I have received a suspicious e-mail. I am not affiliated with the company mentioned in the e-mail body, or the signer. However, I have been using the app they mention in the e-mail. They are inviting me to a Beta test. But the e-mail is not by the original author of the app. But I'm thinking they might have hired an external company to do this version of the app. There is a link to a TestFlight page. So I'm not sure what to make of this.

Now this is what mainly arose my attention.

From:    Anders Bergman <[email protected]>
To:      Bon Support
Cc:
Subject: Test av nya BBK för Android

This is how it shows up in Outlook 2010. The "To" field is addressed to "Bon Support" and when I double-click on that I see [email protected]. I can assure you that none of these are my e-mail addresses. So where the heck is my own e-mail address? How could I have received this if it was addressed to someone else? If not spammers and skimmers and other criminals, who else is using this practice and why? And how can I tell now to what e-mail account I received this? I have more than one account set up in Outlook.

Update


X-T2-Real-To: <[email protected]>
Return-Path: <[email protected]>
X-T2-Spam-Status: No, hits=-0.1 required=5.0 tests=BAYES_50,
    HTML_MESSAGE,RCVD_IN_DNSWL_LOW
Received: from <[email protected]>
  by mailbe03.swip.net (CommuniGate Pro RULE 5.4.4)
  with RULE id 171382165; Wed, 23 Oct 2013 10:30:14 +0200
X-Autogenerated: Mirror
Resent-From: <[email protected]>
Resent-Date: Wed, 23 Oct 2013 10:30:14 +0200
X-T2-Real-To: <[email protected]>
X-T2-Spam-Status: No, hits=-0.1 required=5.0 tests=BAYES_50,
    HTML_MESSAGE,RCVD_IN_DNSWL_LOW
Received: from mail-la0-f49.google.com ([209.85.215.49] verified)
  by mailfe07.swip.net (CommuniGate Pro SMTP 5.4.4)
  with ESMTPS id 446061965 for [email protected]; Wed, 23 Oct 2013 10:30:12 +0200
Received-SPF: none
 receiver=mailfe07.swip.net; client-ip=209.85.215.49; [email protected]
Received: by mail-la0-f49.google.com with SMTP id eh20so357260lab.8
        for <[email protected]>; Wed, 23 Oct 2013 01:30:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:from:content-type:date:subject:to:message-id
         :mime-version;
        bh=JprkfYQhNUhcVFA7ZpzJa94c1OV0Fabysm64G9QOXlI=;
        b=XGMTt4NB4404RL0z5tKQNIYX8WJw6fr73dQNS3+wXxijyXWcXY0AVjQkKg6r9mY3uy
         RecuFcwuZo6UeXNr6fDqR3gVTsEfXKe8OxNQAZY5LJVCUKbX9LvxkBnFvcRt690fLe2l
         CRlJkfrGg/pxsX1dvoCbtGpR/zOZLkt+3Y1p6LyYuMZBtTMSKxyF0lNoML2JwnF0hf5w
         LayOFidlYtYhCwXo01tpg2MXxIAxrk3UH+IcVLDjr/M/+Cd+I0j3COeKTq3oL7e3p58s
         vuRUZrYdgsdOYxWwD8UmIrS40sTsSgV3hMm1jftCiQGqnTT6o3llYxCVjIE5Ki0HG/My
         RkfQ==
X-Gm-Message-State: ALoCoQkZJT/ZGaGrnfpKLyO8LRTO1EuDp39F4SZ9Gax9puG3RlHfTAe8cUIqZdvPSVOiiXJ0gS+l
X-Received: by 10.152.171.72 with SMTP id as8mr258717lac.33.1382517010017;
        Wed, 23 Oct 2013 01:30:10 -0700 (PDT)
X-Original-Return-Path: <[email protected]>
Received: from [10.0.1.144] (77.72.97.10.c.fiberdirekt.net. [77.72.97.10])
        by mx.google.com with ESMTPSA id mr1sm18536043lbc.16.2013.10.23.01.30.04
        for <multiple recipients>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Wed, 23 Oct 2013 01:30:09 -0700 (PDT)
From: Anders Bergman <[email protected]>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D829B436-0812-4CDC-BE9A-555257A9A44B"
Date: Wed, 23 Oct 2013 10:30:02 +0200
Subject: =?iso-8859-1?Q?Testa_av_nya_BBK_f=F6r_Android?=
To: Bon Support <[email protected]>
Message-Id: <[email protected]>
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
X-Mailer: Apple Mail (2.1508)

Now here are the interesting bits of information. The "real" To address:

X-T2-Real-To: <[email protected]>

The "return path" address:

Return-Path: <[email protected]>

It has been scanned for SPAM with Spam Assasin (Bayes 50 rule). "SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. Bayesian spam probability is 40 to 60%."

X-T2-Spam-Status: No, hits=-0.1 required=5.0 tests=BAYES_50

I can see it was sent to multiple recipients. I'd say this is indicative of a Bcc mail.

for <multiple recipients>

I also see he used Apple Mail 6.5 to send the e-mail.

Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
X-Mailer: Apple Mail (2.1508)

So it looks like he's running OS X 10.8.x Mountain Lion. That's kind of cool to know.

He is in fact running Mac OS X, so I'd say it's a genuine e-mail, and not a spam. Yes, I know that by the fact that he is using a Mac! Apple users have a life, they don't do spam. ;)


Solution 1:

The From, To, and Cc headers might have no relation at all to where the mail was delivered. They are not authenticated by the mail systems that the mail passes through and are completely forgeable. A good analogy for these headers is the address, greeting and signature on the pages of a business letter. These usually match the author and recipient of the letter because most messages aren't forgeries but there's nothing that prevents them from being complete fabrications.

What determines where a physical letter is delivered is the address on the outside of the envelope. Similarly, what determines where an electronic mail message is delivered is the address or addresses on its protocol envelope. This information is passed out-of-band via the SMTP protocol and are wholly independent of the message headers. Sometimes SMTP envelope information is copied into the mail headers (e.g. Received and Return-Path headers), but you have no way of knowing how much of the headers reflect this envelope and how much is forged, so you should trust none of it for anything vital. But as with business letters most of the time, excepting spam, messages are not forgeries, so the sender and recipient headers are truthful, for some values of truth.