company).

> (2) If possible, reconfigure your catch all feature so that it does not catch messages containing illegal characters in the local part of the email address.

That is in the hands of my ISP (Nildram) … I could always ask.

> (3) Use filters that can work with illegal characters.

Ditto.

Thanks for the info.


Archived

This topic is now archived and is closed to further replies.
