Re: spam emails with "to:" line missing

2022-04-19 Thread Viktor Dukhovni
On Tue, Apr 19, 2022 at 09:45:12PM -0600, @lbutlr wrote:

> On 2022 Apr 15, at 16:53, Viktor Dukhovni  wrote:
> > On Fri, Apr 15, 2022 at 04:30:19PM -0600, @lbutlr wrote:
> > 
> >> However, it is *very* common for a BBC email to have a To header with
> >> no email address in it at all,
> > 
> > This violates RFC5322 and earlier versions.
> 
> No it does not.

My comment was about *empty* "To:" headers.

> > The "To:" header must
> 
> *IF* present.

That's all I said, at least one mailbox or group if present.

-- 
Viktor.


Re: spam emails with "to:" line missing

2022-04-19 Thread @lbutlr
On 2022 Apr 15, at 16:53, Viktor Dukhovni  wrote:
> On Fri, Apr 15, 2022 at 04:30:19PM -0600, @lbutlr wrote:
> 
>> However, it is *very* common for a BBC email to have a To header with
>> no email address in it at all,
> 
> This violates RFC5322 and earlier versions.

No it does not.

> The "To:" header must

*IF* present.

> contain at least one address (or group).

But is not required to be present at all.

-- 
Billionaire beats up a schizophrenic woman and a deformed little person
who likes birds.
(Batman Returns)



Re: spam emails with "to:" line missing

2022-04-16 Thread David Neil
On 16/04/2022 10.53, Viktor Dukhovni wrote:
> On Fri, Apr 15, 2022 at 04:30:19PM -0600, @lbutlr wrote:
> 
>> However, it is *very* common for a BBC email to have a To header with
>> no email address in it at all,
> 
> This violates RFC5322 and earlier versions.  The "To:" header must
> contain at least one address (or group).
> 
> https://datatracker.ietf.org/doc/html/rfc5322#section-3.4
> https://datatracker.ietf.org/doc/html/rfc5322#section-3.6.3


Which says that the word "To", followed by a colon, must be followed by
a list.

Whilst this is correct, the To-header itself, is optional.


However, in the 'not allowed' reaction, there is some room for
ironic amusement. The Robustness principle, ie

  "be conservative in what you send, be liberal in what you accept"

is also known as Postel's law. Jon Postel was the editor of the RFCs,
for something like 30-years.


TLDR: some history, which (eventually) confirms the above!

It won't tell you (Viktor or others of my 'betters' on this list)
anything, but diving down this 'rabbit-hole', as a break from other
research (courtesy of this list) and because the topic amused me,
tickling at my memory:-


Originally, ie way-back, as far as last century; email was sent over FTP.

RFC524 is more interested in mailbox@host, but talks of "recipient" in
the "short body".

An early attempt to harmonise several differing email ideas was RFC680
which talked about a "header" - but neither the example message nor the
formal syntax included a recipient/To:

As well as the "Message Transmission Protocol" (RFC680) starting the
separation from FTP, talks of distinguishing "human processing and
features for machine processing". Its "required headers" continued by
only including date and sender. It recognised three "Receiver
Specifications", our familiar To, CC, and BCC. However,
misunderstandings and factions followed, and this became known as an
"interim" arrangement.

1977 was a busy year. Ideas such as one user having multiple mail-boxes
and messages being sent to "Address lists" or "Groups" were formally
proposed in RFC724. Two interesting statements appear in one paragraph:

"No mechanism for authentication is provided,  since  the  Network
provides  no  mechanisms for enforcing mail security. The syntax does
provide for one aspect of "correctness":  a  distinction  is made
between  an  address which is claimed to be a valid network address and
one which is  simply  free  text, included for the convenience of the
human participants."

Then there is:
"some of the header fields must be included in all messages.  In
addition to the fields specified in this  document, it  is  expected
that  other fields will gain common use.  User-defined header fields
allow systems to extend their functionality while  maintaining  a
uniform framework." Postel's law in other words!

General Syntax allowed for a message to be all headers or headers +
message-text. I guess if all one wishes to say is "come here, I want to
see you", 'headers' is all that is needed to convey the message!

Headers were split into "required" and "optional", and the only
required-headers were date and "originator".

The "receiver fields" were expanded to include "Fcc:" (for a few months,
that is).

By the end of the year, that "Proposed official standard" was re-drafted
as RFC733 "Standard for the format of ARPA network text messages". The
introduction loses no time getting into our topic:

"A distinction should be made between what the  specification REQUIRES
and  what  it ALLOWS".

"To:" (etc) remain as "optional-field[s]".

Five years later, RFC822 intended to update (the above) and emphasised
the "requires" and "allows", particularly in the context of specific
systems being 'different', but requiring a basic convention towards
interoperability.

The pertinent change was:

     fields      =    dates                      ; Creation time,
                      source                     ;  author id & one
                    1*destination                ;  address required
                     *optional-field             ;  others optional

With "destination" explained as:

     destination =  "To"          ":" 1#address  ; Primary
                 /  "Resent-To"   ":" 1#address
                 /  "cc"          ":" 1#address  ; Secondary
                 /  "Resent-cc"   ":" 1#address
                 /  "bcc"         ":"  #address  ; Blind carbon
                 /  "Resent-bcc"  ":"  #address

Thus, a To-field is not required, but at least one 'destination' is.

Interestingly, a field need NOT hold meaningful content:

field   =  field-name ":" [ field-body ] CRLF

My small brain can't cope with the syllogism of having (only) field
'labels' with no content, as acceptable (required) destination-fields -
but perhaps I'm mis-reading (mea culpa).

Rolling forward to this century, and the reading extends beyond fifty
pages! (progress?)

RFC 2822 3.6. Field definitions says "The only required header fields

Re: spam emails with "to:" line missing

2022-04-15 Thread li...@lazygranch.com



On Fri, 15 Apr 2022 11:06:35 +0200
Tinne11  wrote:

> 
> > On 15.04.2022 at 08:49, Fourhundred Thecat
> > <400the...@gmx.ch> wrote:
> > 
> > Are there any legitimate cases where "to:" might be missing?
> 
> 
> RFC 5322 says: "The only required header fields are the origination
> date field and the originator address field(s).", i. e. the "Date:"
> and the "From:" header field.
> 
> 
> 
> I have sent this answer without any address in the to header field.

This email had a "TO" to me. 

I just experimented on my own, that is do a message using BCC and then
one with the TO field. I can confirm the message using BCC didn't have
a TO field. This is on my own postfix/dovecot implementation.

I routinely send messages just using BCC if I know that all the
recipients don't have each other's email addresses.



Re: spam emails with "to:" line missing

2022-04-15 Thread Viktor Dukhovni
On Fri, Apr 15, 2022 at 04:30:19PM -0600, @lbutlr wrote:

> However, it is *very* common for a BBC email to have a To header with
> no email address in it at all,

This violates RFC5322 and earlier versions.  The "To:" header must
contain at least one address (or group).

https://datatracker.ietf.org/doc/html/rfc5322#section-3.4
https://datatracker.ietf.org/doc/html/rfc5322#section-3.6.3

-- 
Viktor.


Re: spam emails with "to:" line missing

2022-04-15 Thread @lbutlr



> On 2022 Apr 15, at 07:30, Benny Pedersen  wrote:
> 
> On 2022-04-15 10:47, Bernardo Reino wrote:
> 
>> Many e-mails are sent to "BCC" lists, so they have no To: header (or
>> have one with "undisclosed-recipients").
> 
> bcc does not remove or add to

No, and that's not what was said. However, it is *very* common for a BBC email 
to have a To header with no email address in it at all, and not that uncommon 
to see one with no To address at all (or at least it was, since I recall being 
confused by this last century).

>> So I'd be careful with rejecting/filtering only based on that.
> 
> spammers does not know all that details :=)

Rejecting messages that are valid based on a misunderstanding of what is 
correct is a mistake that WILL end up biting someone hard.

If you're picking around with your own email, have at it, you've no one to 
blame but yourself. However, if your mail server handles email for anyone but 
you, you should be respectful enough of the rules and norms to not screw up 
their email.

-- 
A bird in the hand makes it difficult to blow your nose.



Re: spam emails with "to:" line missing

2022-04-15 Thread Bernardo Reino

On Fri, 15 Apr 2022, Benny Pedersen wrote:

> On 2022-04-15 10:47, Bernardo Reino wrote:
>
>> Many e-mails are sent to "BCC" lists, so they have no To: header (or
>> have one with "undisclosed-recipients").
>
> bcc does not remove or add to

I didn't say that :)
(maybe the "so they have no.." implied some causality?)

Rephrased: There are e-mails sent only to addresses in [B]CC: which might not 
have a To: header at all.

>> So I'd be careful with rejecting/filtering only based on that.
>
> spammers does not know all that details :=)

It is IMHO irrelevant what you think spammers may or may not know.. I would just 
advise not to reject/block based on lack of To: header.


Rspamd tags such e-mails with the MISSING_TO flag, to which you can assign 
whatever score you wish (default is 2.0 IIRC).


Cheers,
Bernardo


Re: spam emails with "to:" line missing

2022-04-15 Thread Benny Pedersen

On 2022-04-15 10:47, Bernardo Reino wrote:

> Many e-mails are sent to "BCC" lists, so they have no To: header (or
> have one with "undisclosed-recipients").

bcc does not remove or add to

> So I'd be careful with rejecting/filtering only based on that.

spammers does not know all that details :=)


Re: spam emails with "to:" line missing

2022-04-15 Thread Benny Pedersen

On 2022-04-15 08:49, Fourhundred Thecat wrote:

> I am receiving spam emails, where the "to:" line is entirely missing in
> the email header.
>
> The header has "X-Original-To:" and "Delivered-To:", but no "to:" line.
>
> I have pasted the header here: https://ctxt.io/2/AABg30FRFQ
>
> How could I block such emails? Can I use header-check for this?
>
> Are there any legitimate cases where "to:" might be missing?

not really, i would like to see what "spamassassin -t spam.msg" gives at 
your install


Re: spam emails with "to:" line missing

2022-04-15 Thread Jaroslaw Rafa
On 15.04.2022 at 02:21:46, li...@lazygranch.com wrote:
> 
> The header doesn't look odd because the mailing list provides a TO
> field.

No, it doesn't. I don't see any "To:" field in the headers of Tinne11's
message. I do see a "Cc:" field, but not "To:".

And referring to the original questions about legit cases of e-mails without
"To:" field - if someone sends an email to multiple recipients that are
listed in the "Bcc:" field (as it is often done due to privacy), and does
not specify the "To:" field, this will be the case.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: spam emails with "to:" line missing

2022-04-15 Thread Peter

On 15/04/22 6:49 pm, Fourhundred Thecat wrote:

> I am receiving spam emails, where the "to:" line is entirely missing in
> the email header.
>
> The header has "X-Original-To:" and "Delivered-To:", but no "to:" line.
>
> I have pasted the header here: https://ctxt.io/2/AABg30FRFQ
>
> How could I block such emails? Can I use header-check for this?

The short answer is you can't.  The long answer is that header_checks 
each header individually and compares them against your pcre file. 
Since a legitimate email will match several headers that don't start 
with To: you can't try to match that and reject the message accordingly.

In order to do it you will need a milter or content filter.

> Are there any legitimate cases where "to:" might be missing?

It is possible, although rather unusual.  A message must have a 
recipient, but not necessarily specified in a To: header.  You're not 
likely to get much, if any legitimate mail with a missing To: header, 
though.



Peter
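
The point above, that header_checks sees one header line at a time and so cannot notice an absent one, is why the check needs the whole header block. The following is an added example, not part of Peter's post or of Postfix: a minimal Python classifier of the kind a content filter could run, separating an absent To: from an empty one and from an empty group. The sample messages, addresses and result keys are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

REQUIRED = ("Date", "From")  # the only required fields per RFC 5322 section 3.6
EMPTY_GROUP = re.compile(r"[^:;]+:\s*;")  # e.g. undisclosed-recipients:;

def to_state(values):
    """Classify the To: field(s) of one message."""
    if values is None:
        return "absent"            # valid: To: is optional
    text = ", ".join(values).strip()
    if not text:
        return "empty"             # present, but no mailbox or group
    if any("@" in addr for _name, addr in getaddresses(values)):
        return "addresses"
    if EMPTY_GROUP.fullmatch(text):
        return "empty-group"       # valid: a group may list no members
    return "malformed"

def classify(raw):
    """Parse the full header block; a per-line regexp cannot see absence."""
    msg = message_from_string(raw)
    state = to_state(msg.get_all("To"))
    missing = [h for h in REQUIRED if msg.get(h) is None]
    return {
        "to": state,
        "missing_required": missing,
        "conformant": not missing and state not in ("empty", "malformed"),
        # Hint for a scoring filter: add weight for "absent", do not reject.
        "score_hint": state == "absent",
    }

def build(*headers):
    """Constructed sample message (not taken from the thread)."""
    return "\n".join(headers) + "\n\nbody\n"

BASE = ("Date: Fri, 15 Apr 2022 08:49:00 +0200", "From: sender@example.org")
SAMPLES = {
    "bcc_only": build(*BASE),
    "empty_to": build(*BASE, "To:"),
    "group": build(*BASE, "To: undisclosed-recipients:;"),
    "normal": build(*BASE, "To: rcpt@example.net"),
    "no_date": build("From: sender@example.org", "To: rcpt@example.net"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```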


Re: spam emails with "to:" line missing

2022-04-15 Thread Bernardo Reino

On Fri, 15 Apr 2022, li...@lazygranch.com wrote:

> On Fri, 15 Apr 2022 11:06:35 +0200
> Tinne11  wrote:
>
>>> On 15.04.2022 at 08:49, Fourhundred Thecat
>>> <400the...@gmx.ch> wrote:
>>>
>>> Are there any legitimate cases where "to:" might be missing?
>>
>> RFC 5322 says: "The only required header fields are the origination
>> date field and the originator address field(s).", i. e. the "Date:"
>> and the "From:" header field.
>>
>> I have sent this answer without any address in the to header field.
>
> The header doesn't look odd because the mailing list provides a TO
> field. I'm fine if you want to send me an email without a TO field. I'd
> like to look at the header.

I've just sent you an e-mail with no "To:" header.

Cheers.


Re: spam emails with "to:" line missing

2022-04-15 Thread li...@lazygranch.com



On Fri, 15 Apr 2022 11:06:35 +0200
Tinne11  wrote:

> 
> > On 15.04.2022 at 08:49, Fourhundred Thecat
> > <400the...@gmx.ch> wrote:
> > 
> > Are there any legitimate cases where "to:" might be missing?
> 
> 
> RFC 5322 says: "The only required header fields are the origination
> date field and the originator address field(s).", i. e. the "Date:"
> and the "From:" header field.
> 
> 
> 
> I have sent this answer without any address in the to header field.

The header doesn't look odd because the mailing list provides a TO
field. I'm fine if you want to send me an email without a TO field. I'd
like to look at the header.


Re: spam emails with "to:" line missing

2022-04-15 Thread Tinne11


> On 15.04.2022 at 08:49, Fourhundred Thecat <400the...@gmx.ch> wrote:
> 
> Are there any legitimate cases where "to:" might be missing?


RFC 5322 says: "The only required header fields are the origination date field 
and the originator address field(s).", i. e. the "Date:" and the "From:" header 
field.



I have sent this answer without any address in the to header field.

Re: spam emails with "to:" line missing

2022-04-15 Thread Bernardo Reino

On Fri, 15 Apr 2022, Fourhundred Thecat wrote:

> I am receiving spam emails, where the "to:" line is entirely missing in
> the email header.
>
> [...]
>
> Are there any legitimate cases where "to:" might be missing?

Many e-mails are sent to "BCC" lists, so they have no To: header (or have one 
with "undisclosed-recipients").

So I'd be careful with rejecting/filtering only based on that.




Re: spam emails with "to:" line missing

2022-04-15 Thread Ludi Cree
Hi,

not exactly what you ask for, but:

I think it is absolutely safe to block "From: Smart Invest" and "Subject: 
become rich" with PCRE rules in header checks.

Greets,
Ludi


-----Original Message-----
From: owner-postfix-us...@postfix.org  On behalf of Fourhundred Thecat
Sent: Friday, 15 April 2022 08:49
To: Postfix users 
Subject: spam emails with "to:" line missing

Hello,

I am receiving spam emails, where the "to:" line is entirely missing in the 
email header.

The header has "X-Original-To:" and "Delivered-To:", but no "to:" line.

I have pasted the header here: https://ctxt.io/2/AABg30FRFQ

How could I block such emails? Can I use header-check for this?

Are there any legitimate cases where "to:" might be missing?





spam emails with "to:" line missing

2022-04-15 Thread Fourhundred Thecat

Hello,

I am receiving spam emails, where the "to:" line is entirely missing in
the email header.

The header has "X-Original-To:" and "Delivered-To:", but no "to:" line.

I have pasted the header here: https://ctxt.io/2/AABg30FRFQ

How could I block such emails? Can I use header-check for this?

Are there any legitimate cases where "to:" might be missing?