Misparsed for company internal routing

[william_sc]

I am wondering why the following headers (sanitized to protect the innocent) would direct abuse reports to the emails noted for MF.com, rather than comcast.net?  What is happening is that, since MF.com is internal routing, the abuse reports get sent to my company and we get blacklisted.

Received: from bnwems02.CNA.COMPANY.com (IP) by
	rtwems08.CNA.COMPANY.com (IP) with Microsoft SMTP Server (TLS) id
	15.0.1320.4 via Mailbox Transport; Tue, 12 Sep 2017 12:17:10 -0400
Received: from bnwems03.CNA.COMPANY.com (IP) by
	bnwems02.CNA.COMPANY.com (IP) with Microsoft SMTP Server (TLS) id
	15.0.1320.4; Tue, 12 Sep 2017 12:17:09 -0400
Received: from mx0a-00266502.MF.com (IP) by
	bnwems03.CNA.COMPANY.com (IP) with Microsoft SMTP Server (TLS) id
	15.0.1320.4 via Frontend Transport; Tue, 12 Sep 2017 12:17:09 -0400
Received: from MFS.filterd (m0122629.MFOPS.net [127.0.0.1])
                        by mx0a-00266502.MF.com (IP/IP) with SMTP id v8CGFOtS000474
                        for <LASTNAMEw@COMPANY.com>; Tue, 12 Sep 2017 12:17:08 -0400
Received: from esa2.COMPANY.MP.com (esa2.COMPANY.MP.com [IP])
                        by mx0a-00266502.MF.com with ESMTP id 2cvau2gx07-1
                        (version=TLSv1.2 cipher=RC4-SHA bits=128 verify=NOT)
                        for <LASTNAMEw@COMPANY.com>; Tue, 12 Sep 2017 12:17:08 -0400
Received: from o1.delegates.cioarena.com ([IP])
  by esa2.COMPANY.MP.com with ESMTP/TLS/DHE-RSA-AES128-GCM-SHA256; 12 Sep 2017 12:16:25 -0400
Received: by filter1077p1mdw1.sendgrid.net with SMTP id filter1077p1mdw1-27332-59B80858-15
        2017-09-12 16:16:24.588092298 +0000 UTC
Received: from STAVRO-PC (c-24-13-33-151.hsd1.il.comcast.net [IP])
                        by ismtpd0004p1iad1.sendgrid.net (SG) with ESMTP id 1QC0oXBlSTOHRHSxN1R2Ig
                        for <LASTNAME_FI@COMPANY.com>; Tue, 12 Sep 2017 16:16:24.313 +0000 (UTC)
From: XXX YYY <XXX@cioarena.com>
To: "LASTNAME, FNN" <LASTNAME_FI@COMPANY.com>
Subject: [External] RE: Reserved Ticket for FIRSTNAME LASTNAME to CIOarena NYC at
the Conrad Hotel
Thread-Topic: [External] RE: Reserved Ticket for FIRSTNAME LASTNAME to CIOarena
NYC at the Conrad Hotel
Thread-Index: AQHTK+KVaazU6gxqLkyJiimUpkwZ/Q==
Date: Tue, 12 Sep 2017 16:16:24 +0000
Message-ID: <20170912111627.504209864@cioarena.com>
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: bnwems03.CNA.COMPANY.com
X-MS-Has-Attach: 
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-PCL: 2
X-MS-TNEF-Correlator: 
received-spf: Pass (esa2.COMPANY.MP.com: domain of
  bounces+5440949-49ec-LASTNAME_FI=COMPANY.com@delegates.cioarena.com  designates
168.245.23.176 as permitted sender)  identity=mailfrom;
client-ip=168.245.23.176;  receiver=esa2.COMPANY.MP.com;
  envelope-from="bounces+5440949-49ec-LASTNAMEw=COMPANY.com@delegates.cioarena.com";
  x-sender="bounces+5440949-49ec-LASTNAMEw=COMPANY.com@delegates.cioarena.com";
  x-conformance=spf_only; x-record-type="v=spf1"
Content-Type: multipart/alternative;
                        boundary="_000_20170912111627504209864cioarenacom_"
MIME-Version: 1.0

 

[petzl]

1 hour ago, william_sc said:

I am wondering why the following headers (sanitized to protect the innocent) would direct abuse reports to the emails noted for MF.com, rather than comcast.net?  What is happening is that, since MF.com is internal routing, the abuse reports get sent to my company and we get blacklisted.

What's the IP you are not making it easy? 

