crouc

[Resolved] Spammer fakes header with our domain and IP which leads to blacklisting

4 posts in this topic

Greetings,

we have problems with a spammer who fakes his header with one of our mail addresses and also in some parts our mail server IP, but the origin in the first spam wave a week ago is 185.118.164.141. Yesterday this week the second wave started from 23.100.9.31. As it seems clear that the sending IP is not ours, I wonder why we were blacklisted by SpamCop. How can I prevent this from happening again? SPF is set for our domain and mail server IP.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Return-Path: <susi-brewu@SPAMTRAP.INVALID>
X-Original-To: FORWARDER@MANITU-SPAMTRAP.INVALID
Delivered-To: FORWARDER@MANITU-SPAMTRAP.INVALID
Received: from mout-xforward.SPAMTRAP.INVALID (mout-xforward.SPAMTRAP.INVALID [82.165.159.12])
    by gollum.manitu.net (Postfix) with ESMTP id 1AC8F79207A
    for <FORWARDER@MANITU-SPAMTRAP.INVALID>; Thu, 31 Aug 2017 20:16:19 +0200 (CEST)
Received: from mail2.our-domain ([our-IP]) by mx-ha.SPAMTRAP.INVALID
 (mxgmx017 [212.227.15.9]) with ESMTPS (Nemesis) id 1M7bhv-1dr3Rl0dhN-0083iD
 for <susi-brewu@SPAMTRAP.INVALID>; Thu, 31 Aug 2017 20:16:16 +0200
Received: from User (185.118.164.141) by owa.our-domain (192.168.20.231)
 with Microsoft SMTP Server id 14.2.247.3; Thu, 31 Aug 2017 01:20:01 +0200
X-CheckPoint: {59A7481B-A4-AA0DBE57-C0000000}
X-MAIL-CPID: 30104665C72DC72407D2835D26D562D5
X-Control-Analysis: str=0001.0A0C0206.59A74822.008B,ss=3,re=0.000,recu=0.000,reip=0.000,vtr=str,vl=0,cl=3,cld=1,fgs=0
Reply-To: <generaleseguross@groupmail.com>
From: <info@our-domain>
Subject: Gewinner
Date: Wed, 30 Aug 2017 16:20:01 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0009_01C2A9A6.71C82E9A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <75913c41-3874-4592-a56a-036ec007c8c4@ex.our-domain.local>
To: Undisclosed recipients:;
X-Originating-IP: [185.118.164.141]
Envelope-To: <susi-brewu@SPAMTRAP.INVALID>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

This is a header from the second wave:

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Received: from
A1-destroyeR.txucwqwcedquzp2bt1attwsbkg.ax.internal.cloudapp.net
(23.100.9.31) by owa.our-domain (192.168.20.231) with Microsoft SMTP
Server (TLS) id 14.2.247.3; Mon, 11 Sep 2017 17:10:01 +0200
Content-Type: multipart/mixed; boundary="===============0168328789=="
MIME-Version: 1.0
Subject: OFFIZIELLE...
To: Recipients <info@our-domain>
From: <info@our-domain>
Date: Mon, 11 Sep 2017 15:09:55 +0000
Reply-To: <generaleseguross@groupmail.com>
Message-ID: <4985ba81-504e-4e06-9dc3-7f76430c2929@ex.our-domain.local>
Return-Path: info@our-domain
X-Originating-IP: [23.100.9.31]
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Kind regards.
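An added illustration, not from this thread or from SpamCop: the Python below takes the Received chains quoted above (copied in as constructed samples, placeholders included) and walks each chain oldest hop first to find the hop at which the message was received by one of the listed organisation's own servers. OUR_HOSTS is an assumption based on the post's placeholders.

```python
import re
from email import message_from_string

# Constructed samples: the Received chains quoted in the post, placeholders kept as-is.
FIRST_WAVE = """Received: from mout-xforward.SPAMTRAP.INVALID (mout-xforward.SPAMTRAP.INVALID [82.165.159.12])
    by gollum.manitu.net (Postfix) with ESMTP id 1AC8F79207A
    for <FORWARDER@MANITU-SPAMTRAP.INVALID>; Thu, 31 Aug 2017 20:16:19 +0200 (CEST)
Received: from mail2.our-domain ([our-IP]) by mx-ha.SPAMTRAP.INVALID
 (mxgmx017 [212.227.15.9]) with ESMTPS (Nemesis) id 1M7bhv-1dr3Rl0dhN-0083iD
 for <susi-brewu@SPAMTRAP.INVALID>; Thu, 31 Aug 2017 20:16:16 +0200
Received: from User (185.118.164.141) by owa.our-domain (192.168.20.231)
 with Microsoft SMTP Server id 14.2.247.3; Thu, 31 Aug 2017 01:20:01 +0200
From: <info@our-domain>

"""
SECOND_WAVE = """Received: from
 A1-destroyeR.txucwqwcedquzp2bt1attwsbkg.ax.internal.cloudapp.net
 (23.100.9.31) by owa.our-domain (192.168.20.231) with Microsoft SMTP
 Server (TLS) id 14.2.247.3; Mon, 11 Sep 2017 17:10:01 +0200
From: <info@our-domain>

"""
# Hostnames of the organisation whose IP was listed (assumed from the post's placeholders).
OUR_HOSTS = ("owa.our-domain", "mail2.our-domain")
HOP_RE = re.compile(r"from\s+(?P<from>\S+)\s*(?:\((?P<info>[^)]*)\))?\s*by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_hops(raw):
    """Received hops, newest first, as (from_host, from_ip, by_host) tuples."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header before matching
        if not m:
            continue  # not a 'from X by Y' clause; ignore this hop
        ip = IP_RE.search(m.group("info") or "")
        hops.append((m.group("from"), ip.group(0) if ip else None, m.group("by")))
    return hops

def injection_point(raw, our_hosts=OUR_HOSTS):
    """Walk the chain oldest-first and return the first hop received BY one of our
    hosts; its 'from' side is the peer that actually handed us the message, and
    that is the connection to look up in our server's SMTP receive logs."""
    for from_host, from_ip, by_host in reversed(parse_hops(raw)):
        if by_host in our_hosts:
            return {"by": by_host, "from": from_host, "from_ip": from_ip}
    return None  # nothing received by our hosts: our name was only asserted, never relayed

print(injection_point(FIRST_WAVE))   # {'by': 'owa.our-domain', 'from': 'User', 'from_ip': '185.118.164.141'}
print(injection_point(SECOND_WAVE))  # from_ip is 23.100.9.31
```

Both samples resolve to a hop received by owa.our-domain from the external address, so that server's receive and authentication logs for those connections are where to look next.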


This would sure be easier to read if we had the tracking URL. If I see this correctly, then it appears that the email was forwarded through 82.165.159.12. Since I am not familiar with this IP, I will take the route of it possibly being okay. Another SpamCop user can take that one on.

From what I see, the order of the headers is "Our-IP" and then 185.118.164.141. This would mean that 185.118.164.141 probably used your router to send the email.

2 hours ago, crouc said:

Received: from mail2.our-domain ([our-IP]) by mx-ha.SPAMTRAP.INVALID
 (mxgmx017 [212.227.15.9]) with ESMTPS (Nemesis) id 1M7bhv-1dr3Rl0dhN-0083iD
 for <susi-brewu@SPAMTRAP.INVALID>; Thu, 31 Aug 2017 20:16:16 +0200
Received: from User (185.118.164.141) by owa.our-domain (192.168.20.231)
 with Microsoft SMTP Server id 14.2.247.3; Thu, 31 Aug 2017 01:20:01 +0200

If we assume that it did come from your IP, then I would guess you already checked the server logs. The next thing I would check is your NAT router, and make sure it did not get hacked. I have seen plenty of email come directly from routers, where it completely bypasses the email server.

Edited by gnarlymarley

7 hours ago, crouc said:

Greetings,

we have problems with a spammer who fakes his header with one of our mail addresses and also in some parts our mail server IP, but the origin in the first spam wave a week ago is 185.118.164.141. Yesterday this week the second wave started from 23.100.9.31. As it seems clear that the sending IP is not ours, I wonder why we were blacklisted by SpamCop. How can I prevent this from happening again? SPF is set for our domain and mail server IP.

IP 23.100.9.31 is a botnet?
https://www.talosintelligence.com/reputation_center/lookup?search=23.100.9.31

I count 12 reports made through SpamCop, the last one:
"Submitted: 9/12/2017, 10:50:49 AM +1000:
OFFIZIELLE GEWINNBENACHRITIGUNG"

This may or may not be a shared IP (speak to your provider).
That said, do a scan FOR MALWARE - THEN change password - ALL computers and mobiles using that IP.
The malware infection/trojan is described here:
https://www.abuseat.org/lookup.cgi?ip=23.100.9.31

Believed infected with "SendSafe" - Windows Defender will pick it up. Cleaning it ??

23.100.9.31 is listed

This IP address was detected and listed 73 times in the past 28 days, and 3 times in the past 24 hours. The most recent detection was at Tue Sep 12 09:25:00 2017 UTC +/- 5 minutes

This IP is infected (or NATting for a computer that is infected) with an botnet that is emitting email spam. The infection is probably sendsafe.


Edited by petzl
update
