Ron -- I'm not just trying to correct you at every turn here, rather
trying to prevent misinfo in the ng archives if I can -- but this is
incorrect.

The primary data stream of the file is the RFC822 message headers/body
ready to be sent as-is to the remote server. This will NOT include
envelope sender + recipient information (which is what the OP wants)
in common legitimate cases (mailing lists, BCCs), and furthermore is
readily forged.

The :PROPERTIES and :PROPERTIES-LIVE streams are where the actual
routing information is stored.

--Sandy

Just a quick note, Textpad is an excellent tool, but it is not free, it's
something like shareware or "try before you buy". But if you can live with
the nag screen and the moral pain, it's ok this way :)

Thanks, Sandy, that's exactly what I was looking for. Please excuse me for my
English, it is not my native language.
As you correctly guessed, it's a mailing list with BCC, so the
destination(s) doesn't appear in the EML.
I checked the :PROPERTIES data stream, and here are all the original
recipients, unfortunately it doesn't give a clear indication to which
recipients the message was delivered and to which not, must be somewhere in
the binary content in the file, I will have to do a correlation with the logs.

The problem is that I am having emails delivered many times to some of the
recipients, probably (I thought) because of slow connections with some hosts.
I checked the log file and found that effectively there was some breaks to
the SMTP dialogs that could lead to the repetitions, but I found too that
sometimes the email was delivered completely to some recipients, with
presence of the >QUIT <221 Closing connection. dialog, but anyway later the
messages to these recipients where delivered again, as if the SMTP server did
not deleted the email address from the recipients list, maybe because there
where other recipients in the same .EML that where not delivered? I don't
believe this is a bug or something in the IIS SMTP server, or I'm missing
something?
Finally I moved the messages from Queue to other folder so they will not be
delivered again, but I don't know for sure to which recipients it was
delivered, without a deep revision of the log.
I will adjust the SMTP parameters so not so many emails are delivered at the
same time, and limit the conections for each domain to 1, hope this fix the
problem, if not I will have to change to another SMTP program :(.
Any thoughts?

Thanks again,
Ariel

Search my posts for PROPERTIES-LIVE.

--Sandy

They are alternate data streams within the queue files.
That's right: the queue file bodies, SMTP envelope info, and control
metadata are all unified in one file through the of ADS.

Some applications are incapable of reading ADS in some contexts. At
simplest, go to a command prompt, change to your queue folder, and try
this:

more < testfile.eml:PROPERTIES-LIVE

Also get the streams.exe tool from MS.

--Sandy

No, that's not relevant.

NTFS alternate data streams have nothing to do with AD.

--Sandy

They are a feature of NTFS and stored within the filesystem and its
indices, just like default (a.k.a. primary) data streams.

You might look at ADSes as being the opposite of hardlinks.

While hardlinks allow you to refer to a single underlying set of bytes
by two different names, ADSes allow you to use a single
name-plus-subname to refer to two different, but usually very closely
related, sets of data. Each data stream is equivalent to a fully
separate "file" in conventional terms. Indeed, one file's alternate
data stream can be copied out into another standard, standalone file
-- becoming that second file's default data stream.
Not that I know of, no.

Converting an NTFS partition to a FAT partition and back again will
remove ADSes, but it will remove a heckuva lot of other stuff as well,
like NTFS permissions. In theory, you could backup NTFS permissions to
an answer file, convert the filesystem, convert it back, and reapply
permissions. Windows would just recreate any ADSes as needed. But don't
do this :)

--Sandy

No, there is no "physical" file that can be viewed with non-ADS-aware
utilities.

Of course, there is no such thing as a physical file for either primary or
alternate streams -- just pointers to sets of disk blocks that are read
together _as if_ they have a permanent start and end point. The structure
of a primary or alternate stream, once it gets loaded into memory, is
exactly the same. You can store a database in an alternate stream, with
an INI file in the primary stream of the same file; or vice versa. Only
thing you can't do is access the alternate streams from applications that
aren't aware of the possibility of ADSes. For example, an application
that prohibits a colon in a filename will choke if you try to enter an
ADS, since an ADS is located using a colon as the separator.

--Sandy

As files without any more qualification, no.

They would always be referenced using either the colon-separated
format 'name:stream' (typically if you are passing a stream name to
compiled application, or if you already know the name of a stream) or
by using special API functions (if you are scanning for unknown
streams). The functions are able to extract all of the stream names
and stream data given the standard name of the file (first you get a
handle to the file by name, _then_ you loop through its streams,
reinforcing the parent-child kind of relationship I've been trying to
put across).
Chkdsk *will not* increment the number of files if you add ADSes to a
given file. It "will" see that there are more allocation units in use
on the disk.
No.

An ADS-aware application must still treat ADSes as ADSes. They are not
simple files. Either the colon-separated syntax or the ADS-aware API
functions must be used.
Wherever your classic view is taking you is obvs. causing too much
confusion for a pretty simple, albeit cool, technology. I think your
view is too rooted in the (mis)apprehension that discrete files are
"real" or "physical" -- as opposed to being arbitrary constructs of
the particular filesystem in use that allow assemblages of bytes to be
viewed as discrete wholes. Try accessing an NTFS partition as if it
were FAT32; you'll see that _all_ your files are suddenly un-"real",
not just the ADSes!

ADSes are definitely present on disk in physically separate (and quite
possibly discontiguous) areas, just like primary data streams. You can
see that they take up allocation units, just like anything else that
gets saved. Major, really only, diff is that they don't have their own
standalone names, being only addressable as subnames of a "master"
file. This ensures that ADSes, which typically provide supporting
data, such as user settings, or store state, as with the SMTP queue,
will be deleted along with the (sole) data to which they relate.

--Sandy