#1
Are BCC's Visible In Email Headers?
I am suddenly getting strange emails addressed to other people (not from a votech server). The emails appear to have originated from various sources like hotmail, FBI, CIA (these 2 have zm9 attachments). The subjects in the ones from the CIA and FBI are: "You visit illegal websites". I was wondering if the Blind Copy function shows up in the header. Here is the header for the one from the FBI:
Return-path: <Mail@fbi.gov>
Received: from ms-mta-02-eri0 (ms-mta-02-eri0 [10.25.8.235]) by ms-mss-05.southeast.rr.com (iPlanet Messaging Server 5.2 HotFix 2.08 (built Sep 22 2005)) with ESMTP id <0IQE003KEP85AK@ms-mss-05.southeast.rr.com>; Wed, 23 Nov 2005 06:57:41 -0500 (EST)
Received: from lamx03.mgw.rr.com (lamx03.mgw.rr.com [66.75.160.11]) by ms-mta-02.southeast.rr.com (iPlanet Messaging Server 5.2 HotFix 2.04 (built Feb 8 2005)) with ESMTP id <0IQE004XVP84LH@ms-mta-02.southeast.rr.com>; Wed, 23 Nov 2005 06:57:41 -0500 (EST)
Received: from orngca-mx-09.mgw.rr.com (orngca-mx-09.mgw.rr.com [66.75.160.143]) by lamx03.mgw.rr.com (8.12.10/8.12.8) with ESMTP id jANBuSq7018003; Wed, 23 Nov 2005 06:57:35 -0500 (EST)
Received: from rrcs-24-199-253-250.midsouth.biz.rr.com (HELO cmcow.gov) (24.199.253.250) by orngca-mx-09.mgw.rr.com with SMTP; Wed, 23 Nov 2005 06:57:08 -0500
Date: Wed, 23 Nov 2005 11:46:31 +0000 (UTC)
From: Mail@fbi.gov
Subject: You visit illegal websites
To: x-Recipient@sc.rr.com
Message-id: <c5cbf1fb0ee.38bb28d0@fbi.gov>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="====ed53727a89bfeb755d9474"
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-Virus-Scan-Result: Repaired 17534 W32.Sober.X@mm

The content of the email read:

Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important: Please answer our questions! The list of questions are attached.
Yours faithfully,
Steven Allison
*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

I don't know who x-Recipient (not valid) is but some of the others I've gotten are valid email addresses. The one above has a zm9 attachment which I viewed in WordPad and only could see about a dozen non-displayable characters. PS: Exactly what is an illegal website?
This sounds like some kind of spam scam, but the ones from hotmail look legitimate. I forwarded those to the correct addressee. I also forwarded the one from the CIA to the correct addressee because it was a valid email address. Anybody else seen these types of emails floating around?

EDIT: With a little further research in Google I discovered that all these emails originally contained the Sober virus (I believe it was an issue about a year ago) in a .zip attachment which my antivirus software inoculated to a .zm9 file. I'm still wondering about how to see the BCC's though because these emails are not addressed to me (the To: field).
__________________
Catch a wave on the Grand Strand
Last edited by ixie02 : 11-23-2005 at 10:30 AM.
#2
ix look at the virus result....see you figured that out
If you look at the raw view that will show you about all you can see...or extended headers. Sometimes bcc is withheld.
#3
It's a new worm called Sober Worm which spoofs as if it's from the FBI or CIA
http://www.informationweek.com/story...leID=174401321
#4
Yeah, I have a client who's getting a tonne of these, but not just from the FBI or CIA. All of a sudden too.
#5
There's also another new virus that started circulating heavily a day or so back which is probably the root cause for the mail problems here and elsewhere.
X-Headers are "reserved" for application/personal use, i.e. they're not generally inserted by the SMTP server but by the client instead. In the example above they're inserted by the Symantec Anti-virus engine (though there's no proof of that, any spammer can insert X headers claiming to be any program .. anyone noticed much of the spam out there now is including "scanned by xxxx" in the body text to try and fool you into thinking it's a clean email). Anyway, as to BCC addresses, they will NEVER appear in the email headers.
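An added example, not part of any post in this thread: a Python check run over the headers from post #1 (abridged) that finds the oldest hop recorded by the recipient's own provider, compares it with the From domain, and tests whether the delivered mailbox is named in To/Cc at all. The function names, the mailbox `reader@example.net` and the choice of `.rr.com` as the trusted provider suffix are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Headers from post #1, abridged (server version strings and ids dropped).
RAW = """\
Return-path: <Mail@fbi.gov>
Received: from ms-mta-02-eri0 (ms-mta-02-eri0 [10.25.8.235]) by ms-mss-05.southeast.rr.com with ESMTP; Wed, 23 Nov 2005 06:57:41 -0500 (EST)
Received: from lamx03.mgw.rr.com (lamx03.mgw.rr.com [66.75.160.11]) by ms-mta-02.southeast.rr.com with ESMTP; Wed, 23 Nov 2005 06:57:41 -0500 (EST)
Received: from orngca-mx-09.mgw.rr.com (orngca-mx-09.mgw.rr.com [66.75.160.143]) by lamx03.mgw.rr.com (8.12.10/8.12.8) with ESMTP; Wed, 23 Nov 2005 06:57:35 -0500 (EST)
Received: from rrcs-24-199-253-250.midsouth.biz.rr.com (HELO cmcow.gov) (24.199.253.250) by orngca-mx-09.mgw.rr.com with SMTP; Wed, 23 Nov 2005 06:57:08 -0500
From: Mail@fbi.gov
To: x-Recipient@sc.rr.com
X-Virus-Scanned: Symantec AntiVirus Scan Engine
"""

HOP = re.compile(r"from (\S+) .*?[\[(](\d+\.\d+\.\d+\.\d+)[\])]+ by (\S+)")
HELO = re.compile(r"\(HELO (\S+?)\)")

def trusted_origin(msg, trusted_suffix):
    """Oldest hop written by a server we trust; anything older is forgeable."""
    for line in reversed(msg.get_all("Received", [])):  # oldest hop first
        m = HOP.search(" ".join(line.split()))
        if m and m.group(3).endswith(trusted_suffix):
            helo = HELO.search(line)
            return {"host": m.group(1), "ip": m.group(2), "by": m.group(3),
                    "helo": helo.group(1) if helo else m.group(1)}
    return None

def analyze(raw, delivered_to, trusted_suffix=".rr.com"):  # suffix is an assumption
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    origin = trusted_origin(msg, trusted_suffix)
    named = {a.lower() for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    host = origin["host"].lower() if origin else ""
    return {
        "from_domain": from_domain,
        "origin": origin,
        # Connecting host is not under the domain the From line claims.
        "from_spoof_suspected": bool(origin) and not ("." + host).endswith("." + from_domain),
        "helo_mismatch": bool(origin) and origin["helo"].lower() != host,
        # Delivery followed the SMTP envelope (RCPT TO), the same path Bcc uses.
        "envelope_only_recipient": delivered_to.lower() not in named,
        "bcc_header_present": msg.get("Bcc") is not None,
        "unauthenticated_x_headers": [k for k in msg.keys() if k.lower().startswith("x-")],
    }

if __name__ == "__main__":
    for key, value in analyze(RAW, "reader@example.net").items():  # constructed mailbox
        print(f"{key}: {value}")
```

Only the Received line written by a server the reader trusts counts as evidence; From, To, Message-id and any X- header arrive as the sender wrote them.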
#6
Quote: