[quote user="Brian Fluet"]

... Some of them are "blind link clickers" and "mindless attachment openers" so if I see a message that is of concern malware-wise I want to get it out of other mailboxes as soon as possible. ...

[/quote]

Brian

I have to give security awareness training sessions where I work which educates staff so they can look for the tell-tale signs of malicious messages and social engineering techniques. If you send me a PM with your email address I will send you a copy of my notes if you'd like them (18 pages). They contain examples etc., of alerts and are useful to give out to attendees as they can use them for their personal devices as well.

I'm using MercuryD to retrieve messages from each users hosted mailbox which Mercury then delivers to the appropriate local mailbox.  I have noticed messages getting delivered even though they are missing a To: header.  Odder still is that some of these messages appear identical yet get delivered to different mailboxes.  The only difference I see is the Envelope-to: header so I'm curious how these message get delivered the hosted mailboxes when I can not find any reference to the recipient in the raw views other than the Envelope-to which is written by Mercury.

Hi Brian,

Afaik the "From:" and "To:" fields are header infos only, means information for the user, but not necessary for the technical process of transportation. For the transportation the "envelope to:" is important, but the most e-mail clients are not showing this information to the user. Insofar I'm not sure whether Mercury is really adding any "envelope to:" headers to the e-mail. Rather Mercury makes it visible only.

As said, it's the envelope that contains the sender/recipient data and this stripped off from the normal view. As you say, the RAW view gives you the envelope to: header, but where this may be a blind cc I don't think the recipient address is always included. I have to admit that my understanding of how this works is muddied at best.

You can see how Pegasus Mail's distribution lists are addressed when delivered when hiding recipient addresses, and we have received mail from other mail clients where the recipient address is the original To: header but the final recipient is someone else entirely and their address is not in the headers at all.

Freaky :) 

Greenman,

Concealing the recipient list in a message sent to a dlist is an excellent analogy to what I see.  How it works remains a mystery. 

I brought this topic up because when I see a message get past the filters I assume it has been sent to multiple users.  Some of them are "blind link clickers" and "mindless attachment openers" so if I see a message that is of concern malware-wise I want to get it out of other mailboxes as soon as possible.  I search POPFile's recent files list to see how many came and to whom but was hoping to figure out an easier way.

[quote user="Brian Fluet"]

Greenman,

Concealing the recipient list in a message sent to a dlist is an excellent analogy to what I see.  How it works remains a mystery.[/quote]

;) The envelope is a fundamental process of email transportation and is a good analogy.  The envelope, usually created by the original sender, contains the Mailfrom address and one or more Recipient addresses.  What ends up in your mailbox (and seen by you in your mail client) is the contents of the envelope.  There may be some header in the delivered contents that shows you who it is to.  (And sometimes not - hence the problem with domain mailboxes.)

[quote]I brought this topic up because when I see a message get past the filters I assume it has been sent to multiple users.  Some of them are "blind link clickers" and "mindless attachment openers" so if I see a message that is of concern malware-wise I want to get it out of other mailboxes as soon as possible.  I search POPFile's recent files list to see how many came and to whom but was hoping to figure out an easier way. [/quote]

That sounds like a social engineering problem which can best be solved by education (or a better filter).