Cutsnake88

NEW ISSUE/BUG - Parsing Outlook headers and showing Hotmail reporting address

5 posts in this topic

I do a few reports a day. My email comes in through Outlook365 Exchange and I generally report messages that hit my quarantine.

Just in the past few days, about half of the messages I report to Spamcop come back saying that the report will go to Hotmail, when the sender is clearly someone else. Below is a screenshot. Looking at the header, the email is clearly coming from Sendgrid.

I haven't changed the way I'm reporting, and report using the full (huge) Outlook365 Exchange headers. What's going on?

 

Spamcop_reporting_error.png


https://www.spamcop.net/sc?id=z6365955700z76292dfde07e1d1d20f190a3456f09f4z

The Tracking URI from above so others can see what the parser did, and why report was sent to hotmail.

Quote
3: Received: from ME1AUS01FT007.eop-AUS01.prod.protection.outlook.com (2a01:111:f400:7eb4::204) by ME1PR01CA0078.outlook.office365.com (2603:10c6:200:18::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.14 via Frontend Transport; Mon, 27 Mar 2017 10:46:29 +0000

Hostname verified: mail-me1aus01lp0204.outbound.protection.outlook.com

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust this Received line.

Tracking message source: 2603:10c6:200:18:0:0:0:11:

Routing details for 2603:10c6:200:18:0:0:0:11
[refresh/show] Cached whois for 2603:10c6:200:18:0:0:0:11 : abuse@microsoft.com
abuse@hotmail.com redirects to report_spam@hotmail.com
Using best contacts report_spam@hotmail.com

This post does not provide a suggested correction to the abuse@ address for this IP so moved up a level
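
A simplified model of the trust decision shown in the parser output above, added here as an example (it is not SpamCop's code and not part of the original thread): hops are walked newest-first, a hop is believed only if its receiving host belongs to a registered mailhost, and the report target is the "from" address of the last believed hop. Only the middle hop's from/by pair comes from the quoted output; the other two hops, the `.example` hostnames, the documentation IPs and both mailhost sets are constructed assumptions.

```python
import ipaddress
import re

# Constructed Received chain, newest first. Hop 2 reuses the from/by pair quoted
# in the post above; hops 1 and 3 are made up (example hosts, documentation IPs).
RECEIVED = [
    "from ME1PR01CA0078.outlook.office365.com (2603:10c6:200:18::11) "
    "by mailbox.prod.outlook.example (2001:db8::10)",
    "from ME1AUS01FT007.eop-AUS01.prod.protection.outlook.com (2a01:111:f400:7eb4::204) "
    "by ME1PR01CA0078.outlook.office365.com (2603:10c6:200:18::11)",
    "from relay.sender.example (192.0.2.25) "
    "by ME1AUS01FT007.eop-AUS01.prod.protection.outlook.com (2a01:111:f400:7eb4::204)",
]

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]+)\)\s+by\s+(\S+)", re.I)


def is_mailhost(host, mailhosts):
    """True if host equals, or is a subdomain of, a registered mailhost domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in mailhosts)


def trace_source(received, mailhosts):
    """Walk hops newest-first; return (source_ip, index_of_first_untrusted_hop).

    A hop is believed only if its receiving ("by") host is a registered mailhost.
    The source is the "from" address of the last believed hop.
    """
    source = None
    for i, line in enumerate(received):
        m = HOP.search(line)
        if not m or not is_mailhost(m.group(3), mailhosts):
            return source, i            # stop: everything below is unverified
        source = ipaddress.ip_address(m.group(2).strip("[] "))
    return source, None                 # whole chain believed


def explain(received, mailhosts):
    src, stopped = trace_source(received, mailhosts)
    where = "end of chain" if stopped is None else f"Received line {stopped + 1}"
    return f"stopped at {where}; report goes to owner of {src}"


if __name__ == "__main__":
    print(explain(RECEIVED, {"outlook.example"}))
    print(explain(RECEIVED, {"outlook.example", "outlook.office365.com",
                             "protection.outlook.com"}))
```

With the narrower mailhost set the walk stops at the hop received by `outlook.office365.com`, so the source is the provider's own relay address; with all receiving domains registered, the walk reaches the external sender's address.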


The email headers don't look at ALL like a forgery. I've attached a PDF of the top part of the (munged) headers, with the very obvious Sendgrid stuff highlighted.

This is the kind of headers (with a bunch of other X- lines below this) that Outlook365 Exchange always has, and up until the past few days, they've all parsed fine. Now, some parse perfectly, others do what this one has done.

 

Spamcop - sendgrid.pdf


1. The link you provided is not accessible to anyone except you.

2. The Tracking URL in my post, copied from your original post, gives everyone access to the munged spam, and the information the parser provided.