148.163.151.35 a lot of spam reported through that IP each report is sent to registered abuse address?
SCAN INFECTED COMPUTER MOBILES FOR MALWARE - THEN Change Passwords for email accounts etc!
Could be you have a compromised computer does not appear to be a Botnet but may be a "sink" for a botnet

[william_sc]

When I run the headers through spamcop, it only reports to the address for "MF.com".  It doesn't even mention the comcast.com.  This is not a one-off problem.  Dozens of similar headers with the internal "MP" and "MF" filter routing ignore the original "Received:" line.  So, over the past few weeks since implementing the additional internal spam filters, all emails submitted to spamcop have been reporting "COMPANY.com" as the abuser.

[petzl]

15 minutes ago, william_sc said:

When I run the headers through spamcop, it only reports to the address for "MF.com".  It doesn't even mention the comcast.com.  This is not a one-off problem.  Dozens of similar headers with the internal "MP" and "MF" filter routing ignore the original "Received:" line.  So, over the past few weeks since implementing the additional internal spam filters, all emails submitted to spamcop have been reporting "COMPANY.com" as the abuser.

got the IP wrong so updated reply the injection IP that's being reported is 148.163.151.35

you are not email marketing?
removed 

 

 

[Lking]

Of course if we had a Tracking URL "we" could see why the parser chose not to process down to the comcast.net entry.

[william_sc]

No.  This is an email I received (that was marketing), and I am submitting it to spamcop.  Instead of reporting to the ISP of the offender (comcast), it reports to my company, blacklisting us in the process.

[william_sc]

"proofpoint", is the internal filtering, which gets forwarded to us.

[william_sc]

Well, it looks like you can figure out a lot more stuff than I'm comfortable posting on a public forum.

[petzl]

2 minutes ago, william_sc said:

Well, it looks like you can figure out a lot more stuff than I'm comfortable posting on a public forum.

yes take care! without seeing a tracking URL from SpamCop we are in the dark!

At top of page after SpamCop parse
https://www.spamcop.net/sc?id=z6406210361z274d5c6e68b8c25bbe871163ab0dac4cz

[william_sc]

Yes, I see that.  But then if I post it, rather confidential information is revealed in a public forum.  I can't do that.  If one of you wants to chat with me direct, I can see about making that happen.

[petzl]

5 minutes ago, william_sc said:

Yes, I see that.  But then if I post it, rather confidential information is revealed in a public forum.  I can't do that.  If one of you wants to chat with me direct, I can see about making that happen.

Try complaining to "deputies [at] spamcop [dot] net" that will go to Cisco tech

[william_sc]

Thank you.

[petzl]

1 minute ago, william_sc said:

Thank you.

I'm just a user of SpamCop not a tech

[petzl]

1 hour ago, william_sc said:

24-13-33-151

your remailer is not stamping IP correctly which don't help contact your remailer service also.
24.13.33.151 should be how?

[william_sc]

12 minutes ago, petzl said:

your remailer is not stamping IP correctly which don't help contact your remailer service also.
24.13.33.151 should be how?

That's presumably the source IP of the offender.  My take is that the spammer is sending from that IP (nicknamed "STAVRO-PC") to comcast ISP, which in turn passes it to sendgrid.net, who then sends it to cioarena.com, where it is then picked up by my company's outside filter "esa2".  It then bounces around a bit internally through various firewalls and filters and arrives in my inbox.  But, as I point out, when spamcop parses this, the "originator" is picked up as the esa2 server inside our network, and ignores everything earlier than that.

[petzl]

8 minutes ago, william_sc said:

That's presumably the source IP of the offender.  My take is that the spammer is sending from that IP (nicknamed "STAVRO-PC") to comcast ISP, which in turn passes it to sendgrid.net, who then sends it to cioarena.com, where it is then picked up by my company's outside filter "esa2".  It then bounces around a bit internally through various firewalls and filters and arrives in my inbox.  But, as I point out, when spamcop parses this, the "originator" is picked up as the esa2 server inside our network, and ignores everything earlier than that.

IF its you reporting spam make sure you have put your email address in mailhosts or spamcop can get it wrong?

https://www.spamcop.net/fom-serve/cache/397.html

[Lking]

48 minutes ago, william_sc said:

Yes, I see that.  But then if I post it, rather confidential information is revealed in a public forum.  I can't do that. 

Sense the Tracking URL is yours what you see on the screen is different than what others see.  For example if you click on the tracking URL petzl gave as an example, above, you will see places were <x> replaces personal information.

[william_sc]

14 minutes ago, Lking said:

Sense the Tracking URL is yours what you see on the screen is different than what others see.  For example if you click on the tracking URL petzl gave as an example, above, you will see places were <x> replaces personal information.

Not just personal information, but hostnames, IP addresses, internal to our network.

[william_sc]

25 minutes ago, petzl said:

IF its you reporting spam make sure you have put your email address in mailhosts or spamcop can get it wrong?

https://www.spamcop.net/fom-serve/cache/397.html

I have never done that, and it looks too risky for me to do given the multiple emails that I report.  Also, since Yahoo! is one of my primary report from accounts, I still need the quick-report (since I can't forward as an attachment from Yahoo! anymore).

[petzl]

56 minutes ago, william_sc said:

I have never done that, and it looks too risky for me to do given the multiple emails that I report.  Also, since Yahoo! is one of my primary report from accounts, I still need the quick-report (since I can't forward as an attachment from Yahoo! anymore).

you need to set your mailhosts or you will report yourself

[william_sc]

1 minute ago, petzl said:

you need to set your mailhosts or you will report yourself

This is bigger than just me.  It's my entire company.  The problem is emails sent to my company through these filters, not my personal emails.  Entering mailhosts for me only solves the problem for me, and creates a risk for my personal emails.  Sorry, please help me figure out what else might be causing it.

[petzl]

48 minutes ago, william_sc said:

This is bigger than just me.  It's my entire company.  The problem is emails sent to my company through these filters, not my personal emails.  Entering mailhosts for me only solves the problem for me, and creates a risk for my personal emails.  Sorry, please help me figure out what else might be causing it.

just needs your ONE email address? Not every email address (unless a different domain addy)
SpamCop will send you a verification email for each host which you copy and past into top link
For Fastmail I got two validate emails from SpamCop which identifies all mailhosts

[william_sc]

Ok, I did a bit of hacking and have found two variants of the same header, one that "works" and one that "fails".

https://www.spamcop.net/sc?id=z6406368915z3c233e5f6b35df52e43f378d28d0b9f2z  This one parses "correctly" by picking up the IP of the originator.

https://www.spamcop.net/sc?id=z6406369049zc70613d15e81e38ceff9ce99252dac8ez This one parses incorrectly, by picking up the intermediate IP (in this case, I randomly picked an IP, which happens to be NASA.)

The one difference is the top (newest) Received: line: 127.163.151.35 (parses correctly) vs 129.163.151.35 (parses incorrectly and flags NASA).

Ideas?

Received: from null.net (129.163.151.35)
 by s03.null.net (255.254.253.252); 07 Sep 2017 10:55:26 -0400
Received: from null.com ([255.254.253.252])
 by esa3.null.edu with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Sep 2017 10:55:21 -0400
From: User <User@bogusemail.com>
To: "x" <x>
Subject: This is spam!
Date: Thu, 7 Sep 2017 14:55:18 +0000
Message-ID: <6c29________________________2fda@anywheres.au>
Content-Language: en-US
Content-Type: multipart/alternative;
       boundary="_000_6c296c4007fa2384928b5c7de3d02fdasmtp13abcdefgcom_"
MIME-Version: 1.0

Body of Message

 

[petzl]

Quote

Ok, I did a bit of hacking and have found two variants of the same header, one that "works" and one that "fails".

https://www.spamcop.net/sc?id=z6406368915z3c233e5f6b35df52e43f378d28d0b9f2z  This one parses "correctly" by picking up the IP of the originator.

https://www.spamcop.net/sc?id=z6406369049zc70613d15e81e38ceff9ce99252dac8ez This one parses incorrectly, by picking up the intermediate IP (in this case, I randomly picked an IP, which happens to be NASA.)

The one difference is the top (newest) Received: line: 127.163.151.35 (parses correctly) vs 129.163.151.35 (parses incorrectly and flags NASA).deas?

Your problems should end if you just used SpamCops mailhost program?
Just requires you to have your email address to be sent a validation which identifiess your mailhost
This belongs in the just "too easy" basket?

You are making reporting hard for yourself!

[william_sc]

10 hours ago, petzl said:

Your problems should end if you just used SpamCops mailhost program?
Just requires you to have your email address to be sent a validation which identifiess your mailhost
This belongs in the just "too easy" basket?

You are making reporting hard for yourself!

I'm going to say this again, this isn't just me, it's the entire company.  Everyone who reports spam through spamcop is getting this problem.  Solving it only for me with my email (a) only fixes it for my reporting and (b) makes it harder when I have to report through other emails.