On 12/20/18 7:54 PM, Amir Caspi wrote:
Some of the ones with equal-signs look like bounce addresses from envelopes, that would not be in the From header.
I'm going back through and analyzing how I'm extracting data and trying to satisfactorily explain some oddities. I don't think there will be any significant change in the numbers. But it wouldn't be the first time I was wrong about something, even today.
I have found that one of the IETF mailing lists that I subscribe to and participate in seemingly encodes the sending address as original from user part, =40 (hex for @), original from domain part, (actual) @, mailing list, .ietf.org. This seems to especially be the case for senders from domains with DMARC enabled.
So: john....@example.com Becomes: john.doe=40example....@list.ietf.org This is the contents of the From: header.I consider that to be a legitimate email address. Granted, it's probably atypical. But none-the-less legitimate.
I'm also seeing email addresses use the (…) comments in From: headers. From: "So and So" <john....@example.com> (please no spam) Again, legitimate email addresses. -- Grant. . . . unix || die
smime.p7s
Description: S/MIME Cryptographic Signature
