Mailing List Message #96907
From: Jakob Peterhänsel <>
Subject: Re: New way of sending spam??
Date: Sun, 14 Dec 2008 23:02:07 +0100
To: CommuniGate Pro Discussions <>
X-Mailer: Apple Mail (2.930.3)

But the message below does Not have an empty Return-Path. It has an empty FROM command, but it seems as if the header in the raw message contain both - right?

How often does this happen? 
And what's the difference on having an empty FROM in the headers?

Personally, I have a rule that discard any message that has an empty From header and empty Subject..

    Jakob Peterhänsel

"Be a part of the Love Generation - carry a smile, not a gun."
- JP, May 2006

AIM:         Marook
Phone:     +45 30787715

On 14/12/2008, at 19.02, Technical Support, Stalker Labs wrote:

Jeff Wark on 11.12.2008 20:17 wrote:

[Note: recipient addresses in the logs have been changed to protect the innocent.  IP addresses remain the same as do email addresses in the included header sample.]
We have had a customer questioning the amount of bouncebacks he was receiving this morning.
Initially, I just thought that someone had used his email address as the Return-Path and he was getting some backscatter.  However, the logs contained the following lines:
04:58:42.41 4 SMTPI-95731([]) rsp: 250 SMTP state reset
04:58:42.45 4 SMTPI-95731([]) cmd: MAIL FROM:<>
04:58:42.45 4 SMTPI-95731([]) rsp: 250 <> sender accepted
04:58:42.49 4 SMTPI-95731([]) cmd: RCPT TO:<>
04:58:42.49 4 SMTPI-95731([]) rsp: 250 will leave the Internet
04:58:42.49 4 SMTPI-95731([]) cmd: RCPT TO:<>
04:58:42.50 4 SMTPI-95731([]) rsp: 250 will leave the Internet
04:58:42.50 4 SMTPI-95731([]) cmd: RCPT TO:<>
04:58:42.50 4 SMTPI-95731([]) rsp: 250 will leave the Internet
04:58:42.50 4 SMTPI-95731([]) cmd: RCPT TO:<>
04:58:42.50 4 SMTPI-95731([]) rsp: 250 will leave the Internet
04:58:42.75 4 SMTPI-95731([]) cmd: DATA
04:58:42.75 4 SMTPI-95731([]) rsp: 354 Enter mail, end with "." on a line by itself
04:58:42.81 2 SMTPI-95731([]) [103379590] received, 3408 bytes
04:58:42.81 4 SMTPI-95731([]) rsp: 250 103379590 message accepted for delivery
04:58:42.87 4 SMTPI-95731([]) cmd: RSET
My understanding, limited though it may be, says that empty return paths are generally delivery status notifications of some sort sent to the original sender.

Generally, but not exclusively.

Empty return-path only means that the sender does not want to receive any notifications/bounces about problems delivering that message. The sender can be not only MAILER-DAEMON but anything else, e.g. a mailing list where there are can be multiple recipients in one message. So such messages are pretty legitimate
> If so, how can this message with an empty return path
be sent to 4 different people?  It seems to me that this is just another clever way to deliver spam to people in that it may more effectively get them to open the message.
Oh yeah, and the headers in the original bounced message contained no reference to any of the accounts listed up in the logs, or any of our IP addresses:
Received: from ([]) by OPENFIRE.cacrawco.local with Microsoft SMTPSVC(6.0.3790.1830);
Thu, 11 Dec 2008 06:08:25 -0500
To: <>
Subject: Re: Order status
From: <>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
Message-ID: <OPENFIRESWerOc0Ne0P000012be@OPENFIRE.cacrawco.local>
X-OriginalArrivalTime: 11 Dec 2008 11:08:25.0626 (UTC) FILETIME=[C9CB5FA0:01C95B80]
Date: 11 Dec 2008 06:08:25 -0500

