3 Replies Latest reply on Jun 15, 2014 2:05 PM by malware-alerts

    Empty smtp header "Sender"

    mvillase

      Hi all, I am having an issue with an application-generated email which is relayed through the McAfee Email Gateway 7.5 (Cluster) and delivered without the SENDER header. I checked the conversation logs in MEG and all is right; the delivery section shows MAIL FROM:example@test.com. Do you have any ideas why the email client is not showing the sender field? I am attaching the headers of the example email in the email client, where the FROM:<example@test.com> line is missing.

       

      Any Ideas?

       

       

      ------------------Begin Header----------------------

      Received: from VSRMEX09.intra.nafin.gob.mx (130.0.25.175) by

      VSRMEX09.intra.nafin.gob.mx (130.0.25.175) with Microsoft SMTP Server (TLS)

      id 15.0.775.38 via Mailbox Transport; Fri, 30 May 2014 13:57:35 -0500

      Received: from VSRMEX08.intra.nafin.gob.mx (130.0.25.169) by

      VSRMEX09.intra.nafin.gob.mx (130.0.25.175) with Microsoft SMTP Server (TLS)

      id 15.0.775.38; Fri, 30 May 2014 13:57:35 -0500

      Received: from srvout02.intra.nafin.gob.mx (130.0.24.44) by

      VSRMEX08.intra.nafin.gob.mx (130.0.25.169) with Microsoft SMTP Server (TLS)

      id 15.0.775.38 via Frontend Transport; Fri, 30 May 2014 13:57:34 -0500

      Received: from VSRVXAP01.intra.nafin.gob.mx (unknown [130.0.25.212]) by

      srvout02.intra.nafin.gob.mx with smtp    <----------This is the MEG

      id 182d_11ed_885542a0_d5c8_495c_abd8_15948ead22c9;   

      Fri, 30 May 2014 13:57:24 -0500

      Date: Fri, 30 May 2014 13:57:24 -0500

      To: <lsalazard@afirme.com.mx>

      CC: <gsolorzano@nafin.gob.mx>, <vmartin@nafin.gob.mx>,

                <javelazquez@nafin.gob.mx>, <jmorales@nafin.gob.mx>,

                <miglesias@nafin.gob.mx>, <pamela.saenz@afirme.com>,

                <blanca.perez@afirme.com>, <supervisagar@nafin.gob.mx>, <flugo@nafin.gob.mx>,

                <aghernandez@nafin.gob.mx>, <tcuellar@nafin.gob.mx>, <ajgomez@nafin.gob.mx>,

                <mrgarza@nafin.gob.mx>, <jaguerrero@nafin.gob.mx>, <lmrojas@nafin.gob.mx>,

                <druizs@nafin.gob.mx>

      Message-ID: <693950181.1.1401476244655.JavaMail.miglesias@VSRVXAP01>

      Subject: Dictamen Final Rescate AFIRME 04/2014

      MIME-Version: 1.0

      Content-Type: multipart/mixed;

                boundary="----=_Part_0_731400457.1401476244452"

      charset: UTF-8

      Return-Receipt-To: <supervisagar@nafin.gob.mx>

      Disposition-Notification-To: <supervisagar@nafin.gob.mx>

      X-NAI-Spam-Flag: NO

      X-NAI-Spam-Level:

      X-NAI-Spam-Threshold: 6

      X-NAI-Spam-Score: 0.5

      X-NAI-Spam-Version: 2.3.0.9378 : core <4958> : inlines <951> : streams

      <1198544> : uri <1771099>

      Return-Path: supervisagar@nafin.gob.mx

      X-MS-Exchange-Organization-Network-Message-Id: 1fa2a75f-4dd8-43f9-bee6-08d14a50274c

      X-MS-Exchange-Organization-AVStamp-Mailbox: SMEXtG}w;1082700;0;This mail has

      been scanned by Trend Micro ScanMail for Microsoft Exchange;

      X-MS-Exchange-Organization-SCL: 0

      X-MS-Exchange-Organization-AuthSource: VSRMEX08.intra.nafin.gob.mx

      X-MS-Exchange-Organization-AuthAs: Anonymous

      -----------------------------end header--------------------------------

        • 1. Re: Empty smtp header "Sender"
          andyclements

          The MAIL FROM: and From: headers are completely separate and defined by different RFCs.

               -The MAIL FROM command was originally defined by RFC 821, and is used in the delivery of mail.  The end user does not see the contents of this header.

               -The From header that the users do see was defined in RFC 822.  This is also what you would see in the headers of the message, as what you put in your post.

           

          The sending application needs to include both of these for your expected behavior.  If the 822 From address is left off, then the users will see the blank sender address as you report.  It is possible that something is stripping out the header, but we would need to see more details from various logs, or packet captures showing where that happened.

           

          • 2. Re: Empty smtp header "Sender"
            mvillase

            Thanks Andy, here are some captures of this case:

            Can I conclude the problem is that the source is not sending the "from" header?

            Is it possible that there is another problem?

             

             

            Source 130.0.25.213 is not sending the from: header as

            Screen Shot 2014-06-06 at 11.00.37 AM.png

             

            Received packets from IP 130.0.25.213

             

            No                    Time                              IP Source                    IP Destination          Protocol          Length          Info

             

            35139          23.906575          130.0.25.213          130.0.24.41          SMTP          89                    C: EHLO VSRVXAP02.intra.nafin.gob.mx

            35173          23.914668          130.0.25.213          130.0.24.41          SMTP          93                    C: MAIL FROM:<supervisagar@nafin.gob.mx>

            35177          23.917245          130.0.25.213          130.0.24.41          SMTP          93                    C: RCPT TO:<arturo.vazquez@navistar.com>

            38172          26.132986          130.0.25.213          130.0.24.41          SMTP          89                    C: RCPT TO:<gsolorzano@nafin.gob.mx>

            38188          26.138784          130.0.25.213          130.0.24.41          SMTP          84                    C: RCPT TO:<lpita@nafin.gob.mx>

            38200          26.144517          130.0.25.213          130.0.24.41          SMTP          90                    C: RCPT TO:<javelazquez@nafin.gob.mx>

            38212          26.150079          130.0.25.213          130.0.24.41          SMTP          87                    C: RCPT TO:<jmorales@nafin.gob.mx>

            38232          26.155579          130.0.25.213          130.0.24.41          SMTP          88                    C: RCPT TO:<miglesias@nafin.gob.mx>

            38236          26.161666          130.0.25.213          130.0.24.41          SMTP          90                    C: RCPT TO:<sandra.tena@navistar.com>

            38245          26.167202          130.0.25.213          130.0.24.41          SMTP          90                    C: RCPT TO:<jorge.moron@navistar.com>

            38263          26.172692          130.0.25.213          130.0.24.41          SMTP          91                    C: RCPT TO:<supervisagar@nafin.gob.mx>

            38267          26.178764          130.0.25.213          130.0.24.41          SMTP          84                    C: RCPT TO:<flugo@nafin.gob.mx>

            38275          26.184718          130.0.25.213          130.0.24.41          SMTP          87                    C: RCPT TO:<tcuellar@nafin.gob.mx>

            38298          26.188445          130.0.25.213          130.0.24.41          SMTP          86                    C: RCPT TO:<ajgomez@nafin.gob.mx>

            38302          26.193821          130.0.25.213          130.0.24.41          SMTP          87                    C: RCPT TO:<smorelos@nafin.gob.mx>

            38314          26.199095          130.0.25.213          130.0.24.41          SMTP          60                    C: DATA

            38419          26.270166          130.0.25.213          130.0.24.41          SMTP          1514          C: DATA fragment, 1460 bytes

             

             

             

             

            DATA Offset Hex Text from packet 38419

             

             


             

             

             

            Clear text from the same packet 38419.

             

            Date: Wed, 4 Jun 2014 11:20:57 -0500 (CDT)

            To: arturo.vazquez@navistar.com

            Cc: gsolorzano@nafin.gob.mx, lpita@nafin.gob.mx, javelazquez@nafin.gob.mx,

                      jmorales@nafin.gob.mx, miglesias@nafin.gob.mx,

                      sandra.tena@navistar.com, jorge.moron@navistar.com,

                      supervisagar@nafin.gob.mx, flugo@nafin.gob.mx, tcuellar@nafin.gob.mx,

                      ajgomez@nafin.gob.mx, smorelos@nafin.gob.mx

            Message-ID: <1015965754.1.1401898859890.JavaMail.smorelos@VSRVXAP02>

            Subject: Dictamen Final NAVISTAR 04/2014

            MIME-Version: 1.0

            Content-Type: multipart/mixed;

                      boundary="----=_Part_0_731400457.1401898857359"

            charset: UTF-8

            Return-Receipt-To: supervisagar@nafin.gob.mx

            Disposition-Notification-To: supervisagar@nafin.gob.mx

             

            ------=_Part_0_731400457.1401898857359

            Content-Type: text/html; charset=us-ascii

            Content-Transfer-Encoding: 7bit

             

            Se anexa dictamen final NAVISTAR 04/2014, con el resultado de la supervisi&#243;n

            ------=_Part_0_731400457.1401898857359

            Content-Type: application/octet-stream;

                      name=Carta_Dictamen_Final_NAVISTAR_04-2014.pdf

            Content-Transfer-Encoding: base64

            Content-Disposition: attachment;

                      filename=Carta_Dictamen_Final_NAVISTAR_04-2014.pdf

             

            JVBERi0xLjENCjEgMCBvYmoNCjw8DQovQ3JlYXRvciAoRGV2ZWxvcGVyIDIwMDApDQovQ3JlYXRv

            ckRhdGUgKA0KL0F1dGhvciAoT3JhY2xlIFJlcG9ydHMpDQovUHJvZHVjZXIgKE9yYWNsZSBQREYg

            ZHJpdmVyKQ0KL1RpdGxlIChDYXJ0YV9EaWN0YW1lbl9GaW5hbF9OQVZJU1RBUl8wNC0yMDE0LnBk

            ZikNCj4+DQplbmRvYmoNCjMgMCBvYmoNCjw8DQovVHlwZSAvUGFnZXMNC

             

             

            Can I conclude the problem is that the source is not sending the "from" header?

            • 3. Re: Empty smtp header "Sender"
              malware-alerts

              Andy Clements is right.

               

              From the trace you provided, the 'From' header is never sent from the application. It provides the Date and then goes directly to "To:" in the DATA phase which is why the e-mail looks to be from a blank sender when looking at the e-mail in a client application.
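
The check described in the replies above, as an added example that is not part of the original thread: it separates the SMTP envelope (MAIL FROM / RCPT TO) from the RFC 822 header block sent after DATA and reports mandatory headers the application left out. The session bytes are constructed with example.test placeholders, and the function names are hypothetical.

```python
from email.parser import BytesHeaderParser

REQUIRED_HEADERS = ("Date", "From")  # the two fields RFC 5322 makes mandatory

# Constructed client-side SMTP traffic shaped like the capture in the thread;
# hosts and addresses are example.test placeholders, not values from the page.
SAMPLE_SESSION = (
    b"EHLO app01.example.test\r\n"
    b"MAIL FROM:<reports@example.test>\r\n"
    b"RCPT TO:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\n"
    b"DATA\r\n"
    b"Date: Wed, 4 Jun 2014 11:20:57 -0500 (CDT)\r\n"
    b"To: alice@example.test\r\n"
    b"Cc: bob@example.test, \r\n"
    b"\tcarol@example.test\r\n"          # folded continuation of Cc
    b"Subject: Monthly report\r\n"
    b"MIME-Version: 1.0\r\n"
    b"\r\n"
    b"From: this line is body text, not a header\r\n"
    b".\r\n"
    b"QUIT\r\n"
)

def _angle_addr(line: bytes) -> str:
    """Return the address between < and > in a MAIL FROM / RCPT TO command."""
    start, end = line.find(b"<"), line.rfind(b">")
    return line[start + 1:end].decode("ascii", "replace") if 0 <= start < end else ""

def audit_session(raw: bytes) -> dict:
    """Split client SMTP traffic into envelope and message, then audit headers."""
    envelope_from, rcpts, data, in_data = None, [], [], False
    for line in raw.split(b"\r\n"):
        if in_data:
            if line == b".":                       # end-of-data marker
                in_data = False
            else:                                  # undo SMTP dot-stuffing
                data.append(line[1:] if line.startswith(b".") else line)
        elif line.upper().startswith(b"MAIL FROM:"):
            envelope_from = _angle_addr(line)
        elif line.upper().startswith(b"RCPT TO:"):
            rcpts.append(_angle_addr(line))
        elif line.upper() == b"DATA":
            in_data = True
    # The header parser stops at the first blank line, so a "From:" string in
    # the body is not mistaken for the header (a plain grep would be fooled).
    msg = BytesHeaderParser().parsebytes(b"\r\n".join(data))
    return {
        "envelope_from": envelope_from,
        "rcpt_count": len(rcpts),
        "header_names": msg.keys(),
        "missing_required": [h for h in REQUIRED_HEADERS if msg[h] is None],
    }

if __name__ == "__main__":
    print(audit_session(SAMPLE_SESSION))
```

A non-empty envelope_from together with "From" in missing_required is the situation in this thread: the gateway log shows a sender, but the mail client has no From header to display.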