Article ID: 257538 - View products that this article applies to.
This article was previously published under Q257538
This article has been archived. It is offered "as is" and will no longer be updated.
In e-mail client software, Internet mail and unsolicited commercial e-mail (UCE) in an Exchange Server recipient's mailbox may be displayed without the recipient's display name or Simple Mail Transfer Protocol (SMTP) address in the To line. Instead, the To line is either blank, or it contains other recipients' names or the address of an external distribution list. The From line may also contain incorrect information, or it may be missing information.
This article explains how to view the Request for Comments (RFC) 821 portion of the Internet mail message to obtain information that is not displayed in e-mail client software.
Each Internet mail message contains two portions: the RFC 821 portion (sometimes called the P1 header) and the RFC 822 portion (sometimes called the P2 body). When e-mail client software receives Internet messages, you can only view the RFC 822 portion in the e-mail client software. Although the RFC 822 portion contains a To and From field that the client uses, these fields technically do not need to be correct because they are not used to route SMTP messages.
Therefore, in junk e-mail (or "spam" e-mail), UCE, and outside e-mail that is made to falsely appear to come from an authorized user (or "spoofed" e-mail), addresses in the To and From fields are often replaced with incorrect information or are missing. The data that is used to direct the message to the recipient is actually contained in the RFC 821 portion of the SMTP message, which is further explained below.
A common problem can occur if a recipient has multiple SMTP addresses and the recipient wants to unsubscribe from a junk e-mail mailing list. You may find it difficult to determine which SMTP address to use to unsubscribe the recipient from the sender, because the subscribed address is not displayed in the message. You can only determine the SMTP address if you perform a network trace or enable SMTP protocol logging to examine the RFC 821 portions of SMTP traffic.
To determine the e-mail address that was used to route a message to a recipient, or to gather more information about a spoofed message, search the SMTP protocol logs:
199051It is safe to delete the log files when you stop the Internet Mail Service. To prevent disk space from running out, periodically stop the Internet Mail Service and remove the .log files, or disable SMTP protocol logging altogether.
(http://support.microsoft.com/kb/199051/ )In Exchange, incoming SMTP messages are missing information in the To field, the From field, or the Subject field
Article ID: 257538 - Last Review: October 20, 2013 - Revision: 4.1