[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: interpreting email headers

On 21/01/02, Russell Coker wrote:
> I have attached a strange bounce message I received, and would like some 
> advice in understanding exactly what happened.

Well, since you didn't include any specific information, I can only try
to analyze the header step by step and hope that's what you are asking
for. Otherwise please tell us, what your exact problem is.

> >>From MAILER-DAEMON@coker.com.au Mon Jan 21 01:37:31 2002
> Return-Path: <>

Since the Return-Path has been set to <>, we can assume that this mail
is coming from the address <> which is used for sending bounces.

> Delivered-To: rjc@sws.net.au

Added by the MTA on sws_sat.sws.net.au when he delievered the mail into
a mailbox. Could have been written by postfix.

> Received: (qmail 23329 invoked from network); 21 Jan 2002 00:34:17 -0000

qmail received a mail from the network, but wrote no further details.

> Received: from unknown (HELO sws?sat.sws.net.au) (
>   by with SMTP; 21 Jan 2002 00:34:17 -0000

The time looks fine, so we assume that this line is correct. A Host with
the IP received a mail from an host with the IP
which claimed to be sws_sat.sws.net.au, but which was not verifiable via
DNS. Looks like an internal forwarding.

> Received: from ivanova.coker.com.au (ivanova.coker.com.au [])
> 	by sws_sat.sws.net.au (Postfix) with ESMTP id 6E647CA51
> 	for <rjc@sws.net.au>; Mon, 21 Jan 2002 11:34:16 +1100 (EST)

The host ivanova.coker.com.au send a mail to the host called
sws_sat.sws.net.au. The IP for this host is and the name
is also correct. The mail was destinated for rjc.sws.net.au. Compared
with the headers which are following, I would assume that ivanova is
either rewriting this or some more headers or simply forwarding
everything. But since it's your MX this should be well know to you. ;-)

> Received: by ivanova.coker.com.au (Postfix)
> 	id 02D7CFAD2; Mon, 21 Jan 2002 11:34:15 +1100 (EST)

The postfix instance on ivanova received a mail which. If I'm not
mistaken the header also suggest that it was directly forwarded because
of the postfix setup and not by an external tool.

> Delivered-To: rjc@coker.com.au

Added by postfix on ivanova.coker.com.au, I would say.

> Received: from debianlinux.net (c88006.upc-c.chello.nl [])
> 	(using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
> 	(Client did not present a certificate)
> 	by ivanova.coker.com.au (Postfix) with ESMTP id 79134FB51
> 	for <russell@coker.com.au>; Mon, 21 Jan 2002 11:34:04 +1100 (EST)

Okay, so ivanova.coker.com.au received this mail from a host which
pretended to be debianlinux.net, but is really c88006.upc-c.chello.nl
witht the IP address It used TLS to deliver the mail, but
didn't had a certificate available. The mail was for
russell@coker.com.au. Again a look in the logfiles on your MX should
help you figure out what's exactly happening.

> Received: from localhost (localhost [])
>   (ftp://ftp.isi.edu/in-notes/rfc1894.txt)
>   by debianlinux.net with dsn; Mon, 21 Jan 2002 01:37:31 +0100

debianlinux.net received a mail from a host called localhost, which has
been verified. After checking the URL that is mentioned in this header
here, I would say that DSN stands for Delivery Status Notification. 

> To: undisclosed-recipients: ;

Hm, that one looks a bit strange here. Looks to me like it was send via
Bcc instead of To or Cc.

> From: MAILER-DAEMON@coker.com.au

And this header seems to be from the MTA for the domain.coker.com.au,
which was involved. Such a header would also be allowed for a DSN. But
for a real DSN this header is lacking at least a correct content-type
header. So I would merely suspect it's either a bounce generated because
of a wrongly-formatted mail, which may should have been a DSN. Without
inspecting the logfiles on the host ivanova.coker.com.au to find out as
much information and then contacting the owner of the MTA for the domain
debianlinux.net (IP: and letting him inspect his logfiles
also, this will be difficult to say. But at least the protocol that was
used between localhost and debianlinux.net suggest that it should have
been a DSN.

> Status: R 
> X-Status: N

Do you use mutt to read and write mails? If yes, mutt has certainly
added those headers.

           Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853

Attachment: pgpYPzBSZcT5C.pgp
Description: PGP signature

Reply to: